Hi,
I am trying to get automatic certificates from my own boulder instance. Since the boulder HTTPS server is running with an untrusted TLS certificate signed by an untrusted CA, I added the CA to Ubuntu's /etc/ssl/certs and did update-ca-certificates -f to get it merged into /etc/ssl/certs/ca-certificates.crt.
./caddy
Activating privacy features...2017/10/11 15:18:55 get directory at 'https://wfe.boulder:4430/directory': failed to get json "https://wfe.boulder:4430/directory": Get https://wfe.boulder:4430/directory: x509: certificate signed by unknown authority
I can see with strace caddy that Caddy opens the CA file:
openat(AT_FDCWD, "/etc/ssl/certs/ca-certificates.crt", O_RDONLY|O_CLOEXEC) = 6
With openssl as a client it works:
openssl s_client -connect wfe.boulder:4430 -CAfile /etc/ssl/certs/ca-certificates.crt
...
Verify return code: 0 (ok)
Adding the CA to Chrome's CA store also shows a green OK.
Does anyone have an idea how I can get a verify OK with Caddy for the custom CA?
(I am using the latest Caddy version.)
It finally worked after adding the CA manually to /etc/ssl/certs/ca-certificates.crt; update-ca-certificates only updates certs listed in the file /etc/ca-certificates.conf.
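What Caddy's Go TLS client is doing when it prints that x509 error, as an added Go example that is not part of this thread or of Caddy's code: a server leaf is verified against an explicit PEM trust bundle, and verification only passes once the private CA is actually present in that bundle. The throwaway CA and the leaf for wfe.boulder are generated in the example itself (constructed data).

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// verifyServerCert mirrors what a Go TLS client such as Caddy does: the DER leaf the
// server sent must chain, for host, to a root found in the PEM bundle it was given.
func verifyServerCert(leafDER, bundlePEM []byte, host string) error {
	leaf, err := x509.ParseCertificate(leafDER)
	if err != nil {
		return err
	}
	roots := x509.NewCertPool() // non-nil pool: no silent fallback to the system roots
	roots.AppendCertsFromPEM(bundlePEM)
	_, err = leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err // x509.UnknownAuthorityError when the issuing CA is missing from the bundle
}

// constructedChain builds a throwaway private CA and a leaf for wfe.boulder (constructed test data).
func constructedChain() (caPEM, leafDER []byte) {
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader)
	leafPub, _, _ := ed25519.GenerateKey(rand.Reader)
	ca := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "private test CA"},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	caDER, err := x509.CreateCertificate(rand.Reader, ca, ca, caPub, caKey) // self-signed root
	if err != nil {
		panic(err)
	}
	leaf := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "wfe.boulder"}, DNSNames: []string{"wfe.boulder"},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour), ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	leafDER, err = x509.CreateCertificate(rand.Reader, leaf, ca, leafPub, caKey) // issued by the CA
	if err != nil {
		panic(err)
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: caDER}), leafDER
}

func main() {
	caPEM, leafDER := constructedChain()
	fmt.Println("empty bundle:  ", verifyServerCert(leafDER, nil, "wfe.boulder"))
	fmt.Println("bundle with CA:", verifyServerCert(leafDER, caPEM, "wfe.boulder"))
}
```

Pointing the bundle argument at the real /etc/ssl/certs/ca-certificates.crt is the quickest way to check whether a CA you think you installed is actually in the file the Go client reads.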
Great! Glad you managed to fix it.
For future reference, it's usually best to ask questions on https://caddy.community/ instead. There's more activity there. This issue board is more for bugs and feature requests.
This is good to know! Thanks for reporting back. I'm sure others will find this solution useful too.
@mschneider82 If you happen to decide to deploy boulder internally inside your company (I'm presuming?), tell Let's Encrypt -- not because you have to, but because I think they'd be interested in knowing how people are using it. :+1: