v2: cannot skip automatic certificate even though the cert path is already set
Here is my Caddyfile. My cert files are obtained from acme.sh; their domains are *.siteA.com and *.siteB.com.
https://siteA.com {
encode zstd gzip
tls /data/certs/siteA.com/siteA.com.cer /data/certs/siteA.com/siteA.com.key
reverse_proxy 127.0.0.1:5002 {
header_up Host {host}
header_up X-Real-IP {remote_host}
header_up X-Forwarded-For {remote_host}
header_up X-Forwarded-Proto {scheme}
}
}
https://blog.siteB.com {
tls /data/certs/siteB.com/siteB.com.cer /data/certs/siteB.com/siteB.com.key
encode zstd gzip
reverse_proxy 127.0.0.1:4000 {
header_up Host {host}
header_up X-Real-IP {remote_host}
header_up X-Forwarded-For {remote_host}
header_up X-Forwarded-Proto {scheme}
}
}
https://git.siteB.com {
tls /data/certs/siteB.com/siteB.com.cer /data/certs/siteB.com/siteB.com.key
encode zstd gzip
reverse_proxy 127.0.0.1:4000 {
header_up Host {host}
header_up X-Real-IP {remote_host}
header_up X-Forwarded-For {remote_host}
header_up X-Forwarded-Proto {scheme}
}
}
Here is the output:
./caddy2_beta14_linux_amd64 version
v2.0.0-beta.14 h1:QX1hRMfTA5sel53o5SuON1ys50at6yuSAnPr56sLeK8=
./caddy2_beta14_linux_amd64 run
2020/02/18 11:31:55.598 INFO using adjacent Caddyfile
2020/02/18 11:31:55.602 INFO admin admin endpoint started {"address": "localhost:2019", "enforce_origin": false, "origins": ["localhost:2019"]}
2020/02/18 11:31:55 [INFO][cache:0xc0002d8f50] Started certificate maintenance routine
2020/02/18 11:31:55.603 INFO http enabling automatic HTTP->HTTPS redirects {"server_name": "srv0"}
2020/02/18 11:31:55.604 INFO tls cleaned up storage units
2020/02/18 11:31:55.604 INFO http skipping automatic certificate management because one or more matching certificates are already loaded {"domain": "siteA.com", "server_name": "srv0"}
2020/02/18 11:31:55.604 INFO http enabling automatic TLS certificate management {"domains": ["blog.siteB.com", "git.siteB.com"]}
2020/02/18 11:31:55.604 INFO autosaved config {"file": "/root/.config/caddy/autosave.json"}
2020/02/18 11:31:55.604 INFO serving initial configuration
2020/02/18 11:31:57 [INFO][blog.siteB.com] Obtain certificate
2020/02/18 11:31:57 [INFO][blog.siteB.com] Obtain: Waiting on rate limiter...
2020/02/18 11:31:57 [INFO][blog.siteB.com] Obtain: Done waiting
2020/02/18 11:31:57 [INFO] [blog.siteB.com] acme: Obtaining bundled SAN certificate
2020/02/18 11:31:57 [INFO][git.siteB.com] Obtain certificate
2020/02/18 11:31:57 [INFO][git.siteB.com] Obtain: Waiting on rate limiter...
2020/02/18 11:31:57 [INFO][git.siteB.com] Obtain: Done waiting
2020/02/18 11:31:57 [INFO] [git.siteB.com] acme: Obtaining bundled SAN certificate
^C2020/02/18 11:31:59.067 INFO shutting down {"signal": "SIGINT"}
2020/02/18 11:31:59 [INFO][cache:0xc0002d8f50] Stopped certificate maintenance routine
2020/02/18 11:31:59.067 INFO shutdown done {"signal": "SIGINT"}
The automatically generated JSON file only reads siteA's cert. siteB's is not read.
{
...
"tls": {
"certificates": {
"load_files": [
{
"certificate": "/data/certs/siteA.com/siteA.com.cer",
"key": "/data/certs/siteA.com/siteA.com.key",
"tags": [
"cert0"
]
}
]
}
}
...
}
When I manually add the cert, it works:
{
...
"tls": {
"certificates": {
"load_files": [
{
"certificate": "/data/certs/siteA.com/siteA.com.cer",
"key": "/data/certs/siteA.com/siteA.com.key",
"tags": [
"cert0"
]
},
{
"certificate": "/data/certs/siteB.com/siteB.com.cer",
"key": "/data/certs/siteB.com/siteB.com.key",
"tags": [
"cert1","cert2"
]
}
]
}
}
...
}
This config worked on the lower version, V1.
https://siteA.com {
tls /data/certs/siteA.com/siteA.com.cer /data/certs/siteA.com/siteA.com.key
...
}
https://blog.siteB.com {
tls /data/certs/siteB.com/siteB.com.cer /data/certs/siteB.com/siteB.com.key
...
}
https://git.siteB.com {
tls /data/certs/siteB.com/siteB.com.cer /data/certs/siteB.com/siteB.com.key
...
}
Please help.
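The report above was found by reading the adapted JSON by eye. The following script is an added example, not part of the issue or of Caddy itself: it extracts every `tls <cert> <key>` pair from a Caddyfile, compares it with the `apps.tls.certificates.load_files` entries of the adapted JSON (the `apps` wrapper is Caddy v2's standard JSON layout; the report only shows the `tls` subtree), and lists the sites whose cert/key pair did not survive adaptation. Those are exactly the sites that would silently fall back to automatic certificate management, as `blog.siteB.com` and `git.siteB.com` did in the log. The Caddyfile and both JSON documents are constructed inline to mirror the report; the minimal Caddyfile parser handles top-level site blocks and two-argument `tls` lines only, which is all this check needs.

```python
import json
import re

# Constructed Caddyfile, mirroring the shape of the one in the report.
CADDYFILE = """
https://siteA.com {
    encode zstd gzip
    tls /data/certs/siteA.com/siteA.com.cer /data/certs/siteA.com/siteA.com.key
    reverse_proxy 127.0.0.1:5002 {
        header_up X-Forwarded-Proto {scheme}
    }
}
https://blog.siteB.com {
    tls /data/certs/siteB.com/siteB.com.cer /data/certs/siteB.com/siteB.com.key
    encode zstd gzip
    reverse_proxy 127.0.0.1:4000
}
https://git.siteB.com {
    tls /data/certs/siteB.com/siteB.com.cer /data/certs/siteB.com/siteB.com.key
    encode zstd gzip
    reverse_proxy 127.0.0.1:4000
}
"""

# Constructed adapted JSON reproducing the buggy output (only siteA loaded).
BUGGY_JSON = """
{"apps": {"tls": {"certificates": {"load_files": [
  {"certificate": "/data/certs/siteA.com/siteA.com.cer",
   "key": "/data/certs/siteA.com/siteA.com.key", "tags": ["cert0"]}
]}}}}
"""

# Constructed adapted JSON reproducing the manually corrected config.
FIXED_JSON = """
{"apps": {"tls": {"certificates": {"load_files": [
  {"certificate": "/data/certs/siteA.com/siteA.com.cer",
   "key": "/data/certs/siteA.com/siteA.com.key", "tags": ["cert0"]},
  {"certificate": "/data/certs/siteB.com/siteB.com.cer",
   "key": "/data/certs/siteB.com/siteB.com.key", "tags": ["cert1", "cert2"]}
]}}}}
"""

SITE_RE = re.compile(r"^\s*(\S+)\s*\{\s*$")          # "https://host {"
TLS_RE = re.compile(r"^\s*tls\s+(\S+)\s+(\S+)\s*$")  # "tls <cert> <key>"


def expected_certs(caddyfile: str) -> dict:
    """Map each top-level site address to the (cert, key) pair its tls directive names.
    Nested blocks (e.g. reverse_proxy { ... }) are tracked only to find the site's end."""
    sites, current, depth = {}, None, 0
    for line in caddyfile.splitlines():
        if depth == 0:
            m = SITE_RE.match(line)
            if m:
                current, depth = m.group(1), 1
            continue
        depth += line.count("{") - line.count("}")
        m = TLS_RE.match(line)
        if m and current is not None:
            sites[current] = (m.group(1), m.group(2))
        if depth == 0:
            current = None
    return sites


def loaded_certs(adapted: str) -> set:
    """Collect the (cert, key) pairs Caddy will actually load from the adapted JSON."""
    cfg = json.loads(adapted)
    entries = (cfg.get("apps", {}).get("tls", {})
                  .get("certificates", {}).get("load_files", []))
    return {(e["certificate"], e["key"]) for e in entries}


def missing_certs(caddyfile: str, adapted: str) -> dict:
    """Sites whose tls cert/key pair is absent from load_files.
    Each such site would fall back to automatic (ACME) certificate management."""
    loaded = loaded_certs(adapted)
    return {site: pair for site, pair in expected_certs(caddyfile).items()
            if pair not in loaded}


if __name__ == "__main__":
    for label, doc in (("buggy", BUGGY_JSON), ("fixed", FIXED_JSON)):
        gaps = missing_certs(CADDYFILE, doc)
        print(f"{label}: {len(gaps)} site(s) without their configured cert")
        for site, (cert, _) in gaps.items():
            print(f"  {site} -> {cert} not in load_files")
```

In practice you would feed the script the real adapter output (`caddy adapt --config Caddyfile`) instead of the embedded JSON; a non-empty result means the server will attempt ACME issuance for a host you intended to serve with your own certificate.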
I'm not familiar with Caddyfile. But when it comes to the config JSON, maybe you can add this directive into your server struct:
"automatic_https": {
"disable": true
}
The automatically generated JSON file only reads siteA's cert. siteB's is not read.
Oh, that's strange. Seems like a Caddyfile parser bug if it's not appearing in the adapted JSON.
The only difference I see between your siteA and siteB blocks is that your encode and tls directives are listed in reverse order. Do you mind trying while swapping those?
Thanks for the report, @xfzka -- and to @qwqVictor and @francislavoie for chiming in!
I've pushed a fix for this in 0b09b07 -- please try it out!