Caddy: TLS Internal where to set install_trust or installtrust

Created on 7 May 2020 · 5 comments · Source: caddyserver/caddy

I want to use self-signed certificates for my IP address and reverse DNS hostname so I use tls internal but I don't want to add this self-signed cert to my system certificate store. (Caddy runs as www-data anyway so calling sudo doesn't work)

Where do I set install_trust or InstallTrust to false?
I can see it in
https://github.com/caddyserver/caddy/search?q=install_trust&unscoped_q=install_trust
and
https://github.com/caddyserver/caddy/search?q=InstallTrust&unscoped_q=InstallTrust

but neither term appears in the docs at
https://caddyserver.com/docs/caddyfile/directives/tls

Relevant error for search engines:

May 06 20:49:39 hostname.com caddy[4314]: {"level":"error","ts":1588823379.7819474,"logger":"pki.ca.local","msg":"failed to install root certificate","error":"failed to execute sudo: fork/exec /usr/bin/sudo: permission denied","certificate_file":"storage:pki/authorities/local/root.crt"}

Thanks

All 5 comments

It's here, in the JSON: https://caddyserver.com/docs/json/apps/pki/#certificate_authorities/install_trust

Configure that to false for the CA named "local".

This is how I got it working. The name/key of the CA should be "local" instead of "default" for the current version.

{
  "apps": {
    "pki": {
      "certificate_authorities": {
        "local": {
          "name": "Local (self-signed)",
          "root_common_name": "local",
          "intermediate_common_name": "local",
          "install_trust": false
        }
      }
    },
    "http": {...}
  }
}
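The JSON above only shows the pki app on its own; in practice it has to be merged into the full config (for example the JSON that `caddy adapt --config Caddyfile` emits, which contains no pki app at all, so the CA keeps its default of installing trust). The following Python is an added example, not code from the Caddy project or from anyone in this thread: it adds the "local" CA entry with install_trust=false to an existing config and checks the result. The sample adapted config is constructed; only the key names shown in the thread are relied on.

```python
"""Add install_trust=false for Caddy's "local" CA to an existing JSON config."""
import copy
import json

# Constructed stand-in for `caddy adapt` output of a Caddyfile using `tls internal`.
# Note there is no "pki" app: Caddy then uses its defaults, which install trust.
ADAPTED_CONFIG = json.loads("""
{
  "apps": {
    "http": {
      "servers": {
        "srv0": {
          "listen": [":443"],
          "routes": [{"handle": [{"handler": "static_response", "body": "ok"}]}]
        }
      }
    },
    "tls": {
      "automation": {"policies": [{"issuers": [{"module": "internal"}]}]}
    }
  }
}
""")


def disable_trust_install(config: dict, ca_id: str = "local") -> dict:
    """Return a copy of config where apps.pki.certificate_authorities[ca_id]
    has install_trust=false. A missing key means Caddy's default (true),
    so the CA entry is created when it is absent. The input is not modified."""
    cfg = copy.deepcopy(config)
    cas = (cfg.setdefault("apps", {})
              .setdefault("pki", {})
              .setdefault("certificate_authorities", {}))
    ca = cas.setdefault(ca_id, {"name": "Local (self-signed)"})
    ca["install_trust"] = False
    return cfg


def trust_install_disabled(config: dict, ca_id: str = "local") -> bool:
    """True only when install_trust is explicitly false for ca_id; an absent
    key or a true value means Caddy will still try to sudo into the trust store."""
    ca = (config.get("apps", {}).get("pki", {})
                .get("certificate_authorities", {}).get(ca_id, {}))
    return ca.get("install_trust") is False


if __name__ == "__main__":
    fixed = disable_trust_install(ADAPTED_CONFIG)
    print(json.dumps(fixed, indent=2))  # feed this to `caddy run --config`
```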

Oops! You're right, I updated my comment. (It was always "local" I just forgot.)

That should be in the documentation somehow. I was reading this section:

The first time a root key is used, Caddy will try to install it into the system's local trust store(s). If it does not have permission to do so, it will prompt for a password. This behavior can be disabled in the configuration if it is not desired.

And then there is no further information on how this can be disabled. I was not able to find anything in the documentation and the link @mholt gave above is broken. Seems the json config for the pki app is currently not documented (any more?).

@djmaze It's back up now; when I updated the docs a couple days ago I forgot to update that package. (There's a bug in the doc system that requires that I wipe them all and manually re-add each package. I really need to fix that...)
