In Caddy, when I disable auto_https and set the tls cert and key to those on the host machine, and have my upstream app(s) use the same certificates, I keep getting an error that says "tls: bad certificate". This works in NGINX, and I have attempted to replicate what I am doing in NGINX, but to no avail. Please note that I do not have the authority to change the way the certificates are managed. We are on a corporate enclave, and we need to use their official PKI. Even if I could get permission to use the certs on the overlay services network, where they would be isolated, the services still have to call out to other services on the enclave network, and there is no way that I could get the other services to trust certificates that my Caddy instance manages. So, if you would, please focus the discussion on what I might be doing wrong with my provided certs and configuration.
I have tried all of the options I could find in the documentation that I thought might possibly alter the behavior. My current approach can be cloned from my GitHub repository, and you can run it if you have a machine with podman running. The Caddyfile shows my approach:
{
	debug
	auto_https off
	ocsp_stapling off
}
:8443 {
	tls /certs/test.crt /certs/test.key
	handle /greeting-service/* {
		reverse_proxy https://greeting-service:8443 {
			header_up Host {env.OUTER_HOST}
			transport http {
				tls_insecure_skip_verify
				tls_server_name {env.OUTER_HOST}
				tls_trusted_ca_certs /certs/trust.pem
				tls_client_auth /certs/test.crt /certs/test.key
			}
		}
	}
}
I have also tried to set the host header to {upstream_hostport}, but my results were the same. Thanks in advance to anyone who can point me in a better direction.
It turns out that I was signing the cert with the CA cert, and then immediately overwriting it by self-signing it. When I fixed that, things appeared to work better. Then I played around with some options, and found the winning/working configuration:
{
	debug
	auto_https off
	ocsp_stapling off
}
:8443 {
	tls /certs/test.crt /certs/test.key {
		client_auth {
			mode require_and_verify
			trusted_ca_cert_file /certs/trust.pem
		}
	}
	handle /greeting-service/* {
		reverse_proxy https://greeting-service:8443 {
			header_up Host {$OUTER_HOST}
			transport http {
				tls_server_name {$OUTER_HOST}
				tls_trusted_ca_certs /certs/trust.pem
				tls_client_auth /certs/test.crt /certs/test.key
			}
		}
	}
}
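A check for the root cause described in the answer, added here and not part of the question, the answer or Caddy itself: using only Go's standard library it builds a throwaway CA, issues the leaf once by that CA and once re-signed with its own key (the overwrite the answer describes), and reports which one a peer that trusts only the CA would accept. Because the working config presents the same cert as server cert and as client cert, both the serverAuth and clientAuth EKUs are verified. The function names, the "Test CA" and "greeting-service" subjects and the one-hour validity are assumptions; no real PKI material is involved.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)
// CheckLeaf says why a peer that trusts only ca would reject leaf with "tls: bad certificate": the leaf is
// self-signed (issuer == subject, the answer's bug), does not chain to ca, or lacks an EKU for one of its two roles.
func CheckLeaf(leaf, ca *x509.Certificate) error {
	if leaf.Issuer.String() == leaf.Subject.String() {
		return fmt.Errorf("certificate is self-signed (issuer %q), not issued by the CA", leaf.Issuer.String())
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	for _, eku := range []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth} {
		if _, err := leaf.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{eku}}); err != nil {
			return fmt.Errorf("chain check failed for EKU %d: %w", eku, err)
		}
	}
	return nil
}

// sign issues tmpl under parent with signerKey. Constructed demo material only, not the corporate PKI.
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signerKey *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signerKey)
	if err != nil {
		panic(err)
	}
	c, _ := x509.ParseCertificate(der) // DER produced a line above always parses
	return c
}

// Demo issues the leaf under a throwaway CA and also re-signed with its own key; nil means accepted.
func Demo() (caIssuedErr, selfSignedErr error) {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Test CA"}, NotBefore: time.Now(),
		NotAfter: time.Now().Add(time.Hour), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	ca := sign(caTmpl, caTmpl, &caKey.PublicKey, caKey)
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "greeting-service"}, NotBefore: time.Now(),
		NotAfter: time.Now().Add(time.Hour), ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}}
	return CheckLeaf(sign(leafTmpl, ca, &leafKey.PublicKey, caKey), ca), CheckLeaf(sign(leafTmpl, leafTmpl, &leafKey.PublicKey, leafKey), ca)
}
func main() { fmt.Println(Demo()) }
```

To apply the same check to real files, load test.crt and trust.pem with encoding/pem and x509.ParseCertificate and pass them to CheckLeaf; a "self-signed" result means the signing step was overwritten as in the answer.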