caddyserver / caddy

Fast and extensible multi-platform HTTP/1-2-3 web server with automatic HTTPS
https://caddyserver.com
Apache License 2.0

v2: can not skip automatic certificate even already set cert path #3056

Closed xfzka closed 4 years ago

xfzka commented 4 years ago

Here is my Caddyfile. My cert files are obtained from acme.sh; their domains are *.siteA.com and *.siteB.com.

https://siteA.com {
    encode zstd gzip
    tls /data/certs/siteA.com/siteA.com.cer /data/certs/siteA.com/siteA.com.key
    reverse_proxy 127.0.0.1:5002 {
        header_up Host {host}
        header_up X-Real-IP {remote_host}
        header_up X-Forwarded-For {remote_host}
        header_up X-Forwarded-Proto {scheme}
    }
}

https://blog.siteB.com {
    tls /data/certs/siteB.com/siteB.com.cer /data/certs/siteB.com/siteB.com.key
    encode zstd gzip
    reverse_proxy 127.0.0.1:4000 {
        header_up Host {host}
        header_up X-Real-IP {remote_host}
        header_up X-Forwarded-For {remote_host}
        header_up X-Forwarded-Proto {scheme}
    }
}

https://git.siteB.com {
    tls /data/certs/siteB.com/siteB.com.cer /data/certs/siteB.com/siteB.com.key
    encode zstd gzip
    reverse_proxy 127.0.0.1:4000 {
        header_up Host {host}
        header_up X-Real-IP {remote_host}
        header_up X-Forwarded-For {remote_host}
        header_up X-Forwarded-Proto {scheme}
    }
}

Here is the output:

./caddy2_beta14_linux_amd64 version
v2.0.0-beta.14 h1:QX1hRMfTA5sel53o5SuON1ys50at6yuSAnPr56sLeK8=
./caddy2_beta14_linux_amd64 run
2020/02/18 11:31:55.598 INFO    using adjacent Caddyfile
2020/02/18 11:31:55.602 INFO    admin   admin endpoint started  {"address": "localhost:2019", "enforce_origin": false, "origins": ["localhost:2019"]}
2020/02/18 11:31:55 [INFO][cache:0xc0002d8f50] Started certificate maintenance routine
2020/02/18 11:31:55.603 INFO    http    enabling automatic HTTP->HTTPS redirects    {"server_name": "srv0"}
2020/02/18 11:31:55.604 INFO    tls cleaned up storage units
2020/02/18 11:31:55.604 INFO    http    skipping automatic certificate management because one or more matching certificates are already loaded  {"domain": "siteA.com", "server_name": "srv0"}
2020/02/18 11:31:55.604 INFO    http    enabling automatic TLS certificate management   {"domains": ["blog.siteB.com", "git.siteB.com"]}
2020/02/18 11:31:55.604 INFO    autosaved config    {"file": "/root/.config/caddy/autosave.json"}
2020/02/18 11:31:55.604 INFO    serving initial configuration
2020/02/18 11:31:57 [INFO][blog.siteB.com] Obtain certificate
2020/02/18 11:31:57 [INFO][blog.siteB.com] Obtain: Waiting on rate limiter...
2020/02/18 11:31:57 [INFO][blog.siteB.com] Obtain: Done waiting
2020/02/18 11:31:57 [INFO] [blog.siteB.com] acme: Obtaining bundled SAN certificate
2020/02/18 11:31:57 [INFO][git.siteB.com] Obtain certificate
2020/02/18 11:31:57 [INFO][git.siteB.com] Obtain: Waiting on rate limiter...
2020/02/18 11:31:57 [INFO][git.siteB.com] Obtain: Done waiting
2020/02/18 11:31:57 [INFO] [git.siteB.com] acme: Obtaining bundled SAN certificate
^C2020/02/18 11:31:59.067   INFO    shutting down   {"signal": "SIGINT"}
2020/02/18 11:31:59 [INFO][cache:0xc0002d8f50] Stopped certificate maintenance routine
2020/02/18 11:31:59.067 INFO    shutdown done   {"signal": "SIGINT"}

The automatically generated JSON file only reads siteA's cert; siteB's is not read.

{
...
"tls": {
    "certificates": {
        "load_files": [
            {
                "certificate": "/data/certs/siteA.com/siteA.com.cer",
                "key": "/data/certs/siteA.com/siteA.com.key",
                "tags": [
                    "cert0"
                ]
            }
        ]
    }
}
...
}

When I manually add the cert, it works:

{
...
"tls": {
    "certificates": {
        "load_files": [
            {
                "certificate": "/data/certs/siteA.com/siteA.com.cer",
                "key": "/data/certs/siteA.com/siteA.com.key",
                "tags": [
                    "cert0"
                ]
            },
            {
                "certificate": "/data/certs/siteB.com/siteB.com.cer",
                "key": "/data/certs/siteB.com/siteB.com.key",
                "tags": [
                    "cert1", "cert2"
                ]
            }
        ]
    }
}
...
}

This config worked on the lower V1 version.

https://siteA.com {
    tls /data/certs/siteA.com/siteA.com.cer /data/certs/siteA.com/siteA.com.key
    ...
}

https://blog.siteB.com {
    tls /data/certs/siteB.com/siteB.com.cer /data/certs/siteB.com/siteB.com.key
    ...
}

https://git.siteB.com {
    tls /data/certs/siteB.com/siteB.com.cer /data/certs/siteB.com/siteB.com.key
    ...
}

Please help

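The failure mode in the report is easy to miss in production: a `tls <cert> <key>` pair that does not make it into the adapted JSON's `load_files` does not fail loudly, it silently hands that hostname to automatic certificate management, as the "enabling automatic TLS certificate management" log lines for blog.siteB.com and git.siteB.com show. The script below is an added example (not code from the Caddy project or from the reporter) that checks an adapted config against the Caddyfile it came from: it lists hosts whose cert/key pair is absent from `load_files` and builds the corrected `load_files` list. The Caddyfile and JSON fragment are constructed from the report above; the JSON is assumed to sit under `apps.tls` as in Caddy v2's JSON structure, and the `certN` tag numbering (one tag per site block, in order) follows the tags visible in the report, on the assumption that the connection policies in the full config refer to those tags.

```python
"""Check that an adapted Caddy v2 JSON loads every `tls <cert> <key>`
pair named in the Caddyfile.  Added example, not Caddy's own code."""
import json
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample input, reduced from the report above.
CADDYFILE = """\
https://siteA.com {
    encode zstd gzip
    tls /data/certs/siteA.com/siteA.com.cer /data/certs/siteA.com/siteA.com.key
    reverse_proxy 127.0.0.1:5002
}

https://blog.siteB.com {
    tls /data/certs/siteB.com/siteB.com.cer /data/certs/siteB.com/siteB.com.key
    encode zstd gzip
    reverse_proxy 127.0.0.1:4000
}

https://git.siteB.com {
    tls /data/certs/siteB.com/siteB.com.cer /data/certs/siteB.com/siteB.com.key
    encode zstd gzip
    reverse_proxy 127.0.0.1:4000
}
"""

# The adapted fragment from the report; assumed to live under apps.tls.
ADAPTED_JSON = """\
{"apps": {"tls": {"certificates": {"load_files": [
  {"certificate": "/data/certs/siteA.com/siteA.com.cer",
   "key": "/data/certs/siteA.com/siteA.com.key",
   "tags": ["cert0"]}
]}}}}
"""


@dataclass
class Site:
    hosts: List[str]
    cert_pair: Optional[Tuple[str, str]] = None  # (cert file, key file)


def parse_caddyfile_tls(text: str) -> List[Site]:
    """Site blocks in file order with their site-level `tls <cert> <key>`.
    Minimal brace-depth parser; nested blocks (e.g. reverse_proxy { })
    are tracked so only a depth-1 tls directive counts."""
    sites: List[Site] = []
    current: Optional[Site] = None
    depth = 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        opens = line.endswith("{")
        if opens:
            line = line[:-1].strip()
        if depth == 0:
            if opens:
                depth = 1
                current = None
                if line:  # a bare "{" would be the global options block
                    # "https://blog.siteB.com:443" -> "blog.siteB.com"
                    hosts = [a.strip().split("://", 1)[-1].split(":", 1)[0]
                             for a in line.split(",") if a.strip()]
                    current = Site(hosts)
                    sites.append(current)
            continue
        if line == "}":
            depth -= 1
            continue
        tokens = line.split()
        # exactly two args means cert + key (one arg is an email or "internal")
        if depth == 1 and current and tokens[0] == "tls" and len(tokens) == 3:
            current.cert_pair = (tokens[1], tokens[2])
        if opens:
            depth += 1
    return sites


def loaded_pairs(config: dict) -> Set[Tuple[str, str]]:
    files = (config.get("apps", {}).get("tls", {})
             .get("certificates", {}).get("load_files", []))
    return {(f["certificate"], f["key"]) for f in files}


def unloaded_hosts(caddyfile: str, adapted: str) -> Dict[str, Tuple[str, str]]:
    """Hosts whose cert/key pair is missing from load_files; Caddy would
    put these under automatic (ACME) management instead."""
    loaded = loaded_pairs(json.loads(adapted))
    missing: Dict[str, Tuple[str, str]] = {}
    for site in parse_caddyfile_tls(caddyfile):
        if site.cert_pair and site.cert_pair not in loaded:
            for host in site.hosts:
                missing[host] = site.cert_pair
    return missing


def patched_load_files(caddyfile: str, adapted: str) -> List[dict]:
    """load_files with the missing pairs appended, tagged certN by site
    index (assumed to match the adapter's tags seen in the report)."""
    config = json.loads(adapted)
    files = list(config["apps"]["tls"]["certificates"]["load_files"])
    loaded = loaded_pairs(config)
    extra: Dict[Tuple[str, str], List[str]] = {}
    for i, site in enumerate(parse_caddyfile_tls(caddyfile)):
        if site.cert_pair and site.cert_pair not in loaded:
            extra.setdefault(site.cert_pair, []).append(f"cert{i}")
    for (cert, key), tags in extra.items():
        files.append({"certificate": cert, "key": key, "tags": tags})
    return files


if __name__ == "__main__":
    for host, (cert, _) in unloaded_hosts(CADDYFILE, ADAPTED_JSON).items():
        print(f"{host}: {cert} not in load_files, automatic HTTPS will take over")
    print(json.dumps({"load_files": patched_load_files(CADDYFILE, ADAPTED_JSON)}, indent=2))
```

Run it against `caddy adapt --config Caddyfile` output before deploying a config that must never touch ACME: an empty result from `unloaded_hosts` is the condition under which the "skipping automatic certificate management" line should appear for every host.
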
qwqVictor commented 4 years ago

I'm not familiar with Caddyfile. But when it comes to the config JSON, maybe you can add this directive into your server struct:

"automatic_https": {
    "disable": true
}

francislavoie commented 4 years ago

the automatic generated json file only read siteA's cert. siteB is not read.

Oh, that's strange. Seems like a Caddyfile parser bug if it's not appearing in the adapted JSON.

The only difference I see between your siteA and siteB blocks are that your encode and tls directives are listed in reverse order. Do you mind trying while swapping those?

mholt commented 4 years ago

Thanks for the report, @xfzka -- and to @qwqVictor and @francislavoie for chiming in!

I've pushed a fix for this in 0b09b07 -- please try it out!