caddyserver / caddy

Fast and extensible multi-platform HTTP/1-2-3 web server with automatic HTTPS
https://caddyserver.com
Apache License 2.0

Intermediate certificate expired without using specified root certificate #6337

Closed wangyuanwenGit closed 4 months ago

wangyuanwenGit commented 4 months ago

In the process of using caddy2, we found that in the pki configuration, we used our own ca certificate as root. More importantly, caddy will generate an intermediate certificate.

However, we found that the validity period of the intermediate certificate is one week by default. If the intermediate certificate expires, caddy will regenerate a new root certificate and will not use the root in our configuration. We checked for a long time, and finally in the renewCertsForCA function in the source code:

If we do not configure an intermediate certificate, the root certificate will be reloaded after the intermediate certificate expires, but the root option we configured is not used when loading.

I checked the latest version later and found that this problem has been fixed, so if you encounter the same problem, please update to the latest version directly.

If caddy is built with source code, you can also directly modify the source code to fix it. You only need to modify the loadOrGenRoot function in the ca.go file. For details, please refer to the modification method of the latest version.

Thanks to the official for fixing this bug!
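An added check for the symptom described in this report (example code, not Caddy's own): it issues a configured root, a one-week intermediate under it, then a second intermediate under a freshly generated root, and verifies each against the configured root. The certificate names, lifetimes and keys are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue creates a CA certificate: self-signed when parent is nil (a root), otherwise signed by parent (an intermediate). Constructed test data only.
func issue(name string, ttl time.Duration, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(ttl),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	if parent == nil { // no parent given: sign with the certificate's own key
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// ChainsToRoot reports whether inter is currently valid and was signed by the configured root: the check that would have caught the behaviour reported above.
func ChainsToRoot(inter, root *x509.Certificate) bool {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := inter.Verify(x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err == nil
}

// Scenario mirrors the report: an intermediate renewed under a freshly generated root no longer chains to the operator's configured root.
func Scenario() (expected, regenerated bool) {
	root, rootKey := issue("Configured Root", 10*365*24*time.Hour, nil, nil)
	inter, _ := issue("Caddy Intermediate", 7*24*time.Hour, root, rootKey)
	newRoot, newKey := issue("Regenerated Root", 10*365*24*time.Hour, nil, nil)
	renewed, _ := issue("Caddy Intermediate", 7*24*time.Hour, newRoot, newKey)
	return ChainsToRoot(inter, root), ChainsToRoot(renewed, root)
}
```

Running the same verification against the intermediate a server actually presents, with the operator's configured root as the only trust anchor, detects the regenerated-root condition before the old intermediate expires.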

mholt commented 4 months ago

Just to be sure I understand, you are reporting that you encountered a bug, but it has been fixed?

Thank you for sharing your experience and details for others!

francislavoie commented 4 months ago

Sounds like you were using a really old version. I think https://github.com/caddyserver/caddy/pull/5189 was the fix. What version were you on?