pki.ca.local - failed to install root certificate

[christoph-kluge]

I'm experimenting with Caddy on OSX but it seems I'm having issues with installing the root/intermediate certificates into the keychain.

It seems to work for Firefox because there it's recognized correctly but all other browser's do not. I did took a look already at #3205 and #3534 but I'm still stuck.

I have tried:

• brew uninstall caddy + remove the /Application Support/Caddy directory
• Adding the root crt into the keychain (system) and trust it manally
• Adding the intermediate crt into the keychain (system) and trust it manually

---

I am running:

• Catalina 10.15.5
• caddy version: v2.1.1 h1:X9k1+ehZPYYrSqBvf/ocUgdLSRIuiNiMo7CvyGUQKeA=
• Browsers: Safari, Opera, Chrome, Firefox

---

Caddyfile

customer3.company.local {
    tls internal

    reverse_proxy * customers.live-domain.com:443 {
        header_up Host customers.live-domain.com
        header_up X-Forwarded-Host {host}
        header_up X-Forwarded-Port {port}
        header_up X-Forwarded-Proto {proto}
        header_up X-Forwarded-Proto-Custom {proto}
        header_up CloudFront-Forwarded-Proto {proto}

        transport http {
            tls_server_name customers.live-domain.com
        }
    }
}

Logs when adding a new local domain (before manually trusting certificates)

2020/07/11 05:37:43.815 INFO    watcher config file changed; reloading  {"config_file": "Caddyfile"}
2020/07/11 05:37:43.815 INFO    using provided configuration    {"config_file": "Caddyfile", "config_adapter": ""}
2020/07/11 05:37:43.816 INFO    admin   admin endpoint started  {"address": "tcp/localhost:2019", "enforce_origin": false, "origins": ["localhost:2019", "[::1]:2019", "127.0.0.1:2019"]}
2020/07/11 05:37:43.816 INFO    admin   stopped previous server
2020/07/11 07:37:43 [INFO][cache:0xc000723080] Started certificate maintenance routine
2020/07/11 05:37:43.817 INFO    http    server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS {"server_name": "srv0", "https_port": 443}
2020/07/11 05:37:43.817 INFO    http    enabling automatic HTTP->HTTPS redirects        {"server_name": "srv0"}
2020/07/11 05:37:43.817 WARN    pki.ca.local    installing root certificate (you might be prompted for password)        {"path": "storage:pki/authorities/local/root.crt"}
2020/07/11 05:37:43.889 ERROR   pki.ca.local    failed to install root certificate      {"error": "certificate cannot be installed in NSS security databases", "certificate_file": "storage:pki/authorities/local/root.crt"}
2020/07/11 05:37:43.889 INFO    http    enabling automatic TLS certificate management   {"domains": ["customer2.company.local"]}
2020/07/11 07:37:43 [INFO][cache:0xc000797f20] Stopped certificate maintenance routine
2020/07/11 05:37:43.889 INFO    autosaved config        {"file": "/Users/christophkluge/Library/Application Support/Caddy/autosave.json"}
2020/07/11 07:37:43 [INFO][customer2.company.local] Obtain certificate; acquiring lock...
2020/07/11 07:37:43 [INFO][customer2.company.local] Obtain: Lock acquired; proceeding...
2020/07/11 07:37:43 [INFO][customer2.company.local] Certificate obtained successfully
2020/07/11 07:37:43 [INFO][customer2.company.local] Obtain: Releasing lock
2020/07/11 07:37:43 [WARNING] Stapling OCSP: no OCSP stapling for [customer2.company.local]: no OCSP server specified in certificate

Logs when adding a new local domain (after manually trusting certificates)

2020/07/11 05:56:09.544 INFO    watcher config file changed; reloading  {"config_file": "Caddyfile"}
2020/07/11 05:56:09.544 INFO    using provided configuration    {"config_file": "Caddyfile", "config_adapter": ""}
2020/07/11 05:56:09.545 INFO    admin   admin endpoint started  {"address": "tcp/localhost:2019", "enforce_origin": false, "origins": ["127.0.0.1:2019", "localhost:2019", "[::1]:2019"]}
2020/07/11 07:56:09 [INFO][cache:0xc000c5d920] Started certificate maintenance routine
2020/07/11 05:56:09.545 INFO    admin   stopped previous server
2020/07/11 05:56:09.546 INFO    http    server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS {"server_name": "srv0", "https_port": 443}
2020/07/11 05:56:09.546 INFO    http    enabling automatic HTTP->HTTPS redirects        {"server_name": "srv0"}
2020/07/11 05:56:09.546 INFO    pki.ca.local    root certificate is already trusted by system   {"path": "storage:pki/authorities/local/root.crt"}
2020/07/11 05:56:09.546 INFO    http    enabling automatic TLS certificate management   {"domains": ["customer3.company.local"]}
2020/07/11 07:56:09 [INFO][cache:0xc00011c360] Stopped certificate maintenance routine
2020/07/11 05:56:09.546 INFO    autosaved config        {"file": "/Users/christophkluge/Library/Application Support/Caddy/autosave.json"}
2020/07/11 07:56:09 [INFO][customer3.company.local] Obtain certificate; acquiring lock...
2020/07/11 07:56:09 [INFO][customer3.company.local] Obtain: Lock acquired; proceeding...
2020/07/11 07:56:09 [INFO][customer3.company.local] Certificate obtained successfully
2020/07/11 07:56:09 [INFO][customer3.company.local] Obtain: Releasing lock
2020/07/11 07:56:09 [WARNING] Stapling OCSP: no OCSP stapling for [customer3.company.local]: no OCSP server specified in certificate

Logs when opening the website in the browser (2x refreshed)

2020/07/11 07:54:17 http: TLS handshake error from 127.0.0.1:62849: EOF
2020/07/11 07:54:17 http: TLS handshake error from 127.0.0.1:62850: EOF
2020/07/11 07:55:27 http: TLS handshake error from 127.0.0.1:63176: EOF
2020/07/11 07:55:27 http: TLS handshake error from 127.0.0.1:63177: EOF

Screenshots:

Before adding certitficates

After adding root certificate

After adding intermediate certificate

[francislavoie]

Could you try the latest build from the master branch? There have been some fixes recently that may be relevant for you here, see #3535

[francislavoie]

To follow up, you can use the build from source or use the latest CI artifact

[mholt]

Yeah I think this is resolved already. Thanks for the report!

Duplicate of #3535

[christoph-kluge]

Feedback: With the latest CI artifact (724613a) I see that the host certificate is now correctly recognized 👍 but the CA is not added to the keychain nor it gets trusted. I added couple of scenarios what I have tried:

Case 1) caddy trust does not add the root cert to macOS keychain

GIVEN is an empty macOS keychain
 WHEN I perform a `caddy trust`
 THEN the root certificate is NOT added to the macOS keychain

% caddy trust
2020/07/12 11:02:18.209 WARN    ca.local        installing root certificate (you might be prompted for password)        {"path": "storage:pki/authorities/local/root.crt"}
trust: certificate cannot be installed in NSS security databases

Case 2) caddy trust does not set the root cert to trusted

GIVEN manually added certificate in the macOS keychain
  AND the certificate is still untrusted
 WHEN I perform a `caddy trust` 
 THEN the root certificate is still untrusted

 % caddy trust  
2020/07/12 11:00:38.842 WARN    ca.local        installing root certificate (you might be prompted for password)        {"path": "storage:pki/authorities/local/root.crt"}
trust: certificate cannot be installed in NSS security databases

Case 3) caddy untrust works as expected

GIVEN manually added certificate in the macOS keychain
  AND the certificate is set manually to trusted
 WHEN I perform a `caddy untrust` 
 THEN the root certificate is correctly "untrusted"

 % caddy untrust       
2020/07/12 13:00:15 certificate uninstalled properly from NSS security databases
2020/07/12 13:00:15 define JAVA_HOME environment variable to use the Java trust
Password:
2020/07/12 13:00:18 certificate uninstalled properly from macOS keychain

[mholt]

@christoph-kluge

Case 1) caddy trust does not add the root cert to macOS keychain
% caddy trust
2020/07/12 11:02:18.209 WARN ca.local installing root certificate (you might be prompted for password) {"path": "storage:pki/authorities/local/root.crt"}
trust: certificate cannot be installed in NSS security databases

It looks like it worked; NSS security database != macOS keychain.

Case 2) caddy trust does not set the root cert to trusted

How do you know? You have not presented any evidence that it does not work. (Some browsers require you to restart them, FYI.)

[christoph-kluge]

Fair enough. I'm looking at the keychain in macOS directly. Do you expect a differnt type of evidence that it does not work?

Additionally to case 1)
I did a full reset again. Run caddy trust. They macOS keychain is still empty and not showing the Caddy ECC root certificate. I was not asked for sudo permissions. In order to validate that I didn't had sudo permissions before I ran a custom sudo command which was asking me for permissions.

% caddy trust
2020/07/13 09:00:23.004 WARN    ca.local        installing root certificate (you might be prompted for password)        {"path": "storage:pki/authorities/local/root.crt"}
trust: certificate cannot be installed in NSS security databases

% date; sudo vi /etc/hosts
Mon Jul 13 11:00:43 CEST 2020
Password:

Additionally to Case 2)
I did add the certificate manually into the macOS keychain. I ran again caddy trust and checked the certificate state directly inside the macOS Keychain.

% caddy trust
2020/07/13 09:07:11.409 WARN    ca.local        installing root certificate (you might be prompted for password)        {"path": "storage:pki/authorities/local/root.crt"}
trust: certificate cannot be installed in NSS security databases

[mholt]

Hmm, make sure you've configured the cert's trust settings properly. Something like this:

[christoph-kluge]

@mholt thnak you so much for beeing patient with me. Setting these manually with the latest CI artefact works fine 👍 Since the root cert is valid for 10y+ it's kinda a one-off setup task.

I'm just curious if it's just me experiencing this issue or am I misunderstanding the desired behavior for caddy trust on macOS?

a) Should it automatically add the root cert into the keychain?
b) Should it automatically set the trust level to "always trust"?

I'm able to reproduce this over and over again.

[mholt]

It "just works" for me consistently -- but the installation is merely best-effort. If you can figure out why it's not working for you, I'd be happy to see an explanation and review a PR.

[christoph-kluge]

Small update: I have digged into the smallstep/trustcert package and checked the raw commands. They work as expected.

Reference: https://github.com/smallstep/truststore/blob/master/truststore_darwin.go#L55
Example: sudo security add-trusted-cert -d -k /Library/Keychains/System.keychain ~/Library/Application\ Support/Caddy/pki/authorities/local/root.crt

After deleting the certificate manually from the keychain and executing the above command manually: The certificate is correctly added correctly and set to trusted.

I'm not much an expert in golang which results in some starting difficulties to follow the code but I have the feeling there could be some cache/flag which prevents the command from beeing re-executed. This is perhaps the reason why I'm not recieving the sudo-promt anymore when running caddy trust.

Do you think it's an issue related to this project or related to smallstep/truststore?

[mholt]

Do you think it's an issue related to this project or related to smallstep/truststore?

I'm not sure -- how can we reproduce the problem?