Hey everyone,
I was thrilled to find out that OPNsense now has a plugin for Caddy, so I started to migrate my configuration from HAProxy to Caddy. However, I seem to be running into some snags:
1. Wildcard certificates do not seem to include the domain root.
When using a wildcard certificate and browsing to myDomain.com, I get an invalid certificate error. However, when browsing to www.myDomain.com, everything is fine. So it seems that the wildcard certificate does not contain the domain root and I cannot find any way to include it.
2. I cannot replace headers for forwarding requests
In the documentation (https://docs.opnsense.org/manual/how-tos/caddy.html) it states you can manipulate the headers when sending to vhosts; however, the "headers" tab mentioned in the documentation seems to be missing. Since I cannot set the headers, my routing fails.
Is there a way to resolve these problems? And is there a way to see what config the caddy plugin generates?
Thanks!
Hello,
1. I'm not sure about this yet, I will ask the Caddy community what should happen. Can you share your Caddyfile with me? (You can replace your domain name and API tokens etc... with example.com or something)
cat /usr/local/etc/caddy/Caddyfile
And please tell me what the SAN of your wildcard cert includes.
2. The header feature comes in the upcoming version os-caddy-1.5.4 in a few days; I was faster with the docs than with the new version release.
https://github.com/opnsense/plugins/pull/3891
It seems like the input validation that prevents creating both *.example.com and example.com in domains is too strict.
https://caddy.community/t/create-wildcard-cert-with-other-sans-too/16322
The Wildcard certificate won't include the SAN of the base domain. So it would have to be created as additional domain, like this:
*.example.com {
}
example.com {
}
The base domain "example.com" would then need the handle of "www.example.com" cloned and assigned to it.
I will create a small patch that fixes this input validation error.
https://github.com/opnsense/plugins/pull/3915
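To make the layout described above concrete, here is an added example Caddyfile (written for this thread, not taken from the os-caddy plugin or the OPNsense docs). It assumes the DNS-01 challenge is used with the Cloudflare provider and an API token in the CLOUDFLARE_API_TOKEN environment variable, that the backend lives at 10.0.0.10:8080, and that the plugin's Caddy build includes that DNS module; all of those are assumptions, as are the host names. The wildcard block serves www.example.com, and a separate example.com block carries the same handler, since the wildcard certificate's SAN list does not cover the base domain.

```caddyfile
# Wildcard site: covers www.example.com and any other subdomain.
# Assumption: Caddy issues *.example.com via the DNS-01 challenge
# with the Cloudflare provider and a token from the environment.
*.example.com {
	tls {
		dns cloudflare {env.CLOUDFLARE_API_TOKEN}
	}

	# Named matcher so only the hosts you expect get routed.
	@www host www.example.com
	handle @www {
		# Assumed backend; header_up rewrites the Host header the
		# backend sees so vhost-based routing on it still matches.
		reverse_proxy 10.0.0.10:8080 {
			header_up Host {upstream_hostport}
		}
	}

	# Unknown subdomains get no backend at all.
	handle {
		abort
	}
}

# Base domain: its own site block and its own certificate, because
# *.example.com does not include example.com in its SAN. The handler
# is a copy of the www one, as suggested above.
example.com {
	reverse_proxy 10.0.0.10:8080 {
		header_up Host {upstream_hostport}
	}
}
```

On OPNsense the plugin writes the generated file to /usr/local/etc/caddy/Caddyfile, so after saving the two domains in the GUI you can compare the result against this shape with `cat /usr/local/etc/caddy/Caddyfile` and check it parses with `caddy validate --config /usr/local/etc/caddy/Caddyfile`. The `abort` fallback in the wildcard block is a defensive choice so that a stray subdomain resolving to the firewall does not get proxied to a backend by accident.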
Thank you for the amazingly fast reply and patch!
Currently it's indeed not possible to add a wildcard certificate and a root domain at the same time. I will try your patch; that would already solve a part of my problem.
Once the header feature is released I believe my other problem would be solved as well.
That being said: I don't know what the future plans for the plugin are, but I have a feature request. Where could I log this request?
Thanks in advance!
You can put feature requests here:
https://github.com/opnsense/plugins/issues
If it's nothing too unreasonable it's likely that I will include it at some point. Though if it's a very edge case, using https://docs.opnsense.org/manual/how-tos/caddy.html#using-custom-configuration-files is the best choice to have things working right away.