Topic: Some issues with Caddy (Certificate and Routing) (Read 1001 times)
Stitch10925, Newbie, Posts: 17, Karma: 1
« on: April 16, 2024, 10:59:30 am »
Hey everyone,
I was thrilled to find out that OPNsense now has a plugin for Caddy, so I started to migrate my configuration from HAProxy to Caddy. However, I seem to be running into some snags:
1. Wildcard certificates do not seem to include the domain root.
When using a wildcard certificate and browsing to myDomain.com, I get an invalid certificate error. However, when browsing to www.myDomain.com, everything is fine. So it seems that the wildcard certificate does not contain the domain root and I cannot find any way to include it.
2. I cannot replace headers for forwarding requests
In the documentation (https://docs.opnsense.org/manual/how-tos/caddy.html) it states you can manipulate the headers when sending to vhosts, however, the "headers" tab mentioned in the documentation seems to be missing. Since I cannot set the headers, my routing fails.
Is there a way to resolve these problems? And is there a way to see what config the caddy plugin generates?
Thanks!
Monviech (Cedrik), Global Moderator, Hero Member, Posts: 1600, Karma: 176
« Reply #1 on: April 16, 2024, 12:02:00 pm »
Hello,
1. I'm not sure about this yet, I will ask the Caddy community what should happen. Can you share your Caddyfile with me? (You can replace your domain name and API tokens etc... with example.com or something)
Code:
cat /usr/local/etc/caddy/Caddyfile
And please tell me what the SAN of your wildcard cert includes.
2. The header feature comes in the upcoming version os-caddy-1.5.4 in a few days, I was faster with the docs than the new version releases.
https://github.com/opnsense/plugins/pull/3891
« Last Edit: April 16, 2024, 12:07:38 pm by Monviech »
Hardware: DEC740
Monviech (Cedrik), Global Moderator, Hero Member, Posts: 1600, Karma: 176
« Reply #2 on: April 16, 2024, 01:53:49 pm »
It seems like the input validation that prevents creating both *.example.com and example.com in domains is too strict.
https://caddy.community/t/create-wildcard-cert-with-other-sans-too/16322
The wildcard certificate won't include the SAN of the base domain. So it would have to be created as an additional domain, like this:
Code:
*.example.com {
}
example.com {
}
The base domain "example.com" would then need the handle of "www.example.com" cloned and assigned to it.
I will create a small patch that fixes this input validation error.
https://github.com/opnsense/plugins/pull/3915
« Last Edit: April 16, 2024, 02:13:50 pm by Monviech »
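The wildcard behaviour described in the reply above, as an added example that is not part of the original thread or the plugin's code: a small checker that reports which served hostnames a certificate's SAN list leaves uncovered. The function names and the sample hostnames are constructed for illustration; the matching rule assumed is the common TLS client rule from RFC 6125 / RFC 9525.

```python
"""Which hostnames does a certificate's SAN list actually cover?

Added example; names and sample data are constructed for illustration.
Matching follows the common TLS client rule (RFC 6125 / RFC 9525): a
wildcard is honoured only as the whole left-most label and stands for
exactly one label.
"""


def _labels(name: str) -> list[str]:
    # DNS names are case-insensitive; a trailing dot is the root label.
    return name.strip().rstrip(".").lower().split(".")


def san_matches(hostname: str, san: str) -> bool:
    host, pattern = _labels(hostname), _labels(san)
    if len(host) != len(pattern):
        # "*.example.com" has 3 labels, "example.com" has 2: no match,
        # and neither does "a.b.example.com" with 4.
        return False
    if pattern[0] == "*":
        # The wildcard replaces one non-empty left-most label only.
        return bool(host[0]) and host[1:] == pattern[1:]
    return host == pattern


def uncovered(hostnames: list[str], sans: list[str]) -> list[str]:
    """Return the hostnames no SAN entry covers (clients will reject these)."""
    return [h for h in hostnames if not any(san_matches(h, s) for s in sans)]


# Constructed sample: names a reverse proxy is expected to serve.
SERVED = ["example.com", "www.example.com", "api.example.com", "a.b.example.com"]

if __name__ == "__main__":
    for sans in (["*.example.com"], ["*.example.com", "example.com"]):
        print(sans, "-> not covered:", uncovered(SERVED, sans))
```

Run against the SAN list read from the deployed certificate, any name it returns is one where browsers will show a certificate error until a matching entry is added.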
Stitch10925, Newbie, Posts: 17, Karma: 1
« Reply #3 on: April 16, 2024, 10:18:08 pm »
Thank you for the amazingly fast reply and patch!
Currently it's indeed not possible to add a wildcard certificate and a root domain at the same time. I will try your patch, that would already solve a part of my problem.
Once the header feature is released I believe my other problem would be solved as well.
That being said: I don't know what the future plans for the plugin are, but I have a feature request. Where could I log this request?
Thanks in advance!
Monviech (Cedrik), Global Moderator, Hero Member, Posts: 1600, Karma: 176
« Reply #4 on: April 17, 2024, 07:41:51 am »
You can put feature requests here:
https://github.com/opnsense/plugins/issues
If it's nothing too unreasonable it's likely that I will include it at some point. Though if it's a very edge case, using the https://docs.opnsense.org/manual/how-tos/caddy.html#using-custom-configuration-files is the best choice to have things working right away.