Some issues with Caddy (Certificate and Routing)

Started by Stitch10925, April 16, 2024, 10:59:30 AM

Hey everyone,

I was thrilled to find out that OpnSense now has a plugin for Caddy, so I started to migrate my configuration from HAProxy to Caddy. However, I seem to be running into some snags:

1. Wildcard certificates do not seem to include the domain root.

When using a wildcard certificate and browsing to myDomain.com, I get an invalid certificate error. However, when browsing to www.myDomain.com, everything is fine. So it seems that the wildcard certificate does not contain the domain root and I cannot find any way to include it.

2. I cannot replace headers for forwarding requests

In the documentation (https://docs.opnsense.org/manual/how-tos/caddy.html) it states you can manipulate the headers when sending to vhosts, however, the "headers" tab mentioned in the documentation seems to be missing. Since I cannot set the headers, my routing fails.

Is there a way to resolve these problems? And is there a way to see what config the caddy plugin generates?

Thanks!

April 16, 2024, 12:02:00 PM #1 Last Edit: April 16, 2024, 12:07:38 PM by Monviech
Hello,

1. I'm not sure about this yet, I will ask the Caddy community what should happen. Can you share your Caddyfile with me? (You can replace your domain name and API tokens etc... with example.com or something)

cat /usr/local/etc/caddy/Caddyfile

And please tell me what the SAN of your wildcard cert includes.

2. The header feature comes in the upcoming version os-caddy-1.5.4 in a few days; I was faster with the docs than the new version releases.
https://github.com/opnsense/plugins/pull/3891
Hardware:
DEC740

April 16, 2024, 01:53:49 PM #2 Last Edit: April 16, 2024, 02:13:50 PM by Monviech
It seems like the input validation that prevents creating both *.example.com and example.com in domains is too strict.

https://caddy.community/t/create-wildcard-cert-with-other-sans-too/16322

The Wildcard certificate won't include the SAN of the base domain. So it would have to be created as additional domain, like this:

*.example.com {
}

example.com {
}

The base domain "example.com" would then need the handle of "www.example.com" cloned and assigned to it.

I will create a small patch that fixes this input validation error.
https://github.com/opnsense/plugins/pull/3915
Hardware:
DEC740
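To make the SAN point above concrete, here is a small added check (not part of the plugin or of anyone's post) that applies the hostname matching rule browsers use to a certificate's SAN list: a wildcard label matches exactly one label, so *.example.com covers www.example.com but never the apex example.com. The SAN list and hostnames are constructed sample values.

```python
"""Check which hostnames a certificate's SubjectAltName entries cover.

Rule (RFC 6125 / browser behaviour): a '*' is only allowed as the whole
leftmost label and matches exactly one label. Hence '*.example.com'
covers 'www.example.com' but not 'example.com' or 'a.b.example.com'.
"""


def san_covers(san: str, host: str) -> bool:
    """True if the single SAN entry `san` is valid for `host`."""
    san = san.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if not san.startswith("*."):
        return san == host                # non-wildcard: exact match only
    suffix = san[1:]                      # '*.example.com' -> '.example.com'
    if not host.endswith(suffix):
        return False
    leftmost = host[: -len(suffix)]       # the part the '*' would stand for
    # must be exactly one non-empty label: no empty string, no dots
    return leftmost != "" and "." not in leftmost


def uncovered_hosts(sans: list[str], hosts: list[str]) -> list[str]:
    """Hostnames for which no SAN entry matches."""
    return [h for h in hosts if not any(san_covers(s, h) for s in sans)]


def needed_site_addresses(sans: list[str], hosts: list[str]) -> list[str]:
    """Caddyfile site addresses needed so that every host gets a valid cert:
    the SANs already held plus one extra address per uncovered host."""
    return list(sans) + uncovered_hosts(sans, hosts)


if __name__ == "__main__":
    # Constructed sample: a wildcard-only certificate and the hosts served.
    cert_sans = ["*.example.com"]
    served = ["example.com", "www.example.com", "api.example.com",
              "a.b.example.com"]
    print("uncovered:", uncovered_hosts(cert_sans, served))
    print("site addresses to configure:",
          needed_site_addresses(cert_sans, served))
```

Running it reports example.com (and any deeper name like a.b.example.com) as uncovered, which is exactly the invalid-certificate error seen on the apex domain, and lists the separate site address that has to be added.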

Thank you for the amazingly fast reply and patch!

Currently it's indeed not possible to add a wildcard certificate and a root domain at the same time. I will try your patch; that would already solve a part of my problem.

Once the header feature is released I believe my other problem would be solved as well.

That being said: I don't know what the future plans for the plugin are, but I have a feature request. Where could I log this request?

Thanks in advance!

You can put feature requests here:

https://github.com/opnsense/plugins/issues

If it's nothing too unreasonable, it's likely that I will include it at some point. Though if it's a very edge case, using the https://docs.opnsense.org/manual/how-tos/caddy.html#using-custom-configuration-files is the best choice to have things working right away.
Hardware:
DEC740