Client certificates (mTLS) in Caddy plugin

[nsky]

Hi,

am I right, that the Caddy reverse proxy plugin (https://github.com/opnsense/plugins/tree/master/www/caddy) currently has no possibility to configure TLS client certificates through the GUI?

If yes, my approach would be to add a custom config file since the generated Caddyfile imports anything from

Code Select Expand

/usr/local/etc/caddy/caddy.d/*.conf.

But for this, I need to know where OPNsense stores the generated CAs and certificates when using System --> Security to create them. Can someone tell me where they are stored? I need the file path to provide them in the Caddy config...

Thanks and best regards

[Monviech (Cedrik)]

https://github.com/opnsense/plugins/issues/4089

PRs welcome, all the framework is there. It should be very easy to add to the GUI.

There is a script that will automatically extract certificates from System - Trust for caddy here:

https://github.com/opnsense/plugins/blob/bb69d4653746320c0bf4363eb42f63906b5584e8/www/caddy/src/opnsense/scripts/OPNsense/Caddy/caddy_certs.php#L35

It runs automatically when caddy reloads or starts so the certs are all there.

[millie75]

Hi did anyone get this working.

It would be great to have the option to use mtls with self hosting apps like Immich and Home Assistant and on mobile devices.

Having it as an option in the caddy plug in along with access lists and http authentication would be great to have that option. Lots of mobile apps don't have option to use http authentication either

[Monviech (Cedrik)]

It can be added to the plugin if somebody spends the time to implement and test it. PRs still welcome.

I could implement it too, but I dont have a reason for my own use and the priority is low.

[millie75]

https://github.com/opnsense/plugins/issues/4089

PRs welcome, all the framework is there. It should be very easy to add to the GUI.

There is a script that will automatically extract certificates from System - Trust for caddy here:

https://github.com/opnsense/plugins/blob/bb69d4653746320c0bf4363eb42f63906b5584e8/www/caddy/src/opnsense/scripts/OPNsense/Caddy/caddy_certs.php#L35

It runs automatically when caddy reloads or starts so the certs are all there.

Wondered if you could help. I have create some certs in Opnsense under System:Trust and following this link the certs should be copied in /var/db/caddy/data/caddy/certificates/temp/ after Caddy starts or reloads. I have stop and started a few times and the /var/db/caddy/data/caddy/certificates/temp/ folder is empty no certs copied to this location - id there something else that has to be done?

Thanks

[Monviech (Cedrik)]

The script changed a bit from the last time. It only extracts certificates that are known in the model.

https://github.com/opnsense/plugins/blob/931f2c5d7a73f4158748fdf14c1a1f8ba3c5d20e/www/caddy/src/opnsense/scripts/OPNsense/Caddy/caddy_certs.php#L52

Here you can see, it collects all certificates that have been set in "Reverse Proxy - Domains - Custom Certificates" and only then extracts them to that folder.

The same happens with HttpTlsTrustedCaCerts a step later for "Reverse Proxy - Handlers - Tls Trust Pool".

So for testing things, just create some dummy handlers under a dummy domain and attach certificates to them, it will be copied into the folder.

[Monviech (Cedrik)]

https://github.com/opnsense/plugins/pull/4601