Caddy, SEC_ERROR_UNKNOWN_ISSUER and TLS Internal

I have solved this before but forgot how. Maybe typing something will help me remember the next time.

I use Caddy in a docker container to reverse proxy to services on my docker box and on other computers in my network. Something like this:

# test subdomain
test.mydomain.net {

        reverse_proxy http://10.10.10.15:8010
        tls internal
}

The browser always gives a SEC_ERROR_UNKNOWN_ISSUER error, because tls internal issues the certificate from Caddy's own local CA, which the browser does not trust. I can just accept the warning, which works for a while. Ideally you want it to just work, especially if you are setting up a site your 83 year old mum might access.

I had forgotten that if you want it to work, you need to add the subdomain to your DNS as an A record – and then remove tls internal, so that Caddy obtains a publicly trusted certificate automatically. Job done.

This does mean that anyone can hit that domain – which is fine in some cases and not fine in others. So I updated the internal-only domains to this:

fileserver.mydomain.net {

        @denied not client_ip 10.10.10.0/16 172.26.0.0/12

        handle @denied {
                abort
        }

        reverse_proxy http://10.10.10.15:8081
}

The 172.26 address comes from Docker; from memory, I think it fails without it. Two things worth checking: 172.26.0.0/12 is the same network as 172.16.0.0/12 (the whole 172.16.0.0–172.31.255.255 block), and 10.10.10.0/16 is 10.10.0.0/16, so the allow-list is wider than it reads. And if Caddy's access log shows a Docker bridge address as the client_ip for a request from outside the LAN, the matcher is not seeing the real client and the allow-list does not distinguish anyone.
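As an added example (not part of the original post or Caddy itself), this small script mirrors the allow/deny decision of the client_ip matcher above and shows what the CIDRs as written actually cover. It assumes Caddy compares only the prefix bits, which is what the masked networks below represent; the sample addresses are constructed.

```python
import ipaddress

# Allow-list copied from the Caddyfile's client_ip matcher above
ALLOWED = ["10.10.10.0/16", "172.26.0.0/12"]


def normalize(cidr):
    """Return the network a CIDR denotes once host bits are cleared.

    Prefix matching only looks at the first N bits, so this is the range
    the matcher effectively allows.
    """
    return ipaddress.ip_network(cidr, strict=False)


def effective_ranges(cidrs):
    """Map each CIDR as written to the masked network it really covers."""
    return {c: str(normalize(c)) for c in cidrs}


def is_allowed(client_ip, cidrs=ALLOWED):
    """Mirror `@denied not client_ip ...` + `abort`: True means served."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in normalize(c) for c in cidrs)


def check_samples(samples, cidrs=ALLOWED):
    """Evaluate constructed client addresses; returns {ip: allowed?}."""
    return {ip: is_allowed(ip, cidrs) for ip in samples}


if __name__ == "__main__":
    for written, real in effective_ranges(ALLOWED).items():
        print(f"{written:18} -> {real}")
    # Constructed sample clients: LAN host, a 10.10.x host outside the
    # intended /24, a Docker bridge address, a different LAN, the internet.
    samples = ["10.10.10.15", "10.10.200.5", "172.17.0.2",
               "192.168.1.20", "203.0.113.9"]
    for ip, ok in check_samples(samples).items():
        print(f"{ip:14} {'served' if ok else 'aborted'}")
```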
