Proxy to a remote server with the remote using self-signed certs fails. #320
Suppose that you have caddy running as a reverse proxy to a 2nd server. Caddy will return
Suppose that https://www.test2.com:9443/ is a server running with self-signed certificates.
2015/11/05 09:00:00 http: TLS handshake error from 192.168.0.158:56996: remote error: bad certificate
The :9443 server is in Go with HTTP2.0. I can provide the source code for it if you need it.
@pschlump You SHOULD NOT use self-signed certificates DIRECTLY. You MUST use them INDIRECTLY.
You just need to add 3 steps to your process:
What caddy does need, @mholt, is a way to specify the pool of trusted cas.
Edit: changed the clientca / rootca location (I think I got it right now)
See https://golang.org/pkg/crypto/tls/#Config RootCAs / CertPool
This is most useful in a business / enterprise environment where the user only wants to trust their local authority, not the global authorities.
The suspense is killing me
I think this issue needs some careful consideration. Disabling cert verification may be acceptable in dev/test environments, and should probably be an option anyway. Adding to the trust store is a separate matter.
I don't believe that disabling cert verification should ever be an option. I think that instead there should be a FAQ "how do I disable cert verification" and then a "you don't need to, run this command instead and add this line to your config file".
I would be very happy to finesse my self-signed authority / cert scripts and publish that material.
The belief that a person needs to disable cert verification - even during testing - stems from very popular tutorials with misinformation regarding the matter.
Hm, I somehow disagree with the talk on this page.... Let me explain my situation....
I'm exposing some services at home. I have native IPv6 (changing prefix) and IPv4 (changing single ip) connectivity. I'm regularly updating a DNS zone.
Wherever possible I'm using the IPv6 addresses as this will mean I can reach my services directly if I'm at home.
Some services like subsonic generate a redirect to https (for good reasons!) which means I have to proxy to the https port or I'll just get 30X responses.
I am using self signed certificates at home.
I'm now running an apache proxy just to get rid of this caddy mess. The "solution" to run an internal CA is a bit overkill for a home network.
Caddy will let you use plain HTTP upstreams, so there is no reason at all not to let a user disable verification (which should be on by default).
I'll make it easy and add a generic insecure_skip_verify option.
BTW, the fact that upstreams can be HTTPS is not documented AFAICT.
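The two approaches argued over in this thread, a RootCAs pool that holds only the local authority versus a blanket insecure_skip_verify, differ in what the proxy still checks when it dials the upstream. The Go program below is an added example written for this page; it is not Caddy's code and not the patch mentioned here. It mints a throwaway private CA and a CA-issued upstream certificate in memory (constructed, as the comments mark), starts a TLS upstream with httptest, and probes it with three client transports: one trusting only that CA, one with system roots only (the client-side view of the "remote error: bad certificate" the upstream logged above, surfacing as x509.UnknownAuthorityError), and one with InsecureSkipVerify. The names mintCerts, proxyTransport, probe, isUnknownAuthority and runScenarios are this example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"io"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"time"
)

// must keeps the setup readable: key generation only fails if the system RNG is broken.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// mintCerts builds in memory the "indirect" setup the thread recommends: a private CA and
// an upstream leaf issued by it, with 127.0.0.1 as SAN (httptest listens there). Keys are throwaway.
func mintCerts() (*x509.Certificate, tls.Certificate) {
	now := time.Now()
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Home Lab CA (constructed)"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	caDER := must(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey))
	ca := must(x509.ParseCertificate(caDER))
	leafKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "upstream (constructed)"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		IPAddresses: []net.IP{net.ParseIP("127.0.0.1")},
	}
	leafDER := must(x509.CreateCertificate(rand.Reader, leafTmpl, ca, &leafKey.PublicKey, caKey))
	return ca, tls.Certificate{Certificate: [][]byte{leafDER}, PrivateKey: leafKey}
}

// proxyTransport is what a reverse proxy hands to httputil.ReverseProxy. Nil roots means
// system roots only; skipVerify is the thread's insecure_skip_verify and disables chain and hostname checks.
func proxyTransport(roots *x509.CertPool, skipVerify bool) *http.Transport {
	return &http.Transport{TLSClientConfig: &tls.Config{
		RootCAs: roots, InsecureSkipVerify: skipVerify, MinVersion: tls.VersionTLS12,
	}}
}

// probe performs one GET through tr and returns the handshake or request error.
func probe(tr *http.Transport, url string) error {
	defer tr.CloseIdleConnections()
	resp, err := (&http.Client{Transport: tr, Timeout: 5 * time.Second}).Get(url)
	if err != nil {
		return err
	}
	_, _ = io.Copy(io.Discard, resp.Body)
	return resp.Body.Close()
}

// isUnknownAuthority: client-side face of the upstream's "remote error: bad certificate" log line.
func isUnknownAuthority(err error) bool {
	var uae x509.UnknownAuthorityError
	return errors.As(err, &uae)
}

// runScenarios probes a CA-issued TLS upstream three ways; nil means handshake and request succeeded.
func runScenarios() map[string]error {
	ca, leaf := mintCerts()
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		_, _ = io.WriteString(w, "hello from upstream")
	}))
	srv.TLS = &tls.Config{Certificates: []tls.Certificate{leaf}}
	srv.StartTLS()
	defer srv.Close()
	pool := x509.NewCertPool()
	pool.AddCert(ca) // the one trust anchor the proxy needs; global roots stay untouched
	return map[string]error{
		"trusted_local_ca":     probe(proxyTransport(pool, false), srv.URL),
		"system_roots_only":    probe(proxyTransport(nil, false), srv.URL),
		"insecure_skip_verify": probe(proxyTransport(nil, true), srv.URL),
	}
}

func main() {
	for name, err := range runScenarios() {
		fmt.Printf("%-22s ok=%-5v unknown_authority=%v\n", name, err == nil, isUnknownAuthority(err))
	}
}
```

Run it with `go run`. The pool-based transport is the setting a reverse proxy should use for a self-signed upstream: chain and hostname checks stay on and only the one anchor is trusted, so a misrouted or intercepted upstream connection is still refused. InsecureSkipVerify accepts whatever certificate is presented, which is why the thread treats it as a dev/test switch rather than a default.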
I just tried the patch in my home network and it works as expected. Thank you!
On 23 January 2016 at 06:36:15 CET, Matt Holt firstname.lastname@example.org wrote: