
`trusted_leaf_certs` functionality after its deprecation in Caddyfile

Open PhysicsIsAwesome opened this issue 11 months ago • 7 comments

Hey,

I would like to only allow clients with certain client leaf certificates to access some services. Unfortunately `trusted_leaf_certs` is deprecated and I could not find a way to get this working without it via Caddyfile. Can anyone point me in the right direction?

Thx and best regards, PhysicsIsAwesome

PS: I tried to sign up for caddy.community to ask this question instead of opening an issue, but could not find a way to sign up.

PhysicsIsAwesome avatar Jan 07 '25 17:01 PhysicsIsAwesome

Now you use `trust_pool`, see https://caddyserver.com/docs/caddyfile/directives/tls#client_auth

Please ask your usage questions on the Caddy community forums. We prefer to keep the GitHub issue board for bugs and feature requests. Don't forget to fill out the thread template so we can help you!

francislavoie avatar Jan 07 '25 18:01 francislavoie

Neither does the linked documentation make my use case clear, nor is it possible to sign up to the community forum atm. There is no sign up button and https://caddy.community/signup, which I only found through a search engine, forwards to https://caddy.community/latest without the possibility to sign up. How am I supposed to use it?

PhysicsIsAwesome avatar Jan 07 '25 18:01 PhysicsIsAwesome

We've been trying different tactics on and off to combat huge spam attacks (hundreds of posts in minutes), so apologies if access is a bit difficult lately.

Follow the docs linked above, they'll lead you to configuring a specific module: https://caddyserver.com/docs/caddyfile/directives/tls#trust-pool-providers

mholt avatar Jan 07 '25 18:01 mholt

Thx. I read this part of the documentation quite a few times, searched via Google and the community forum. It has already taken me quite a few hours. It is nevertheless unclear to me how to use it to only allow some specific leaf certificates. The way I understood it, `trust_pool` is only used to specify CAs:

> trust_pool configures the source of certificate authorities (CA)

Then there is `verifier` mentioned on the same site, but no documentation on how to use it in a Caddyfile or whether it even provides this functionality. Would you mind giving me an example of how to only allow some leaf certificates without using the deprecated `trusted_leaf_certs`?

PhysicsIsAwesome avatar Jan 07 '25 19:01 PhysicsIsAwesome

Depending on your setup and use case, you can either use `trust_pool`, as Matt and Francis said, or `verifier`. The verifier is closer in concept to the `trusted_leaf_cert`. I realize now the documentation for the verifier guest modules is missing. We only mention it without its descendants, so that's to be fixed on the caddyserver/website repo, but the available module names are here and their config bodies are very similar to `trust_pool`.

mohammed90 avatar Jan 07 '25 19:01 mohammed90

Sorry to be this persistent, but it is still completely unclear how to do this in a Caddyfile. If you could just provide a minimal Caddyfile example with a leaf certificate file path?

Tried a few things and the leaf verifier does not seem to be available via Caddyfile, at least this is what the error message `module tls.client_auth.verifier.leaf is not a Caddyfile unmarshaler` probably means?

PhysicsIsAwesome avatar Jan 07 '25 19:01 PhysicsIsAwesome

> this is what the error message `module tls.client_auth.verifier.leaf is not a Caddyfile unmarshaler` probably means

Oops 🤐 This is my bug. Sorry. The deprecated directive isn't removed yet, so you can keep using it for now, at least until I fix this tiny gap.

mohammed90 avatar Jan 07 '25 19:01 mohammed90
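As an added illustration of what the thread is about (this is not code from Caddy or from anyone in the thread), the Go program below shows what "trusted leaf certificates" mean at the TLS layer: the server keeps an allow-list of exact client certificates and admits a connection only when the presented leaf matches one byte-for-byte, with no CA involved. Names such as `TrustedLeaves`, `VerifyPeer`, `ServerConfig` and `SelfSignedDER` are this example's own, and the self-signed certificates are constructed sample data standing in for real leaf files.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// TrustedLeaves is an allow-list of exact client certificates (DER bytes), as
// Caddy's trusted_leaf_certs: the leaf must match an entry byte-for-byte, no CA.
type TrustedLeaves [][]byte

// VerifyPeer has the signature of tls.Config.VerifyPeerCertificate; rawCerts[0]
// is the leaf the client sent, the rest of the chain is ignored.
func (t TrustedLeaves) VerifyPeer(rawCerts [][]byte, _ [][]*x509.Certificate) error {
	if len(rawCerts) == 0 {
		return errors.New("client presented no certificate")
	}
	for _, trusted := range t {
		if bytes.Equal(rawCerts[0], trusted) {
			return nil
		}
	}
	return errors.New("client leaf certificate is not in the trusted list")
}

// ServerConfig wires the check in. RequireAnyClientCert rejects clients with no
// cert but skips CA chain checks, so VerifyPeer alone decides who is admitted.
func ServerConfig(serverCert tls.Certificate, t TrustedLeaves) *tls.Config {
	return &tls.Config{
		Certificates:          []tls.Certificate{serverCert},
		ClientAuth:            tls.RequireAnyClientCert,
		VerifyPeerCertificate: t.VerifyPeer,
	}
}

// SelfSignedDER builds a throwaway certificate (constructed sample data in place of a leaf PEM file).
func SelfSignedDER(cn string) []byte {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn}, NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return der
}
```

Because the CA chain check is skipped under this mode, rotating or revoking a client means editing the allow-list itself; that is the operational trade-off of pinning leaves instead of trusting a CA via `trust_pool`.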