auto managed domain mistakenly using self-signed #6694

Closed
arpitjindal97 opened this issue Nov 15, 2024 · 10 comments
Labels
duplicate 🖇️ This issue or pull request already exists

Comments

@arpitjindal97

arpitjindal97 commented Nov 15, 2024

Expected Behaviour:

I want to use a self-signed certificate for the arpit-test.msmartpay.in domain only. I want Caddy to automatically manage the other domains.
When I visit arpit.msmartpay.in, I should be presented with a Let's Encrypt certificate.
When I visit arpit-test.msmartpay.in, I should be presented with a self-signed certificate.

Actual Behaviour:

  • Caddy gets certificates from Let's Encrypt for both domains (why both?)
  • Caddy is using self-signed for both

Caddyfile:

{
    servers {
        metrics
    }
    auto_https ignore_loaded_certs
}

arpit.msmartpay.in {
    respond "Hello World"
}

arpit-test.msmartpay.in {
    tls /ssl/msmartpay.in/self/domain.crt /ssl/msmartpay.in/self/privkey.pem
    respond "Hello World"
}

domain.crt:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            4a:b0:51:03:a6:50:ec:05:d7:78:7d:17:52:c2:ca:cd:55:25:ac:ab
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=SL, ST=Western, L=Colombo, OU=ABC, CN=arpit.msmartpay.in
        Validity
            Not Before: Nov 15 21:44:09 2024 GMT
            Not After : Nov 13 21:44:09 2034 GMT
        Subject: C=SL, ST=Western, L=Colombo, OU=ABC, CN=arpit.msmartpay.in
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:bc:46:76:77:dd:16:77:75:8e:32:87:36:75:ac:
                    .................
                    b4:17
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Key Usage:
                Digital Signature, Non Repudiation, Key Encipherment
            X509v3 Subject Alternative Name:
                DNS:arpit.msmartpay.in, DNS:*.msmartpay.in
            X509v3 Subject Key Identifier:
                E9:51:26:A4:56:31:40:CA:D5:DA:C2:35:92:32:9D:2B:2C:9E:7B:6A
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:
        3b:ae:10:b6:d9:cd:18:54:cd:0b:97:2b:b2:3d:52:9e:91:9f:
        ..................................
 
@mholt
Member

mholt commented Nov 18, 2024

ignore_loaded_certs will tell Caddy to ignore loaded certificates when choosing what to manage certificates for, so it doesn't matter that you have loaded a certificate for your site, it will still obtain one for them to manage.

Seems to be a duplicate of #5933.

@mholt mholt closed this as not planned Nov 18, 2024
@mholt mholt added the duplicate 🖇️ This issue or pull request already exists label Nov 18, 2024
@arpitjindal97
Author

The problem is that when I visit arpit.msmartpay.in, I'm presented with a self-signed certificate.

@arpitjindal97
Author

@mholt Please re-open the issue. Please understand it fully before closing it.

@mholt
Member

mholt commented Nov 20, 2024

@arpitjindal97 Not sure what I am missing here, please enlighten me. This seems to be a duplicate, as I said. The other issue will track this.

@mohammed90
Member

Caddy gets certificates from let's encrypt for both domains (why both)

Because you used ignore_loaded_certs.

Caddy is using self-signed for both

You haven't presented evidence of this.

the problem is when I visit arpit.msmartpay.in, I'm presented with self-signed certificate

We haven't seen evidence of this.

@arpitjindal97
Author

Ignore the auto_https ignore_loaded_certs parameter for a while; I will talk about it later. First, take a look at this:

@mholt @mohammed90
I'm using the above-mentioned Caddyfile.

Here is the evidence of this:

$ curl https://arpit.msmartpay.in -v -k
* Host arpit.msmartpay.in:443 was resolved.
* IPv6: (none)
* IPv4: 77.248.167.27
*   Trying 77.248.167.27:443...
* Connected to arpit.msmartpay.in (77.248.167.27) port 443
* ALPN: curl offers h2,http/1.1
* (304) (OUT), TLS handshake, Client hello (1):
* (304) (IN), TLS handshake, Server hello (2):
* (304) (IN), TLS handshake, Unknown (8):
* (304) (IN), TLS handshake, Certificate (11):
* (304) (IN), TLS handshake, CERT verify (15):
* (304) (IN), TLS handshake, Finished (20):
* (304) (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / AEAD-CHACHA20-POLY1305-SHA256 / [blank] / UNDEF
* ALPN: server accepted h2
* Server certificate:
*  subject: C=SL; ST=Western; L=Colombo; OU=ABC; CN=arpit.msmartpay.in
*  start date: Nov 15 21:44:09 2024 GMT
*  expire date: Nov 13 21:44:09 2034 GMT
*  issuer: C=SL; ST=Western; L=Colombo; OU=ABC; CN=arpit.msmartpay.in
*  SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
* using HTTP/2
* [HTTP/2] [1] OPENED stream for https://arpit.msmartpay.in/
* [HTTP/2] [1] [:method: GET]
* [HTTP/2] [1] [:scheme: https]
* [HTTP/2] [1] [:authority: arpit.msmartpay.in]
* [HTTP/2] [1] [:path: /]
* [HTTP/2] [1] [user-agent: curl/8.7.1]
* [HTTP/2] [1] [accept: */*]
> GET / HTTP/2
> Host: arpit.msmartpay.in
> User-Agent: curl/8.7.1
> Accept: */*
>
* Request completely sent off
< HTTP/2 200
< alt-svc: h3=":443"; ma=2592000
< content-type: text/plain; charset=utf-8
< server: Caddy
< content-length: 11
< date: Thu, 21 Nov 2024 16:31:52 GMT
<
* Connection #0 to host arpit.msmartpay.in left intact
Hello World

@mohammed90
Member

mohammed90 commented Nov 21, 2024

The certificate CN is literally arpit.msmartpay.in. Configuring it under arpit-test doesn't make it valid.
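
To see why a certificate loaded under one site block can end up matching the other site's hostname, here is an added Go example (not Caddy's code and not from the issue author): it rebuilds a certificate with the same names as the domain.crt above and checks which hostnames its SANs cover under the standard library's matching rules. The ECDSA key and the list of hostnames are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// selfSignedLike builds a self-signed certificate with the same names as this
// issue's domain.crt (CN arpit.msmartpay.in; SANs arpit.msmartpay.in and
// *.msmartpay.in) on a fresh ECDSA key generated here, not the issue's key.
func selfSignedLike() *x509.Certificate {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "arpit.msmartpay.in"},
		DNSNames:     []string{"arpit.msmartpay.in", "*.msmartpay.in"},
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return must(x509.ParseCertificate(der))
}

// coveredHosts returns the hostnames this certificate's SANs match, using the
// standard library's rules (a wildcard covers exactly one DNS label).
func coveredHosts(cert *x509.Certificate, hosts []string) []string {
	var out []string
	for _, h := range hosts {
		if cert.VerifyHostname(h) == nil {
			out = append(out, h)
		}
	}
	return out
}

func main() {
	fmt.Println(coveredHosts(selfSignedLike(), []string{"arpit.msmartpay.in", "arpit-test.msmartpay.in", "a.b.msmartpay.in", "example.com"}))
}
```

Both arpit.msmartpay.in and arpit-test.msmartpay.in are covered by this one certificate, which is the name overlap the comment above points at; a.b.msmartpay.in and example.com are not.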

@mholt
Member

mholt commented Nov 21, 2024

What's the difference between this issue and #5933?

@arpitjindal97
Author

I have configured the self-signed certificate under arpit-test, so I expect Caddy to use that only for arpit-test.

For arpit.msmartpay.in, I expect it to use the Let's Encrypt certificate.

It shouldn't matter what the CN of certificates are.

@arpitjindal97
Author

@mholt My apologies, you are correct it is related to that issue. I didn't have a closer look earlier.

When can we expect a fix?
