Caddy HTTPS working in browser but not in curl

I am trying to run a Caddy HTTPS web server in my employer’s internal network.

This is my Caddyfile:

https://subdomain.internal.employer.com {
  root * /usr/share/caddy

  tls /cert/certificate.crt /cert/private.key {
    # I guess I have to put something here
  }

  # Reverse proxy to Cockpit
  rewrite /cockpit /cockpit/
  reverse_proxy /cockpit/* localhost:9090 {
    transport http {
      tls_insecure_skip_verify
    }
  }
}

Everything works perfectly in the web browser, but it does not work when I try to download some files using curl:

curl -v https://subdomain.internal.employer.com
*   Trying 10.10.0.124:443...
* Connected to subdomain.internal.employer.com (10.10.0.124) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.0 (OUT), TLS header, Certificate Status (22):
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS header, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS header, Finished (20):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS header, Unknown (21):
* TLSv1.3 (OUT), TLS alert, unknown CA (560):
* SSL certificate problem: unable to get local issuer certificate
* Closing connection 0
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

My IT department sent me 5 files. The first two of them, which I have already used, are the certificate and the private key; they are both listed in my Caddyfile:

  • certificate.crt
  • private.key

The other 3 files I received from the IT guys are:

  • local_domain_seller.pem
  • local_cert_authority.pem
  • local_cert_authority2.pem

I discovered that I can download those .pem files using the Firefox “View Certificate” window and then clicking “Download PEM (cert)” in the “Miscellaneous” section. At least the downloaded local_domain_seller.pem file content is the same as the file provided by our IT guys.

I guess that web browsers are smarter at checking certificate chains, but how can I fix my curl issue? I think my problem is very simple, but I don’t have extensive knowledge about certificates and I don’t know much about Caddy, so I’m asking for help.

To resolve the issue with cURL not recognizing the SSL certificate chain, you need to ensure that the necessary CA (Certificate Authority) certificates are included in the trusted certificates that cURL uses.

Here’s how you can fix the problem:

Steps to Fix cURL SSL Certificate Verification

  1. Combine CA Certificates: You need to create a single CA bundle file that includes all the CA certificates provided by your IT department. This will help cURL verify the server’s certificate. Create a new file, for example ca-bundle.pem, and concatenate the CA certificates into it:
cat local_cert_authority.pem local_cert_authority2.pem > /path/to/ca-bundle.pem

  2. Configure cURL to Use the CA Bundle: You can specify the CA bundle file to cURL by using the --cacert option. Run your cURL command like this:

curl -v --cacert /path/to/ca-bundle.pem https://subdomain.internal.employer.com

  3. Global Configuration (Optional): If you want to make this CA bundle available system-wide for cURL, you can add the CA certificates to the default trusted store. This way, you won’t need to specify the --cacert option every time.

On most Linux distributions, you can copy your ca-bundle.pem to the system CA certificates directory. For example:

sudo cp /path/to/ca-bundle.pem /usr/local/share/ca-certificates/ca-bundle.crt
sudo update-ca-certificates

  4. Testing: After you’ve done the above steps, test the cURL command again:

curl -v https://subdomain.internal.employer.com
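The difference between the browser and curl in the question, and the two ways out of it (serving the full chain from Caddy, or adding the issuer to the client's CA bundle as the answer suggests), can be reproduced offline. The following is an added example written for this page; it is not code from the question, the answer, or the Caddy project. It uses Go, the language Caddy itself is written in, and only the standard library. It mints a throwaway root CA, issuing CA and leaf certificate as stand-ins for the files from IT, on the assumption (suggested by the file names, not stated on the page) that local_domain_seller.pem is the intermediate that issued certificate.crt and the local_cert_authority files are the roots. VerifyPresented then models a strict client such as curl: it verifies only what the server sends plus what is in the supplied bundle, with no network fetching of missing issuers, which is exactly why a browser that caches or fetches intermediates can succeed where curl fails.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// certPair is one issued certificate: parsed form, its signing key and its PEM bytes.
type certPair struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
	pem  []byte
}

// issue signs tmpl with parent's key, or self-signs it when parent is nil.
func issue(tmpl *x509.Certificate, parent *certPair) (*certPair, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	parentCert, signer := tmpl, key // self-signed unless a parent is given
	if parent != nil {
		parentCert, signer = parent.cert, parent.key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parentCert, &key.PublicKey, signer)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return &certPair{cert, key, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})}, err
}

// BuildHierarchy mints a constructed root CA, issuing CA and leaf for host, standing in
// for local_cert_authority.pem, local_domain_seller.pem and certificate.crt (throwaway keys).
func BuildHierarchy(host string) (root, inter, leaf *certPair, err error) {
	now := time.Now()
	tmpl := func(cn string, serial int64, ca bool) *x509.Certificate {
		return &x509.Certificate{
			SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
			NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
			IsCA: ca, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
		}
	}
	if root, err = issue(tmpl("Constructed Root CA", 1, true), nil); err != nil {
		return
	}
	if inter, err = issue(tmpl("Constructed Issuing CA", 2, true), root); err != nil {
		return
	}
	leafTmpl := tmpl(host, 3, false)
	leafTmpl.KeyUsage, leafTmpl.DNSNames = x509.KeyUsageDigitalSignature, []string{host} // SAN curl matches
	leaf, err = issue(leafTmpl, inter)
	return
}

// VerifyPresented behaves like a strict client such as curl: presented is the chain the
// server sends (Caddy's certificate file), caBundle is the client's trust store (--cacert).
// Nothing is fetched over the network, so an issuer found in neither place is fatal.
func VerifyPresented(presented, caBundle []byte, host string) error {
	var chain []*x509.Certificate
	for b, rest := pem.Decode(presented); b != nil; b, rest = pem.Decode(rest) {
		c, err := x509.ParseCertificate(b.Bytes)
		if err != nil {
			return err
		}
		chain = append(chain, c)
	}
	roots := x509.NewCertPool()
	if len(chain) == 0 || !roots.AppendCertsFromPEM(caBundle) {
		return errors.New("no server certificate or empty CA bundle")
	}
	inters := x509.NewCertPool() // whatever the server sent after the leaf
	for _, c := range chain[1:] {
		inters.AddCert(c)
	}
	_, err := chain[0].Verify(x509.VerifyOptions{DNSName: host, Roots: roots, Intermediates: inters})
	return err
}

func main() {
	const host = "subdomain.internal.employer.com"
	root, inter, leaf, err := BuildHierarchy(host)
	if err != nil {
		panic(err)
	}
	fullChain := append(append([]byte{}, leaf.pem...), inter.pem...) // what certificate.crt should hold
	bundle := append(append([]byte{}, inter.pem...), root.pem...)    // the answer's ca-bundle.pem
	fmt.Println("leaf only, root trusted:", VerifyPresented(leaf.pem, root.pem, host))   // the question's failure
	fmt.Println("full chain, root trusted:", VerifyPresented(fullChain, root.pem, host)) // the clean fix
	fmt.Println("leaf only, issuer in bundle:", VerifyPresented(leaf.pem, bundle, host)) // the answer's workaround
}
```

The first case is the x509 "unknown authority" that curl reports as "unable to get local issuer certificate": the server sends only the leaf and the client trusts only the root, so no chain can be built. The second case is the fix on the server side: Caddy's tls directive serves every certificate in the file it is given, so a certificate.crt that holds the leaf followed by local_domain_seller.pem lets any strict client verify against the root alone. The third case is the answer's workaround, which also works but has to be repeated on every client and makes the intermediate a trust anchor in its own right. To see which situation a real server is in, `openssl s_client -connect subdomain.internal.employer.com:443 -showcerts` prints the chain actually presented; a single certificate in that output means the intermediate is missing from the served file.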