I am trying to run a Caddy HTTPS web server in my employer's internal network.
This is my Caddyfile:
    https://subdomain.internal.employer.com {
        root * /usr/share/caddy
        tls /cert/certificate.crt /cert/private.key {
            # I guess I have to put something here
        }
        # Reverse proxy to Cockpit
        rewrite /cockpit /cockpit/
        reverse_proxy /cockpit/* localhost:9090 {
            transport http {
                tls_insecure_skip_verify
            }
        }
    }
Everything works perfectly in the web browser, but it does not work when I try to download some files using curl:
    curl -v https://subdomain.internal.employer.com
    * Trying 10.10.0.124:443...
    * Connected to subdomain.internal.employer.com (10.10.0.124) port 443 (#0)
    * ALPN, offering h2
    * ALPN, offering http/1.1
    * CAfile: /etc/ssl/certs/ca-certificates.crt
    * CApath: /etc/ssl/certs
    * TLSv1.0 (OUT), TLS header, Certificate Status (22):
    * TLSv1.3 (OUT), TLS handshake, Client hello (1):
    * TLSv1.2 (IN), TLS header, Certificate Status (22):
    * TLSv1.3 (IN), TLS handshake, Server hello (2):
    * TLSv1.2 (IN), TLS header, Finished (20):
    * TLSv1.2 (IN), TLS header, Supplemental data (23):
    * TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
    * TLSv1.2 (IN), TLS header, Supplemental data (23):
    * TLSv1.3 (IN), TLS handshake, Certificate (11):
    * TLSv1.2 (OUT), TLS header, Unknown (21):
    * TLSv1.3 (OUT), TLS alert, unknown CA (560):
    * SSL certificate problem: unable to get local issuer certificate
    * Closing connection 0
    curl: (60) SSL certificate problem: unable to get local issuer certificate
    More details here: https://curl.se/docs/sslcerts.html
    curl failed to verify the legitimacy of the server and therefore could not
    establish a secure connection to it. To learn more about this situation and
    how to fix it, please visit the web page mentioned above.
My IT department sent me 5 files. The first two of them, which I already used, are the certificate and private key; they are both listed in my Caddyfile:
- certificate.crt
- private.key
The other 3 files I received from the IT guys are:
- local_domain_seller.pem
- local_cert_authority.pem
- local_cert_authority2.pem
I discovered that I can download those pem files using the Firefox "View Certificate" window and then clicking "Download PEM(cert)" in the "Miscellaneous" section. At least the content of the downloaded local_domain_seller.pem file is the same as the file provided by our IT guys.
I guess that web browsers are smarter at checking chains of certificates, but how can I fix my curl issue? I think my problem is very simple, but I don't have extensive knowledge about certificates and I don't know much about Caddy, so I'm asking for help.
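The curl error above means curl could not build a path from the certificate the server sent to a CA in its CAfile. The following added example (not part of the original post) sorts the files listed in the question into the bundle the server should present and the root the client must trust, assuming the .pem files contain the issuing CAs and that openssl is installed; the output names fullchain.crt and root.pem are hypothetical.

```bash
#!/bin/sh
# Added example, not from the original post. Which of the .pem files is an
# intermediate or the root is NOT assumed; it is worked out from each
# certificate's subject and issuer names.

subj_hash()   { openssl x509 -in "$1" -noout -subject_hash; }
issuer_hash() { openssl x509 -in "$1" -noout -issuer_hash; }

# build_chain LEAF OUT_FULLCHAIN OUT_ROOT CANDIDATE.pem...
#   OUT_FULLCHAIN: leaf followed by intermediates (what the server should present)
#   OUT_ROOT:      the self-signed root (what the client must trust)
build_chain() {
  local leaf="$1" full="$2" root="$3" cur="$1" depth=0 want next c
  shift 3
  openssl x509 -in "$leaf" > "$full" || return 1
  : > "$root"
  # Walk upwards until a self-signed certificate (subject == issuer) is reached.
  while [ "$(subj_hash "$cur")" != "$(issuer_hash "$cur")" ]; do
    want="$(issuer_hash "$cur")"; next=""
    for c in "$@"; do
      if [ "$(subj_hash "$c")" = "$want" ]; then next="$c"; break; fi
    done
    if [ -z "$next" ]; then
      echo "no candidate matches the issuer of $cur" >&2; return 1
    fi
    cur="$next"; depth=$((depth + 1))
    [ "$depth" -le 8 ] || { echo "chain too long" >&2; return 1; }
    if [ "$(subj_hash "$cur")" = "$(issuer_hash "$cur")" ]; then
      openssl x509 -in "$cur" > "$root"     # self-signed: the trust anchor
    else
      openssl x509 -in "$cur" >> "$full"    # intermediate: goes in the bundle
    fi
  done
  [ -s "$root" ] || { echo "leaf is self-signed; nothing to chain" >&2; return 1; }
  # Name matching only orders the files; this step checks the signatures.
  openssl verify -CAfile "$root" -untrusted "$full" "$leaf" >/dev/null
}

# Usage with the files named in the question:
#   build_chain certificate.crt fullchain.crt root.pem \
#       local_domain_seller.pem local_cert_authority.pem local_cert_authority2.pem
# Then reference fullchain.crt instead of certificate.crt on the Caddyfile
# tls line, and test the client side with:
#   curl --cacert root.pem https://subdomain.internal.employer.com
```

If build_chain fails with "no candidate matches", the files do not contain the issuer of one link in the chain, and that certificate has to be requested from whoever issued it.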