From 1b62e0d1e55c97916ac1fd23811844fe64c51c02 Mon Sep 17 00:00:00 2001
From: Thibaut Selingue <7049020+thislg@users.noreply.github.com>
Date: Fri, 7 Nov 2025 14:29:46 +0100
Subject: [PATCH] fix(caddy): TLS certificates trust on all platforms
---
 README.md | 41 +++++++++++++++++++----------------------
 docker-compose.yml | 4 ++++
 setup.sh | 39 +++++++++++++++++++++++++++++----------
 3 files changed, 52 insertions(+), 32 deletions(-)
diff --git a/README.md b/README.md
index 8e97977..723f3b1 100644
--- a/README.md
+++ b/README.md
@@ -18,7 +18,7 @@ cp .env.dist .env
 docker compose up -d
 ```
 
-Github Container Registry :
+GitHub Container Registry :
 
 1. Go to [Settings / Developer Settings / Personal Access Token](https://github.com/settings/tokens/new?scopes=write:packages)
 2. Enter "Docker stack" in the **Name** field and check **write:packages** and **read:packages**
@@ -45,41 +45,38 @@ Restart your browsers!
 
 The base stack contains the minimal configuration related to web development.
 
- - caddy
- - adminer
- - maildev
- - memcached
+- Adminer
+- Caddy
+- MailDev
+- Memcached
 
 ## Compose your stack
 
-The default configuration include 3 databases containers : mysql 5, postgres 9 and postgres 17. You can change the loaded containers by changing the `COMPOSE_FILE` environment variable in the `.env` file.
+The default configuration include 3 databases containers : MySQL 5, PostgreSQL 9 and PostgreSQL 17.
 
-The default configuration can be found in the `.env.dist` file.
+You can change the loaded containers by changing the `COMPOSE_FILE` environment variable in the `.env` file.
+The default configuration can be found in the `.env.dist` file.
 
 The repository currently supports these databases:
 
- - postgresql 9, 10, 11, 12, 13, 14, 15, 16, 17
- - mysql 5
- - mariadb 10
+- PostgreSQL 9, 10, 11, 12, 13, 14, 15, 16, 17
+- MySQL 5
+- MariaDB 10
 
 The repository currently supports these message brokers:
 
- - rabbitmq 3.8
+- RabbitMQ 3.8
 
 [Redisinsight](https://redis.io/insight/) is available:
 
 - Add `./redis/redisinsight.yml` to your `.env`
- - Go to `https://redisinsight.${DOCKER_HOST_SUFFIX}`
-
-An optional watchtower service is available to update docker images automatically. Add `watchtower.yml` to `COMPOSE_FILE` variable and set a schedule with `WATCHTOWER_SCHEDULE` variable in your `.env` file (default is `0 0 17 * * *`). You should also [login to your docker hub account](https://docs.docker.com/security/for-developers/access-tokens/#create-an-access-token) to prevent rate limit issues.
+ - Got to [redisinsight.${DOCKER_HOST_SUFFIX}.lph](https://redisinsight.${DOCKER_HOST_SUFFIX}.lph/) or [redisinsight.lph](https://redisinsight.lph/)
 
-## Troubleshooting
+An optional watchtower service is available to update docker images automatically:
+Add `watchtower.yml` to `COMPOSE_FILE` variable and set a schedule with `WATCHTOWER_SCHEDULE` variable in your `.env` file
+(default is `0 0 17 * * *`).
 
-- If setup.sh respond `trust: install is not supported on this system`:
-
-```shell
- sudo trust anchor --store /var/lib/docker/volumes/dev_caddy_data/_data/caddy/pki/authorities/local/root.crt
- sudo trust anchor --store /var/lib/docker/volumes/dev_caddy_data/_data/caddy/pki/authorities/local/intermediate.crt
- sudo update-ca-trust
-```
+You should also
+[login to your docker hub account](https://docs.docker.com/security/for-developers/access-tokens/#create-an-access-token)
+to prevent rate limit issues.
diff --git a/docker-compose.yml b/docker-compose.yml
index c16dc27..849ebb0 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -17,6 +17,10 @@ services:
 - target: 443
 published: ${HTTP3_PORT:-443}
 protocol: udp
+ # Caddy admin API
+ - target: 2019
+ published: ${CADDY_ADMIN_PORT:-2019}
+ protocol: tcp
 environment:
 CADDY_INGRESS_NETWORKS: dev_public
 volumes:
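Review bot: The new `target: 2019` mapping publishes Caddy's admin API on every host interface, because `published` without a `host_ip` binds to 0.0.0.0, and that API has no authentication — anyone who can reach the host on port 2019 can read or replace the whole proxy configuration (the setup.sh change in this same patch also rebinds the container-side listener to 0.0.0.0 so this mapping works). `caddy trust` only needs the endpoint from the local machine, so pin the publish to loopback: `- target: 2019` / `host_ip: 127.0.0.1` / `published: ${CADDY_ADMIN_PORT:-2019}`. The comment on the mapping should also say why it exists and why it must stay local, e.g. `# Caddy admin API (unauthenticated): exposed only for setup.sh's 'caddy trust'; keep it bound to loopback`, so the next editor does not widen it.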
@@ -1,14 +1,33 @@
-#!/usr/bin/env bash
+#!/usr/bin/env sh
 
-docker compose --ansi never up -d --build 2>& 1> /dev/null
-docker compose cp proxy:/usr/bin/caddy /tmp/caddy
+set -e
 
-XDG_DATA_HOME=/var/lib/docker/volumes/dev_caddy_data/_data
+docker compose up -d 2>/dev/null
 
-sudo XDG_DATA_HOME=${XDG_DATA_HOME} \
-/tmp/caddy start 2&> /dev/null; \
-/tmp/caddy untrust; \
-/tmp/caddy trust; \
-/tmp/caddy stop 2&> /dev/null; \
+CERTIFICATES_STORAGE_DIRECTORY=/usr/local/share/ca-certificates
+CADDY_ROOT_CERTIFICATE_FILE=$CERTIFICATES_STORAGE_DIRECTORY/Le_Phare_Docker_stack_Caddy_root.crt
 
-rm /tmp/caddy
+if [ -e $CADDY_ROOT_CERTIFICATE_FILE ]; then
+ echo "Le certificat Caddy existe déjà ($CADDY_ROOT_CERTIFICATE_FILE)."
+ echo "Si vous souhaitez le remplacer par un nouveau : supprimez-le puis relancez cette commande."
+ echo "Sinon, vous n'avez rien à faire."
+
+ exit
+fi
+
+sudo mkdir -p $CERTIFICATES_STORAGE_DIRECTORY
+
+sudo docker compose cp proxy:/data/caddy/pki/authorities/local/root.crt /usr/local/share/ca-certificates/ 2>/dev/null
+
+if [ "$(uname -s)" != "Darwin" ]; then
+ docker compose exec proxy wget -qO- --post-data='"0.0.0.0:2019"' --header='Content-Type:application/json' 'http://127.0.0.1:2019/config/admin/listen'
+
+ sudo docker compose cp proxy:/usr/bin/caddy /tmp/caddy 2>/dev/null
+
+ /tmp/caddy trust
+else
+ sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain /usr/local/share/ca-certificates/Le_Phare_Docker_stack_Caddy_root.crt
+fi
+
+echo "Certificats Caddy installés avec succès !"
+echo "En cas de problèmes de certificats HTTPS non reconnus (dans votre navigateur par ex.), importez le fichier suivant dans les certificats du logiciel : /usr/local/share/ca-certificates/Le_Phare_Docker_stack_Caddy_root.crt"
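Review bot: In the non-Darwin branch the `wget --post-data='"0.0.0.0:2019"'` call rebinds the container's Caddy admin listener from loopback to all interfaces, and that API carries no authentication, so combined with a host port published on 0.0.0.0 it lets anyone who can reach the host replace the proxy configuration; it should only ever be reachable through a loopback-bound publish in docker-compose.yml, and if the wildcard bind inside the container is unavoidable, Caddy's `origins`/`enforce_origin` admin settings are the knob for limiting callers — worth checking against the Caddy version in the image. The rebind also looks like a runtime-only change, so whether it survives a container restart (leaving the published port pointing at nothing) depends on how the image loads its config and is worth verifying. Separately, the binary is copied to the fixed, world-writable path `/tmp/caddy`, executed from there, and — unlike the previous version of this script, which ended with `rm /tmp/caddy` — never removed; copy it into a private `mktemp -d` directory that a trap cleans up, and drop the `sudo` on that copy since the script's other compose calls run unprivileged.
```sh
  docker compose exec proxy wget -qO- --post-data='"0.0.0.0:2019"' --header='Content-Type:application/json' 'http://127.0.0.1:2019/config/admin/listen'

  # private scratch dir for the copied binary, removed on any exit path
  caddy_tmp=$(mktemp -d)
  trap 'rm -rf -- "$caddy_tmp"' EXIT
  docker compose cp proxy:/usr/bin/caddy "$caddy_tmp/caddy" 2>/dev/null

  "$caddy_tmp/caddy" trust
```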