www/caddy: Prevent sudo on startup via skip_install_trust (#5015)

This can happen when an internal domain has been added, e.g. example.internal. Caddy will then generate a self-signed certificate via smallstep CA, and on startup it tries to install a root certificate for it into the FreeBSD trust store.

If running as www user, this causes sudo to appear at boot, because that is baked into smallstep CA.

https://github.com/smallstep/truststore/blob/master/truststore_freebsd.go

Via skip_install_trust, we prevent caddy from trying this.
Monviech 2025-11-10 17:01:03 +01:00 committed by GitHub
parent c4c5632a49
commit 0152180865
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194


@ -228,6 +228,7 @@
# Default of Caddy is to wait for all connections to close before allowing reload, meaning the higher the value, the longer applies take.
#}
grace_period {{ generalSettings.GracePeriod }}s
skip_install_trust
import /usr/local/etc/caddy/caddy.d/*.global
}
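
Review bot: the added `skip_install_trust` line in the global options block carries no template comment, unlike `grace_period` directly above it, and in the visible context it is emitted unconditionally rather than from a setting. Suggest a `{# ... #}` comment above it stating that it stops Caddy from installing the internal CA root into the FreeBSD trust store at startup (the step that invokes sudo when running as the www user). The comment should also record the consequence: the root for internal domains such as example.internal is no longer added to the host trust store automatically, so anything that has to trust those certificates needs the root distributed separately.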