Issue Details
Minimal config, intended to be used when using an ACME test server (in my case, Let's Encrypt's Pebble)
While this is seemingly convoluted, the idea is to bootstrap with Pebble's hardcoded root cert and use that to pull the "real" root cert.
```json
{
  "admin": {
    "disabled": true,
    "config": {
      "persist": false
    }
  },
  "apps": {
    "http": {
      "servers": {
        "pebble": {
          "routes": [{
            "handle": [{
              "handler": "reverse_proxy",
              "upstreams": [{"dial": "pebble:14000"}],
              "transport": {
                "protocol": "http",
                "tls": {
                  "ca": {
                    "provider": "http",
                    "endpoints": ["https://pebble:15000/roots/0"],
                    "tls": {
                      "ca": {
                        "provider": "inline",
                        "trusted_ca_certs": ["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"]
                      }
                    }
                  }
                }
              }
            }]
          }]
        }
      }
    },
    "tls": {
      "automation": {
        "policies": [{
          "issuers": [
            {
              "module": "acme",
              "ca": "https://pebble:14000/dir",
              "email": "invalid@invalid"
            }
          ]
        }]
      }
    }
  }
}
```

Panic:

```text
panic: interface conversion: interface {} is nil, not *caddy.Replacer
goroutine 1 [running]:
github.com/caddyserver/caddy/v2/modules/caddytls.(*TLSConfig).makeTLSClientConfig(0x40003d5ae0, {{0x1c758d8, 0x400061ce10}, 0x40002e6f30, 0x40003f2f80, {0x40002f2740, 0x4, 0x4}, {0x0, 0x0, ...}, ...})
github.com/caddyserver/caddy/[email protected]/modules/caddytls/capools.go:503 +0x450
github.com/caddyserver/caddy/v2/modules/caddytls.(*HTTPCertPool).Provision(0x40006309c0, {{0x1c758d8, 0x400061ce10}, 0x40002e6f30, 0x40003f2f80, {0x40002f2740, 0x4, 0x4}, {0x0, 0x0, ...}, ...})
github.com/caddyserver/caddy/[email protected]/modules/caddytls/capools.go:574 +0xf0
...
```
Removing the innermost `ca` resolves the issue, but prevents bootstrapping. Since this is only intended for test environments anyway, `insecure_skip_verify` can be used as a workaround. Even an empty `ca` directive will trigger the panic.
Assistance Disclosure
AI not used
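The panic text above is the Go runtime's message for a one-value type assertion on a nil interface. The following Go program is an added example, not Caddy's code; it uses a hypothetical stand-in `Replacer` type and a constructed context key to reproduce that failure shape and to show the two-value assertion that reports a missing value as an error instead of crashing provisioning.

```go
package main

import (
	"context"
	"fmt"
)

// Replacer is a hypothetical stand-in for the *caddy.Replacer named in the
// stack trace; it is not Caddy's type.
type Replacer struct{}
type ctxKey string

const replacerKey ctxKey = "replacer"

// unsafeReplacerFromContext uses a one-value type assertion. When nothing was
// stored under the key, ctx.Value returns nil and the runtime panics with
// "interface conversion: interface is nil, not *main.Replacer".
func unsafeReplacerFromContext(ctx context.Context) *Replacer {
	return ctx.Value(replacerKey).(*Replacer)
}

// safeReplacerFromContext uses the two-value form, so a missing value is
// reported as an error instead of taking down the whole process.
func safeReplacerFromContext(ctx context.Context) (*Replacer, error) {
	repl, ok := ctx.Value(replacerKey).(*Replacer)
	if !ok || repl == nil {
		return nil, fmt.Errorf("no replacer in context")
	}
	return repl, nil
}

// callPanics runs fn and reports whether it panicked, and with what message.
func callPanics(fn func()) (panicked bool, msg string) {
	defer func() {
		if r := recover(); r != nil {
			panicked, msg = true, fmt.Sprint(r)
		}
	}()
	fn()
	return false, ""
}

func main() {
	empty := context.Background() // nothing stored: the condition the trace's message implies
	p, msg := callPanics(func() { unsafeReplacerFromContext(empty) })
	fmt.Println("unchecked assertion panicked:", p, "-", msg)
	_, err := safeReplacerFromContext(empty)
	fmt.Println("checked assertion error:", err)
	r, err := safeReplacerFromContext(context.WithValue(empty, replacerKey, &Replacer{}))
	fmt.Println("with replacer present:", r != nil, err)
}
```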