Maybe this is more of a home lab question, but I’m utterly clueless regarding PKI and HTTPS certs, despite taking more than one class that goes into some detail about how the system works. I’ve tried finding guides on how to set up your own CA, but my eyes glaze over after the third or fourth certificate you have to generate.
Anyway, I know you need a public DNS record for HTTPS to work, and it struck me recently that I do in fact own a domain name that I currently use as my DNS suffix on my LAN. Is there a way I can get Let’s Encrypt to dole out a wildcard certificate I can use on the hosts in my LAN so I don’t have to fiddle with every machine that uses every service I’m hosting? If so, is there a guide for the brain dead one could point me to? Maybe doing this will help me grock the whole PKI thing.
I use Caddy for this. I’ll leave links to the documentation as well as a few examples.
Here’s the documentation for wildcard certs. https://caddyserver.com/docs/automatic-https#wildcard-certificates
Here’s how you add DNS providers to Caddy without Docker. https://caddy.community/t/how-to-use-dns-provider-modules-in-caddy-2/8148
Here’s how you do it with Docker. https://github.com/docker-library/docs/tree/master/caddy#adding-custom-caddy-modules
Look for the DNS provider in this repository first. https://github.com/caddy-dns
Here’s documentation about using environment variables. https://caddyserver.com/docs/caddyfile/concepts#environment-variables
Docker
A few examples of Dockerfiles. These will build Caddy with DNS support.
DuckDNS
FROM caddy:2-builder AS builder RUN xcaddy build --with github.com/caddy-dns/duckdns FROM caddy:2 COPY --from=builder /usr/bin/caddy /usr/bin/caddyCloudflare
FROM caddy:2-builder AS builder RUN xcaddy build --with github.com/caddy-dns/cloudflare FROM caddy:2 COPY --from=builder /usr/bin/caddy /usr/bin/caddyPorkbun
FROM caddy:2-builder AS builder RUN xcaddy build --with github.com/caddy-dns/porkbun FROM caddy:2 COPY --from=builder /usr/bin/caddy /usr/bin/caddyConfigure DNS provider
This is what to add the the Caddyfile, I’ve used these in the examples that follow this section. You can look at the repository for the DNS provider to see how to configure it for example.
DuckDNS
https://github.com/caddy-dns/cloudflare?tab=readme-ov-file#caddyfile-examples
tls { dns duckdns {env.DUCKDNS_API_TOKEN} }CloudFlare
https://github.com/caddy-dns/cloudflare?tab=readme-ov-file#caddyfile-examples Dual-key
tls { dns cloudflare { zone_token {env.CF_ZONE_TOKEN} api_token {env.CF_API_TOKEN} } }Single-key
tls { dns cloudflare {env.CF_API_TOKEN} }PorkBun
https://github.com/caddy-dns/porkbun?tab=readme-ov-file#config-examples Global
{ acme_dns porkbun { api_key {env.PORKBUN_API_KEY} api_secret_key {env.PORKBUN_API_SECRET_KEY} } }or per site
tls { dns porkbun { api_key {env.PORKBUN_API_KEY} api_secret_key {env.PORKBUN_API_SECRET_KEY} } }Caddyfile
And finally the Caddyfile examples.
DuckDNS
Here’s how you do it with DuckDNS.
*.example.org { tls { dns duckdns {$DUCKDNS_TOKEN} } @hass host home-assistant.example.org handle @hass { reverse_proxy home-assistant:8123 } }Also you can use environment variables like this.
*.{$DOMAIN} { tls { dns duckdns {$DUCKDNS_TOKEN} } @hass host home-assistant.{$DOMAIN} handle @hass { reverse_proxy home-assistant:8123 } }CloudFlare
*.{$DOMAIN} { tls { dns cloudflare {env.CF_API_TOKEN} } @hass host home-assistant.{$DOMAIN} handle @hass { reverse_proxy home-assistant:8123 } }Porkbun
*.{$DOMAIN} { tls { dns porkbun { api_key {env.PORKBUN_API_KEY} api_secret_key {env.PORKBUN_API_SECRET_KEY} } } @hass host home-assistant.{$DOMAIN} handle @hass { reverse_proxy home-assistant:8123 } }I do the same!
I have a provider that is not supported by caddy, but I can still use it via duckdns delegation!
https://github.com/caddy-dns/duckdns?tab=readme-ov-file#challenge-delegation
Challenge delegation
To obtain a certificate using ACME DNS challenges, you’d use this module as described above. But, if you have a different domain (say,
my.example.com) CNAME’d to your Duck DNS domain, you have two options:my.example.com.Thanks for being so detailed!
I use caddy for straightforward https, but every time I try to use it for a service that isn’t just a reverse_proxy entry, I really struggle to find resources I understand… and most of the time the “solutions” I find are outdated and don’t seem to work. The most recent example of this for me would be Baikal.
Do you have any recommendations for where I might get good examples and learn more about how do troubleshoot and improve my Caddyfile entries?
Thanks!
Ah, PHP, there’s your problem. 😀
Honestly, I just proxy to a separate nginx server to handle the PHP bits, it’s not worth cluttering up my nice, clean Caddy setup with that nonsense.
thank you for providing such a thorough reply, good shit
The advice I needed and have not been able to find. I could kiss you. Or at least give you a fond nod.
I did basically this w/ Cloudflare, and it worked perfectly. I used to do ACME requests, but this is simpler and doesn’t require me to route traffic into my LAN. I now expose a handful of services, but I used to have to expose all services for TLS cert renewal to work.