I’ve been trying to get a wildcard certificate for my domain for use in Caddy…

i’ve got caddy installed and working fine but it seems i need to build caddy manually to include the cloudflaredns module?

My issue is that i installed caddy using apt… so i’m not really sure what i’m meant to do now…

Does anyone have any suggestions?

  • poVoq@slrpnk.net
    link
    fedilink
    English
    arrow-up
    1
    ·
    edit-2
    1 year ago

    Wildcard SSL certs are usually generated via a DNS-01 challenge, which are unrelated to the web-server you are using. Maybe Caddy has a special function for it, but normally it wouldn’t be involved at all.

    • Perhyte@lemmy.world
      link
      fedilink
      English
      arrow-up
      1
      ·
      1 year ago

      Caddy does have special support for DNS-01, but only if you compile in a module for your DNS provider.

  • terribleplan@lemmy.nrd.li
    link
    fedilink
    English
    arrow-up
    1
    ·
    1 year ago

    The whole “build it yourself” strategy with plugins and stuff is why I moved over to Traefik. I think you’ll basically need to follow this doc to build it yourself while still using the apt package for all the niceties like Systemd units and such.

    • cnschn@lemmy.cnschn.com
      link
      fedilink
      English
      arrow-up
      2
      ·
      1 year ago

      I was a bit weirded out by this as well, but honestly - it’s pretty straightforward and has been working just fine for me. shrug

    • Perhyte@lemmy.world
      link
      fedilink
      English
      arrow-up
      2
      ·
      1 year ago

      You usually don’t actually need to build it yourself: you can get a binary with that module from the official download page which automates (and IIRC caches) the build.

      However, as noted at the top of that page, there’s currently an issue where that page occasionally fails, which is unfortunate.

      • D4NM3D@reddthat.comOP
        link
        fedilink
        English
        arrow-up
        1
        ·
        edit-2
        1 year ago

        If the download actually works… which i’ll try in a minute… how can i move from my apt installed version to using this binary?

        Edit… so i’ve ended up with a file with no extension…

        caddy_linux_amd64_custom
        
        • Perhyte@lemmy.world
          link
          fedilink
          English
          arrow-up
          1
          ·
          1 year ago

          That file is your new binary Caddy binary, assuming your server is an x64 Linux machine.

          Using that should follow mostly the same procedure as if you’ve built it yourself, following the doc @terribleplan@lemmy.nrd.li posted above, except you probably need to chmod +x that first, and maybe chown it too. (This is because your browser wisely does not mark files downloaded from the Internet as executable, and almost certainly does not run as root either)

          Disclaimer: I’ve always used docker images instead and have not tested this. But I think it should work, assuming those docs are correct for the self-built case.

          Move that file to your server (if necessary) and open a terminal in the directory where you’ve placed it. Then execute these commands:

          chmod +x caddy_linux_amd64_custom
          sudo chown root:root caddy_linux_amd64_custom
          sudo dpkg-divert --divert /usr/bin/caddy.default --rename /usr/bin/caddy
          sudo mv ./caddy_linux_amd64_custom /usr/bin/caddy.custom
          sudo update-alternatives --install /usr/bin/caddy caddy /usr/bin/caddy.default 10
          sudo update-alternatives --install /usr/bin/caddy caddy /usr/bin/caddy.custom 50
          

          If Caddy is already running you’ll probably want to restart it using sudo systemctl restart caddy.


          When a new version of Caddy comes out it won’t update the binary (because it has been diverted), so to update it manually you’ll need to redo a few of the steps:

          Download (and transfer if necessary) a new binary, then from a terminal:

          chmod +x caddy_linux_amd64_custom
          sudo chown root:root caddy_linux_amd64_custom
          sudo mv ./caddy_linux_amd64_custom /usr/bin/caddy.custom
          

          (Plus again sudo systemctl restart caddy if it’s already running)


          Typing all this out makes me so glad Watchtower exists for my Docker containers. I just made a Github Action to do a daily rebuild of Caddy with my modules, put that image name in my docker-compose.yaml, and Watchtower takes care of the rest.

          • D4NM3D@reddthat.comOP
            link
            fedilink
            English
            arrow-up
            1
            ·
            1 year ago

            Thank you for this… i need to take some time to read it more thoroughly… though your approach with Docker though will likely make a lot more sense for my environment.

            • Perhyte@lemmy.world
              link
              fedilink
              English
              arrow-up
              1
              ·
              1 year ago

              Docker is also a bit tricky, because to use a custom binary you need to build a custom image. But if you don’t mind manually installing updates it’s not too bad.

              • D4NM3D@reddthat.comOP
                link
                fedilink
                English
                arrow-up
                1
                ·
                1 year ago

                I had it running but it didn’t seem to be issuing wildcards… but afterwards i realised that whilst i had told it to use the cloudflare API… i don’t think at any stage i’d actually told it to issue wildcards… i guess i need to figure out how to do that…

                I’m questioning my need though really… i think the docs say it’s not recommended unless you’re dealing with thousands of subdomains…

                • Perhyte@lemmy.world
                  link
                  fedilink
                  English
                  arrow-up
                  1
                  ·
                  1 year ago

                  It will only issue wildcards if you have any sites named like *.yourdomain.com, i.e. it needs to see the *. to know to issue wildcards.

                  The relevant parts of my Caddyfile look like this:

                  {
                  	# TLS settings.
                  	acme_dns cloudflare {env.CLOUDFLARE_API_TOKEN}
                  	email {env.ACME_EMAIL}
                  }
                  
                  # Proxy a subdomain to a backend server.
                  # Usage: `import proxy subdomain backendHost`
                  (proxy) {
                  	@sub-{args.0} host {args.0}.{$DOMAIN}
                  	handle @sub-{args.0} {
                  		reverse_proxy http://{args.1}
                  	}
                  }
                  
                  # Put everything in the same block to get a wildcard certificate.
                  *.{$DOMAIN} {
                  	# Handle particular subdomains.
                  	import proxy changedetection changedetection:5000
                  	import proxy uptime uptime-kuma:3001
                  	import proxy whoami whoami
                  
                  	# Fallback message (unknown subdomain).
                  	handle {
                  		error "This subdomain is not currently in use." 404
                  	}
                  }
                  

                  The (alias) snippet at the top is used in the site block to tell it how to use a particular subdomain.

                  (I’ve removed some Authelia stuff and handling the apex domain)

                  {$DOMAIN} fills in my base domain from the environment, and {env.*} does the same for my credentials (but without putting it in the JSON config).