Applying Wildcard Cert to Caddy


(Paul Rubens) #1

Thank you in advance!


(Matthew Fay) #2

Put them anywhere on your file system that is secure.

Refer to that location when you declare your cert and key with the tls directive.

Don’t forget to set your ports and HTTP->S upgrade redirection explicitly; bringing your own keys disables Automatic HTTPS, which usually takes care of this for you.


(Paul Rubens) #3

Thank you for the help. I’m pretty new to this, do you know what I would use for the tls command? Also, does it matter what the cert format is? .pem .cer, etc.?

For the https can I just disable iptables?


(Matthew Fay) #4

The documentation for the TLS directive explains how to specify your cert/key and what format they should take.

https://caddyserver.com/docs/tls

I would not recommend disabling iptables. If you’re not comfortable manipulating iptables directly, consider installing ufw.


(Paul Rubens) #5

Can you explain how to check this? I can’t find anything.

Also, can you look at how I have it in the Caddy file and see if it’s correct?

Thank you!


(Matthew Fay) #6

Not much to check, you’d know if you had configured it already.

The Automatic HTTPS feature does a few things for you, namely:

By default, Caddy will bind to ports 80 and 443 to serve HTTPS and redirect HTTP to HTTPS.

https://caddyserver.com/docs/automatic-https#faq

But it only does this if you aren’t providing your own cert/key:

Caddy automatically enables HTTPS for all your sites, given that some reasonable criteria are met:

  • […]
  • Certificates and keys are not provided by you

https://caddyserver.com/docs/automatic-https

Since you are providing your own cert, the site will be served over HTTPS on port 2015 by default instead.

If you want to change that so Caddy serves HTTP on port 80 and HTTPS on port 443, you’ll need to specify the scheme/port. You can do that in the site label:

https://caddyserver.com/docs/http-caddyfile#addresses

And if you want to redirect HTTP traffic to upgrade them to HTTPS, you’ll need to add a redirect to your HTTP site pointing to the HTTPS site:

https://caddyserver.com/docs/redir
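
A Caddy v1 Caddyfile that puts the above together (explicit ports in the site labels, the tls directive pointing at a wildcard cert and key, and a redirect from the HTTP site to the HTTPS site); this is an added example, not configuration from the thread, and the domain, document root and certificate paths are assumed placeholders:

```caddyfile
# Assumed placeholders: app.example.com, /var/www/app, and the cert/key paths.
# The wildcard certificate is assumed to be issued for *.example.com.

# HTTP site: explicitly bound to port 80, exists only to upgrade clients to HTTPS.
# {uri} preserves the requested path and query string in the redirect.
http://app.example.com:80 {
    redir https://app.example.com{uri}
}

# HTTPS site: explicitly bound to port 443. Because a cert and key are supplied
# with the tls directive, Automatic HTTPS is disabled and the port must be set
# here rather than relying on the default of 2015.
https://app.example.com:443 {
    root /var/www/app
    # Key file should be readable only by the user Caddy runs as (e.g. mode 0600).
    tls /etc/ssl/private/wildcard.example.com.crt /etc/ssl/private/wildcard.example.com.key
}
```

The same cert/key pair can be reused in further `https://other.example.com:443` blocks, since the wildcard covers every first-level subdomain.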


(Paul Rubens) #7

Thank you again for all the information but after a lot of time spent trying to figure it out, I just decided to go with Nginx. Do you know how I can uninstall/completely remove Caddy?

Thank you


(Matthew Fay) #8

Depends on how you installed it and ran it - normally, it’s a single binary, and it places certificate data in $CADDYPATH (defaults to ~/.caddy). So:

  1. Delete the caddy binary
  2. Delete the Caddyfile you were using
  3. Delete the $CADDYPATH

And there won’t be any trace left of Caddy on your system.


(Paul Rubens) #9

I installed with Snap. Would that be a different install?


(Matthew Fay) #10

Refer to Snap documentation.

https://tutorials.ubuntu.com/tutorial/basic-snap-usage#3
https://docs.snapcraft.io/reference/snap-command