Automatic Certificate Provisioning on non standard ports


(Gustavo Hoirisch) #1

I am running through an ISP that does not allow me to use ports 80/443 so I have been using 9080/9443 and am unsure how to get the automatic certificate provisioning working. Every time I enable tls in my Caddyfile I end up with an error.

I am running Caddy via docker with the abiosoft/caddy image.

docker run -it \
    -p 9080:80 \
    -p 9443:443 \
    -v $(pwd)/Caddyfile:/etc/Caddyfile \
    -v $(pwd)/.caddy:/root/.caddy \
    -e ACME_AGREE=true \
    abiosoft/caddy

Caddyfile

redacted.com:9443 {
	tls 
	proxy /requests 192.168.1.110:3579/ {
		transparent
	}
}

Logs

Activating privacy features... 2019/03/31 09:57:25 [INFO][FileStorage:/root/.caddy] Started certificate maintenance routine
2019/03/31 09:57:26 [INFO] [redacted.com] acme: Obtaining bundled SAN certificate
2019/03/31 09:57:27 [INFO] [redacted.com] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz/__redacted__
2019/03/31 09:57:27 [INFO] [redacted.com] acme: use tls-alpn-01 solver
2019/03/31 09:57:27 [INFO] [redacted.com] acme: Trying to solve TLS-ALPN-01
2019/03/31 09:57:42 [redacted.com] failed to obtain certificate: acme: Error -> One or more domains had a problem:
[redacted.com] acme: error: 400 :: urn:ietf:params:acme:error:connection :: Timeout during connect (likely firewall problem), url:
exit status 1

Any suggestions on how to proceed?


(Gustavo Hoirisch) #2

By reading the documentation, the DNS challenge is my only alternative, is this correct? Further, is it possible to use it with a DNS provider without a plugin available?


(Matt Holt) #3

Yes, the DNS challenge is the only one that does not require an open port on your server.

As of now, no DNS provider plugins come standard with Caddy (to avoid playing favorites, etc.) – but you can easily add them!


(Gustavo Hoirisch) #4

What I meant was that my current DNS provider has no plugin available. Is it possible to get it to work in that case?


(Matthew Fay) #5

I’m afraid it’s not possible to have Caddy automatically provision a cert with a manual DNS verification process. Some interactive scripts and programs can do this, but Caddy has to be able to complete the process unattended, such as during renewals.

You could use one of those other methods to acquire your certificate and then give the resulting cert and key to Caddy using tls cert key in your Caddyfile.

But the best I can do is recommend Cloudflare as a free, very high quality DNS-only provider that’s supported for Caddy DNS challenges. No need to move the actual domain around, etc., and when you add your site they do a scan to copy most of your current zone, which reduces the effort of copying records across.
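The two routes described above, written out as a Caddy v1 Caddyfile. This is an added example, not config from the thread; it assumes a Caddy build that includes the cloudflare DNS plugin, that the container is started with the CLOUDFLARE_EMAIL and CLOUDFLARE_API_KEY environment variables set, and the certificate paths and second hostname are placeholders.

```caddyfile
# Why the original config failed: for TLS-ALPN-01 Let's Encrypt connects to
# port 443 on redacted.com, which the ISP blocks (the container's 443 is only
# reachable as 9443), so the challenge times out.

# Option A: DNS-01 challenge. Nothing connects inbound; Caddy proves control
# of the domain by publishing a TXT record through the Cloudflare API.
# Assumes the cloudflare plugin is compiled in and CLOUDFLARE_EMAIL /
# CLOUDFLARE_API_KEY are passed to the container (e.g. -e on docker run).
redacted.com:9443 {
	tls {
		dns cloudflare
	}
	proxy /requests 192.168.1.110:3579/ {
		transparent
	}
}

# Option B: certificate obtained with another client (manual DNS
# verification) and handed to Caddy with "tls cert key". Shown on a
# placeholder hostname so the file stays valid; mount the files into the
# container and keep the key readable only by the Caddy process.
# Caddy will not renew these, so expiry monitoring is now on you.
other.example.com:9443 {
	tls /etc/caddy/certs/other.example.com.crt /etc/caddy/certs/other.example.com.key
	proxy /requests 192.168.1.110:3579/ {
		transparent
	}
}
```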