I’ve been playing a bit with Caddy, looking at replacing my current nginx setup with Caddy+LE. My nginx is working nicely with TLS and stuff but as I used StartSSL for my certs, it is beginning to fall over.
- is there support for specifying a file for passwords for basicauth? I do not feel like putting passwords directly in the clear in the Caddyfile for some reasons
- can we have a dual key setup (RSA+P-384) for a site, both handled by LE?
- is it possible to have some kind of “hook” after the LE exchange? My goal would be to update the TLSA records I have in the DNS to match the new/updated key(s) so even just running a script would be nice
- I see that reloading the config has already been asked, I’d like that too
As per the basicauth docs, support for a htpasswd file is deprecated but available.
I don’t believe Caddy does this. You have to select a single key type. This is true of Caddy’s dependency, lego, but I imagine Caddy could be modified for your desired behaviour.
I don’t believe this exists currently but again I imagine this behaviour could be added if needed.
inotify-tools might be the right tool for this job, though.
Caddy reloads its config when given a USR1 signal (if the updated config is valid).
OK, for some reason, I read this and decided that because it was mentioning .htpasswd it was not what I was looking for, silly me. Spreading .htpasswd around is not what I want of course and not having support for this is fine (using Nginx right now so it is the same). A central htpasswd (i.e. outside htdocs) password file is more useful and I hope this will be kept.
While it is more of a transition mechanism toward EC, I’m using that with Nginx and it works fine.
As a general mechanism it could be useful I think. Using inotify-tools would add another external dependency and would not work on all systems (FreeBSD has kqueue, not inotify for example). I like the integrated way of Caddy.
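The post-issuance hook discussed in this thread can be approximated without inotify or kqueue by polling the certificate file. The following is an added example, not part of the original thread and not Caddy's own code; the certificate path, state file and `update-tlsa.sh` hook are hypothetical, and it assumes a `3 0 1` TLSA record (DANE-EE, full certificate, SHA-256) with the leaf certificate first in the PEM file.

```python
import base64, hashlib, re, subprocess, sys, time
from pathlib import Path

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def leaf_der(pem_text):
    """DER bytes of the first certificate in a PEM file.
    Assumption: the leaf certificate comes first, as in a full-chain file."""
    m = PEM_RE.search(pem_text)
    if not m:
        raise ValueError("no certificate block found")
    return base64.b64decode("".join(m.group(1).split()))

def tlsa_rdata(pem_text):
    """TLSA rdata '3 0 1 <hex>': DANE-EE, full certificate, SHA-256."""
    return "3 0 1 " + hashlib.sha256(leaf_der(pem_text)).hexdigest()

def check_once(cert_path, state_path, hook=None):
    """Return the new rdata if the certificate changed since the last
    successful run, else None. The state file holds the last published value."""
    rdata = tlsa_rdata(Path(cert_path).read_text())
    state = Path(state_path)
    if state.exists() and state.read_text().strip() == rdata:
        return None
    if hook:
        # Hook gets the rdata as its last argument. If it fails, the state
        # file is left alone so the next poll retries the DNS update.
        subprocess.run([*hook, rdata], check=True)
    state.write_text(rdata + "\n")
    return rdata

def watch(cert_path, state_path, hook, interval=300):
    """Poll forever; a half-written or missing file is logged and retried."""
    while True:
        try:
            new = check_once(cert_path, state_path, hook)
            if new:
                print(f"tlsa-watch: published {new}")
        except (OSError, ValueError, subprocess.CalledProcessError) as exc:
            print(f"tlsa-watch: {exc}", file=sys.stderr)
        time.sleep(interval)

if __name__ == "__main__":
    # Usage (all three are hypothetical paths):
    #   tlsa_watch.py /path/to/site.crt /var/db/tlsa.state ./update-tlsa.sh
    watch(sys.argv[1], sys.argv[2], sys.argv[3:])
```

Because the record is published only after the new certificate is already on disk, DANE validators can see a mismatch until the DNS update propagates. Keeping the previous TLSA record alongside the new one for at least one TTL narrows that window.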