Basicauth — TLS dual-key mode — hook after Let's Encrypt new/updated keys?


I’ve been playing a bit with Caddy looking at replacing my current nginx setup with Caddy+LE. My nginx is working nicely with TLS and stuff but as I used Startssl for my certs, it is beginning to fall over.

  • is there support for specifying a file for passwords for basicauth? I do not feel like putting passwords directly in the clear in the Caddyfile for some reasons :slight_smile:
  • can we have a dual key setup (RSA+P-384) for a site, both handled by LE?
  • is it possible to have some kind of “hook” after the LE exchange? My goal would be to update the TLSA records I have in the DNS to match the new/updated key(s) so even just running a script would be nice
  • I see that reloading the config has already been asked, I’d like that too


1 Like

As per the basicauth docs, support for a htpasswd file is deprecated but available.

I don’t believe Caddy does this. You have to select a single key type. This is true of Caddy’s dependency, lego, but I imagine Caddy could be modified your desired behaviour.

I don’t believe this exists currently but again I imagine this behaviour could be added if needed. inotify-tools might be the right tool for this job, though.

Caddy reloads its config when given a USR1 signal (if the updated config is valid).

OK, for some reason, I read this and decided that because it was mentioning .htpasswd it was not what I was looking for, silly me. Speading .htpasswd around is not what I want of course and not having support for this is fine (using Nginx right now so it is the same). A central htpasswd (i.e. outside htdocs) password file is more useful and I hope this will be kept.

While it is more of a transition mechanism toward EC, I’m using that with Nginx and it works fine.

As a general mechanism it could be useful I think. Using inotify-tools would add another external dependency and would not work on all systems (FreeBSD has kqueue, not inotify for example). I like the integrated way of Caddy.


1 Like

This topic was automatically closed 90 days after the last reply. New replies are no longer allowed.