Bind two certs to the same ip?

Richard_Stupek · April 17, 2018, 9:13pm

How do you get multiple certificates for multiple domains to bind to the same IP/port

> www.domain1.com:443 {
>    bind 10.1.2.222
>    tls key1.pem cert1.pem
>    proxy / 10.1.2.111 {
>        transparent
>        }
> }
> www.domain2.com:443 {
>    bind 10.1.2.222
>    tls key2.pem cert2.pem
>    proxy / 10.1.2.111 {
>        transparent
>        }
> }

this reports an error:

2018/04/17 15:46:40 listen tcp 10.1.2.222:80: bind: Only one usage of each socket address (protocol/network address/port) is normally permitted.

also could you then bind a wildcard auto tls config to the same port

> *:440 {
>     bind 10.1.2.222
>     tls {
>         max_certs 10
>     }
> }

matt · April 17, 2018, 9:50pm

Hmm, this should work. Can you open a bug report on GitHub? Be sure to follow the issue template.

tobya · April 18, 2018, 7:41pm

Is it possible that :80 is in use by another process on your machine?

Richard_Stupek · April 19, 2018, 3:03pm

tobya that was the issue. I had gone back after matt indicated it should work and found it was trying to use an already bound port.

Richard_Stupek · April 19, 2018, 3:40pm

I do think that you can’t have one hard coded certificate and also use letsencrypt auto tls on the same ip for any domains not specified as caddy will only use the certificate from the hard coded cert?

www.domain2.com:443 {
   bind 10.1.2.222
    tls key2.pem cert2.pem
    proxy / 10.1.2.111 {
        transparent
        }
 }
*:443 {
    bind 10.1.2.222
    tls {
        max_certs 10
    }
}

Richard_Stupek · April 26, 2018, 6:31pm

I’m guessing there’s no way to bind “static” certificates to the same IP ad dynamic let’s encrypt certificates?

matt · April 26, 2018, 7:21pm

I don’t know what you mean. You want to use both on-demand, managed certificates together with certificates you provide? That works. Caddy will only get certificates from Let’s Encrypt if it doesn’t already have one for the name provided.

Richard_Stupek · April 30, 2018, 6:16pm

Hi Matt,

Then I’m not sure what I’m doing wrong as I cannot get it to work.

punchablekeytags.com:443 www.punchablekeytags.com:443 {
  errors stdout
  log stdout
  tls /ezot/10247713.cert /ezot/10247713.key
  proxy / http://69.7.164.168 {
     transparent
  }
}

*:443 {
   errors stdout
   log stdout
   tls {
      max_certs 10000
   }
   proxy / http://69.7.179.238 {
       transparent

   }
}

This configuration will only return the certificate provided for the managed certificate. It will not fall through and use letsencrypt certificates for other domains which work if I remove the managed certificate. Browsing to any other domain gets the managed certificate

matt · April 30, 2018, 6:53pm

It’s probably because the domains don’t match the pattern * – since the wildcard character is for just a single label of a domain name, so * will match localhost, but not example.com.

Try using just :443 as your site label.

Richard_Stupek · April 30, 2018, 7:09pm

that did it, thanks