Bind two certs to the same ip?

(Richard Stupek) #1

How do you get multiple certificates for multiple domains to bind to the same IP/port

www.domain1.com:443 {
    bind 10.1.2.222
    # Caddy v1 syntax is: tls <cert> <key>
    tls cert1.pem key1.pem
    proxy / 10.1.2.111 {
        transparent
    }
}
www.domain2.com:443 {
    bind 10.1.2.222
    tls cert2.pem key2.pem
    proxy / 10.1.2.111 {
        transparent
    }
}

this reports an error:

2018/04/17 15:46:40 listen tcp 10.1.2.222:80: bind: Only one usage of each socket address (protocol/network address/port) is normally permitted.

also could you then bind a wildcard auto tls config to the same port

*:440 {
    bind 10.1.2.222
    tls {
        max_certs 10
    }
}

(Matt Holt) #2

Hmm, this should work. Can you open a bug report on GitHub? Be sure to follow the issue template.

(Toby Allen) #3

Is it possible that :80 is in use by another process on your machine?

1 Like
(Richard Stupek) #4

tobya that was the issue. I had gone back after Matt indicated it should work and found it was trying to use an already bound port.

1 Like
(Richard Stupek) #5

I do think that you can’t have one hard coded certificate and also use letsencrypt auto tls on the same ip for any domains not specified as caddy will only use the certificate from the hard coded cert?

www.domain2.com:443 {
    bind 10.1.2.222
    # Caddy v1 syntax is: tls <cert> <key>
    tls cert2.pem key2.pem
    proxy / 10.1.2.111 {
        transparent
    }
}
*:443 {
    bind 10.1.2.222
    tls {
        max_certs 10
    }
}

(Richard Stupek) #6

I’m guessing there’s no way to bind “static” certificates to the same IP as dynamic Let’s Encrypt certificates?

(Matt Holt) #7

I don’t know what you mean. You want to use both on-demand, managed certificates together with certificates you provide? That works. Caddy will only get certificates from Let’s Encrypt if it doesn’t already have one for the name provided.

(Richard Stupek) #8

Hi Matt,

Then I’m not sure what I’m doing wrong as I cannot get it to work.

punchablekeytags.com:443 www.punchablekeytags.com:443 {
    errors stdout
    log stdout
    tls /ezot/10247713.cert /ezot/10247713.key
    proxy / http://69.7.164.168 {
        transparent
    }
}

*:443 {
    errors stdout
    log stdout
    tls {
        max_certs 10000
    }
    proxy / http://69.7.179.238 {
        transparent
    }
}

This configuration will only return the certificate provided for the managed certificate. It will not fall through and use Let’s Encrypt certificates for other domains, which works if I remove the managed certificate. Browsing to any other domain gets the managed certificate.

(Matt Holt) #9

It’s probably because the domains don’t match the pattern * – since the wildcard character is for just a single label of a domain name, so * will match localhost, but not example.com.

Try using just :443 as your site label.

1 Like
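The working layout that follows from Matt’s answer, as an added example that is not part of this thread or of the Caddy project’s own documentation: one IP and port carrying a site with an operator-supplied certificate next to a `:443` catch-all that obtains certificates on demand. The hostnames, certificate paths, bind address and upstream addresses are placeholders (RFC 5737 / private ranges), not values from the thread.

```caddyfile
# Added example (not from this thread). Caddy v1 Caddyfile syntax.
# Hostnames, paths and addresses below are placeholders.

# Site served with a certificate you supply. Argument order is: tls <cert> <key>.
www.example.com:443 {
    bind 203.0.113.10
    tls /etc/caddy/certs/www.example.com.crt /etc/caddy/certs/www.example.com.key
    proxy / 10.0.0.11 {
        transparent
    }
}

# Catch-all for every other name arriving on the same IP and port.
# The label is ":443", not "*:443": "*" matches exactly one DNS label,
# so "*" would match "localhost" but never "example.org".
# A name that is not handled by the block above gets a certificate from
# Let's Encrypt the first time a client presents it in SNI; max_certs caps
# how many such certificates Caddy will obtain, which limits what an
# arbitrary client can make the server issue.
:443 {
    bind 203.0.113.10
    tls {
        max_certs 10
    }
    proxy / 10.0.0.12 {
        transparent
    }
}
```

Two things to check when deploying this. First, with automatic HTTPS enabled Caddy v1 also opens a listener on port 80 for the HTTP-to-HTTPS redirect and the ACME HTTP challenge, so a conflict on :80 (the error in the first post) surfaces even though no site above mentions that port; make sure nothing else on the host holds it. Second, verify the selection per name rather than per IP: connecting with `openssl s_client -connect 203.0.113.10:443 -servername www.example.com` should return the supplied certificate, while the same command with `-servername` set to any other name pointed at that IP should return a Let’s Encrypt certificate (or, once `max_certs` is exhausted, a handshake failure rather than the wrong certificate).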
(Richard Stupek) #10

that did it, thanks

1 Like