Bypass LetsEncrypt for Subdomain

Hi all,

I’m a web/networking noob so forgive me in advance for any murdering of terms or standards I do, most of my expertise is servers and endpoints etc.

I host a ton of homelab stuff that I make internet accessible to learn as much as I can about the end-to-end of it all. I have just enabled and configured IPv6 addressing at home so I have some more public addresses but to access my lab stuff from work (IPv4 only) I need to dual stack (I think I’m using the term right), which means keeping the reverse proxy active to proxy the v4 requests through the v4 interfaces.

I have an RDS farm which, long story short, I need to use my proper cert for. It all works on v6 but via Caddy functionality breaks because it’s using the LetsEncrypt cert and it’s expecting my signed cert.

Is there a way to tell caddy to just forward requests for a subdomain without attaching a LetsEncrypt cert to it? I’ve tried the tls tag but that only works for port 80, when the RDS servers redirect to 443 the client gets a 404 back (because according to Caddy it doesn’t exist).

I’m assuming I could get Caddy to use my signed cert for that one subdomain but I still don’t know how the double encryption etc. affects it.

If you need any more info let me know.

Hi @Runear, welcome to the Caddy community!

If you can pull the cert and key from your RDS farm and supply it to Caddy, it can present that to your clients. The double encryption shouldn’t be a problem, you’ll just have to make sure that Caddy trusts the RDS farm’s certificate for valid HTTPS all the way through. Caddy effectively acts as a (authorized) man in the middle between the RDS farm and the client.

You’ll want to use the syntax tls cert key for this subdomain.

https://caddyserver.com/docs/tls

Feel free to post the Caddyfile you’re using if you need someone to take a look.

Alright cool, I’ll give that a shot.

I’m already a little lost on how to get the cert into the bundle Caddy wants (I hate certificates) but will see how I go :stuck_out_tongue:

Thanks

You’ll need the CA certificate, assuming your RDS farm has its own CA.

On Linux it’s as simple as cat website.crt RDS-CA.crt > bundle.crt; the PowerShell equivalent is cat website.crt RDS-CA.crt | sc bundle.crt.

Then: tls bundle.crt website.key

The RDS Farm is using the wildcard cert I bought, so no internal CA there.

I put the subdomain in as below. The root is displaying the IIS standard page but with the LetsEncrypt cert (probably because the root isn’t encrypted on the server??), and trying to navigate to the RDS login page /RDWeb/ gives me an ERR_TOO_MANY_REDIRECTS error.

    https://remote.mycooldomain.lol {
        tls cert.pem key.key
        proxy / 192.168.1.1 { # not real ip :slight_smile:
            transparent
            websocket
        }
    }

No internal CA - no worries. No concatenation needed, just use the wildcard.

Is your RDS farm trying to redirect the client to HTTPS? I note that you’re hosting the site on HTTPS but proxying to HTTP.

Excellent point, I am a muppet.

Should that be https://IP or IP:443? Does it matter?

I tried both and now still get the IIS Root page ok with the LetsEncrypt cert but trying to access /RDWeb redirects to /RDWeb/Pages as expected and then throws a 502.

Is Caddy generating the 502 or is it passing on a 502 from RDS?

Caddy… It’s the plain text version.

Throw errors /path/to/error.log in your Caddyfile for this site, reproduce the 502, and let us know what shows up in that log.

28/Mar/2019:14:50:45 +1100 [ERROR 502 /] read tcp 172.30.250.253:64895->172.30.250.66:443: wsarecv: An existing connection was forcibly closed by the remote host.

28/Mar/2019:14:50:45 +1100 [ERROR 502 /favicon.ico] read tcp 172.30.250.253:64896->172.30.250.66:443: wsarecv: An existing connection was forcibly closed by the remote host.

28/Mar/2019:14:50:51 +1100 [ERROR 502 /rdweb/webclient/] read tcp 172.30.250.253:64897->172.30.250.66:443: wsarecv: An existing connection was forcibly closed by the remote host.

28/Mar/2019:14:50:51 +1100 [ERROR 502 /favicon.ico] read tcp 172.30.250.253:64898->172.30.250.66:443: wsarecv: An existing connection was forcibly closed by the remote host.
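As an added illustration (not part of the thread, and not Caddy project code), here is a small Python triage script for the kind of [ERROR 502 …] lines Caddy v1's errors directive writes when an upstream request fails. The point the next replies make is that the socket pair in the Go error text tells you who was talking to whom: if the source address is the Caddy host, it is Caddy dialling the upstream and the upstream closing on it, not a client problem. The script parses that pair out, groups the errors per upstream, and tags each upstream with the direction. The sample input is the four lines quoted above; the proxy IP passed to summarize() is the one the poster later identifies as the Caddy host, and the regexes are written against the exact line shape shown here, not a general Caddy log grammar.

```python
"""Triage Caddy v1 proxy error-log lines: who dialled whom, and who closed."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Layout of the [ERROR ...] lines quoted in the thread (Caddy v1 `errors` log).
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4}) "
    r"\[ERROR (?P<status>\d{3}) (?P<path>\S+)\] (?P<msg>.*)$"
)
# Go's net error text embeds the socket pair: "read tcp SRC:PORT->DST:PORT: reason"
CONN_RE = re.compile(
    r"\b(?P<op>read|write|dial) tcp "
    r"(?P<src>[\d.]+):(?P<sport>\d+)->(?P<dst>[\d.]+):(?P<dport>\d+):"
)

# Sample input: the four lines the poster pasted above, embedded verbatim.
SAMPLE_LOG: List[str] = [
    "28/Mar/2019:14:50:45 +1100 [ERROR 502 /] read tcp 172.30.250.253:64895->172.30.250.66:443: wsarecv: An existing connection was forcibly closed by the remote host.",
    "28/Mar/2019:14:50:45 +1100 [ERROR 502 /favicon.ico] read tcp 172.30.250.253:64896->172.30.250.66:443: wsarecv: An existing connection was forcibly closed by the remote host.",
    "28/Mar/2019:14:50:51 +1100 [ERROR 502 /rdweb/webclient/] read tcp 172.30.250.253:64897->172.30.250.66:443: wsarecv: An existing connection was forcibly closed by the remote host.",
    "28/Mar/2019:14:50:51 +1100 [ERROR 502 /favicon.ico] read tcp 172.30.250.253:64898->172.30.250.66:443: wsarecv: An existing connection was forcibly closed by the remote host.",
]


@dataclass
class UpstreamError:
    ts: str
    status: int
    path: str      # request path the client asked Caddy for
    op: str        # which socket operation failed (read/write/dial)
    src: str       # local side of the failed socket (Caddy, if it dialled out)
    dst: str       # remote side (the upstream Caddy was proxying to)
    dport: int
    reason: str    # OS-level error text after the socket pair


def parse_line(line: str) -> Optional[UpstreamError]:
    """Return a structured record for one error line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    c = CONN_RE.search(m["msg"])
    if not c:
        return None
    reason = m["msg"][c.end():].strip()
    return UpstreamError(m["ts"], int(m["status"]), m["path"], c["op"],
                         c["src"], c["dst"], int(c["dport"]), reason)


def summarize(lines: Iterable[str], proxy_ip: str) -> Dict[str, dict]:
    """Group errors by upstream (dst:port) and say which way the connection ran.

    direction == "proxy->upstream" means the proxy host itself was the source of
    the socket, i.e. Caddy dialled the backend and the backend closed on Caddy.
    """
    out: Dict[str, dict] = defaultdict(
        lambda: {"count": 0, "paths": set(), "reasons": set(), "direction": None}
    )
    for line in lines:
        e = parse_line(line)
        if e is None:
            continue
        bucket = out[f"{e.dst}:{e.dport}"]
        bucket["count"] += 1
        bucket["paths"].add(e.path)
        bucket["reasons"].add(e.reason)
        bucket["direction"] = "proxy->upstream" if e.src == proxy_ip else "other"
    return dict(out)


if __name__ == "__main__":
    # 172.30.250.253 is the Caddy host according to the thread.
    for upstream, info in summarize(SAMPLE_LOG, "172.30.250.253").items():
        print(upstream, info["direction"], info["count"], sorted(info["paths"]))
        for r in info["reasons"]:
            print("  reason:", r)
```

Run against the pasted lines it reports a single upstream, 172.30.250.66:443, reached in the proxy->upstream direction on every request, with one distinct reason: the remote host closed the connection. A port-443 upstream closing immediately on read is the pattern to check against the TLS side of the proxy config (scheme of the upstream URL, and whether the certificate the backend presents is one Caddy will accept) before looking at firewalls or client-side issues.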

Is 172.30.250.253 the RDS address or the client’s address?

That’s the address of the Windows Server Caddy sits on.

Edit: 250.66 is the RDWeb server.

Oof, 2/3 possibilities guessed and got em both wrong. Classic.

So that’s Caddy connecting to your RDS server and trying to read its response in order to pass it back to the client. The RDS server is closing the connection on Caddy.

Does the RDS server work if you point your client directly at its IP address?

Yep that was the first thing I tried when I got the 502.

The caveat is, Caddy is running on a Server Core install so I can’t check whether the page loads on the Caddy box specifically. However, a Test-NetConnection succeeds and a connection from another machine in the same subnet (to rule out firewall) to that IP works.

Edit: Given the client (work PC) gets the redirect, it (Caddy) must be connecting, at least to start, which made the Test-NetConnection useless but /shrug

If you need to rule out the Server Core host as the issue, could you grab a caddy.exe binary and run it on your own machine?

Can give it a shot, will need to update port forwards and stuff so might be a little bit before I can get it done.

Thanks for all the help so far regardless :slight_smile:
