1. The problem I’m having:
I would like to deploy certificates to internal servers.
I saw that caddy can act as an internal CA, but I would like more.
I’m wondering if it can act as a challenge proxy to external CAs?
So I can point internal servers' certificate managers (caddy, lego, …) to this relay.
Like this tutorial, but with a ‘tls relay’ instead of ‘tls internal’.
2. Error messages and/or full log output:
3. Caddy version:
2.7.4 with caddy plugin
4. How I installed and ran Caddy:
Installed in /usr/local/bin and started from systemd
a. System environment:
I’m not sure what you mean by “relay”. Please elaborate in more detail.
The internal server would ask the ‘relay’ caddy server for a certificate.
The ‘relay’ caddy server would obtain a valid certificate from a public provider, eg LE.
The ‘relay’ caddy server would provide the certificate to the internal server.
On the ‘relay’ caddy server, you would have:
and on the internal server, something like:
Is that clearer?
Are you talking about like an ACME proxy? Like this?
GitHub - mdbraber/acmeproxy: Proxy server for ACME DNS challenges written in Go
What is the motivation for such a feature – your use case?
Yes, exactly like acmeproxy.
I want it mostly for the same reason the project highlights.
Internal servers would need external access, with a common API token, which is a security risk, or one token each, which is a lot of work to manage.
If I go with a custom CA, like in the tutorial, it means deploying the CA cert on every internal server AND on every computer contacting those internal servers.
At the moment, we do not have the infrastructure to fully automate such a deployment.
If I could deploy certs from public CA, most, if not all, computers would trust the internal servers by default.
I see; do you think this plugin would help you?
i.e. you set up your credentialed client using
at your edge, and then your internal systems use that.
I can test it. Thanks for the pointers.
It seems to be limited in access control.
And to my original question, the answer is: No, caddy does not support it.
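To make the acmeproxy-style relay discussed above concrete, and to show what the missing access control could look like, here is an added example that is not code from the thread, from Caddy or from the acmeproxy project. It implements the request side of lego's httpreq DNS provider format (POST /present and /cleanup with a JSON body of `fqdn` and `value`, Basic auth), holding the single DNS credential on the relay and scoping each internal host to its own names; the client table and the in-memory TXT store are assumed stand-ins for a real secret store and DNS provider API.

```python
import base64
import hmac
import json
from http.server import BaseHTTPRequestHandler

# Constructed per-host credentials (assumed): one secret per internal server, scoped to its own names.
CLIENTS = {"wiki": ("pw-wiki-0001", {"wiki.internal.example.com"}),
           "git": ("pw-git-0002", {"git.internal.example.com"})}
TXT_RECORDS = {}  # in-memory stand-in for the real DNS provider API (assumed)

def basic_auth_header(user, pw):
    return "Basic " + base64.b64encode(f"{user}:{pw}".encode()).decode()

def challenge_name_allowed(fqdn, allowed):
    """dns-01 writes TXT at _acme-challenge.<name>; accept only that label on a name in scope."""
    fqdn, prefix = fqdn.rstrip(".").lower(), "_acme-challenge."
    return fqdn.startswith(prefix) and fqdn[len(prefix):] in {a.lower() for a in allowed}

def authorize(auth_header, body):
    """Authorize a /present or /cleanup body: constant-time password check, JSON and scope validation."""
    try:
        scheme, b64 = (auth_header or "").split(" ", 1)
        user, pw = base64.b64decode(b64).decode().split(":", 1)
    except ValueError:  # missing header, bad base64, or no "user:pass"
        return 401, None
    client = CLIENTS.get(user)
    if scheme != "Basic" or client is None or not hmac.compare_digest(client[0].encode(), pw.encode()):
        return 401, None
    try:
        req = json.loads(body)
        fqdn, value = str(req["fqdn"]), str(req["value"])
    except (ValueError, KeyError, TypeError):
        return 400, None
    if not challenge_name_allowed(fqdn, client[1]):
        return 403, None
    return 200, (fqdn.rstrip(".").lower(), value)

class RelayHandler(BaseHTTPRequestHandler):
    """HTTP front for the httpreq protocol: /present sets, /cleanup removes the TXT record."""
    def do_POST(self):
        body = self.rfile.read(int(self.headers.get("Content-Length", 0)))
        status, record = authorize(self.headers.get("Authorization"), body)
        if status == 200 and self.path == "/present":
            TXT_RECORDS[record[0]] = record[1]
        elif status == 200 and self.path == "/cleanup":
            TXT_RECORDS.pop(record[0], None)
        elif status == 200:
            status = 404
        self.send_response(status)
        self.end_headers()
```

Serve RelayHandler with http.server's HTTPServer on a LAN-only address behind TLS, and point each internal host's httpreq provider at it with its own username and password; a host that leaks its credential can then only complete challenges for its own names.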