Caddy as a challenge relay

1. The problem I’m having:

I would like to deploy certificates to internal servers.

I saw that caddy can act as an internal CA, but I would like more.

I’m wondering if it can act as a challenge proxy to external CAs?

So I can point internal servers certificate manager (caddy, lego, …) to this relay.

Like this tutorial, but with a ‘tls relay’ instead of ‘tls internal’.

2. Error messages and/or full log output:


3. Caddy version:

2.7.4 with caddy plugin

4. How I installed and ran Caddy:

Installed in /usr/local/bin and started from systemd

a. System environment:

Almalinux 9

I’m not sure what you mean by “relay”. Please elaborate in more detail.

The internal server would ask for a certificate to the ‘relay’ caddy server.

The ‘relay’ caddy server would obtain a valid certificate from a public provider, eg LE.

The ‘relay’ caddy server would provide the certificate to the internal server.

On the ‘relay’ caddy server, you would have: {
	tls relay

and on the internal server, something like: {
	tls {

Is that clearer?

Are you talking about like an ACME proxy? Like this? GitHub - mdbraber/acmeproxy: Proxy server for ACME DNS challenges written in Go

What is the motivation for such a feature – your use case?

Yes, exactly like acmeproxy.

I want it mostly for the same reason the project highlights.

Internal servers would need external access, with a common API token, which is a security risk, or one token each, which is a lot of work to manage.

If I go with a custom CA, like in the tutorial, it means deploying the CA cert on every internal servers AND on every computer contacting those internal servers.
At the moment, we do not have the infrastructure to fully automate such a deployment.

If I could deploy certs from public CA, most, if not all, computers would trust the internal servers by default.

I see; do you think this plugin would help you?

i.e. you set up your credentialed client using

at your edge, and then your internal systems use that.

I can test it. Thanks for the pointers.

It seems to be limited on access control.

And to my original question, the answer is : No, caddy does not support it.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.