Caddy as a challenge relay

1. The problem I’m having:

I would like to deploy certificates to internal servers.

I saw that caddy can act as an internal CA, but I would like more.

I’m wondering if it can act as a challenge proxy to external CAs?

So I can point the internal servers' certificate manager (caddy, lego, …) to this relay.

Like this tutorial, but with a ‘tls relay’ instead of ‘tls internal’.

2. Error messages and/or full log output:

None

3. Caddy version:

2.7.4 with caddy plugin

4. How I installed and ran Caddy:

Installed in /usr/local/bin and started from systemd

a. System environment:

Almalinux 9

I’m not sure what you mean by “relay”. Please elaborate in more detail.

The internal server would ask for a certificate to the ‘relay’ caddy server.

The ‘relay’ caddy server would obtain a valid certificate from a public provider, e.g. LE.

The ‘relay’ caddy server would provide the certificate to the internal server.

On the ‘relay’ caddy server, you would have:

acme.mycompany.com {
	acme_server
	tls relay
}

and on the internal server, something like:

myservice1.mycompany.com {
	tls {
		relay acme.mycompany.com
	}
}

Is that clearer?

Are you talking about like an ACME proxy? Like this? GitHub - mdbraber/acmeproxy: Proxy server for ACME DNS challenges written in Go

What is the motivation for such a feature – your use case?

Yes, exactly like acmeproxy.

I want it mostly for the same reason the project highlights.

Internal servers would need external access, with a common API token, which is a security risk, or one token each, which is a lot of work to manage.

If I go with a custom CA, like in the tutorial, it means deploying the CA cert on every internal server AND on every computer contacting those internal servers.
At the moment, we do not have the infrastructure to fully automate such a deployment.

If I could deploy certs from public CA, most, if not all, computers would trust the internal servers by default.
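To make the relay scheme described in this thread concrete, here is an added example (not Caddy's code and not acmeproxy's) of the piece that does the security-relevant work: a DNS-01 challenge relay that keeps the DNS provider credential to itself, gives every internal host its own token, and only lets a host create or remove the `_acme-challenge` TXT record for its own names. The request shape (POST `/present` and `/cleanup` with a JSON body of `fqdn` and `value`, HTTP basic auth) is modelled on the convention lego's `httpreq` DNS provider uses and acmeproxy speaks; the credential table, the hostnames and the in-memory stand-in for the DNS provider are all constructed for the example.

```python
"""Minimal ACME DNS-01 challenge relay with per-client scoping.

Added example, not Caddy's or acmeproxy's code.  The request shape (POST
/present and /cleanup, JSON body {"fqdn": ..., "value": ...}, HTTP basic
auth) is modelled on lego's "httpreq" provider convention; the credential
table, hostnames and the in-memory "zone" below are constructed here.
"""
import base64
import hmac
import json
import re

# Constructed credential table: each internal host gets its own token and may
# only satisfy challenges for the names listed.  The DNS provider API token
# stays on the relay and is never handed to clients.
CLIENTS = {
    "myservice1": {"token": "s1-secret", "names": {"myservice1.mycompany.com"}},
    "myservice2": {"token": "s2-secret", "names": {"myservice2.mycompany.com"}},
}

_CHALLENGE_LABEL = "_acme-challenge."
# A DNS-01 TXT value is base64url(SHA-256(key authorization)) without
# padding: exactly 43 characters from the base64url alphabet.
_VALUE_RE = re.compile(r"^[A-Za-z0-9_-]{43}$")


def basic_auth(user, password):
    """Build the Authorization header value an internal host would send."""
    raw = f"{user}:{password}".encode()
    return "Basic " + base64.b64encode(raw).decode()


class ChallengeRelay:
    def __init__(self, clients, zone=None):
        self.clients = clients
        # Stand-in for the DNS provider: fqdn -> set of TXT values.  A real
        # relay would call the provider API here with its own credentials.
        self.zone = {} if zone is None else zone

    def _authenticate(self, auth_header):
        """Return the client name for a valid 'Basic ...' header, else None."""
        if not auth_header or not auth_header.startswith("Basic "):
            return None
        try:
            user, _, pw = base64.b64decode(auth_header[6:]).decode().partition(":")
        except ValueError:  # binascii.Error and UnicodeDecodeError are ValueErrors
            return None
        client = self.clients.get(user)
        if client is None:
            return None
        if not hmac.compare_digest(client["token"].encode(), pw.encode()):
            return None
        return user

    def _authorize(self, user, fqdn):
        """Allow only _acme-challenge.<one of the client's own names>."""
        fqdn = fqdn.lower()
        if not fqdn.endswith("."):
            return None
        host = fqdn[:-1]
        if not host.startswith(_CHALLENGE_LABEL):
            return None
        host = host[len(_CHALLENGE_LABEL):]
        if host not in self.clients[user]["names"]:
            return None
        return fqdn

    def handle(self, path, auth_header, body):
        """Process one relay request; returns (HTTP status, response dict)."""
        user = self._authenticate(auth_header)
        if user is None:
            return 401, {"error": "unauthorized"}
        if path not in ("/present", "/cleanup"):
            return 404, {"error": "not found"}
        try:
            req = json.loads(body)
            fqdn, value = req["fqdn"], req["value"]
        except (ValueError, KeyError, TypeError):
            return 400, {"error": "bad request"}
        if not isinstance(fqdn, str) or not isinstance(value, str):
            return 400, {"error": "bad request"}
        if not _VALUE_RE.match(value):
            return 400, {"error": "bad request"}
        fqdn = self._authorize(user, fqdn)
        if fqdn is None:
            return 403, {"error": "forbidden"}
        if path == "/present":
            self.zone.setdefault(fqdn, set()).add(value)
        else:
            self.zone.get(fqdn, set()).discard(value)
        return 200, {"ok": True}


if __name__ == "__main__":
    relay = ChallengeRelay(CLIENTS)
    body = json.dumps({"fqdn": "_acme-challenge.myservice1.mycompany.com.",
                       "value": "A" * 43})
    print(relay.handle("/present", basic_auth("myservice1", "s1-secret"), body))
    print(relay.handle("/present", basic_auth("myservice2", "s2-secret"), body))
    print(relay.zone)
```

The check that matters is in `_authorize`: authentication alone is not enough, because a host that can set `_acme-challenge` TXT records for any name in the zone can obtain certificates for any name in the zone. Binding each token to an explicit name list, and rejecting anything that is not exactly `_acme-challenge.<own name>.`, is what keeps a compromised internal server from escalating to the whole domain.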

I see; do you think this plugin would help you?

i.e. you set up your credentialed client using

at your edge, and then your internal systems use that.

I can test it. Thanks for the pointers.

It seems to be limited on access control.

And to my original question, the answer is: No, caddy does not support it.
