Caddy is unaffected by Let's Encrypt disabling the TLS-SNI challenge

(Matt Holt) #1

I just want to clarify that with Let’s Encrypt disabling the TLS-SNI challenge (one of the 3 ways Caddy uses ACME to verify your ownership of your domain name to obtain certificates), Caddy is unaffected and you do not need to take any action as long as Caddy can still use the HTTP challenge on your server. Meaning, if port 80 is available to Caddy or forwarded to Caddy, you’re fine. Otherwise, you will need to configure the DNS challenge. This is easy to do with plugins and only requires 1 line of Caddyfile and probably environment variables for DNS provider credentials.

Anyway, if you do encounter a bug in Caddy (it’s possible – this is new ground after all) file an issue and we will look into it together! But Caddy and its underlying ACME implementation, lego, were designed for situations such as these and should not require any changes or action on your part.

Update: Caddy now supports the TLS-ALPN challenge, TLS-SNI’s replacement, so it no longer relies solely on the HTTP challenge and once again, supports two challenge types by default, automatically.
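The two situations the post describes, written out as an added Caddyfile example (not from the original post or from the Caddy project's own docs). It uses the Caddy v1 `tls { dns <provider> }` syntax of that era; the site names, the choice of Cloudflare as the DNS provider plugin, and the credential variable names are assumptions for illustration, so check the provider plugin's documentation for the variables it actually reads.

```caddyfile
# Case 1: port 80 reaches Caddy (directly or via port forwarding).
# Nothing to configure: Caddy obtains the certificate with the HTTP
# challenge automatically. TLS-SNI being disabled changes nothing here.
site-a.example.com {
    root /var/www/site-a
}

# Case 2: port 80 is NOT available to Caddy (blocked, or used by something
# else), so the HTTP challenge cannot work. Switch this site to the DNS
# challenge with one line inside the tls block. The DNS provider plugin
# (here "cloudflare", an assumed choice) must be built into the Caddy
# binary, and its API credentials are supplied as environment variables
# rather than in the Caddyfile, e.g. (assumed names for this provider):
#   CLOUDFLARE_EMAIL=admin@example.com
#   CLOUDFLARE_API_KEY=<placeholder, keep out of version control>
site-b.example.com {
    root /var/www/site-b
    tls {
        dns cloudflare
    }
}
```

Keeping the credentials in environment variables means the Caddyfile can be committed and reviewed without leaking a DNS API key, and the key itself should be scoped to DNS edits on the zone in question if the provider supports it.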
