I’m setting up several caching nodes to serve OS images and driver packs locally at various locations.
I plan to keep the content synchronized with rsync and inotifywait (or lsyncd).
I would also like to use a wildcard certificate to prevent host names from appearing publicly in places such as https://crt.sh/.
Traditionally our company has only managed one wildcard cert, but given the fact that there are two valid certs at renewal time, I’m under the impression that we can manage as many wildcard certs as we would like (within reason and threshold limits of course).
I’ve read about running Caddy with shared storage using one of the third party modules. We have a MinIO S3 instance at our disposal that we could use, but I was hoping not to use xcaddy to integrate any plugins unless necessary.
That said, given that the nodes are running on Ubuntu Server 24.04, I would prefer to use a Caddy module rather than a shared SMB mount (we're mostly a Windows Server environment).
What is the most common approach to keeping a Caddy Cluster synchronized? Would I be best served by a shared NFS mount shared from the primary server, one of the S3 modules, or some other shared storage method?
The most common approach is using a common storage driver with proper locking capabilities for atomic operations. I know Redis is popular. I’ve used PostgreSQL for a one-off project. I remember reading NFS and S3 don’t have proper atomic locking guarantees, so I wouldn’t be comfortable recommending either.
Our public facing name servers are currently hosted from Windows. I had assumed there was a Windows Server module to handle the DNS-01 challenge, but I can’t find it. Does one exist?
If not, I suppose I could make use of Posh-ACME (which has a Windows-Only DNS plugin), and then manually point Caddy to the .crt and .key files. This would then allow me to use rsync for cert distribution, and I would not need Redis. Of course, I would also need to use Cygwin or cwRsync, or some other creative method to get the certs distributed from Windows to Linux.
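One way to script the Posh-ACME route described above, as an added example that is not code from the thread: it issues the wildcard cert through the Windows DNS plugin, checks expiry, locks down the staging directory and writes a checksum manifest before rsync ships the files. Hostnames, paths and the zone are placeholders, and the plugin argument names are my understanding of the Posh-ACME Windows plugin guide, so verify them for the version you install.

```powershell
# Added example, not code from the thread. Assumptions (placeholders): DNS server
# 'dns01.corp.example', zone example.com, staging path C:\CaddyCerts.
Import-Module Posh-ACME

$Domain     = '*.example.com'
$Contact    = 'hostmaster@example.com'
$StageDir   = 'C:\CaddyCerts\example.com'
$PluginArgs = @{ WinServer = 'dns01.corp.example' }   # add WinCred = (Get-Credential) if the
                                                      # scheduled-task account cannot edit the zone

Set-PAServer LE_STAGE   # prove the flow against staging first, then switch to LE_PROD

function Publish-CaddyCert {
    param([Parameter(Mandatory)] $PACert, [Parameter(Mandatory)] [string] $Dir)

    # Refuse to publish a chain that is expired or about to expire.
    $leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $PACert.CertFile
    if ($leaf.NotAfter -lt (Get-Date).AddDays(7)) {
        throw "Certificate for $($leaf.Subject) expires $($leaf.NotAfter); not publishing"
    }

    New-Item -ItemType Directory -Force -Path $Dir | Out-Null
    # Only SYSTEM and Administrators may read the staged private key.
    icacls $Dir /inheritance:r /grant:r 'SYSTEM:(OI)(CI)F' 'Administrators:(OI)(CI)F' | Out-Null

    # Write to temp names and rename, so rsync never ships a half-written file.
    foreach ($pair in @(@($PACert.FullChainFile, 'fullchain.pem'), @($PACert.KeyFile, 'privkey.pem'))) {
        $tmp = Join-Path $Dir ($pair[1] + '.tmp')
        Copy-Item $pair[0] $tmp -Force
        Move-Item $tmp (Join-Path $Dir $pair[1]) -Force
    }
    # Manifest the Linux nodes can verify after transfer with 'sha256sum -c SHA256SUMS'.
    Get-ChildItem $Dir -Filter '*.pem' |
        ForEach-Object { "$((Get-FileHash $_.FullName -Algorithm SHA256).Hash.ToLower())  $($_.Name)" } |
        Set-Content (Join-Path $Dir 'SHA256SUMS') -Encoding ascii
    return $leaf.Thumbprint
}

# Initial issuance; on later scheduled runs use Submit-Renewal instead.
$cert = New-PACertificate $Domain -Plugin Windows -PluginArgs $PluginArgs -AcceptTOS -Contact $Contact
if ($cert) {
    Publish-CaddyCert -PACert $cert -Dir $StageDir
    # Ship $StageDir with cwRsync (or rsync under WSL), then 'caddy reload' on each node, whose
    # Caddyfile points at the files, e.g.:
    #   tls /etc/caddy/certs/example.com/fullchain.pem /etc/caddy/certs/example.com/privkey.pem
}
```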
Yes. That is correct. DNS is hosted on-premises at the moment.
We do plan to transition to cloud hosting. It just keeps getting delayed… this would be a good reason to bump it up the priority list.
I suppose I should have asked: “Is there a Caddy module to interface with Windows DNS Servers”.
There isn’t. I searched, and it appears Windows DNS server is only manageable via the command line. This is what Posh-ACME does. Someone could port the logic into a libdns module, and subsequently a Caddy DNS provider, but nobody has taken that up yet.
I might take a look at this, sounds like a fun problem! The good news is I think the Windows Server DNS service is manageable via WMI, and Microsoft “maintains” a WMI golang module.
I’m spinning up a Server 2022 VM and I’ll see if I can push records into it. If there’s meaningful progress, I’ll open up a new CertMagic/libdns thread in the coding section.