Caddy on the Edge

1. The problem I’m having:

We have a tricky situation we’re trying to address. Our application deployment necessitates being able to operate even when there is no Internet. Usually no device will go more than 24-72 hours without Internet access. As a result, we cannot guarantee that Let’s Encrypt, or whatever ACME CA, will be accessible by the edge systems.

Here are our questions:

  • How would Caddy handle this?
  • Would the cert validation still succeed, even when the host can’t reach the Internet?

Hi Josh, welcome!

Caddy will need Internet access to some extent in order to obtain an initial certificate. But for renewals, Caddy can tolerate being offline up to 1/3 of the certificate lifetime. For Let’s Encrypt certificates, which are valid for 90 days, that’s 30 days of downtime. It should fall back and retry with exponential decay.

Although you will need Internet access to initiate and finalize an “order” (for a cert), the actual validation can be done without the host having external Internet access with the DNS challenge. The DNS challenge requires you set a DNS record, and the ACME CA doesn’t need to actually contact your server.

That said, the actual Caddy instance doesn’t necessarily need to be the one to have external access (but something on your edge will). I think this plugin helps with that:

By the way, I would highly recommend a sponsorship to support your deployment :100:. Available tiers are here along the right:

This way we can help you before things go wrong, and you can help ensure ongoing maintenance of the project. :+1:

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.