Caddy 2 SSL on demand from Caddyfile and Cloudflare from Caddyfile

Is it possible to configure SSL on demand for all domains from the Caddyfile, and also Cloudflare DNS for one domain from the Caddyfile as well?

If not, can I use the Caddyfile for configuring domains and servers, and JSON just for SSL on demand and Cloudflare? Can Caddy 2 work with both config adapters?

Unfortunately, on-demand TLS isn’t supported via the Caddyfile yet, only via JSON. See here for config info: JSON Config Structure - Caddy Documentation

I think what you’ll want to do is create two different policies (see JSON Config Structure - Caddy Documentation), one with the domain you want to enable the DNS challenge for (setting "host" to ["yourdomain.com"] to only enable it for that domain), and the other with on_demand enabled (and with "host" being empty, which I think is catch-all but I’m not 100% certain here, @matt could clarify).

So the way Caddy deals with config internally is entirely using JSON. So what you could do is load an initial Caddyfile config, then use the admin API to push any modifications you wish to make after running it. Or, you can just use caddy adapt to get the underlying JSON representation the Caddyfile would map to, then make your modifications to that (you could script it with jq for example).
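One way to carry out the two-policy approach described here, as an added example that is not code from this thread or from the Caddy project: take the JSON that `caddy adapt` produces, append a policy that enables the DNS challenge for one explicit domain, append a catch-all policy with `on_demand` enabled and an empty `hosts` list, and set the on-demand `ask` endpoint and rate limit so a catch-all does not request a certificate for every hostname a client presents. The field names follow the JSON config posted later in this thread (a Caddy 2 beta; check the JSON docs for your release, since some names have changed since). The sample adapted config, the `example.com` domain, the `ask` URL, the rate-limit values and the `{env.CLOUDFLARE_API_TOKEN}` placeholder are all assumptions of this example.

```python
import copy
import json
import sys

# Constructed sample: roughly what `caddy adapt --config Caddyfile` emits for a
# one-site Caddyfile. Field names follow the JSON config posted in this thread.
ADAPTED_CONFIG = {
    "apps": {
        "http": {
            "servers": {
                "srv0": {
                    "listen": [":443"],
                    "routes": [
                        {
                            "match": [{"host": ["example.com"]}],
                            "handle": [{"handler": "file_server"}],
                            "terminal": True,
                        }
                    ],
                }
            }
        }
    }
}


def dns_policy(domain, email, provider="cloudflare"):
    """Automation policy that uses the DNS challenge for one explicit domain."""
    return {
        "hosts": [domain],
        "management": {
            "module": "acme",
            "email": email,
            "challenges": {
                "dns": {
                    "provider": provider,
                    # Assumption: the token is read from the environment through
                    # Caddy's {env.*} placeholder instead of being written into the file.
                    "api_token": "{env.CLOUDFLARE_API_TOKEN}",
                }
            },
        },
        "on_demand": False,
    }


def on_demand_policy():
    """Catch-all policy: empty hosts list, certificates obtained on demand."""
    return {"hosts": [], "on_demand": True}


def add_tls_automation(config, dns_domain, email, ask_url, interval, burst):
    """Return a copy of `config` with the two policies and on-demand limits added."""
    cfg = copy.deepcopy(config)
    automation = cfg["apps"].setdefault("tls", {}).setdefault("automation", {})
    policies = automation.setdefault("policies", [])
    # Explicit-domain policy first so it is the one that applies to that domain.
    policies.append(dns_policy(dns_domain, email))
    policies.append(on_demand_policy())
    automation["on_demand"] = {
        "rate_limit": {"interval": interval, "burst": burst},
        "ask": ask_url,
    }
    return cfg


def audit_on_demand(config):
    """List the on-demand settings that leave certificate issuance unrestricted."""
    findings = []
    on_demand = config["apps"].get("tls", {}).get("automation", {}).get("on_demand", {})
    if not on_demand.get("ask"):
        findings.append("ask is empty: any SNI name a client sends will trigger an ACME request")
    if not on_demand.get("rate_limit", {}).get("burst"):
        findings.append("rate_limit.burst is 0: no explicit cap on issuance attempts")
    return findings


def render(config):
    """Serialize the config the way caddy expects to load it."""
    return json.dumps(config, indent=2)


if __name__ == "__main__":
    # Read adapted JSON from stdin when piped; otherwise use the constructed sample.
    source = json.load(sys.stdin) if not sys.stdin.isatty() else ADAPTED_CONFIG
    merged = add_tls_automation(
        source,
        dns_domain="example.com",
        email="admin@example.com",
        ask_url="http://127.0.0.1:9000/ask",  # assumption: a local allow-list endpoint
        interval="1m",  # assumption: duration string accepted by this release
        burst=5,
    )
    for finding in audit_on_demand(merged):
        print("warning:", finding, file=sys.stderr)
    print(render(merged))
```

Pipe the adapter output through it (`caddy adapt --config Caddyfile | python3 add_tls.py > caddy.json`) and then run `caddy validate --config caddy.json` before loading it; `audit_on_demand` flags the two settings that, left at their empty values, let an on-demand catch-all request a certificate for any name sent in SNI.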

Is there maybe any Caddyfile to JSON converter out there?

That’s the caddy adapt command built into the binary! :stuck_out_tongue:


What is wrong with this config?

Error that caddy is reporting is:

2020/03/17 15:47:11.183 INFO http enabling automatic HTTP->HTTPS redirects {"server_name": "srv0"} run: loading initial config: loading new config: loading app modules: module name 'tls': decoding module config: tls: json: unknown field "on_demand"

"tls":{
   "automation":{
      "policies":[
         {
            "hosts":[
               "private"
            ],
            "management":{
               "challenges":{
                  "dns":{
                     "provider":"cloudflare",
                     "api_token":"private"
                  }
               },
               "module":"acme",
               "email": "private"
            },
            "on_demand":false
         },
         {
            "hosts":[],
            "on_demand":true
         }
      ],
      "on_demand": {
         "rate_limit": {
            "interval": 0,
            "burst": 0
         },
         "ask": ""
      }
   }
}

But in the official documentation there is an on_demand field in policies?

Not sure… without the whole config file to reproduce the problem (without redactions).

Try taking out on_demand keys until it works, then you’ll know which one is the problematic one.

Here is my config without Cloudflare; I am just trying to catch all domains right now, but it is unsuccessful:

{
   "apps":{
      "http":{
         "servers":{
            "srv0":{
               "listen":[
                  ":443"
               ],
               "routes":[
                  {
                     "match":[
                        {
                           "host":[
                              "*.*"
                           ]
                        }
                     ],
                     "handle":[
                        {
                           "handler":"subroute",
                           "routes":[
                              {
                                 "handle":[
                                    {
                                       "handler":"vars",
                                       "root":"/usr/share/caddy"
                                    }
                                 ]
                              },
                              {
                                 "handle":[
                                    {
                                       "handler":"rewrite",
                                       "uri":"{http.matchers.file.relative}"
                                    }
                                 ],
                                 "match":[
                                    {
                                       "file":{
                                          "try_files":[
                                             "{http.request.uri.path}.html",
                                             "{http.request.uri.path}"
                                          ]
                                       }
                                    }
                                 ]
                              },
                              {
                                 "handle":[
                                    {
                                       "handler":"headers",
                                       "response":{
                                          "set":{
                                             "Cache-Control":[
                                                "max-age=3600,stale-while-revalidate=86400"
                                             ],
                                             "Vary":[
                                                "x-fh-requested-host, accept-encoding"
                                             ]
                                          }
                                       }
                                    },
                                    {
                                       "encodings":{
                                          "brotli":{},
                                          "gzip":{},
                                          "zstd":{}
                                       },
                                       "handler":"encode"
                                    },
                                    {
                                       "handler":"file_server",
                                       "hide":[
                                          "Caddyfile"
                                       ]
                                    }
                                 ]
                              }
                           ]
                        }
                     ],
                     "terminal":true
                  }
               ],
               "experimental_http3":true
            }
         }
      },
      "tls":{
         "automation":{
            "policies":[
               {
                  "hosts":[
                     "*.*"
                  ],
                  "on_demand":true
               }
            ],
            "on_demand": {
               "rate_limit": {
                  "interval": 0,
                  "burst": 0
               },
               "ask": ""
            }
         }
      }
   }
}

That configuration works for me:

$ caddy validate --config ~/Desktop/caddy_dejan.json
2020/03/17 16:35:40.650 INFO    using provided configuration    {"config_file": "/Users/matt/Desktop/caddy_dejan.json", "config_adapter": ""}
2020/03/17 10:35:40 [INFO][cache:0xc0005925f0] Started certificate maintenance routine
2020/03/17 16:35:40.652 INFO    http    server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS {"server_name": "srv0", "https_port": 443}
2020/03/17 16:35:40.652 WARN    http    most clients do not trust second-level wildcard certificates (*.tld)    {"domain": "*.*"}
2020/03/17 16:35:40.652 INFO    http    enabling automatic HTTP->HTTPS redirects        {"server_name": "srv0"}
2020/03/17 10:35:40 [INFO][cache:0xc0005925f0] Stopped certificate maintenance routine
Valid configuration

It is returning:

2020/03/17 16:40:52 http: TLS handshake error from IP: no certificate available for 'domain.tld'

for all domains.

It works fine when you specify the full domain name, like domain1.tld or domain2.tld; it just won't work with catch-all domains with SSL on demand.
