Can Caddy be used in this case?

Hi,

first of all, I’m not a network engineer or system admin, so I don’t have much background knowledge about these things. I’m a (some kind of super-) user in the first place, but I am faced with some questions nobody could answer in my corp.

We just got new software which is built up from a couple of containers providing web apps, all running on Docker. In order to get rid of security warnings about insecure certificates, the software vendor told me to obtain certificates for the services via Let’s Encrypt via DNS challenge, and put a proxy in front of them. They gave me the advice to use Caddy because it is “super simple”.

I asked our IT supporter for help on this, but the answer was that it wouldn’t work, because of restrictions on our network’s internet connection.

“The firewall blocks all DNS traffic except from an internal DNS server, which is forwarding all requests via DNSSEC to the provider DNS. So all internal systems have to use this DNS server, including the containers. And because Caddy needs to talk to the “authoritative DNS”(?) directly to get the certificates, that will not work.”

I’ve read a lot of documentation about Caddy and some topics here in the last days, but I still have no clue whether Caddy can handle the certificates in this environment or not.

Can anyone give me some advice or links to more specific information about it?

Thanks in advance.

Great question, welcome to the community!

I’m not 100% sure what is exactly allowed or not in your company, but here’s what Caddy needs for the DNS challenge and how it can be flexible:

  • Caddy needs to make requests out to your DNS provider (the service where your nameservers are) to create and clean up a DNS record. These are typically normal HTTPS requests that involve a DNS lookup themselves (since the requests are typically to a domain name).
  • Caddy needs to be able to look up DNS records itself with an authoritative lookup. The resolvers for this lookup are configurable, so you can use your own.
  • No inbound external connections are needed.

I would be surprised if Caddy can’t do what you need, but the best way to find out is to try it. Make sure to configure your internal DNS resolver for that authoritative lookup.

2 Likes

Hi Matt,

thanks for your response. I’ve tried to dig into these things further.

The restrictions are very high:

  • traffic from external is only allowed for VPN, which is routed to our VPN gateway
  • outgoing is allowed for HTTPS from all clients and from servers which are whitelisted
  • DNS, NTP, SMTP, etc. are only allowed to internal servers
  • these servers are allowed to connect to the provider servers

I figured out that the domains are registered and hosted via netcup, so I assume the authoritative server is sitting there.

I’ve asked our IT supporter for the configuration to be customized so that the authoritative lookup works, but instead I got an offer for a standard certificate with 1 year lifetime for nearly 400€. As far as I understood the software vendor support, I would need a minimum of three of those certificates to get everything working as expected.

But if I understand it correctly, there is only the need to allow the Caddy container to do DNS lookups by itself, so only outgoing traffic from this container to the hosting provider DNS (netcup) is required to get Caddy working. I think this is not really a security issue if this would be allowed, is it?

I’ve also looked into the docs on how to set up a Caddy container and even found an image with the netcup module bundled, so I will give it a try; hopefully I get the container to talk to the provider DNS when the IT support allows it.

Thanks again!
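Putting the requirements from Matt’s list together with the netcup module mentioned above, here is one way the Caddyfile could look. This is an added example, not the poster’s configuration and not the netcup module’s own documentation: the option names under `dns netcup` follow that module’s README as I recall it (check against the image you use), the hostnames, the resolver address `10.0.0.53` and the upstream names are placeholders, and `propagation_delay` needs a recent Caddy 2.x release.

```caddyfile
# Shared TLS settings for every app, pulled in with `import dns01` below.
# Credentials come from environment variables set in docker compose, so the
# API key never sits in the Caddyfile itself.
(dns01) {
	tls {
		dns netcup {
			customer_number {env.NETCUP_CUSTOMER_NUMBER}
			api_key {env.NETCUP_API_KEY}
			api_password {env.NETCUP_API_PASSWORD}
		}

		# Where Caddy sends its own lookups while checking that the
		# _acme-challenge TXT record is visible before it asks Let's Encrypt
		# to validate. Pointing this at the internal DNS server the firewall
		# already allows means Caddy needs no direct path to the provider's
		# nameservers. Leave the line out and Caddy queries the zone's
		# authoritative servers directly, which needs the firewall rule.
		resolvers 10.0.0.53

		# A caching resolver may hold an old (empty) answer for a while;
		# wait a bit before validating and give up after a sane limit.
		propagation_delay 30s
		propagation_timeout 5m
	}
}

# One site block per web app (placeholder names and container upstreams).
app1.example.com {
	import dns01
	reverse_proxy app1:8080
}

app2.example.com {
	import dns01
	reverse_proxy app2:8080
}
```

Two network paths are still needed from the Caddy container regardless of the `resolvers` setting: outbound HTTPS to the netcup API (to create and remove the TXT record) and outbound HTTPS to Let’s Encrypt; nothing inbound from the internet is required for the DNS challenge.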

That sounds like it should work, right?

  • No incoming connections necessary. (DNS challenge.)
  • Outgoing HTTPS is allowed (if whitelisted – I presume you can add to that list?)
  • DNS is allowed to internal servers (Caddy allows you to configure the DNS resolvers.)
  • Connections to provider servers are allowed.

I think that should be fine.

Yeah that should be fine.

Let us know how it goes. If you hit bumps maybe we can overcome them.

Hi Matt,

I spent a couple of hours figuring out how to set up a Docker container with Caddy; the whitelisting of the container IP to get HTTPS working was just a ticket to the IT support, and the change in local DNS to send the requests to the Caddy server instead of the app containers was just another one.

I set the local DNS server in that container, and so far this was working.

For the netcup module I needed to get some more information, but the staff from netcup were very helpful here; they showed me where to get the API key and all the other stuff I need, like IPs of the NS servers. So I put this all into the docker compose and even this worked.

But then it came to the real challenge here, to get the firewall set up to allow the DNS lookups from the Caddy container to the netcup NS servers - wow, I never thought it would be such a PITA.

I called our IT support, telling the guy what I need, and he told me I had to open a ticket for that, explaining my needs. Ok, so I did. After half a day without any response, the ticket was closed with the remark “not part of contract”. So I called them again. The guy told me that custom firewall rules are not part of our SLA, so he can’t do that. I tried to explain that even if it is not part of our SLA, we are willing to pay for that, but this guy just hung up!

So I did another call to our sales contact there, but this guy just told me they did send us an offer for their “premium class certificates”, and that’s all he can do for us. If we are willing to use “some crappy rubbish certs” from elsewhere, it is our turn to get there, no support from them for this way.

I talked to our boss about this; he was surprised about their behaviour and he did a call there again. Today we had an online meeting with the sales and tech staff of our IT supporter, and we discussed over 2 hours with seven!! people of them, for a simple rule to be added to the firewall. Jesus! Now I know why the Internet is still “Neuland” in Germany!

After this change was done, I’ve restarted the Caddy container and YES, we got the certs we need from LE without any problems.

I’m just curious about the bill they will send us for this… but we will cancel the contract with them anyway now and choose a new supporter next month.

1 Like
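The firewall change in the post above is exactly the kind of thing worth checking from inside the container before Caddy is started, so a failed issuance can be blamed on the network rather than on Caddy or the DNS module. The following is an added example, not code from the thread or from the Caddy project: it builds DNS queries by hand with the standard library (no `dig` needed in a minimal image), asks the internal resolver for the zone’s nameservers, then queries each authoritative address directly for the `_acme-challenge` TXT record Caddy will later create. The resolver address, zone and host in the `__main__` block are placeholders.

```python
"""Pre-flight check for the ACME DNS-01 network path (added example)."""
import json
import socket
import struct
import sys

# Record types used by the check (numeric codes from RFC 1035).
QTYPE = {"A": 1, "NS": 2, "TXT": 16}


def build_query(name: str, qtype: str, txid: int = 0x1234) -> bytes:
    """Encode a one-question DNS query: header (RD set), QNAME, QTYPE, QCLASS IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lb)]) + lb.encode("ascii") for lb in labels) + b"\x00"
    return header + qname + struct.pack("!HH", QTYPE[qtype], 1)


def read_name(msg: bytes, off: int):
    """Decode a domain name at `off`, following RFC 1035 compression pointers.
    Returns (name, offset just past the name as it appears at `off`)."""
    labels, end, jumped = [], off, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                      # compression pointer
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off = True, ptr
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    if not jumped:
        end = off
    return ".".join(labels), end


def parse_answers(msg: bytes):
    """Return (rcode, [(owner, rtype, value), ...]) for the answer section."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                                # skip the question(s)
        _, off = read_name(msg, off)
        off += 4
    answers = []
    for _ in range(an):
        owner, off = read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        if rtype == QTYPE["NS"]:
            value, _ = read_name(msg, off)             # NS target may be compressed
        elif rtype == QTYPE["A"]:
            value = ".".join(str(b) for b in rdata)
        elif rtype == QTYPE["TXT"]:                    # TXT = sequence of <len><chars>
            value, i = "", 0
            while i < rdlen:
                n = rdata[i]
                value += rdata[i + 1:i + 1 + n].decode("ascii", "replace")
                i += 1 + n
        else:
            value = rdata.hex()
        answers.append((owner, rtype, value))
        off += rdlen
    return flags & 0x000F, answers


def query(server: str, name: str, qtype: str, timeout: float = 3.0):
    """One UDP query to server:53; raises socket.timeout if nothing comes back."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, qtype), (server, 53))
        data, _ = s.recvfrom(4096)
    return parse_answers(data)


def preflight(internal_resolver: str, zone: str, host: str) -> dict:
    """Step 1: via the internal resolver, find the zone's NS names and their IPs.
    Step 2: query each authoritative IP directly for _acme-challenge.<host> TXT.
    Any rcode in step 2 (even NXDOMAIN, which is expected before Caddy has created
    the record) proves the path is open; a timeout is the blocked-firewall symptom."""
    report = {"reachable": {}, "blocked": []}
    _, ns_rrs = query(internal_resolver, zone, "NS")
    for _, rtype, ns_name in ns_rrs:
        if rtype != QTYPE["NS"]:
            continue
        _, a_rrs = query(internal_resolver, ns_name, "A")
        for _, atype, addr in a_rrs:
            if atype != QTYPE["A"]:
                continue
            try:
                rcode, txt = query(addr, f"_acme-challenge.{host}", "TXT")
                report["reachable"][ns_name] = {"ip": addr, "rcode": rcode,
                    "txt": [v for _, t, v in txt if t == QTYPE["TXT"]]}
            except socket.timeout:
                report["blocked"].append({"ns": ns_name, "ip": addr})
    return report


if __name__ == "__main__":
    # Placeholders: internal DNS server the firewall allows, the zone, and the host
    # Caddy will request a certificate for. Run from inside the Caddy container.
    resolver, zone, host = (sys.argv[1:4] if len(sys.argv) == 4
                            else ("10.0.0.53", "example.com", "app.example.com"))
    print(json.dumps(preflight(resolver, zone, host), indent=2))
```

Run it as `python3 preflight.py <internal-resolver> <zone> <host>` from the Caddy container. An entry under `blocked` is the egress rule that still has to be opened (or the reason to point Caddy’s `resolvers` at the internal server instead); entries under `reachable` with rcode 3 (NXDOMAIN) are normal before Caddy has written the challenge record.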

Wow, that’s wild!

Thanks for sharing your experience and … sorry that was so difficult. (Glad it wasn’t really a Caddy problem though.)

I would also definitely fire that team and get a new one. Geez.