1. Output of caddy version:
v2.6.2 h1:wKoFIxpmOJLGl3QXoo6PNbYvGW4xLEgo32GPBEjWL8o=
2. How I run Caddy:
I run Caddy with my main Caddyfile in /srv/Caddyfile and an import /srv/Caddyfile in the default /etc/caddy/Caddyfile. The reason is that I store all my infrastructure details in /srv to make moving servers a little easier and administration streamlined. Docker container data - like Docker Compose files etc. - also live there. If it’s a server, it goes there.
a. System environment:
root@birb:~# cat /etc/os-release
PRETTY_NAME="Debian GNU/Linux 11 (bullseye)"
NAME="Debian GNU/Linux"
VERSION_ID="11"
VERSION="11 (bullseye)"
VERSION_CODENAME=bullseye
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"
root@birb:~# cat /etc/debian_version
11.5
root@birb:~# which caddy
/usr/bin/caddy
root@birb:~# dpkg -l | grep -i caddy
ii caddy 2.6.2 amd64 Caddy - Powerful, enterprise-ready, open source web server with automatic HTTPS written in Go
root@birb:~# cat /etc/apt/sources.list.d/caddy-stable.list
# Source: Caddy
# Site: https://github.com/caddyserver/caddy
# Repository: Caddy / stable
# Description: Fast, multi-platform web server with automatic HTTPS
deb [signed-by=/usr/share/keyrings/caddy-stable-archive-keyring.gpg] https://dl.cloudsmith.io/public/caddy/stable/deb/debian any-version main
deb-src [signed-by=/usr/share/keyrings/caddy-stable-archive-keyring.gpg] https://dl.cloudsmith.io/public/caddy/stable/deb/debian any-version main
b. Command:
I use the SystemD unit.
c. Service/unit/compose file:
SystemD
d. My complete Caddy config:
This is actually what I am asking about.
3. The problem I’m having:
I am preparing to build a new network infrastructure for my home network with the grand idea to link my home network to my remote VPS using a VPN - both to secure what goes in and out, but also to expose local services to the internet and to just make them generally more accessible when I am not at home.
I asked a question on GitHub with a similar topic and was pointed to transport http and its TLS CA option.
Here are my questions:
- Which root CA does Caddy use to make self-signed certs so I know which one to copy over?
- Would it actually be possible to just generate a wildcard cert and instead copy it “down” into the home network? I plan on using my birb.it domain as the local DNS and lookup domain, meaning that it’d be neat to have a properly signed HTTPS cert that I could use on my local network and during remote access; using my DNS nameservers to resolve to the network local IP when at home and the public IP when I am not. This, however, would mean that I would have to stop Caddy from generating certificates on my local network - and instead use one provided by my “upstream”.
Here is a bit of a mock-config of what I would like to achieve:
# On the VPS:
*.birb.it {
    reverse_proxy * $home_network_vpn_ip
}

# On my NanoPi at home:
{
    disable_auto_cert_gen
    use_cert_from $cert_downloaded_from_vps
}
jellyfin.birb.it {
    reverse_proxy * localhost:9000
}
paperless.birb.it {
    reverse_proxy * localhost:9001
}
# $device.local.birb.it -> resolves to individual devices through mDNS/DHCP, does not need TLS cert and probably no Caddyfile either.
I have yet to figure out the proper solution I want to use for the link between my home network and the VPS - but I am guessing to either use Wireguard or OpenVPN. But, this is not in the scope of this… so, just assume I have “a VPN” set up.
4. Error messages and/or full log output:
None, my NanoPi is still shipping… ^^’
5. What I already tried:
I did read the transport http documentation and tried to find which default CA is used when generating self-signed certificates. But either I looked in the wrong place or overlooked it, I couldn’t find it…
6. Links to relevant resources:
- My previous github issue: Caddy to Caddy reverse proxy with self-signed SSL? · Issue #5220 · caddyserver/caddy · GitHub
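Added example, not from the post above or from the Caddy project: one configuration Caddy supports for the pattern the post sketches, with the home Caddy issuing certificates from Caddy's built-in internal CA (`tls internal`) and the VPS trusting that CA's root when it proxies across the VPN via `transport http`. Two Caddyfiles are shown in one block; the VPN address 10.8.0.2, the copied-root path /srv/home-root.crt and the snippet name via_vpn are assumptions.

```caddyfile
# ---- On the VPS (public side) ----
# Explicit hostnames so the HTTP/TLS-ALPN ACME challenges work; a *.birb.it
# wildcard would need the DNS challenge and a DNS provider module instead.
# Snippet: proxy one hostname to the home Caddy over the VPN, verifying the
# upstream's certificate against the home CA root copied up from the NanoPi.
(via_vpn) {
	reverse_proxy https://10.8.0.2 {
		transport http {
			# Trust the home Caddy's internal CA root for this upstream
			# (assumed path; only the root certificate is copied, never its key)
			tls_trusted_ca_certs /srv/home-root.crt
			# SNI must match the site the home Caddy serves; the Host header
			# is passed through unchanged, so the home side sees the real name.
			tls_server_name {args.0}
		}
	}
}

jellyfin.birb.it {
	import via_vpn jellyfin.birb.it
}

paperless.birb.it {
	import via_vpn paperless.birb.it
}

# ---- On the NanoPi at home ----
# "tls internal" makes Caddy issue these certificates from its own local CA
# instead of contacting a public ACME CA. That CA's root certificate lives
# under Caddy's data directory; for the Debian package's systemd service:
#   /var/lib/caddy/.local/share/caddy/pki/authorities/local/root.crt
jellyfin.birb.it {
	tls internal
	reverse_proxy localhost:9000
}

paperless.birb.it {
	tls internal
	reverse_proxy localhost:9001
}
```

Local clients that resolve jellyfin.birb.it straight to the home IP would also need that root in their own trust stores, which is the trade-off against copying a publicly trusted certificate down that the post is weighing.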