Controlling certificate management for VPS<->VPN link

1. Output of caddy version:

v2.6.2 h1:wKoFIxpmOJLGl3QXoo6PNbYvGW4xLEgo32GPBEjWL8o=

2. How I run Caddy:

I run Caddy with my main Caddyfile in /srv/Caddyfile and an import /srv/Caddyfile in the default /etc/caddy/Caddyfile. The reason is that I store all my infrastructure details in /srv to make moving servers a little easier and administration streamlined. Docker container data - like Docker Compose files etc. - also live there. If it’s a server, it goes there.

a. System environment:

root@birb:~# cat /etc/os-release
PRETTY_NAME="Debian GNU/Linux 11 (bullseye)"
NAME="Debian GNU/Linux"
VERSION="11 (bullseye)"
root@birb:~# cat /etc/debian_version
root@birb:~# which caddy
root@birb:~# dpkg -l | grep -i caddy
ii  caddy                         2.6.2                                  amd64        Caddy - Powerful, enterprise-ready, open source web server with automatic HTTPS written in Go
root@birb:~# cat /etc/apt/sources.list.d/caddy-stable.list
# Source: Caddy
# Site:
# Repository: Caddy / stable
# Description: Fast, multi-platform web server with automatic HTTPS

deb [signed-by=/usr/share/keyrings/caddy-stable-archive-keyring.gpg] any-version main

deb-src [signed-by=/usr/share/keyrings/caddy-stable-archive-keyring.gpg] any-version main

b. Command:

I use the systemd unit.

c. Service/unit/compose file:


d. My complete Caddy config:

This is actually what I am asking about. :)

3. The problem I’m having:

I am preparing to build a new network infrastructure for my home network with the grand idea to link my home network to my remote VPS using a VPN - both to secure what goes in and out, but also to expose local services to the internet and to just make them generally more accessible when I am not at home.

I asked a question on Github with a similar topic and was pointed to transport http and its TLS CA option.

Here are my questions:

  1. Which root CA does Caddy use to make self-signed certs so I know which one to copy over?
  2. Would it actually be possible to just generate a wildcard cert and instead copy it “down” into the home network? I plan on using my domain as the local DNS and lookup domain, meaning that it’d be neat to have a properly signed HTTPS cert that I could use on my local network and during remote access; using my DNS nameservers to resolve to the network-local IP when at home and the public IP when I am not. This, however, would mean that I would have to stop Caddy from generating certificates on my local network - and instead use one provided by my “upstream”.

Here is a bit of a mock-config of what I would like to achieve:

# On the VPS:
$public_domain {
  reverse_proxy $home_network_vpn_ip
}

# On my NanoPi at home:
$service_a_domain {
  # use the cert/key copied down from the VPS instead of having Caddy issue one
  tls $cert_downloaded_from_vps $key_downloaded_from_vps
  reverse_proxy localhost:9000
}

$service_b_domain {
  tls $cert_downloaded_from_vps $key_downloaded_from_vps
  reverse_proxy localhost:9001
}

# $ -> resolves to individual devices through mDNS/DHCP, does not need a TLS cert and probably no Caddyfile either.

I have yet to figure out the proper solution I want to use for the link between my home network and the VPS - but I am guessing I will use either WireGuard or OpenVPN. But this is not in the scope of this… so, just assume I have “a VPN” set up. :)

4. Error messages and/or full log output:

None, my NanoPi is still shipping… ^^’

5. What I already tried:

I did read the transport http documentation and tried to find which default CA is used when generating self-signed certificates. But either I looked in the wrong place or overlooked it; I couldn’t find it…

6. Links to relevant resources:

Caddy uses its own root CA, which it generates.

The certs and keys are in Caddy’s storage location, which should be /var/lib/caddy/.local/share/caddy if you’re running with the deb package and systemd. The root cert will be at pki/authorities/local/root.crt.

Or you can fetch the root cert from the API if you’re feeling fancy:

I wouldn’t recommend it. The certs are managed, and they renew every ~60 days, so it would mean you’d need to copy the new ones by hand regularly (or set up sidecar scripts to do that for you) which is not very nice.

Maybe you could just not run a Caddy instance on your VPS, and instead just route all HTTP/HTTPS traffic over a tunnel (SSH or WireGuard I guess, there’s other options too) to your home server. Then you pretty much need no funny business, other than I guess a local DNS server to make your domains resolve to your LAN IPs. ACME issuance will still happen properly because ACME issuers’ challenge requests would be routed to your home Caddy instance, and it would own the certificates.
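To make the "transport http and its TLS CA option" route concrete, here is an added example config that is not from either post above. It wires the two sides the other way round from what the question sketches: the home Caddy keeps issuing its own certs from its internal CA, and only that CA's long-lived root.crt (the file from pki/authorities/local/ named above) is copied up to the VPS once, so nothing short-lived ever has to be copied by hand. The hostnames home.example.com and home.internal, the VPN address 10.0.0.2 and the path /srv/tls/home-root.crt are placeholders I made up for the example.

```caddyfile
# ---- On the VPS (public side) ----
# This instance gets its publicly trusted cert via ACME as usual and proxies
# to the home Caddy over the VPN. The home side presents a cert from Caddy's
# internal CA, so we tell the transport to trust that CA's root instead of
# the system trust store. Assumed placeholders:
#   home.example.com        public hostname served by the VPS
#   10.0.0.2                the NanoPi's address inside the VPN
#   home.internal           name the home Caddy's internal cert is issued for
#   /srv/tls/home-root.crt  copy of the home instance's pki/authorities/local/root.crt
home.example.com {
	reverse_proxy https://10.0.0.2 {
		# the home site block matches on Host, so send the internal name;
		# Caddy still sets X-Forwarded-Host to the original public name
		header_up Host home.internal

		transport http {
			# root of the home Caddy's internal CA, copied over once
			tls_trusted_ca_certs /srv/tls/home-root.crt
			# SNI and the name the upstream's cert must match
			tls_server_name home.internal
		}
	}
}

# ---- At home (NanoPi) ----
# Serve the internal name with Caddy's built-in CA. The leaf cert this
# produces is rotated by Caddy on its own; only the root above leaves the box.
home.internal {
	tls internal
	reverse_proxy localhost:9000
}
```

Before copying the root, it is worth checking that you grabbed the right file: `openssl x509 -in root.crt -noout -subject -issuer -enddate` should print identical subject and issuer lines (it is self-signed) and an expiry years out, not the short lifetime of the leaf certs. If you would rather go the direction the question asks for (VPS-issued cert copied down to the LAN), the same `tls_trusted_ca_certs` trick applies in reverse, but you then inherit the renewal problem the reply above warns about.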