Define ACME Servers locations for Certs request

1. The problem I’m having:

I want to restrict incoming traffic to my network from the GeoIP white list in my firewall. As I have no requirements to allow incoming connections from the USA, I want to block this country as well. (Current log analysis shows that most traffic brute-forcing known vulnerabilities comes from CN, USA and RU.)
My problem however is that Caddy is requesting new certificates from ACME servers and I am getting requests from USA ACME servers which do not work if I block USA incoming traffic.

2. Error messages and/or full log output:

The error message is clear: ACME says that it cannot reach my server and thus could not issue the cert.

3. Caddy version:

v2.9.1

4. How I installed and ran Caddy:

a. System environment:

Debian, Proxmox, LXC container

b. Command:

/usr/bin/caddy run --environ --config /etc/caddy/Caddyfi

c. Service/unit/compose file:

[Unit]
Description=Caddy
Documentation=https://caddyserver.com/docs/
After=network.target network-online.target
Requires=network-online.target

[Service]
Type=notify
User=caddy
Group=caddy
ExecStart=/usr/bin/caddy run --environ --config /etc/caddy/Caddyfile
ExecReload=/usr/bin/caddy reload --config /etc/caddy/Caddyfile --force
TimeoutStopSec=5s
LimitNOFILE=1048576
PrivateTmp=true
ProtectSystem=full
AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE

[Install]
WantedBy=multi-user.target

d. My complete Caddy config:

mysrv1 {
        reverse_proxy 192.168.x.x:pppp
}

mysrv2 {
        reverse_proxy 192.168.x.x:pppp
}

mysrv3 {
        handle {
                reverse_proxy 192.168.x.x:pppp {
                        header_down Strict-Transport-Security "max-age=15552000; includeSubDomains"
                }
        }
}

5. Links to relevant resources:

Check the documentation on configuring a different ACME provider, if you found one in a nation more to your preferences. Buypass, perhaps? Another alternative might be using DNS challenges, which would let you keep your Caddy server entirely inaccessible.
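As an added illustration (not code from the thread or from the Caddy project), this is how the two suggestions in the reply look in a Caddyfile. With the DNS-01 challenge the CA validates ownership by querying your authoritative DNS, not by connecting to the Caddy host, so ports 80/443 can stay geo-filtered. It assumes a Caddy binary built with the Cloudflare DNS module (any provider under github.com/caddy-dns is configured the same way) and an API token in the CLOUDFLARE_API_TOKEN environment variable; the site names and upstreams are placeholders copied from the question.

```caddyfile
{
	# Option A: keep the default CA but switch every site to the DNS-01
	# challenge, so no inbound connection from the ACME validators is needed.
	# Requires a build that includes the DNS module, e.g.
	#   xcaddy build --with github.com/caddy-dns/cloudflare
	# The token should be scoped to edit DNS records for these zones only.
	acme_dns cloudflare {env.CLOUDFLARE_API_TOKEN}

	# Option B (use instead of A): point Caddy at a different ACME CA.
	# Directory URL and contact e-mail are placeholders; take the real
	# endpoint from the provider's documentation.
	# acme_ca https://acme.example-ca.invalid/directory
	# email admin@example.com
}

mysrv1 {
	reverse_proxy 192.168.x.x:pppp
}

mysrv2 {
	reverse_proxy 192.168.x.x:pppp
}

mysrv3 {
	handle {
		reverse_proxy 192.168.x.x:pppp {
			header_down Strict-Transport-Security "max-age=15552000; includeSubDomains"
		}
	}
}
```

Run caddy validate --config /etc/caddy/Caddyfile before reloading: a missing DNS module shows up there as an unknown module error rather than at the next renewal. Note that with option B the HTTP-01/TLS-ALPN-01 validators of the new CA still need to reach the host, so its validation sources must be allowed through the GeoIP filter; only option A removes that requirement.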
