How do I achieve Caddy auto-TLS via Let's Encrypt without DNS?

I’m sure this is a typical scenario, but I can’t find the appropriate sequence of steps.

I have an existing www.example.com server at (say) 1.1.1.1 running Apache. I am building a new server at 2.2.2.2 using Caddy. For testing, I put `2.2.2.2 www.example.com` in my local /etc/hosts. Once all is working, I will repoint the www.example.com DNS entry from 1.1.1.1 to 2.2.2.2.

The problem is I can’t start Caddy on 2.2.2.2 to serve www.example.com.

I get

```
[www.example.com] failed to get certificate: acme: Error 403 - urn:acme:error:unauthorized - Invalid response from www.example.com/.well-known/acme-challenge/6Xc4_oq6r0de25CtrYIw59YeVHvUWQ9Ag6H3XbGx8y0:
```

which I assume is caused by the DNS entry for www.example.com pointing to 1.1.1.1, not 2.2.2.2.

So how do I get certs and start Caddy so I can test www.example.com on 2.2.2.2 before updating the public DNS entry?

You can’t. The point of domain validation is to verify that you control the DNS for the domain, and the machine the domain points to. You’ll have to run Caddy on the machine the DNS is pointing to. (Unless you use the DNS challenge, but that still uses DNS.)

So how do I resolve this catch-22 situation? I don’t want to disrupt the existing live service, and I don’t want to switch to the new service without testing it first.

Set up a different domain name for testing, or use the DNS challenge.
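To make the replies above concrete, here is an added pre-flight check (not code from the thread or from the Caddy project) that models what a CA does for an HTTP-01 challenge: it resolves the name through public DNS, not through the requesting machine's /etc/hosts, and then fetches the token from whatever address that returns. The resolvers, the two server stand-ins, the token value and the IPs 1.1.1.1 / 2.2.2.2 are all constructed from the question's scenario; in real use you would query a public resolver rather than the system one, which is exactly the trap the hosts-file override sets.

```python
"""Pre-flight model of ACME HTTP-01 validation.

The CA resolves the domain via public DNS and requests
http://<domain>/.well-known/acme-challenge/<token>. A local /etc/hosts
entry only changes what *this* machine sees, so while public DNS still
points at the old server the new Caddy host cannot answer the challenge.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Tuple

ACME_PATH = "/.well-known/acme-challenge/"
Resolver = Callable[[str], Iterable[str]]
Handler = Callable[[str], Tuple[int, str]]


@dataclass
class Verdict:
    domain: str
    resolved: Tuple[str, ...]
    new_server: str
    reaches_new_server: bool
    reason: str


def http01_preflight(domain: str, new_server: str, resolve: Resolver) -> Verdict:
    """Will the CA's HTTP-01 fetch land on the server we are about to start?"""
    ips = tuple(resolve(domain))
    if not ips:
        return Verdict(domain, ips, new_server, False, "no address records in DNS")
    if new_server in ips:
        return Verdict(domain, ips, new_server, True, "DNS answers with the new server")
    return Verdict(domain, ips, new_server, False,
                   f"DNS points at {', '.join(ips)}; the CA will fetch the token there")


def simulate_ca_fetch(domain: str, token: str, resolve: Resolver,
                      servers: Dict[str, Handler]) -> Tuple[int, str]:
    """Model of the CA side: resolve publicly, then GET the token from the first IP."""
    ips = list(resolve(domain))
    if not ips:
        return (0, "dns failure")
    handler = servers.get(ips[0])
    if handler is None:
        return (0, "connection refused")
    return handler(ACME_PATH + token)


# --- Constructed sample environment (hypothetical, mirrors the question) ---
PUBLIC_DNS: Dict[str, List[str]] = {"www.example.com": ["1.1.1.1"]}   # old Apache host
LOCAL_HOSTS: Dict[str, List[str]] = {"www.example.com": ["2.2.2.2"]}  # /etc/hosts override
TOKEN = "constructed-token-value"  # placeholder, not a real ACME token


def public_resolver(name: str) -> List[str]:
    """What the CA sees: authoritative/public DNS only."""
    return PUBLIC_DNS.get(name, [])


def hosts_file_resolver(name: str) -> List[str]:
    """What the tester's own machine sees: /etc/hosts wins, then public DNS."""
    return LOCAL_HOSTS.get(name) or public_resolver(name)


def old_apache(path: str) -> Tuple[int, str]:
    # The old server knows nothing about the new host's challenge token.
    return (404, "<html>Not Found</html>")


def new_caddy(path: str) -> Tuple[int, str]:
    # The new host serves its key authorization only for its own token.
    if path == ACME_PATH + TOKEN:
        return (200, TOKEN + ".key-authorization-placeholder")
    return (404, "")


SERVERS: Dict[str, Handler] = {"1.1.1.1": old_apache, "2.2.2.2": new_caddy}


def repoint_public_dns(domain: str, ip: str) -> None:
    """Simulate the final cutover: publish the new address in public DNS."""
    PUBLIC_DNS[domain] = [ip]


if __name__ == "__main__":
    print(http01_preflight("www.example.com", "2.2.2.2", hosts_file_resolver))
    print(http01_preflight("www.example.com", "2.2.2.2", public_resolver))
    print(simulate_ca_fetch("www.example.com", TOKEN, public_resolver, SERVERS))
```

Run stand-alone, the first line reports success because the local resolver honours /etc/hosts, the second reports failure because public DNS still names 1.1.1.1, and the simulated CA fetch gets a 404 from the old Apache host, which is the "Invalid response" the question's log shows. Only after `repoint_public_dns` does the same fetch reach the new Caddy host and return the token.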