How do I tell Caddy which sub domain to use?

I am trying to use Caddy for the first time. I want to be able to serve several subdomains. Caddy requests SSL certificates from Let’s Encrypt. I have managed to get this to work ok with only one domain name in the caddyfile.

However, suppose I have

www.example.com, test.example.com {
    ...  lots of settings
}

I am relying on the Let’s Connect server calling back into one of those subdomains (i.e. not using DNS TXT records). But this raises questions:

  • Which one does Caddy use when it requests a certificate?
  • Is there a way to specify which one I want it to use?

(In the example above there are just two subdomains, but actually I’d like to know how to get it to work with more than two.)

When I try this on test.example.com, I get an error (note: I have concealed my actual domain names):

Activating privacy features...2016/11/21 07:47:41 [www.example.com] failed to get certificate: acme: Error 403 - urn:acme:error:unauthorized - Invalid response from http://www.example.com/.well-known/acme-challenge/ALmqQ8Vl5fvPF91tvqw2zigHlPoRRgTGR2GaLtgX3-A [134.82.242.68]: 404

Caddy prints some more detail essentially repeating the same information, then it terminates.

[This question is also on Stackoverflow]

Can you provide the full log output and your full Caddyfile please? (You can redact the private info, but I really need to see what your domains are – or at least subdomains relative to their TLDs.) Also explain how you’ve run Caddy and what kind of environment it is in (load balancer?, system info, etc.).

PS. Redacting the domain names isn’t very useful if you’re using Let’s Encrypt, since your domains get sent to public CT logs anyway. :slight_smile:

Hi Matt,

Here’s the Caddyfile

www.spikeislandband.uk, vm08.spikeislandband.uk {
    root /home/websites/spikeislandband/htdocs

    gzip

    log  /var/log/spikeislandband/access.log {
      rotate size 100 # Rotate after 100 MB
    }

    errors {
      log /var/log/spikeislandband/error.log {
        rotate {
          size 100 # Rotate after 100 MB
        }
      }
      404 e404.html
    }
}

And full log output, please.

Activating privacy features...2016/11/21 14:29:49 [www.spikeislandband.uk] failed to get certificate: acme: Error 403 - urn:acme:error:unauthorized - Invalid response from http://www.spikeislandband.uk/.well-known/acme-challenge/HT3jaw11FvqWs19gLhKFCrVsSOw5GX9-dmhhF8Fip8E [91.134.240.68]: 404
Error Detail:
	Validation for www.spikeislandband.uk:80
	Resolved to:
		91.134.240.68
	Used: 91.134.240.68

Note that in my case, the DNS resolution for www.spikeislandband.uk is different from vm08.spikeislandband.uk.

I am running my tests on vm08, but I plan to commission the production server when it’s working on vm08 and I’d hoped they would share the same Caddyfile.

R.

DNS validation would allow you to requisition LetsEncrypt certificates without having the domain resolve to the individual server in question. It would let you deploy the same Caddyfile to two separate servers with the Caddyfile having one domain from each.

Does that mean that I have to use DNS validation if I want test & production servers to share the same Caddyfile?

Can I do this using the ACME challenge instead?

Thanks for the info. (I thought you said the log output was longer than that? Maybe I misunderstood.)

That’s really weird, I’ve never seen a 404 error here before. I’ll try to reproduce this behavior locally…

That was all the console log stuff I got. :slight_smile:

As I understand it, the ACME challenge has to be able to retrieve the known response from the domain the certificate is requested for.

If one of the domains you’re requesting is pointing to one server, and the other domain is pointing to a different server, and both servers are trying to request certificates for the other, neither will be able to actually complete the challenge, no? As the other server will not know the correct response for the server making the request.

Yes, quite so.

I’d like to include aliases in my Caddyfile where only a subset of them are in use on a particular server. That would avoid me having to maintain multiple Caddyfiles. I do this with Nginx, but obviously Let’s Encrypt isn’t relevant there.

Hence the original question: how do I tell Caddy which sub domain(s) to use?

I think I was hoping I’d missed something obvious.

I believe if you have multiple subdomains in your Caddyfile, Caddy will try to get a certificate for each one. For each server, you’ll need to remove the subdomains it can’t serve from the Caddyfile (or otherwise disable automatic HTTPS for these subdomains).

Alternately, using DNS validation you could bypass the requirement for the domain to be pointed at the actual server in question and have each server get its own set of certificates for the same set of subdomains. I don’t otherwise see how you could use Caddy, with automatic HTTPS enabled, to successfully request the same set of certificates on different servers with the same Caddyfile.

OK thanks. That’s clear enough.

I don’t know how to set up DNS challenges for my domains yet (DomainMonster).

DomainMonster looks like a registrar, and they will have their own DNS servers you’re probably using already, but it should be simple to point your domain to another provider’s nameservers (such as CloudFlare, who provide their DNS services for free and are supported by Caddy’s DNS validation).

Check out the list of supported DNS providers on the automatic HTTPS page, which should also give you an idea of what each one requires in terms of API/auth tokens/keys for Caddy to configure the DNS zone for the ACME challenge (which I believe involves adding a temporary TXT record).

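As an added illustration of the DNS-challenge route described in the two replies above (this is not configuration from the thread or from the Caddy project): one Caddyfile that both vm08 and the production host can run unchanged. It assumes Caddy 0.9’s `tls { dns provider }` syntax and that the zone has been moved to Cloudflare, whose credentials Caddy’s provider reads from the `CLOUDFLARE_EMAIL` and `CLOUDFLARE_API_KEY` environment variables. The document root and log paths are the ones from the Caddyfile posted earlier.

```caddyfile
# Assumption: Caddy 0.9.x with the DNS zone hosted at Cloudflare.
# Export the credentials before starting Caddy rather than writing them into
# this file; the key is an account-wide secret, so restrict who can read the
# environment of the Caddy process:
#   export CLOUDFLARE_EMAIL=you@example.com            # placeholder
#   export CLOUDFLARE_API_KEY=replace-with-your-api-key  # placeholder

www.spikeislandband.uk, vm08.spikeislandband.uk {
    root /home/websites/spikeislandband/htdocs
    gzip

    tls {
        # Prove control of each name with a temporary _acme-challenge TXT
        # record instead of an HTTP request to port 80. The names no longer
        # have to resolve to the host running Caddy, so the same file works
        # on the test and the production machine.
        dns cloudflare
    }

    log /var/log/spikeislandband/access.log {
        rotate {
            size 100
        }
    }

    errors {
        log /var/log/spikeislandband/error.log {
            rotate {
                size 100
            }
        }
        404 e404.html
    }
}
```

With this, each host obtains its own certificate covering both names, so the test machine also ends up holding a valid certificate for www; that is the trade-off for a shared file, and it is why the API key that makes it possible should be guarded as carefully as the private keys themselves.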

Oh, I missed this part:

So, this isn’t a Caddy bug. You need to point your DNS to where your server is…

Yes apologies if that was misleading.

It seems that the simplest way for me to achieve what I want without using DNS challenges (which are a topic for future work) would be to use the import directive to share common settings between several caddyfiles.
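The import-based split mentioned in this last reply, written out as an added example (not configuration from the thread): a shared file holds every directive except the site label, and each server’s Caddyfile names only the hostname that actually resolves to it, so the HTTP challenge is only attempted for names that server can answer for. The path of the shared file is assumed; the directives are the ones from the Caddyfile posted above.

```caddyfile
# --- /etc/caddy/spikeislandband.common (assumed path; a snippet for import,
#     not a complete Caddyfile) ---
root /home/websites/spikeislandband/htdocs
gzip

log /var/log/spikeislandband/access.log {
    rotate {
        size 100
    }
}

errors {
    log /var/log/spikeislandband/error.log {
        rotate {
            size 100
        }
    }
    404 e404.html
}

# --- Caddyfile on vm08 (test): only the name whose DNS points at this host,
#     so Let's Encrypt's HTTP validation reaches this Caddy instance ---
vm08.spikeislandband.uk {
    import /etc/caddy/spikeislandband.common
}

# --- Caddyfile on the production host: same shared settings, its own name ---
www.spikeislandband.uk {
    import /etc/caddy/spikeislandband.common
}
```

Only the two short per-host files differ between machines; the shared snippet can be deployed everywhere, and a hostname that does not resolve to a given server never appears in that server’s Caddyfile, which removes the 403/404 failure seen in the log above.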
