I am trying to use Caddy for the first time. I want to be able to serve several subdomains. Caddy requests SSL certificates from Let’s Encrypt. I have managed to get this to work ok with only one domain name in the caddyfile.
However, suppose I have
www.example.com, test.example.com {
... lots of settings
}
I am relying on the Let’s Encrypt server calling back into one of those subdomains (i.e. not using DNS TXT records). But this raises questions:
Which one does Caddy use when it requests a certificate?
Is there a way to specify which one I want it to use?
(In the example above there are just two subdomains, but actually I’d like to know how to get it to work with more than two.)
When I try this on test.example.com, I get an error (note: I have concealed my actual domain names):
Activating privacy features...2016/11/21 07:47:41 [www.example.com] failed to get certificate: acme: Error 403 - urn:acme:error:unauthorized - Invalid response from http://www.example.com/.well-known/acme-challenge/ALmqQ8Vl5fvPF91tvqw2zigHlPoRRgTGR2GaLtgX3-A [134.82.242.68]: 404
Caddy prints some more detail essentially repeating the same information, then it terminates.
Can you provide the full log output and your full Caddyfile please? (You can redact the private info, but I really need to see what your domains are – or at least subdomains relative to their TLDs.) Also explain how you’ve run Caddy and what kind of environment it is in (load balancer?, system info, etc.).
PS. Redacting the domain names isn’t very useful if you’re using Let’s Encrypt, since your domains get sent to public CT logs anyway.
I am running my tests on vm08, but I plan to commission the production server when it’s working on vm08 and I’d hoped they would share the same Caddyfile.
DNS validation would allow you to requisition Let’s Encrypt certificates without having the domain resolve to the individual server in question. It would let you deploy the same Caddyfile to two separate servers with the Caddyfile having one domain from each.
As I understand it, the ACME challenge has to be able to retrieve the known response from the domain the certificate is requested for.
If one of the domains you’re requesting is pointing to one server, and the other domain is pointing to a different server, and both servers are trying to request certificates for the other, neither will be able to actually complete the challenge, no? As the other server will not know the correct response for the server making the request.
I’d like to include aliases in my Caddyfile where only a subset of them are in use on a particular server. That would avoid me having to maintain multiple Caddyfiles. I do this with Nginx, but obviously Let’s Encrypt isn’t relevant there.
Hence the original question: how do I tell Caddy which sub domain(s) to use?
I think I was hoping I’d missed something obvious.
I believe if you have multiple subdomains in your Caddyfile, Caddy will try to get a certificate for each one. For each server, you’ll need to remove the subdomains it can’t serve from the Caddyfile (or otherwise disable automatic HTTPS for these subdomains).
Alternately, using DNS validation you could bypass the requirement for the domain to be pointed at the actual server in question and have each server get its own set of certificates for the same set of subdomains. I don’t otherwise see how you could use Caddy, with automatic HTTPS enabled, to successfully request the same set of certificates on different servers with the same Caddyfile.
DomainMonster looks like a registrar, and they will have their own DNS servers you’re probably using already, but it should be simple to point your domain to another provider’s nameservers (such as CloudFlare, who provide their DNS services for free and are supported by Caddy’s DNS validation).
Check out the list of supported DNS providers on the automatic HTTPS page, which should also give you an idea of what each one requires in terms of API/auth tokens/keys for Caddy to configure the DNS zone for the ACME challenge (which I believe involves adding a temporary TXT record).
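As an added example (not from this thread and not Caddy's own code), the script below does the check the answer above describes by hand: it lists every hostname a braced, Caddy v1-style Caddyfile would make Caddy request a certificate for (one per site label, not "one of them"), then uses a pluggable resolver to flag the labels that do not resolve to the host Caddy is running on, i.e. the ones whose HTTP-01 challenge would get the 404 seen in the log unless they are removed from that server's Caddyfile or switched to the DNS challenge. The sample Caddyfile, the DNS table and all IP addresses are constructed for the example; the skip rules (no certificate for http://, :80, localhost or IP-literal labels) cover the common cases only and are an approximation of Caddy's own.

```python
"""List the hostnames a Caddyfile makes Caddy request certificates for, and
check which of them can pass an HTTP-01 challenge from this server.
Added example for the thread; the Caddyfile, DNS data and IPs are constructed."""
import ipaddress
import re
from typing import Callable, Dict, List, Optional, Set, Tuple

# Constructed sample Caddyfile in the same shape as the one in the question.
SAMPLE_CADDYFILE = """\
# two labels in one site block: Caddy asks for a certificate for each
www.example.com, test.example.com {
    root /var/www/site
    gzip
}

https://api.example.com:8443 {
    proxy / localhost:9000
}

http://plain.example.com {
    root /var/www/plain
}
"""

# Constructed DNS table: www points at the production box, the rest at vm08.
FAKE_DNS: Dict[str, Set[str]] = {
    "www.example.com": {"192.0.2.1"},
    "test.example.com": {"203.0.113.10"},
    "api.example.com": {"203.0.113.10"},
    "plain.example.com": {"203.0.113.10"},
}

ADDRESS_RE = re.compile(
    r"^(?:(?P<scheme>[a-z]+)://)?(?P<host>\[[^\]]*\]|[^:/]*)(?::(?P<port>\d+))?", re.I
)


def site_labels(caddyfile: str) -> List[str]:
    """Return the comma-separated site addresses of every top-level block header.
    Only the braced form 'a, b {' is handled; comments and nested braces are skipped."""
    labels, depth = [], 0
    for raw in caddyfile.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if depth == 0 and line.endswith("{"):
            labels.extend(a.strip() for a in line[:-1].split(",") if a.strip())
        depth += line.count("{") - line.count("}")
    return labels


def parse_address(addr: str) -> Tuple[Optional[str], str, Optional[str]]:
    """Split 'https://api.example.com:8443' into (scheme, host, port)."""
    m = ADDRESS_RE.match(addr)
    return m.group("scheme"), m.group("host").strip("[]"), m.group("port")


def certificate_hostnames(caddyfile: str) -> List[str]:
    """Hostnames automatic HTTPS would request certificates for, in file order.
    Approximation of Caddy's rules: skip http://, explicit :80, localhost and IP literals."""
    seen, out = set(), []
    for addr in site_labels(caddyfile):
        scheme, host, port = parse_address(addr)
        host = host.lower()
        if not host or host == "localhost" or (scheme or "").lower() == "http" or port == "80":
            continue
        try:
            ipaddress.ip_address(host)
            continue  # an IP literal gets no publicly trusted certificate
        except ValueError:
            pass
        if host not in seen:
            seen.add(host)
            out.append(host)
    return out


def http01_report(caddyfile: str, server_ips: Set[str],
                  resolve: Callable[[str], Set[str]]) -> Dict[str, str]:
    """For each certificate hostname: 'ok' if it resolves to this server,
    'wrong-server' if it resolves elsewhere (HTTP-01 will 404, as in the log),
    'unresolved' if it has no address at all."""
    report = {}
    for host in certificate_hostnames(caddyfile):
        ips = resolve(host)
        if not ips:
            report[host] = "unresolved"
        elif ips & server_ips:
            report[host] = "ok"
        else:
            report[host] = "wrong-server"
    return report


if __name__ == "__main__":
    # Pretend we are vm08 (203.0.113.10) holding the shared Caddyfile.
    for host, status in http01_report(SAMPLE_CADDYFILE, {"203.0.113.10"},
                                      lambda h: FAKE_DNS.get(h, set())).items():
        print(f"{host}: {status}")
```

Run on a real server, replace `FAKE_DNS` with a resolver such as `socket.getaddrinfo` and `server_ips` with the addresses the host actually listens on; any `wrong-server` entry is a label that belongs in the other server's Caddyfile (or needs the DNS challenge) because Let's Encrypt will fetch `http://<host>/.well-known/acme-challenge/<token>` from whichever machine the name resolves to.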
It seems that the simplest way for me to achieve what I want without using DNS challenges (which are a topic for future work) would be to use the import directive to share common settings between several caddyfiles.