How to add Google Certificate Manager to the Caddyfile?

Hi,

Today, Caddy works with those certificate managers automatically:

  • Let’s Encrypt
  • ZeroSSL

I want to add another big certificate manager:

How can I do that? Also, maybe it will be an excellent option to add it by default to the next Caddy version.

Thanks

If you want to use a specific ACME CA like Google Trust Services, put this at the top of your Caddyfile:

{
    acme_ca https://dv.acme-v02.api.pki.goog/directory
    acme_eab {
        key_id  <key_id>
        mac_key <mac_key>
    }
    email <contact_email>
}

(Same instructions as here because this works for all ACME CAs)

If you want to use multiple ACME CAs for redundancy, just use the slightly longer form instead:

{
	cert_issuer acme https://dv.acme-v02.api.pki.goog/directory {
		eab <key_id> <mac_key>
	}
	cert_issuer acme https://acme.zerossl.com/v2/DV90
	cert_issuer acme https://acme-v02.api.letsencrypt.org/directory
	cert_issuer internal
	email <contact_email>
}

Just for kicks, that last one will issue self-signed certificates if all other CAs fail to provide one.

EDIT: The ZeroSSL issuer might require an EAB as well, I forget (you can actually replace that one with cert_issuer zerossl since Caddy has a prefabricated EAB for default use).

Unfortunately we can’t use GTS by default because it requires an external Google account, which we can’t know until the user specifies their EAB credentials.


Amazing! Will Caddy know how to renew those certificates automatically?

Yes, if Caddy can obtain a certificate it knows how to renew it; it is the same no matter where the certificates come from :+1:


So I tried it, and it worked terrifically!

But when I tried this one:

I got an error that I don’t understand.
This is my Caddyfile:

{
        debug

        # TLS Options
        cert_issuer acme https://dv.acme-v02.api.pki.goog/directory {
                eab key key
        }
        cert_issuer zerossl
        cert_issuer acme https://acme-v02.api.letsencrypt.org/directory

        email noam@example.com

        on_demand_tls {
                ask https://www.example.com/isDomainValid-nonWWW.asp
        }

        # Disable redirect
        auto_https disable_redirects
}

:443 {
        tls noam@example.com {
                on_demand
        }
        #redir http://www.{host}{uri}
        respond "Welcome to the clean page!"
}

:80 {
        #redir http://www.{host}{uri}
        respond "Welcome to the clean page!"
}

And this is the error I’m getting when using “caddy validate”:

Error: adapting config using caddyfile: automation policy from site block is also default/catch-all policy because of key without hostname, and the two are in conflict: []certmagic.Issuer{(*caddytls.ACMEIssuer)(0xc00029cfc0), (*caddytls.ZeroSSLIssuer)(0xc0000bc570), (*caddytls.ACMEIssuer)(0xc00029d340)} != []certmagic.Issuer{(*caddytls.ACMEIssuer)(0xc00029d500), (*caddytls.ZeroSSLIssuer)(0xc0000bcbd0)}

Remove the email address here, it’s in conflict with the one in your global options, I think.

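For anyone landing here with the same error, this is what the corrected layout looks like (added illustration, not a config from anyone in this thread; the ask URL and the placeholder EAB values are assumed). Because the site key `:443` has no hostname, the tls directive's settings become the default/catch-all automation policy, so anything set there must not contradict the global options; leaving only `on_demand` in the site block lets it inherit the global issuer list and email.

```caddyfile
{
        # Issuer chain tried in order: Google Trust Services (needs EAB),
        # then ZeroSSL (built-in EAB), then Let's Encrypt.
        cert_issuer acme https://dv.acme-v02.api.pki.goog/directory {
                eab <key_id> <mac_key>
        }
        cert_issuer zerossl
        cert_issuer acme https://acme-v02.api.letsencrypt.org/directory

        # Contact email lives only here, in the global options.
        email <contact_email>

        on_demand_tls {
                # assumed endpoint: must answer 200 only for hostnames you control
                ask https://www.example.com/isDomainValid-nonWWW.asp
        }

        auto_https disable_redirects
}

:443 {
        # No email argument here. With a hostname-less key this block's tls
        # settings double as the catch-all policy, so repeating the email
        # produces the "automation policy ... in conflict" error.
        tls {
                on_demand
        }
        respond "Welcome to the clean page!"
}

:80 {
        respond "Welcome to the clean page!"
}
```

Run `caddy validate --config Caddyfile` after the change; it should no longer report the conflicting `[]certmagic.Issuer` lists.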

You’re right, thx!
