How to bundle certs asked to LE

(Rémy) #1


I’m using caddy as the reverse proxy for a “standalone environment”, aka. our whole apps & infra stack. It combines known hosts (couchdb.domain, mailhog.domain, …) and some generated hosts (app1.userA.stack.domain, app2.userA.stack.domain, app1.userB.stack.domain …).

My issue is it might be a lot for let’s encrypt, I just hit the 50 / week for our domain. A production problem since we might not be able to pop up stuff with a valid certificate until it reset. I’ll move it to a secondary domain, but still.

Is there a way to configure caddy to limit the number of cert required ? As let’s encrypt doc says, boundled certificate is a way. Can I, on one side list the known hosts so Caddy will ask for all of them at once, and on the other side have my wildcard confiuration to serve *.stack.domain “on demand” ?

Here’s an example of my configuration

5 *.cloudery.four.standalonenv-01.domain *.stack.four.standalonenv-01.domain *.four.standalonenv-01.domain {
7   proxy / {
8     transparent
9     try_duration 5s
10   }
12   tls {
13     max_certs 1000
14   }
16   log /var/log/caddy/four.access.log {
17     rotate_age 1
18     rotate_keep 15
19     rotate_compress
20   }
21   errors /var/log/caddy/four.error.log {
22     rotate_age 1
23     rotate_keep 15
24     rotate_compress
25   }
26 }

(Matthew Fay) #2

Hi @rgarrigue,

In your example, you’ve already configured wildcard site labels in Caddy; all you’d need to do to serve those three labels with three wildcard certificates is to enable the DNS challenge.

Caddy doesn’t bundle certificates, though, I’m afraid. It handles one certificate for each label it needs to manage HTTPS for. Wildcarding is the closest to bundling that you’ll get.

(Rémy) #3

I’m trying to avoid the DNS challenge way. That requires a bunch of scripting, hooking etc since each instance of our stack requires a wildcard, involving a token to be able to edit our DNS zone, hence security concern on alpha / beta products env.

So my bad. I though caddy was, for a given configuration, getting one certificate with all the required subject alternative names. At least for all entries without wildcard.

(Matthew Fay) #4

Getting one cert with a bunch of SANs would be trivially easy for someone to pull the cert and inspect all the different domains you’re serving it to.

Given the amount of aggression from security types for a similar information “leak”, I can only imagine the Caddy project would cop more ire if that were standard behaviour.

(Lewis De Payne) #5

Excellent point, @Whitestrake.

(Rémy) #6

Could be a non standard option though