How to transfer caddy tls from main to sub servers

1. The problem I’m having:

I have a caddy server running as a primary reverse proxy with public DNS records pointing to it. I would like to setup private DNS records on my network to point to each service directly so that I can keep the load off my primary reverse proxy.
However, those caddy servers that are running on the local servers also need to be able to get TLS certs and of course, they aren’t accessible from the Internet.
So, I would like to, somehow, copy the certs from the main server to each of the local servers.
Can this be done? And if so, how?

2. Error messages and/or full log output:

No error message

3. Caddy version:

I’m running 2.6.2

4. How I installed and ran Caddy:

I installed caddy from Ubuntu’s package manager

a. System environment:

Linux dominion 6.1.0-28-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.119-1 (2024-11-22) x86_64 GNU/Linux

b. Command:


c. Service/unit/compose file:

d. My complete Caddy config:

I don’t THINK this is needed…?

5. Links to relevant resources:

There is not enough information in your post to give an answer tailored to your specific deployment, so I will just list a few possible approaches:

  1. Use an automated script to copy certificates from your primary Caddy reverse proxy to the local Caddy instances.
  2. Configure the DNS module on the local Caddy instances so they can obtain their own certificates.
  3. Use the Caddy Redis Storage module to share certificates across the local Caddy instances.
  4. Use tls internal on the local Caddy instances.
1 Like

Well, considering the fact that you didn’t think I included enough information for a complete answer, you sure gave me a good answer! :grinning_face:

  • Use an automated script to copy certificates from your primary Caddy reverse proxy to the local Caddy instances.
  • Configure the DNS module on the local Caddy instances so they can obtain their own certificates.
  • Use the Caddy Redis Storage module to share certificates across the local Caddy instances.
  • Use tls internal on the local Caddy instances.

Since I’ve got about 6 different servers, for ease of manageability, I’m going to constrain myself to just the out-of-the-box capabilities. So, the DNS and Redis methods are out.

Since some of the use cases include my Fire stick needing to contact my Jellyfin server, the internal tls method probably won’t work since I don’t know if the Fire stick will honor a self-signed cert.

So, I’m left with the scripted copy method. And since I can get Ansible to do the copy (as root), this is the right way to go for me. For the record, I did find that the certs are stored in:

/var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/

So, I’ll copy those files from the reverse proxy to the local servers and restart the local servers. I’ll probably do this once a day at night.

Thanks for the excellent reply,

Mike.

1 Like

You can make your script compare the certificate hash on your local server and reverse proxy, and then deploy and restart only when they differ. That way you won’t be restarting your servers every day.

I do something similar here:

1 Like
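The copy-and-restart plan from Mike's reply, combined with the hash comparison suggested in the last post, as an added example script (not code from the thread or from the Caddy project). It assumes the cert store path quoted above, that Caddy stores each site as a subdirectory holding `<site>.crt`, `<site>.key` and `<site>.json`, that the local server can `rsync` that directory from the proxy over SSH as root, and that the local Caddy is the `caddy` systemd unit from the Ubuntu package. `proxy.example.invalid` is a placeholder hostname.

```shell
#!/usr/bin/env bash
# Added example: pull Let's Encrypt certs from the primary Caddy reverse proxy
# and restart the local Caddy only when a certificate actually changed.
set -euo pipefail

# Cert store of the Ubuntu-packaged Caddy (path found in the thread above).
CERT_DIR="${CERT_DIR:-/var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory}"
# Primary reverse proxy: placeholder, set PROXY_HOST for your network.
PROXY_HOST="${PROXY_HOST:-proxy.example.invalid}"
# User the packaged Caddy runs as (assumption).
CADDY_USER="${CADDY_USER:-caddy}"

# Hex SHA-256 digest of a file: the "certificate hash" the last reply refers to.
cert_digest() {
  sha256sum "$1" | cut -d ' ' -f 1
}

# Returns 0 when the cert at $1 differs from the one at $2 (or $2 is missing),
# 1 when the two files are byte-identical.
cert_changed() {
  local new="$1" current="$2"
  [ -f "$current" ] || return 0
  [ "$(cert_digest "$new")" != "$(cert_digest "$current")" ]
}

# Sync one site's files from a staging copy of the proxy's store into the live
# store. Arguments: staging dir, live dir, site name. Prints "updated" and
# returns 0 when files were copied, prints "unchanged" and returns 1 otherwise.
sync_site() {
  local staging="$1" live="$2" site="$3"
  local src="$staging/$site" dst="$live/$site"
  if cert_changed "$src/$site.crt" "$dst/$site.crt"; then
    mkdir -p "$dst"
    cp "$src/$site.crt" "$dst/$site.crt"
    cp "$src/$site.key" "$dst/$site.key"
    if [ -f "$src/$site.json" ]; then
      cp "$src/$site.json" "$dst/$site.json"
    fi
    # The private key must never be world-readable.
    chmod 0600 "$dst/$site.key"
    chmod 0644 "$dst/$site.crt"
    echo updated
    return 0
  fi
  echo unchanged
  return 1
}

# Full flow for one local server: fetch the proxy's store into a temp dir,
# sync every site, then restart Caddy once if anything changed.
pull_and_deploy() {
  local staging changed=0 sitedir site
  staging="$(mktemp -d)"
  rsync -a "root@$PROXY_HOST:$CERT_DIR/" "$staging/"
  for sitedir in "$staging"/*/; do
    site="$(basename "$sitedir")"
    if sync_site "$staging" "$CERT_DIR" "$site"; then
      changed=1
    fi
  done
  rm -rf "$staging"
  if [ "$changed" -eq 1 ]; then
    chown -R "$CADDY_USER:$CADDY_USER" "$CERT_DIR"
    systemctl restart caddy
  fi
}

# Run the real flow only when invoked as "script.sh run", so the functions can
# be exercised against local directories without touching the proxy.
if [ "${1:-}" = "run" ]; then
  pull_and_deploy
fi
```

Run it from cron on each local server (`script.sh run`) at night, as Mike planned; because `sync_site` compares digests first, the restart happens only after the proxy has renewed a certificate, roughly once every two months per site rather than daily. One caveat to expect: the local Caddy still believes it manages these names and will likely log failed renewal attempts of its own, since it cannot complete the ACME challenge; the proxy's renewed cert arrives through this script before the old one expires.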