How to use the Caddyfile to keep a specific domain renewed?

{
  auto_https off
  servers {
    protocol {
      experimental_http3
    }
  }
}
:80 {
  redir https://{host}{uri}
}
aero.xyz:443, cdn.aero.xyz:443 {
  tls /etc/caddy/aero.xyz.crt /etc/caddy/aero.xyz.key
  # other stuff
}

The above is my Caddyfile. I only want to keep aero.xyz renewed automatically, since cdn.aero.xyz is on Cloudflare and it manages the certificate for me.

I see it is possible to do it with tls configuration here: Using Caddy to keep certificates renewed

But is it possible while I am running an HTTPS server? If it is, how do I modify the tls setting? Or how exactly should I change the Caddyfile?

Hi Aeroxy,

I’m not entirely sure since you didn’t fill out the help template, but maybe something like this?

{
  servers {
    protocol {
      experimental_http3
    }
  }
}

aero.xyz, http://cdn.aero.xyz {
  # other stuff
}

Please fill out the help template and provide more details for a more precise answer.

If I turn auto_https on, then it would start to manage cdn.aero.xyz, or, as in your example, it would allow the http protocol when visiting cdn.aero.xyz. This is undesirable, considering that cdn.aero.xyz currently only allows secure visits.

So you’re saying you want aero.xyz managed by Caddy via ACME, but cdn.aero.xyz to use the cert/key you provide?

Then you’ll need to split up your site blocks:

aero.xyz {
	...
}

cdn.aero.xyz {
	tls /etc/caddy/aero.xyz.crt /etc/caddy/aero.xyz.key
	...
}

You can use Caddyfile snippets to import common config into the two site blocks if you need.

I see, the problem with this setup being that I would have a duplicated block (quite large). Also, if I do not have a tls setting for a domain, would it automatically fall back to auto_https even if I have it turned off globally?

Hi,

That’s why @francislavoie suggested the Caddyfile snippets with the import directive.
See Caddyfile Concepts — Caddy Documentation

Would you mind sharing your reasons why you disabled auto_https?

Automatic HTTPS — Caddy Documentation states:

[…] the following will prevent automatic HTTPS from being activated, either in whole or in part:

So Caddy's auto_https feature will not issue or renew a certificate for vhosts that have an explicit tls directive loading a certificate from your specified location.
Take for example the Caddyfile @francislavoie posted:

With auto_https enabled (on [default] or disable_redirects), Caddy will issue/renew a certificate for aero.xyz, but not for cdn.aero.xyz, because the cdn.aero.xyz block explicitly loads a certificate from the file system.


Would you mind sharing your reasons why you disabled auto_https?

Cool, because the certificate for cdn.aero.xyz is really on Cloudflare's CDN instead of on my origin server (I use a non-strict TLS connection between Cloudflare and my origin server).

I think with @import it would work. I missed his last statement.

However, it looks like with that configuration, Caddy would try to manage cdn.aero.xyz even though I have given it a self-signed certificate.

2022/06/06 11:22:14.404	INFO	http	enabling automatic TLS certificate management	{"domains": ["cdn.aero.xyz"]}
2022/06/06 11:22:14.405	INFO	autosaved config (load with --resume flag)	{"file": "/root/.config/caddy/autosave.json"}
2022/06/06 11:22:14.405	INFO	serving initial configuration
2022/06/06 11:22:14.408	INFO	tls	cleaning storage unit	{"description": "FileStorage:/root/.local/share/caddy"}
2022/06/06 11:22:14.408	INFO	tls	finished cleaning storage units
2022/06/06 11:22:14.419	INFO	tls.obtain	acquiring lock	{"identifier": "cdn.aero.xyz"}
2022/06/06 11:22:14.427	INFO	tls.obtain	lock acquired	{"identifier": "cdn.aero.xyz"}
2022/06/06 11:22:15.763	INFO	tls.issuance.acme	waiting on internal rate limiter	{"identifiers": ["cdn.aero.xyz"], "ca": "https://acme-v02.api.letsencrypt.org/directory", "account": ""}
2022/06/06 11:22:15.764	INFO	tls.issuance.acme	done waiting on internal rate limiter	{"identifiers": ["cdn.aero.xyz"], "ca": "https://acme-v02.api.letsencrypt.org/directory", "account": ""}
2022/06/06 11:22:16.349	INFO	tls.issuance.acme.acme_client	trying to solve challenge	{"identifier": "cdn.aero.xyz", "challenge_type": "http-01", "ca": "https://acme-v02.api.letsencrypt.org/directory"}
2022/06/06 11:22:17.114	INFO	tls.issuance.acme	served key authentication	{"identifier": "cdn.aero.xyz", "challenge": "http-01", "remote": "172.69.134.35:58924", "distributed": false}
2022/06/06 11:22:17.164	INFO	tls.issuance.acme	served key authentication	{"identifier": "cdn.aero.xyz", "challenge": "http-01", "remote": "108.162.245.75:16698", "distributed": false}
2022/06/06 11:22:17.210	INFO	tls.issuance.acme	served key authentication	{"identifier": "cdn.aero.xyz", "challenge": "http-01", "remote": "172.70.174.233:37872", "distributed": false}
2022/06/06 11:22:17.217	INFO	tls.issuance.acme	served key authentication	{"identifier": "cdn.aero.xyz", "challenge": "http-01", "remote": "172.70.242.35:38522", "distributed": false}
2022/06/06 11:22:17.837	INFO	tls.issuance.acme.acme_client	validations succeeded; finalizing order	{"order": "https://acme-v02.api.letsencrypt.org/acme/order/576284036/95296487896"}
2022/06/06 11:22:19.056	INFO	tls.issuance.acme.acme_client	successfully downloaded available certificate chains	{"count": 2, "first_url": "https://acme-v02.api.letsencrypt.org/acme/cert/04c518d20d5dd95b367a446a27ab82c1ff78"}
2022/06/06 11:22:19.056	INFO	tls.obtain	certificate obtained successfully	{"identifier": "cdn.aero.xyz"}
2022/06/06 11:22:19.057	INFO	tls.obtain	releasing lock	{"identifier": "cdn.aero.xyz"}

Make sure the TLS cert you load in Caddy has cdn.aero.xyz in its SAN field. If the cert doesn't have the right SAN, then Caddy will ignore it when looking to manage that domain name.
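As an added example (not from the thread, and not the Caddy project's own code), the script below ties the two replies together: it writes the split Caddyfile that uses a snippet plus `import` so the two site blocks share their configuration while only aero.xyz is left to ACME, and it checks whether a PEM certificate actually lists a hostname in its Subject Alternative Name, which is the condition the last reply gives for Caddy using a loaded certificate instead of falling back to automatic management (the log above shows what the fallback looks like). The snippet name `common`, the `encode gzip` placeholder directive, and the self-signed test certificate are assumptions made here; the cert/key paths are the ones from the thread, and `openssl` must be on PATH.

```shell
#!/bin/sh
# Added example, not from the thread or the Caddy project. Writes the split
# Caddyfile (snippet + import, ACME for aero.xyz, operator-supplied cert for
# cdn.aero.xyz) and checks whether a certificate covers a given hostname.
# Assumptions: snippet name "common", the thread's cert/key paths, openssl.
set -eu

# Write the Caddyfile to the path in $1.
write_caddyfile() {
	cat > "$1" <<'EOF'
# Shared directives live in a snippet so both site blocks stay small.
(common) {
	encode gzip
	# other stuff
}

# No tls directive: auto_https (on by default) issues and renews this cert,
# and also installs the HTTP->HTTPS redirect, so no separate :80 block needed.
aero.xyz {
	import common
}

# Explicit cert/key: auto_https skips issuance for this host, provided the
# certificate's SAN includes cdn.aero.xyz. If it does not, Caddy ignores the
# file for this name and obtains one via ACME instead.
cdn.aero.xyz {
	tls /etc/caddy/aero.xyz.crt /etc/caddy/aero.xyz.key
	import common
}
EOF
}

# Print the DNS names from the certificate's Subject Alternative Name
# extension, one per line (no output if the extension is absent).
cert_dns_sans() {
	openssl x509 -in "$1" -noout -text \
		| grep -A1 'Subject Alternative Name' \
		| tr ',' '\n' \
		| sed 's/^[[:space:]]*//; s/[[:space:]]*$//' \
		| grep '^DNS:' \
		| sed 's/^DNS://' || true
}

# Exit 0 if the certificate in $1 covers hostname $2, 1 otherwise.
cert_has_san() {
	cert_dns_sans "$1" | grep -Fxq "$2"
}

# Create a constructed self-signed cert/key pair in directory $1 with
# subject CN $2 and SAN list $3 (e.g. "DNS:a,DNS:b"). This is a test fixture
# standing in for the real /etc/caddy files; never use it in production.
make_self_signed_cert() {
	cat > "$1/req.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_req
prompt = no
[dn]
CN = $2
[v3_req]
subjectAltName = $3
EOF
	openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
		-keyout "$1/key.pem" -out "$1/cert.pem" \
		-config "$1/req.cnf" -extensions v3_req >/dev/null 2>&1
}

# Demo: a cert issued only for aero.xyz does not satisfy the cdn.aero.xyz block.
demo() {
	dir=$(mktemp -d)
	write_caddyfile "$dir/Caddyfile"
	make_self_signed_cert "$dir" aero.xyz "DNS:aero.xyz"
	if cert_has_san "$dir/cert.pem" cdn.aero.xyz; then
		echo "cert covers cdn.aero.xyz: Caddy will use it and skip ACME"
	else
		echo "cert lacks cdn.aero.xyz in SAN: Caddy will ignore it and go to ACME"
	fi
	rm -rf "$dir"
}
demo
```

Run `cert_has_san /etc/caddy/aero.xyz.crt cdn.aero.xyz` against the real file before reloading; if it fails, the log line "enabling automatic TLS certificate management" for cdn.aero.xyz is the expected result. `caddy validate --config Caddyfile` and `caddy adapt --config Caddyfile` confirm the Caddyfile parses and show which hosts end up under automatic management.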