How to use two different SSL cert for LAN & WAN

1. The problem I’m having:

I want to use a self-signed SSL cert if the request comes from the LAN, like https://192.168.1.10,
and the server's default Let's Encrypt cert if the request comes from the WAN, like https://website-name.com

Please fill out the help topic template as per the forum rules. Without seeing your version, config, or logs, we have to make assumptions, and that’s a waste of time (both yours and ours).

You can just set up two separate site blocks with different tls config.

But if you actually want to choose certs based on the remote IP of the client, then that’s not possible via Caddyfile, but via JSON config you can configure TLS connection policies that match by remote IP (see JSON Config Structure - Caddy Documentation).

1 Like
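A JSON config for the remote-IP approach described above, as an added illustration (not posted in this thread). It assumes a LAN subnet of 192.168.1.0/24 and a self-signed cert/key at /etc/caddy/ssl.crt and /etc/caddy/ssl.key whose SANs include the IP 192.168.1.10; website-name.com still gets its Let's Encrypt cert automatically because it appears in a host matcher.

```json
{
  "apps": {
    "http": {
      "servers": {
        "srv0": {
          "listen": [":443"],
          "routes": [
            {
              "match": [{"host": ["website-name.com"]}],
              "handle": [{"handler": "static_response", "body": "WAN site"}]
            },
            {
              "handle": [{"handler": "static_response", "body": "LAN site"}]
            }
          ],
          "tls_connection_policies": [
            {
              "match": {
                "remote_ip": {"ranges": ["192.168.1.0/24"]}
              },
              "certificate_selection": {"any_tag": ["lan"]}
            },
            {}
          ]
        }
      }
    },
    "tls": {
      "certificates": {
        "load_files": [
          {
            "certificate": "/etc/caddy/ssl.crt",
            "key": "/etc/caddy/ssl.key",
            "tags": ["lan"]
          }
        ]
      }
    }
  }
}
```

Connection policies are evaluated in order: the first one hands LAN clients the tagged self-signed cert, and the empty trailing policy is the catch-all that lets every other connection use the automatically managed certificate. Verify with `openssl s_client -connect 192.168.1.10:443` from a LAN host and with the domain from outside; the issuer shown should differ.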

@francislavoie
Sorry, I thought it was a simple question :sweat_smile:

So there is no way to use Caddyfile like this

website-name.com {
  ...
}

192.168.1.10:443 {
  tls ssl.crt ssl.key
  ...
}

And when we use :port { ... }, it overrides all other name-based configs.

website-name.com {
  ...
  # never gets SSL cert from Let's Encrypt
}

:443 {
  tls ssl.crt ssl.key
  ...
  # serves provided ssl.crt for all requests regardless of name-based config
}
:80 {
  redir https://{host}{uri}
}

Is this how it is supposed to work or am I missing something?
Is there any way to set a priority in Caddyfile for each config?

FYI, they’ve been called TLS certs since 1999. SSL is dead.

You can use auto_https ignore_loaded_certificates to get that behaviour.

Thing is though, TLS certs need to contain the domain names they’re valid for. So it’s not possible to have a TLS cert that’s valid for all domains. I’m not sure what you’re trying to achieve here.

2 Likes