Manage certs for MQTT server

Beginner question: It sounds like, from this thread, that I can use Caddy to manage TLS certificates/handling for a MQTT server using the tls app. How do I specify which port handles this stuff? A reverse_proxy setup is pretty easy to understand, as the subdomain/port are right there in the JSON you stick in the Caddyfile. But for the MQTT over TLS example, I would need subdomain.server.com to map to port 8883 where MQTT is listening for TLS connections.

Again, I’m just starting with Caddy, so I may be misunderstanding something fundamental.

Hello Andrew,

the idea proposed here is to only use Caddy to obtain certificates in the file system. Your other daemon, e.g. MQTT, would read the certificate (both public and private part) from the filesystem and use it to provide a TLS endpoint itself.

Ah ok, that’s more clear to me. So as long as I can create symlinks to, or point the MQTT server to those certs, I should be good to go?

I would just include the JSON that @matt listed up top in my Caddyfile, and restart the service?

Seems too simple. :)

This is how it would work, but see other answers regarding file permissions.

I think I spoke too soon with “too simple.” Where is the JSON config file? I know where the Caddy file is, but where do I add that JSON that matt has up top?

Edit: I think I figured it out. I changed the service (/lib/systemd/system/caddy.service) to use any JSON file (for example, /etc/caddy/caddy.json) instead of Caddyfile. I copied the parsed JSON for my current Caddyfile (located at /var/lib/caddy/.config/caddy/autosave.json) into caddy.json and then added the bit that Matt posted up top.

Then “systemctl daemon-reload”
Then “systemctl restart caddy”

I’m on Ubuntu 22.04.

I split this out of the wiki topic because wiki threads should stay “evergreen”. Help questions should go in their own topic.

The TLS section is added to my caddy.json file.
Service is restarted.
When/how will the required certificates show up in ~/.local/share/caddy/certificates/ ?

(This thread branches from Is it possible to use caddy to retrieve a LE certificate for something else than a web site?)

They would appear in the HOME of the user Caddy runs as, which is /var/lib/caddy, not your own user’s HOME.

Check Caddy’s logs.
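The shape of the tls-app JSON this thread is talking about, as an added example rather than the config @matt posted in the original wiki thread: `mqtt.example.com` is a placeholder for the MQTT hostname, and `automate` is the Caddy tls app's list of names it should obtain and renew certificates for without binding any listener to them (so no port mapping for 8883 appears anywhere in the Caddy config).

```json
{
  "apps": {
    "tls": {
      "certificates": {
        "automate": ["mqtt.example.com"]
      }
    }
  }
}
```

With this in /etc/caddy/caddy.json, Caddy only manages the certificate; the MQTT daemon is pointed at the resulting .crt and .key files under Caddy's data directory (/var/lib/caddy/.local/share/caddy/certificates/ when Caddy runs as the distro's caddy user). Caddy writes those files and directories with owner-only permissions, so a daemon running as a different user needs read access arranged deliberately (for example by a small root-run copy step on renewal) rather than a plain symlink.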

There they are! Thank you!
