I have a machine A and a machine B. I have a floating IP that can I assign to either machine.
Machine A is running caddy with a valid acme cert. Now I want to switch over to caddy running on machine B with only little interruption. This is a blue/green deployment between two clusters.
What are the best options?
a) backup the certs from machine A and transfer them to the caddy instance on machine B.
b) build an xcaddy, add DNS ACME, give the machine access to manage the DNS records (meh) so new certs are ready on machine B before the switch
c) have some kind of storage backend for the certs that is shared between the two caddy instances
I myself do store certs in redis and use DNS challenges to not need the IP up and running to generate certs via caddy. This way I can quickly remap a service via DNS to whatever of my VPSes is running the container currently. I have documented this caddy-docker-proxy-redis here.
Yeah, I am just really not keen on handing out write access to the DNS records to a server.
It would amplify the consequences in case of a security breach.
The main idea is more that you do not have anything to do to share any certificate - all certificates are available to all caddy instances using the same Redis storage. So you actually do not concern yourself with certificates any longer, only which hosts in your fleet runs which containers.
For just files the export option does not really make sense. But if you want to transfer the certificates from one host to another, it makes sense. It also makes sense if you use one of the other storage providers like Redis or Postgres, in this case you can make a backup of your certs in one canonical format or even import existing certs from file storage to Redis. I did this to consolidate all my file based certs by importing them all into one Redis storage. I also do export all my certs into the canonical caddy format as part of the daily backup procedure for disaster recovery.
I do build my own caddy with my selection of modules (just two, a dns module and the Redis storage) into a docker container and just use that for running on my machines. This actually is far easier for me to update.
Yeah, I use ACME-DNS specifically for that purpose. My DNS delegates _acme-challenge.MYDOMAIN to ACME-DNS instance, and Caddy can update only that. No write access to MYDOMAIN.