Need your feedback: How should Caddy handle different ACME CAs?

I’m working on Caddy 0.9 and making some changes to how it stores TLS certificates on disk. When Caddy creates a user account with an ACME CA or obtains a certificate from an ACME CA, it puts them in a folder called “letsencrypt”.

The default CA is Let’s Encrypt’s production endpoint. You could use the -ca flag to change that, for example, to use Let’s Encrypt’s staging endpoint for testing. The problem is that the user accounts and certificates are still stored in the same place, and using a user account from one CA doesn’t work on another CA.

So Caddy 0.9 will organize users/accounts and certificates by the hostname of the CA, so acme-staging users and certs will go in a different place from acme-v01 users and certs. This makes it possible to switch back and forth without having to delete (!) your files. Also, in the future, Let’s Encrypt won’t be the only ACME provider; I’m very hopeful of that.

Anyway, this new behavior introduces some difficult questions. I need your feedback!! (Don’t mind my own votes. I’ve thought a lot about this, but I want to make sure all the reasons are considered.)

Scenario 1

You’ve already got a user account and some certificates on disk from a previous run of Caddy. You run Caddy anew with the -ca flag and specify a different ACME CA that you have never used before, but your Caddyfile (the list of sites, etc) is the same. Caddy cannot use the same user account; it will definitely have to register a new account with the new CA. But how should Caddy handle the certificates, and why (please comment)?

Please keep in mind that one CA may be a test server and only issues fake certificates, and the other CA might be a real one with real certificates. Or they could both be real or both be for testing.

  • Use the certificates already obtained from the other CA (and keep it renewed using that CA)
  • Obtain new certificates from the new CA


Scenario 2

Like the previous scenario, you’ve just started Caddy with a new CA using the -ca flag. You already have a user account on disk (that’s the part where you provide an email address and agree to the terms) that’s registered with that CA, but nothing for this new CA. Caddy will need to register a new user with this new CA. How should it get the email address to use for the account?

  • Prompt me for email. (I might use a different one.) Prompt me to agree to a potentially same or different Subscriber Agreement. (I want to be extra sure I’ve read it.)
  • Do NOT prompt me for email. (Use my email address that’s already on disk from the other CA.) Prompt me to agree to a potentially different, or potentially same, Subscriber Agreement. (So I can be sure I’ve read it.)
  • Do NOT prompt me for email. (Use my previous email already on disk.) Do NOT prompt me to agree to the subscriber agreement. (I’ll agree to whatever it is, and it might be the same. Just don’t bother me!)


Explain your reasoning in replies, if you could please! Thank you!

(Note that even if the majority votes one way I may still choose another – this is about discussion with sound reasoning more than an actual vote.)
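To make the per-CA layout described in the post concrete, here is an added example (not Caddy's own code) of how accounts and certificates can be keyed by the CA's hostname so that a staging account can never be mistaken for a production one. The directory layout (root/<ca-hostname>/users/<email> and root/<ca-hostname>/sites/<domain>), the Storage and Account types, and the registration URL with PLACEHOLDER in it are all assumptions made for this illustration; the acme-v01 and acme-staging hostnames are the ones the post mentions.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
	"os"
	"path/filepath"
	"strings"
)

// CAHostname extracts the host (and explicit port, if any) from an ACME
// directory URL so that assets from different CAs never share a folder.
func CAHostname(caURL string) (string, error) {
	if !strings.Contains(caURL, "://") {
		caURL = "https://" + caURL
	}
	u, err := url.Parse(caURL)
	if err != nil {
		return "", err
	}
	if u.Host == "" {
		return "", fmt.Errorf("CA URL %q has no host", caURL)
	}
	// A colon from an explicit port is not a safe directory name on every OS.
	return strings.ToLower(strings.ReplaceAll(u.Host, ":", "_")), nil
}

// Storage roots all ACME assets for one CA under root/<ca-hostname>
// (assumed layout for this example, not Caddy's actual layout).
type Storage struct {
	root string
	ca   string
}

func NewStorage(root, caURL string) (Storage, error) {
	host, err := CAHostname(caURL)
	if err != nil {
		return Storage{}, err
	}
	return Storage{root: root, ca: host}, nil
}

func (s Storage) UserDir(email string) string {
	return filepath.Join(s.root, s.ca, "users", strings.ToLower(email))
}

func (s Storage) SiteDir(domain string) string {
	return filepath.Join(s.root, s.ca, "sites", strings.ToLower(domain))
}

// Account is the on-disk record of a registration. Registration is the account
// URL the CA handed back, which only means something at that CA.
type Account struct {
	Email        string `json:"email"`
	CA           string `json:"ca"`
	Registration string `json:"registration"`
}

var ErrNoAccount = errors.New("no account registered with this CA")

func (s Storage) SaveAccount(acct Account) error {
	acct.CA = s.ca // stamp the record with the CA it belongs to
	dir := s.UserDir(acct.Email)
	if err := os.MkdirAll(dir, 0o700); err != nil {
		return err
	}
	data, err := json.Marshal(acct)
	if err != nil {
		return err
	}
	return os.WriteFile(filepath.Join(dir, "account.json"), data, 0o600)
}

// LoadAccount returns ErrNoAccount when the email has no registration at this
// CA, even if the same email is registered at another CA under the same root.
func (s Storage) LoadAccount(email string) (Account, error) {
	data, err := os.ReadFile(filepath.Join(s.UserDir(email), "account.json"))
	if errors.Is(err, os.ErrNotExist) {
		return Account{}, ErrNoAccount
	}
	if err != nil {
		return Account{}, err
	}
	var acct Account
	if err := json.Unmarshal(data, &acct); err != nil {
		return Account{}, err
	}
	if acct.CA != s.ca { // defends against a record copied between CA folders
		return Account{}, fmt.Errorf("account belongs to %s, not %s", acct.CA, s.ca)
	}
	return acct, nil
}

func main() {
	root, _ := os.MkdirTemp("", "acme-storage")
	defer os.RemoveAll(root)
	prod, _ := NewStorage(root, "https://acme-v01.api.letsencrypt.org/directory")
	staging, _ := NewStorage(root, "https://acme-staging.api.letsencrypt.org/directory")
	// Constructed registration URL; PLACEHOLDER stands in for a real account id.
	_ = prod.SaveAccount(Account{Email: "admin@example.com",
		Registration: "https://acme-v01.api.letsencrypt.org/acme/reg/PLACEHOLDER"})
	_, err := staging.LoadAccount("admin@example.com")
	fmt.Println("staging lookup:", err) // a fresh registration is needed at staging
}
```

Because the lookup is scoped to the CA hostname, switching -ca to a CA you have never used simply finds nothing on disk, which is the point at which Scenario 2's question (where does the email come from?) arises; the production account and its certificates stay untouched in their own folder.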

Is the CA always going to be a process-wide setting? Is it possible to have my public domains use LE, and some private domains use an internal CA or something?

On #1 I figure if they specify a new CA they want to use that. Maybe switching staging to prod or something where I need new certs.

I never run caddy in an interactive mode, so I really can’t have any prompts.

Great questions. 1) No 2) Yes. Caddy 0.9 makes it possible to scope the CA to an individual site address. However, I have not yet decided to expose this degree of control. (Maybe just a ca property in the tls directive?)

If you can still use the -email and -agree flags to bypass prompts, does that sway your opinion at all?
