Hi. In my home network scenario, I already have a service using 443. When deploying caddy for another use I “loaned” 443 to the new deployment to ensure certificates get issued without a hitch. Once setup, I rename my domain name to include a non-standard port such as 4439. When time comes for caddy to renew my certificates will I be Ok? Thanks!
No, Caddy needs to be accessible on both port 80 and 443 (unless you use the DNS challenge) to renew certificates. Certs from Let’s Encrypt expire after 90 days, and Caddy attempts to renew them when they get to about 60 days old.
Caddy can act as a reverse proxy, so you could run it in front of your other service, running the other service on a different port than 443, so that Caddy can use 443.
The other service was Home Assistant, which, in the form of add-ons, has its own reverse proxy, Duck DNS and certificate maintenance built in.
Had to work out how to disable all that and put Caddy in front of it. All sorted now and Caddy owns 443!
Thanks for the push in the right direction.
To clarify, ports 80 and 443 are required by the ACME spec; Caddy actually lets you change them to whatever you want, but you still have to forward ports 80 and 443 to your internal alternate ports then.
Or set up the DNS challenge which does not require any external ports.
But anyway, it’s worth noting that this is not a requirement unique to Caddy. If you let Caddy manage your certificates (recommended), then it will need 80 and 443 exclusively (if you don’t set up the DNS challenge).
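As an added example (not posted by anyone in this thread), here is a Caddyfile that puts Caddy in front of Home Assistant and uses the DNS challenge, so issuance and renewal never depend on inbound ports 80/443; it assumes a Caddy build with the Cloudflare DNS provider module, the API token in the `CLOUDFLARE_API_TOKEN` environment variable, Home Assistant on its default port 8123, and the placeholder hostname `home.example.com`.

```caddyfile
# Optional global options: only needed if Caddy's own listeners must sit on
# non-standard internal ports (e.g. because 80/443 are taken). Without the DNS
# challenge you would then have to forward external 80/443 to these ports.
{
	http_port  8080
	https_port 4439
}

# Placeholder hostname; replace with your own domain.
home.example.com {
	# DNS-01 challenge: Caddy proves control of the domain by creating a TXT
	# record via the provider API, so no inbound port is needed to obtain or
	# renew the certificate. Requires the Cloudflare DNS module and the token
	# in CLOUDFLARE_API_TOKEN (both assumptions for this example).
	tls {
		dns cloudflare {env.CLOUDFLARE_API_TOKEN}
	}

	# Home Assistant on its default port 8123 (assumption). Caddy forwards
	# WebSocket upgrades and sets X-Forwarded-For by default.
	reverse_proxy localhost:8123
}
```

Home Assistant only honours the forwarded client address if `use_x_forwarded_for: true` and Caddy's address under `trusted_proxies` are set in the `http:` section of its `configuration.yaml`.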