Obtaining and renewing SSL/TLS certificates when Caddy sits behind an IP whitelist

1. The problem I’m having:

I want to use Caddy to expose some endpoints used for metrics over HTTPS. I would like to expose these endpoints behind a firewall that only allows requests from whitelisted IP addresses. When doing so, I will face an issue with TLS certificates, as the certification authority wouldn’t be able to access the web server to perform the authentication and renewal of the certificate. This is so far pretty logical. Is there some sort of solution to this, as I have no other way of setting this up and I must have these HTTPS web pages behind this IP whitelist. I’d like to avoid managing the renewal of the certificates manually, as it is a lot of work for all the machines I’d like to install this setup on.

2. Error messages and/or full log output:

There are no error messages. I simply know that I will encounter this problem, and I am coming to this forum for suggestions on how to tackle it. If I set things up in this way, Caddy wouldn’t be able to get the certification authority to verify the ownership of the server as it’s not whitelisted on the firewall.

3. Caddy version:


4. How I installed and ran Caddy:

a. System environment:

Caddy is installed on several Windows, macOS and Linux machines. Each installation serves the exact same purpose (GET requests for metrics).

On Windows I have just downloaded the executable from your website and added it as a service.
On macOS, I am using the package provided in Homebrew and use it as a brew service.
On Linux, I installed the package following the installation instructions for Debian machines and run it as a systemd service.

b. Command:


sc.exe start caddy


brew services start caddy

Linux (Debian):

sudo systemctl start caddy

c. Service/unit/compose file:

Not applicable.

d. My complete Caddy config:

I am not allowed to give you the real domain name. I am sorry about that.

xxx.example.com {
    redir /prom /prom/
    handle_path /prom/* {

    redir /4D /4D/
    handle_path /4D/* {

5. Links to relevant resources:

Hi @dmarinov, I suggest using the DNS-01 challenge of the Challenge Types - Let's Encrypt.
Also consider using a DNS providers who easily integrate with Let's Encrypt DNS validation - Issuance Tech - Let's Encrypt Community Support.

1 Like

This wiki post should come in handy for you


Also be aware Let’s Encrypt offers Domain Validation (DV) certificates. You cannot get a certificate issued from them for an IP Address.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.