Re-issuing certificates using dns challenge

1. Caddy version (caddy version): v2.5.1 h1:bAWwslD1jNeCzDa+jDCNwb8M3UJ2tPa8UZFFzPVmGKs=. This is a custom caddy build with the duck dns plugin.

2. How I run Caddy:

I mounted the custom caddy binary inside the docker container. I’m using docker desktop to run a compose file for each of my services (including one for caddy). I initially used the acme http-01 challenge to get certs. I setup port forwarding on my router to my computer. This worked flawlessly.

a. System environment:

I’m using docker desktop on macos, and aim to transfer my setup to a raspberry pi.

b. Command:

I’m using docker compose, see next section

c. Docker compose file:

version: '3'

services:
  caddy:
    image: caddy:2
    container_name: caddy
    restart: always
    ports:
      - 80:80 # Needed for the ACME HTTP-01 challenge.
      - 443:443
    volumes:
      - ./Caddyfile:/etc/caddy/Caddyfile:ro
      - caddy:/data
      - ./caddy_linux_arm64_custom_duckdns:/usr/bin/caddy
    networks:
      - caddy
      - vaultwarden
      - libreddit
      - bibliogram
    env_file: ./caddy.env
    environment:
      - LOG_DIR=/data

networks:
  caddy:
    name: caddy
  vaultwarden:
    external: true
  libreddit:
    external: true
  pihole:
    external: true
  bibliogram:
    external: true
volumes:
  caddy:
    external: true

d. My complete Caddyfile or JSON config:

https://reddit.hybras.dev:443 {
	log {
		level INFO
		output file {$LOG_DIR}/reddit.log {
			roll_size 10MB
			roll_keep 10
		}
	}

	# Use the ACME HTTP-01 challenge to get a cert for the configured domain.
	tls {$EMAIL}

	# This setting may have compatibility issues with some browsers
	# (e.g., attachment downloading on Firefox). Try disabling this
	# if you encounter issues.
	encode gzip

	# Proxy everything else to Rocket
	reverse_proxy libreddit:8080 {
		# Send the true remote IP to Rocket, so that vaultwarden can put this in the
		# log, so that fail2ban can ban the correct IP.
		header_up X-Real-IP {remote_host}
	}
}

https://vault.hybras.dev:443 {
	log {
		level INFO
		output file {$LOG_DIR}/vaultwarden.log {
			roll_size 10MB
			roll_keep 10
		}
	}

	# Use the ACME HTTP-01 challenge to get a cert for the configured domain.
	tls {$EMAIL}

	# This setting may have compatibility issues with some browsers
	# (e.g., attachment downloading on Firefox). Try disabling this
	# if you encounter issues.
	encode gzip

	# Notifications redirected to the WebSocket server
	reverse_proxy /notifications/hub vaultwarden:3012

	# Proxy everything else to Rocket
	reverse_proxy vaultwarden:80 {
		# Send the true remote IP to Rocket, so that vaultwarden can put this in the
		# log, so that fail2ban can ban the correct IP.
		header_up X-Real-IP {remote_host}
	}
}

3. The problem I’m having:

I no longer want my services to be public. I’m mostly following the directions here to setup https with my private services. I changed my public domains from A records to CNAMES pointing to a duck dns domain so I can use ddns. I’m also following this section of caddy’s duckdns module.

4. Error messages and/or full log output:

{"level":"info","ts":1654547160.0730753,"msg":"using provided configuration","config_file":"/etc/caddy/Caddyfile","config_adapter":"caddyfile"}
{"level":"info","ts":1654547160.091791,"logger":"admin","msg":"admin endpoint started","address":"tcp/localhost:2019","enforce_origin":false,"origins":["//localhost:2019","//[::1]:2019","//127.0.0.1:2019"]}
{"level":"warn","ts":1654547160.0922208,"logger":"http","msg":"server is listening only on the HTTP port, so no automatic HTTPS will be applied to this server","server_name":"srv1","http_port":80}
{"level":"info","ts":1654547160.09224,"logger":"http","msg":"server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS","server_name":"srv0","https_port":443}
{"level":"info","ts":1654547160.0922606,"logger":"http","msg":"enabling automatic HTTP->HTTPS redirects","server_name":"srv0"}
{"level":"info","ts":1654547160.0942128,"logger":"tls.cache.maintenance","msg":"started background certificate maintenance","cache":"0x4000510690"}
{"level":"info","ts":1654547160.1001198,"logger":"tls","msg":"cleaning storage unit","description":"FileStorage:/data/caddy"}
{"level":"info","ts":1654547160.10068,"logger":"http","msg":"enabling automatic TLS certificate management","domains":["reddit.hybras.dev","vault.hybras.dev","insta.hybras.dev"]}
{"level":"info","ts":1654547160.119333,"logger":"tls","msg":"finished cleaning storage units"}
{"level":"info","ts":1654547160.128496,"msg":"autosaved config (load with --resume flag)","file":"/config/caddy/autosave.json"}
{"level":"info","ts":1654547160.1285338,"msg":"serving initial configuration"}

5. What I already tried:

I tried replaces the tls sections of my caddyfile with the following to use the new challenge type. Caddy didn’t do anything however. I wanted to confirm before deleting caddy’s data dir, or if some other step was required, since the docs caution against doing so.

tls {
	dns duckdns <token> {
		override_domain hybras.duckdns.org
	}
}

6. Links to relevant resources:

[1]: https://github.com/dani-garcia/vaultwarden/wiki/Running-a-private-vaultwarden-instance-with-Let%27s-Encrypt-certs
[2]: https://github.com/caddy-dns/duckdns#challenge-delegation

Delete the certificates from Caddy’s storage, then reload Caddy.

Since you’re running in Docker, you can use the docker inspect command to find the actual location of the files on your host machine, or you can get a shell into your Caddy container with docker-compose exec caddy /bin/sh to delete the files from /data.

If you plan to move your setup to another machine, then there’s nothing to do, really. You could just do that, since the storage won’t be carried over when you do.

Thank you for confirming that deleting is the right step. I mentioned transferring just in case, but is wasn’t relevant to this problem. I have physical access to my machine so I was going to transfer caddy’s data volume over a usb stick. I was just going to do this so I don’t have to needlessly reacquire certs.

Reissuing certs is cheap, don’t worry too much about it. It’s fast, and as long as you’re not doing it way too much, it’s not a problem. Let’s Encrypt has quite generous rate limits.

You’ll spend more time copying the certs from one machine to another and making sure they’re in the right location etc, than just making Caddy reissue them.