SSL certs over nonstandard ports for unsupported DNS provider

1. Caddy version (caddy version):

/srv # caddy version
v2.4.6 h1:HGkGICFGvyrodcqOOclHKfvJC0qTU7vny/7FhYp9hNw=

I can only manually update A/CNAME of my primary DNS provider. To be clear my primary DNS provider is unsupported by Caddy (no plugin exists)
Caddy has to be reached by the ACME provider over non-standard ports - say 81, 444 - this requires me to use DNS challenge - which I don’t think I can do manually?

Can I?

So I was thinking I would solve this the following way:

  1. Use duckdns to host the A record. Enable and use the duckdns Caddy plugin to solve the DNS challenge
  2. Create a manual CNAME at my primary DNS provider to point to this duckdns entry

If the free Cloudflare tier will provide me the same benefits as duckdns - I am happy to skip duckdns and start using Cloudflare directly - never used Cloudflare but familiar with duckdns and find it simple.
Would appreciate any feedback.

Does all if this sound reasonable? Are there better solutions?

Background:

I want to be able to host multiple docker “stacks” on the same VM where each stack has its own Caddy for ingress. As a result, it’s not possible to have all the Caddy instances listen on the same 80, 443 (this is a temp. challenge until I get more comfortable with the Caddy API where I will have one Caddy for ingress and add/remove entries as these stacks come and go)

1 Like

I am curious to know which DNS/Nameserver provider you are using, if you’d like to share it :slight_smile:

Yes. Both the HTTP (:80) and TLS-ALPN (:443) acme challenges have to be externally reachable on :80 and :443 respectably.

And yes, there is no manual DNS challenge mode.

This is called DNS challenge delegation, as you might already know :innocent:
And you don’t need to host your A record there for that. All you have to add is a CNAME to _acme-challenge.example.com (where example.com is your domain) and point that to duckdns.

The caddy duckdns provider (dns.providers.duckdns) used to be the only DNS provider which supported that use-case (afaik).
But with the upcoming Caddy v2.5.0, including the first beta (v2.5.0-beta.1) released just 5 days ago, this will be/is possible with all DNS providers using dns_challenge_override_domain.
So if you like, you could try out the beta and use any DNS provider, including Cloudflare - if you like - with a CNAME record.

You could however also use Cloudflare directly, without the use of DNS challenge delegation, if you change your Nameserver to Cloudflare’s. That’s fairly straight forward and quickly done.

Well uhm, this will work just fine. But giving each Docker stack its own Caddy is really odd.
If you use Caddy to proxy your Docker services/containers, you will almost certainly like GitHub - lucaslorentz/caddy-docker-proxy: Caddy as a reverse proxy for Docker

With that, you only need to run a single Caddy for all your Docker containers and will be able to dynamically add or alter vhosts/domains via Docker labels from within your Stack config (docker-compose I assume).
And as a bonus, you don’t need to use the DNS acme challenge all together because you are using :80 and :443 again :slight_smile:

3 Likes

This is such a well written, easy to understand, extremely comprehensive answer that I think you should turn this into a blog

I would actually like to split this up into 2 threads, but I can’t seem to do that, so I will create 2 different replies

I don’t - where can I read more about it?

I was hoping for some more details than DNS Zone Setup — Certhub documentation

3 Likes

I would like to do that. Do I use the xcaddy, pull the latest code from git and build a custom docker image or is there an image that already does that?

Spot on - I have it in my reading list - it seems like it uses the labels to create the Caddyfile?

I am definitely interested in learning more about it - is this the right forum to ask about it?

A couple links I can give:

There’s a builder Docker image variant that you can use to build your image. See Docker Hub, the section “Adding custom Caddy modules”.

The caddy-docker-proxy project’s README also mentions how to use the builder image to run with CDP.

3 Likes

This topic was automatically closed after 30 days. New replies are no longer allowed.