Storing TLS certificates

Moe · April 12, 2020, 10:08pm

New to Caddy and love it so far!

I’m reading through many support articles some of which are old and closed trying to figure out the best approach to store certificates when multiple servers are being used behind a load balancer for automatic HTTPS. (Automatic HTTPS — Caddy Documentation).

I did find this (About multiple hosts sharing the same TLS certificates storage - #3 by pteich) which Matt was saying he hopes to “make storage class plugin more first class.” Wondering if this is already implemented?

My main question is, is there a way to use something like Amazon S3 bucket to store the Let’s Encrypt certificates? In the storage docs I’m not seeing any other details other than fileSystem.

francislavoie · April 12, 2020, 10:16pm

I don’t think there are any other storage plugins implemented yet, but that might be possible to implement.

If you’re proficient in Go, you could write a plugin to do this:

If that’s not possible, you could also use something like CEPH or GlusterFS to share the filesystem between machines, then point Caddy to use that storage instead.

matt · April 12, 2020, 11:40pm

There is an S3 storage backend for CertMagic, sort of: GitHub - securityclippy/magicstorage: storage backends for certmagic

I say “sort of” because it doesn’t provide atomic operations, which are necessary for safe coordination in a cluster: Locking implementation does not appear to be atomic · Issue #3 · securityclippy/magicstorage · GitHub

Feel free to contribute to it though!

There are Redis, DynamoDB, and Consul storage backends as well, that AFAIK do support locking.

Moe · April 13, 2020, 5:02am

Thanks so much. I’m looking into both options now. Seems that some of this might be a bit too advanced for my pay grade.

frenchvandal · April 14, 2020, 3:15pm

I am stepping in the conversation since I was wondering a similar question today.

I have a Redis instance in my Docker stack I use for caching and queueing a Laravel PHP app. If I use Redis for storing TLS certificates, I guess I should install this extension with the Caddy builder image.

And then is there something specific to configure with the API? What should I put as a value in the storage field?

Thanks!

francislavoie · April 14, 2020, 3:28pm

Unfortunately that’s a Caddy v1 plugin. I’m not aware of an equivalent for v2 yet, but it’s just a matter of time for someone to write one!

matt · April 14, 2020, 3:35pm

They’re easy to write, since they just translate from one struct type to another. Should take about 10-30 minutes.

frenchvandal · April 14, 2020, 3:54pm

I saw a commit for the v2 on the Redis plugin, this is why I asked

francislavoie · April 14, 2020, 4:04pm

Interesting! Nice that work is being done there already!

So yes, it’ll likely just be a matter of configuring the storage like this JSON Config Structure - Caddy Documentation

{
  "storage" : {
    "module": "redis",
    "address": "your-redis-address:6379"
  }
}

In Caddyfile, it’ll be a global option (at the top of the file) https://caddyserver.com/docs/caddyfile/options:

{
  storage redis {
    address your-redis-address:6379
  }
}

I didn’t dig into what options are required or available, but it’ll look something like that.

system · October 9, 2020, 10:08pm

This topic was automatically closed after 180 days. New replies are no longer allowed.