Storing TLS certificates

New to Caddy and love it so far!

I’m reading through many support articles some of which are old and closed trying to figure out the best approach to store certificates when multiple servers are being used behind a load balancer for automatic HTTPS. (https://caddyserver.com/docs/automatic-https#storage).

I did find this (About multiple hosts sharing the same TLS certificates storage), in which Matt said he hopes to “make storage class plugin more first class.” Wondering if this is already implemented?

My main question is, is there a way to use something like Amazon S3 bucket to store the Let’s Encrypt certificates? In the storage docs I’m not seeing any other details other than fileSystem.

I don’t think there are any other storage plugins implemented yet, but that might be possible to implement.

If you’re proficient in Go, you could write a plugin to do this:

If that’s not possible, you could also use something like Ceph or GlusterFS to share the filesystem between machines, then point Caddy to use that storage instead.

1 Like

There is an S3 storage backend for CertMagic, sort of: https://github.com/securityclippy/magicstorage

I say “sort of” because it doesn’t provide atomic operations, which are necessary for safe coordination in a cluster: https://github.com/securityclippy/magicstorage/issues/3

Feel free to contribute to it though!

There are Redis, DynamoDB, and Consul storage backends as well, that AFAIK do support locking.

1 Like

Thanks so much. I’m looking into both options now. Seems that some of this might be a bit too advanced for my pay grade.

I am stepping in the conversation since I was wondering a similar question today.

I have a Redis instance in my Docker stack that I use for caching and queueing for a Laravel PHP app. If I use Redis for storing TLS certificates, I guess I should install this extension with the Caddy builder image.

And then is there something specific to configure with the API? What should I put as a value in the storage field?

Thanks!

Unfortunately that’s a Caddy v1 plugin. I’m not aware of an equivalent for v2 yet, but it’s just a matter of time for someone to write one!

They’re easy to write, since they just translate from one struct type to another. Should take about 10-30 minutes.
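The coordination a shared storage backend has to provide, as an added example that is not from this thread, from Caddy or from CertMagic: the method shape (Lock/Unlock/Store/Load with a context) is written from memory of certmagic.Storage, and a real plugin also implements Delete, Exists, List and Stat, so check the CertMagic source for the current signatures. The in-memory backend, the key names and the constructed CA stand-in are all assumptions. It shows why the atomic lock mentioned above matters: several simulated Caddy instances race to obtain the same name, and because Lock is atomic the CA is contacted exactly once and every instance ends up holding the same certificate.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"io/fs"
	"sync"
	"sync/atomic"
)

// MemStorage stands in for a shared backend (Redis, Consul, DynamoDB); it
// implements only the subset of certmagic.Storage needed to show locking.
type MemStorage struct {
	mu    sync.Mutex
	data  map[string][]byte
	locks map[string]chan struct{} // one-slot semaphore per lock key
}

func NewMemStorage() *MemStorage {
	return &MemStorage{data: map[string][]byte{}, locks: map[string]chan struct{}{}}
}

// sem returns the semaphore for key, creating it under the mutex on first use.
func (m *MemStorage) sem(key string) chan struct{} {
	m.mu.Lock()
	defer m.mu.Unlock()
	if _, ok := m.locks[key]; !ok {
		m.locks[key] = make(chan struct{}, 1)
	}
	return m.locks[key]
}

// Lock acquires key or fails when ctx ends. The buffered send is the atomic
// "check it is free and take it" step that a plain object store lacks.
func (m *MemStorage) Lock(ctx context.Context, key string) error {
	select {
	case m.sem(key) <- struct{}{}:
		return nil
	case <-ctx.Done():
		return ctx.Err()
	}
}

// Unlock releases key; releasing a lock that is not held is an error.
func (m *MemStorage) Unlock(ctx context.Context, key string) error {
	select {
	case <-m.sem(key):
		return nil
	default:
		return fmt.Errorf("unlock %q: not held", key)
	}
}

func (m *MemStorage) Store(ctx context.Context, key string, value []byte) error {
	m.mu.Lock()
	defer m.mu.Unlock()
	m.data[key] = append([]byte(nil), value...)
	return nil
}

// Load reports a missing key with fs.ErrNotExist, as CertMagic expects.
func (m *MemStorage) Load(ctx context.Context, key string) ([]byte, error) {
	m.mu.Lock()
	defer m.mu.Unlock()
	if v, ok := m.data[key]; ok {
		return append([]byte(nil), v...), nil
	}
	return nil, fmt.Errorf("load %q: %w", key, fs.ErrNotExist)
}

// issueOnce is one instance's obtain path: lock the name, re-check storage
// (another node may have finished while we waited), only then call the CA.
func issueOnce(ctx context.Context, s *MemStorage, name string, ca func() []byte) ([]byte, error) {
	lockKey, certKey := "issue_cert_"+name, "certificates/"+name+".crt" // assumed key layout
	if err := s.Lock(ctx, lockKey); err != nil {
		return nil, err
	}
	defer s.Unlock(ctx, lockKey)
	cert, err := s.Load(ctx, certKey)
	if err == nil || !errors.Is(err, fs.ErrNotExist) {
		return cert, err // already issued, or a real backend error (don't reissue on that)
	}
	cert = ca()
	return cert, s.Store(ctx, certKey, cert)
}

// SimulateCluster runs n instances against one shared storage and returns
// what each ended up with and how often the constructed CA stand-in was hit.
func SimulateCluster(s *MemStorage, name string, n int) ([]string, int32) {
	var calls int32
	ca := func() []byte {
		return []byte(fmt.Sprintf("CONSTRUCTED-CERT(%s)#%d", name, atomic.AddInt32(&calls, 1)))
	}
	results := make([]string, n)
	var wg sync.WaitGroup
	for i := 0; i < n; i++ {
		wg.Add(1)
		go func(i int) {
			defer wg.Done()
			cert, err := issueOnce(context.Background(), s, name, ca)
			if err != nil {
				cert = []byte("ERROR: " + err.Error())
			}
			results[i] = string(cert)
		}(i)
	}
	wg.Wait()
	return results, atomic.LoadInt32(&calls)
}

func main() {
	fmt.Println(SimulateCluster(NewMemStorage(), "example.com", 8))
}
```

Swapping MemStorage for a real backend means keeping exactly these properties: Lock must be a single atomic operation on the backend (a compare-and-set, a Redis SET NX, a Consul session), and Unlock must only release a lock the caller holds. A backend that implements Lock as "read the key, then write it if absent" has the same race that the magicstorage issue linked above describes.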

I saw a commit for the v2 on the Redis plugin, this is why I asked 🙂

2 Likes

Interesting! Nice that work is being done there already!

So yes, it’ll likely just be a matter of configuring the storage like this: https://caddyserver.com/docs/json/storage/

{
  "storage" : {
    "module": "redis",
    "address": "your-redis-address:6379"
  }
}

In the Caddyfile, it’ll be a global option (at the top of the file) https://caddyserver.com/docs/caddyfile/options:

{
  storage redis {
    address your-redis-address:6379
  }
}

I didn’t dig into what options are required or available, but it’ll look something like that.

1 Like