Temporarily listen on port while doing ACME challenge

Is it possible to have Caddy listen on a port temporarily only while doing the ACME challenge?

Scenario: private HTTPS server on LAN that needs a valid TLS certificate. Nothing outside the private LAN needs to connect to it except for the ACME servers when the cert needs to be renewed. My idea is to forward router port 80 to internal server port 8888 that Caddy listens on only when it needs to do ACME, otherwise nothing listens on that port (Caddy would always listen on 443 so that internal clients can use it).

Any alternatives to keep this as secure as possible? I know there’s the DNS challenge but that doesn’t work as I use a custom bind9 server, there is no DNS API. It does not appear that Caddy supports nsupdate.

Listening on a port only for a few seconds instead of longer will not really make you more secure.

But as it stands, if you disable auto HTTPS redirects, Caddy won’t listen on port 80 except when solving the HTTP ACME challenge.

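As an added illustration of the setup described in the reply above (this is not configuration posted in the thread), here is a Caddyfile for the original poster's scenario: Caddy keeps :443 open for LAN clients, never runs the port-80 redirect listener, and only binds a local HTTP port while it is solving the HTTP-01 challenge. The hostname, the `alt_http_port` value of 8888 and the upstream on 127.0.0.1:8080 are assumptions standing in for the poster's real names and ports; the router still has to forward public port 80 to that internal port.

```caddyfile
{
    # Keep automatic HTTPS (certificate management) but do not start the
    # permanent HTTP->HTTPS redirect server on port 80. Caddy then opens an
    # HTTP listener only while an ACME HTTP-01 challenge is being solved.
    auto_https disable_redirects
}

# Assumed public DNS name of the LAN-only host; replace with the real one.
internal.example.com {
    tls {
        issuer acme {
            # Assumed: router forwards public :80 to this internal port, so
            # the challenge solver binds :8888 instead of :80 (HTTP-01 is
            # still served to the CA on port 80 from the outside).
            alt_http_port 8888

            # Only port 80 is forwarded, so the TLS-ALPN challenge on :443
            # can never be reached by the CA; disable it so Caddy does not
            # waste an attempt on it before falling back to HTTP-01.
            disable_tlsalpn_challenge
        }
    }

    # Assumed upstream; :443 stays open permanently for internal clients.
    reverse_proxy 127.0.0.1:8080
}
```

A quick check that this behaves as intended is to run `ss -ltnp` (or `netstat -ltnp`) on the host between renewals: only :443 should be owned by the caddy process, and :8888 should appear only for the few seconds a renewal is in progress. As the reply notes, the short-lived listener is not a meaningful security boundary in itself; the value is that nothing else is exposed, and that the forwarded port only ever reaches Caddy's challenge handler.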

Any plans for Caddy to support nsupdate to dynamically update Bind9 records? I could allow the named server to accept dynamic TXT updates for _acme-challenge using a TSIG key.

I also just discovered acme-dns which may do what I need in a somewhat secure way. But also unclear whether Caddy can work with it.

It’s up to the community to write a libdns plugin for it.

What other choices do I have here? Are there any Caddy hooks available where I can script either nsupdate or interacting with acme-dns or am I just better off doing it all outside of Caddy?

Why is the libdns package not an acceptable solution? :thinking: That would be the right way to do it, as it integrates directly with Caddy, makes it possible for all other users to benefit, and gives you the best performance and reliability.

Are you saying it’s already supported in Caddy or that someone needs to write a provider to make it happen?

It’s supported, but needs to be written. Either you’ll write a script and glue together a bunch of pieces or you’ll write a little bit of Go code that benefits everyone and works natively for your solution. :man_shrugging: I would recommend and request the latter :wink:
