Is it possible to have Caddy listen on a port temporarily only while doing the ACME challenge?
Scenario: private HTTPS server on a LAN that needs a valid TLS certificate. Nothing outside the private LAN needs to connect to it except for the ACME servers when the cert needs to be renewed. My idea is to forward router port 80 to internal server port 8888, which Caddy listens on only when it needs to do ACME; otherwise nothing listens on that port (Caddy would always listen on 443 so that internal clients can use it).
Any alternatives to keep this as secure as possible? I know there’s the DNS challenge, but that doesn’t work as I use a custom bind9 server and there is no DNS API. It does not appear that Caddy supports nsupdate.
Why is the libdns package not an acceptable solution? That would be the right way to do it, as it integrates directly with Caddy, makes it possible for all other users to benefit, and gives you the best performance and reliability.
It’s supported, but needs to be written. Either you’ll write a script and glue together a bunch of pieces, or you’ll write a little bit of Go code that benefits everyone and works natively for your solution. I would recommend and request the latter.
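As an added illustration of the Go route the reply recommends (this is not code from the thread, from Caddy or from libdns), the sketch below shows what a small DNS provider for a bind9 server driven by nsupdate (RFC 2136 dynamic updates with a TSIG key) looks like. The `Record`, `RecordAppender` and `RecordDeleter` types are local stand-ins shaped like the libdns interfaces so the file builds without the real module; a real provider would import `github.com/libdns/libdns` instead. The `Provider` field names, the server address and the zone are assumptions, and `Runner` is a hook that lets the rendered nsupdate batch be inspected without a DNS server.

```go
package main

import (
	"context"
	"fmt"
	"os/exec"
	"strings"
	"time"
)

// Local stand-ins shaped like the github.com/libdns/libdns types (assumption:
// a real provider imports that module; replaced here so the file builds alone).
type Record struct {
	Type  string        // "TXT" for ACME dns-01 challenges
	Name  string        // relative to the zone, e.g. "_acme-challenge"
	Value string        // challenge token
	TTL   time.Duration // 0 lets the provider pick a default
}

type RecordAppender interface {
	AppendRecords(ctx context.Context, zone string, recs []Record) ([]Record, error)
}

type RecordDeleter interface {
	DeleteRecords(ctx context.Context, zone string, recs []Record) ([]Record, error)
}

// Provider publishes records on a BIND server via RFC 2136 dynamic updates
// by driving the nsupdate CLI with a TSIG key (hypothetical field names).
type Provider struct {
	Server  string // address of the authoritative bind9 server
	KeyFile string // TSIG key file passed to "nsupdate -k"
	// Runner, when set, receives the rendered script instead of nsupdate
	// (dry run / tests); nil means a real nsupdate process is spawned.
	Runner func(script string) error
}

// Compile-time check that Provider satisfies both interfaces.
var (
	_ RecordAppender = (*Provider)(nil)
	_ RecordDeleter  = (*Provider)(nil)
)

// absName turns a zone-relative name into an absolute FQDN with a trailing dot.
func absName(name, zone string) string {
	zone = strings.TrimSuffix(zone, ".")
	if name == "" || name == "@" {
		return zone + "."
	}
	return strings.TrimSuffix(name, ".") + "." + zone + "."
}

// rdata quotes TXT values as nsupdate expects; other types pass through.
func rdata(r Record) string {
	if r.Type == "TXT" {
		return `"` + strings.ReplaceAll(r.Value, `"`, `\"`) + `"`
	}
	return r.Value
}

// buildScript renders an nsupdate batch: server/zone lines, one update line
// per record, then "send". Deletes carry no TTL.
func buildScript(op, server, zone string, recs []Record) string {
	var b strings.Builder
	fmt.Fprintf(&b, "server %s\nzone %s\n", server, strings.TrimSuffix(zone, ".")+".")
	for _, r := range recs {
		fqdn := absName(r.Name, zone)
		if op == "add" {
			ttl := int(r.TTL.Seconds())
			if ttl <= 0 {
				ttl = 60 // short TTL so the challenge record expires quickly
			}
			fmt.Fprintf(&b, "update add %s %d %s %s\n", fqdn, ttl, r.Type, rdata(r))
		} else {
			fmt.Fprintf(&b, "update delete %s %s %s\n", fqdn, r.Type, rdata(r))
		}
	}
	b.WriteString("send\n")
	return b.String()
}

// run hands the batch to nsupdate over stdin, or to Runner when set.
func (p *Provider) run(ctx context.Context, script string) error {
	if p.Runner != nil {
		return p.Runner(script)
	}
	cmd := exec.CommandContext(ctx, "nsupdate", "-k", p.KeyFile)
	cmd.Stdin = strings.NewReader(script)
	if out, err := cmd.CombinedOutput(); err != nil {
		return fmt.Errorf("nsupdate failed: %v: %s", err, out)
	}
	return nil
}

// AppendRecords publishes the challenge record before the ACME server queries it.
func (p *Provider) AppendRecords(ctx context.Context, zone string, recs []Record) ([]Record, error) {
	if err := p.run(ctx, buildScript("add", p.Server, zone, recs)); err != nil {
		return nil, err
	}
	return recs, nil
}

// DeleteRecords removes the record once validation is done.
func (p *Provider) DeleteRecords(ctx context.Context, zone string, recs []Record) ([]Record, error) {
	if err := p.run(ctx, buildScript("delete", p.Server, zone, recs)); err != nil {
		return nil, err
	}
	return recs, nil
}

func main() {
	// Dry run with constructed values: print the batch instead of sending it.
	p := &Provider{Server: "10.0.0.53", Runner: func(s string) error { fmt.Print(s); return nil }}
	rec := Record{Type: "TXT", Name: "_acme-challenge", Value: "constructed-token"}
	p.AppendRecords(context.Background(), "example.lan.", []Record{rec})
	p.DeleteRecords(context.Background(), "example.lan.", []Record{rec})
}
```

Because the update is signed with a TSIG key scoped to the zone, only the challenge TXT record needs to be writable and no inbound port has to be opened on the router at all, which is what makes the DNS route preferable to temporarily exposing port 80.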