Is it possible to have Caddy listen on a port temporarily only while doing the ACME challenge?
Scenario: private HTTPS server on LAN that needs a valid TLS certificate. Nothing outside the private LAN needs to connect to it except for the ACME servers when the cert needs to be renewed. My idea is to forward router port 80 to internal server port 8888 that Caddy listens on only when it needs to do ACME, otherwise nothing listens on that port (Caddy would always listen on 443 so that internal clients can use it).
Any alternatives to keep this as secure as possible? I know there’s the DNS challenge but that doesn’t work as I use a custom bind9 server, there is no DNS API. It does not appear that Caddy supports nsupdate.
Any plans for Caddy to support nsupdate to dynamically update Bind9 records? I could allow the named server to accept dynamic TXT updates for _acme-challenge using a TSIG key.
I also just discovered acme-dns which may do what I need in a somewhat secure way. But also unclear whether Caddy can work with it.
What other choices do I have here? Are there any Caddy hooks available where I can script either nsupdate or interacting with acme-dns or am I just better off doing it all outside of Caddy?
Why is the libdns package not an acceptable solution? That would be the right way to do it, as it integrates directly with Caddy, makes it possible for all other users to benefit, and gives you the best performance and reliability.
It’s supported, but needs to be written. Either you’ll write a script and glue together a bunch of pieces or you’ll write a little bit of Go code that benefits everyone and works natively for your solution. I would recommend and request the latter
That would be the right way to do it, as it integrates directly with Caddy, makes it possible for all other users to benefit, and gives you the best performance and reliability.
I would recommend and request the latter 