TLS certificate

1. Caddy version (caddy version):

2.4.6

2. How I run Caddy:

Currently, I only have www.rupel.org active as a site. I have not activated plex.rupel.org but I included it in the Caddyfile below for help. See item 3.

a. System environment:

Raspberry Pi OS

b. Command:

none

c. Service/unit/compose file:

n/a

d. My complete Caddyfile or JSON config:

www.rupel.org {
        tls /home/gmichaelr/Caddy/server.pem /home/gmichaelr/Caddy/key.pem
        reverse_proxy /tautulli* 192.168.55.205:8181
        reverse_proxy /radarr* 192.168.55.207:7878
        reverse_proxy /sonarr* 192.168.55.207:8989
        reverse_proxy 192.168.55.205:5055
        import /home/gmichaelr/Caddy/caddy_security.conf
}

plex.rupel.org {
        reverse_proxy 192.168.55.205:32400
}

3. The problem I’m having:

I am looking at having two sites and want to use my own certificate from a CA that covers the two sites (SAN cert). If my cert covers both sites, how do I get Caddy to use it on both if it were not a wildcard?

4. Error messages and/or full log output:

5. What I already tried:

6. Links to relevant resources:

Hi :slight_smile:

There are quite a few ways to accomplish that, but I would argue the most straightforward is specifying your certificate multiple times (or via snippets).
It might be a bit redundant, but it’s way more declarative.

For that, you would either need to add something like

  www.rupel.org {
-     tls /home/gmichaelr/Caddy/server.pem /home/gmichaelr/Caddy/key.pem
      reverse_proxy /tautulli* 192.168.55.205:8181
      reverse_proxy /radarr* 192.168.55.207:7878
      reverse_proxy /sonarr* 192.168.55.207:8989
      reverse_proxy 192.168.55.205:5055
      import /home/gmichaelr/Caddy/caddy_security.conf
+     tls cert.pem key.pem
  }

  plex.rupel.org {
      reverse_proxy 192.168.55.205:32400
+     tls cert.pem key.pem
  }

or

+ (your_custom_certificate) {
+   tls cert.pem key.pem
+ }

  www.rupel.org {
-     tls /home/gmichaelr/Caddy/server.pem /home/gmichaelr/Caddy/key.pem
      reverse_proxy /tautulli* 192.168.55.205:8181
      reverse_proxy /radarr* 192.168.55.207:7878
      reverse_proxy /sonarr* 192.168.55.207:8989
      reverse_proxy 192.168.55.205:5055
      import /home/gmichaelr/Caddy/caddy_security.conf
+     import your_custom_certificate
  }

  plex.rupel.org {
      reverse_proxy 192.168.55.205:32400
+     import your_custom_certificate
  }

where cert.pem and key.pem are paths on your file system.


:warning: Edit after this thread has been solved: I overlooked that you already had tls /home/.. in your first block. Sorry^^
The following is redundant, then, I guess.


For example, somewhere like /etc/caddy/cert.pem and /etc/caddy/key.pem or in /etc/ssl or /var/lib/caddy or whatever. You get the idea :innocent:

The tls directive docs show [perma link]:

tls [internal|<email>] | [<cert_file> <key_file>] {

  • <cert_file> and <key_file> are the paths to the certificate and private key PEM files. Specifying just one is invalid.

and the little example I used above

tls cert.pem key.pem

I already have the tls cert in the first one; I was just not sure about having it be used on the second site (plex.rupel.org). I did not know if you had to add the tls to each site or add it once outside of the brackets.

I attempted to use these and both attempts failed. FYI, I am going through Cloudflare as a DNS proxy. So, when I comment out one of the sites, it works fine. If I have both sites enabled, it does not work.

Update: I tried it again with both active and I removed Cloudflare from the picture. No go. As soon as I commented out one of the sites, it worked instantly.

I figured it out.

Instead of separating the two sites like I did above, I decided to just use a wildcard site and then use the handle and host matchers to distinguish my plex.rupel.org service from my normal www.rupel.org.

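What the wildcard-site approach described in the last post looks like as a Caddyfile, as an added example that is not from the original thread. It assumes the certificate and key paths from the first post, that server.pem has both www.rupel.org and plex.rupel.org in its subjectAltName, and that caddy_security.conf contains only request-handler directives (header, encode and the like) so it can be imported inside a handle block; the backend addresses are copied from the original config.

```caddyfile
# Added example (not from the thread): one wildcard site block serving both
# hostnames from a single SAN certificate.
*.rupel.org {
        # A single tls directive applies to every host this block matches. Caddy
        # presents this certificate for any *.rupel.org name, so a hostname the
        # certificate's subjectAltName does not list will fail the TLS handshake
        # in the client rather than reach a backend.
        tls /home/gmichaelr/Caddy/server.pem /home/gmichaelr/Caddy/key.pem

        # Named host matchers pick the right handler chain per hostname.
        @plex host plex.rupel.org
        handle @plex {
                reverse_proxy 192.168.55.205:32400
        }

        @www host www.rupel.org
        handle @www {
                # Assumed to hold only HTTP handler directives (header, etc.).
                import /home/gmichaelr/Caddy/caddy_security.conf
                # Path-matched proxies are evaluated before the catch-all below.
                reverse_proxy /tautulli* 192.168.55.205:8181
                reverse_proxy /radarr* 192.168.55.207:7878
                reverse_proxy /sonarr* 192.168.55.207:8989
                reverse_proxy 192.168.55.205:5055
        }

        # Any other subdomain that somehow completes the handshake gets no
        # response instead of falling through to an internal service.
        handle {
                abort
        }
}
```

Before reloading, confirm the certificate really covers both names with `openssl x509 -in /home/gmichaelr/Caddy/server.pem -noout -ext subjectAltName`, and check the Caddyfile parses with `caddy validate --config /path/to/Caddyfile` (or `caddy adapt` to inspect the resulting JSON). Because the site block no longer names a host that lacks a tls directive, Caddy will not try to obtain a certificate from a public CA for either hostname.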