Use both ACME and internal

1. Caddy version (caddy version):

2.5.0

2. How I run Caddy:

I am running Caddy on docker-compose

a. System environment:

Docker version 20.10.15, build fd82621
docker-compose version 1.28.5, build c4eb3a1f

d. My complete Caddyfile or JSON config:

*.dominio.com {
        tls {
                dns cloudflare mytoken
                resolvers 1.1.1.1
        }
        @portainer host test.dominio.com
        handle @portainer {
                @blocked not remote_ip 192.168.1.0/24
                respond @blocked "Nope" 403
                reverse_proxy 192.168.1.2:9000
        }
        @photos host test2.dominio.com
        handle @photos {
                reverse_proxy test2:1787
        }
}

test3.server.local {
	tls internal {
		on_demand
		resolvers 192.168.1.2
	}
	reverse_proxy 192.168.1.2:8085
}

3. The problem I’m having:

I am trying to use Caddy as a reverse proxy running in Docker, both for accessing some services from outside my local network and also for accessing some other services only inside my network (but with SSL).

4. Error messages and/or full log output:

Error during parsing: cannot create both ACME and internal certificate issuers

Is there a way this can be achieved, or do I need to use this block (@blocked not remote_ip 192.168.1.0/24 / respond @blocked "Nope" 403) and use all subdomains in ACME?

The comment in the code around that error message is:

// some tls subdirectives are shortcuts that implicitly configure issuers, and the
// user can also configure issuers explicitly using the issuer subdirective; the
// logic to support both would likely be complex, or at least unintuitive

I think the problem may be your combining resolvers with internal, since resolvers configures an ACME issuer, and internal configures a self-signed issuer. Which one do you mean to use there? That is why there is an error. The implicit configuration is contradictory, or at least confusing.

(You can specify multiple issuers, but you have to do it explicitly using the issuer sub-directive.)

Hey Matt! thanks for your answer.

I would like to use both exactly

For this domain and its subdomains I want to get certificates from Let's Encrypt, and it will be resolved by Cloudflare pointing to my public IP:

*.dominio.com {
        tls {
                dns cloudflare mytoken
                resolvers 1.1.1.1
        }
        @portainer host test.dominio.com
        handle @portainer {
                @blocked not remote_ip 192.168.1.0/24
                respond @blocked "Nope" 403
                reverse_proxy 192.168.1.2:9000
        }
        @photos host test2.dominio.com
        handle @photos {
                reverse_proxy test2:1787
        }
}

For this part I would like to get certificates (self-signed) for services inside my LAN, and I have a record in my local DNS pointing .server.local to the IP in the reverse_proxy section:

test3.server.local {
	tls internal {
		on_demand
		resolvers 192.168.1.2
	}
	reverse_proxy 192.168.1.2:8085
}

In general I am not sure this is possible.
Is it?

tls internal doesn’t care about DNS at all, it will just create a cert for you no matter how the domain resolves.

You only need on_demand if you don’t know the domains up-front, but in this case you told Caddy specifically of the domain it should issue, as the site address.

Just do tls internal and remove both on_demand and resolvers there.

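The two site blocks from the thread put together the way the last reply suggests, as an added example rather than the poster's final config; it assumes the Cloudflare token is passed in through a CLOUDFLARE_API_TOKEN environment variable instead of being written into the Caddyfile:

```caddyfile
# Added example based on the thread, not the poster's own final config.
# The Cloudflare API token is assumed to come from the environment
# (CLOUDFLARE_API_TOKEN) rather than being hard-coded in the file.

# Public names: ACME (Let's Encrypt) certificate via the DNS challenge.
# Only the ACME shortcuts (dns, resolvers) appear in this tls block.
*.dominio.com {
	tls {
		dns cloudflare {env.CLOUDFLARE_API_TOKEN}
		resolvers 1.1.1.1
	}

	@portainer host test.dominio.com
	handle @portainer {
		# Only the LAN may reach Portainer through the public hostname.
		@blocked not remote_ip 192.168.1.0/24
		respond @blocked "Nope" 403
		reverse_proxy 192.168.1.2:9000
	}

	@photos host test2.dominio.com
	handle @photos {
		reverse_proxy test2:1787
	}
}

# LAN-only name: certificate from Caddy's internal CA.
# No on_demand (the hostname is already the site address) and no
# resolvers (internal issuance never does DNS lookups), so this block
# no longer mixes an ACME shortcut with the internal issuer.
test3.server.local {
	tls internal
	reverse_proxy 192.168.1.2:8085
}
```

Running caddy validate --config Caddyfile --adapter caddyfile confirms the file adapts without the "cannot create both ACME and internal certificate issuers" error before you reload the container.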