Using caddy certificates for TLS

1. The problem I’m having:

I am trying to use the caddy certificates for, which are used for the nginx admin portal and roundcube webmail via the reverse proxy shown below. Caddy, the reverse proxy and the admin portal and roundcube are all working perfectly.

My issue is working out HOW to use the working certificates with SMTP TLS.

2. Error messages and/or full log output:

Please use the preview pane to ensure it looks nice.

3. Caddy version:

unknown - literally returns “unknown,” i’m guessing a bug in the current release for alpine.

4. How I installed and ran Caddy:

apk add caddy

a. System environment:

alpine amd64

b. Command:

service caddy start

c. Service/unit/compose file:


name="Caddy web server"
description="Fast, multi-platform web server with automatic HTTPS"
description_checkconfig="Check configuration"
description_reload="Reload configuration without downtime"

: ${caddy_opts:="--config /etc/caddy/Caddyfile --adapter caddyfile"}

command_args="run $caddy_opts"

depend() {
	need net localmount
	after firewall

checkconfig() {
	ebegin "Checking configuration for $name"
	su ${command_user%:*} -s /bin/sh -c "$command validate $caddy_opts"
	eend $?

reload() {
	ebegin "Reloading $name"
	su ${command_user%:*} -s /bin/sh -c "$command reload $caddy_opts"
	eend $?

stop_pre() {
	if [ "$RC_CMD" = restart ]; then
		checkconfig || return $?

d. My complete Caddy config:

        admin localhost:2019 {
                origins localhost:2019
} {
        root * /var/www/
        @post {
                method POST
        reverse_proxy @post localhost:3000
} {
        header Content-Type text/plain
        header Access-Control-Allow-Origin *
        respond "{{.RemoteIP}}"
} {
	reverse_proxy localhost:9000
} {
	reverse_proxy localhost:8000
} {
	reverse_proxy localhost:8065

5. Links to relevant resources:

The readme with the vague explaination:

cat /opt/poste/ssl/ 
This directory is supposed to have 3 keys which are copied to various places to mailserver.
 - ca.crt
   Certification authority public keys (or "intermediate certificate"). There is 
   "-----BEGIN CERTIFICATE-----" once or more times.
 - server.crt
   Your public key generated by your CA. It should have one "-----BEGIN CERTIFICATE-----"
   in it
 - server.key
   Your private key, it should have "-----BEGIN RSA PRIVATE KEY-----" in it

There is also
 - dh1024.pem
   Its generated Diffie-Hellman paramaters. File is generated once at first container startup - there is no need to manipulate with that file even if you changi

I’ve tried the appropriate as both/ either the ca.crt and server.crt and as the server.key.

I tried Steps to convert certificates generated by Caddy Server to certificates that Nginx can use · GitHub suggestion of using the pem from LE as both/ either the the ca.crt and server.crt as well. I also tried combining them just in case the actually wanted the full chain.

I noticed the readme asks for “-----BEGIN RSA PRIVATE KEY-----” but instead the key from caddy is “-----BEGIN EC PRIVATE KEY-----” i don’t feel like this should be an issue.

I will be posting where i can for as well, i just know there are some very switched on people here who may have an idea.

I’m going to spitball a possible solution without knowing too much about your underlying infrastructure setup. So, please take it with a grain of salt. There’s probably a more elegant solution already out there.

Depending of your Caddy deployment (mine sits in a Docker container), find the location of your Caddy obtained certificates and their respective keys. For example:

find / | grep ''

In the default Caddy container, they all sit in their respective subfolders inside


Then, you could, for example, create a scheduled script that would copy and from that location to your poste folder and post-process them as needed. Caddy certificate contains the entire chain, i.e. leaf and intermediates, in a specific order, which looks similar to this:

This is leaf cert for your

This is Intermediate1

This is intermediate2

So, strictly based on the you’ve posted and without knowing much about poste, you would need to split as follows:

  • server.crt:
This is leaf cert for your
  • ca.crt:
This is Intermediate1

This is intermediate2
  • server.key: would be just a content of your Caddy
1 Like

I can’t test this response at the moment as i am using a different solution however the certificate formatting described solves the underlying issue.