You can use Caddy as an automated certificate manager to keep certificates renewed without having to run an HTTPS server [1]. This way, the certificates can be used by other programs that need them.
Caddy’s tls
app can be configured without the need for an HTTP server. It can keep certificates renewed. Without additional configuration, assets (certificates, keys, and metadata) are stored in a data directory on the local file system at a location dependent upon your OS.
The simplest form is to just list the domain names you want to automate certificates for:
{
"apps": {
"tls": {
"certificates": {
"automate": [
"example.com",
"example.net"
]
}
}
}
}
However, we recommend specifying an email address so the CA can contact you if anything goes wrong:
{
"apps": {
"tls": {
"certificates": {
"automate": [
"example.com",
"example.net"
]
},
"automation": {
"policies": [
{
"issuers": [{
"module": "acme",
"email": "you@yours.com"
}]
}
]
}
}
}
}
If you need certificates provisioned through the DNS challenge for internal certificates or to be shared across services for common usage, the following config can serve as the basis for such use case and may be extended:
{
"apps": {
"tls": {
"certificates": {
"automate": [
"*.example.com"
]
},
"automation": {
"policies": [
{
"issuers": [
{
"module": "acme",
"challenges": {
"dns": {
"provider": {
"name": "cloudflare",
"api_token": "YOUR_CLOUDFLARE_API_TOKEN"
}
}
}
}
]
}
]
}
}
}
}
If you’re just setting up your server for the first time, you should use a staging endpoint for testing. Set the ca
field of the ACME issuer to Let’s Encrypt’s staging endpoint so you don’t get rate limited.
Internal-only certificates
Caddy can also be a certificate authority that is trusted only locally or internally. With it, you can get certificates for any subject because no validation occurs. This can be slightly dangerous if you start trusting this CA certificate everywhere and if your private key is stolen/leaked, so make sure not to share it, mkay?
Using it is very easy:
{
"apps": {
"tls": {
"certificates": {
"automate": [
"*.example.com",
"example.test",
"localhost",
"127.0.0.1",
"::1"
]
},
"automation": {
"policies": [
{
"issuers": [{"module": "internal"}]
}
]
}
}
}
}
[1]: Solving the ACME challenges may require use of the HTTP and/or HTTPS ports. If they are used by another program, you will need to configure the DNS challenge or ensure that the other program can solve the ACME challenges…