Using Caddy to keep certificates renewed

You can use Caddy as an automated certificate manager to keep certificates renewed without having to run an HTTPS server [1]. This way, the certificates can be used by other programs that need them.

Caddy’s tls app can be configured without the need for an HTTP server. It can keep certificates renewed.

The simplest form is to just list the domain names you want to automate certificates for:

{
	"apps": {
		"tls": {
			"certificates": {
				"automate": [
					"example.com",
					"example.net"
				]
			}
		}
	}
}

However, we recommend specifying an email address so the CA can contact you if anything goes wrong:

{
	"apps": {
		"tls": {
			"certificates": {
				"automate": [
					"example.com",
					"example.net"
				]
			},
			"automation": {
				"policies": [
					{
						"issuer": {
							"module": "acme",
							"email": "you@yours.com"
						}
					}
				]
			}
		}
	}
}

If you’re just setting up your server for the first time, you should use a staging endpoint for testing. Set the ca field of the ACME issuer to Let’s Encrypt’s staging endpoint so you don’t get rate limited.

Internal-only certificates

Caddy can also be a certificate authority that is trusted only locally or internally. With it, you can get certificates for any subject because no validation occurs. This can be slightly dangerous if you start trusting this CA certificate everywhere and if your private key is stolen/leaked, so make sure not to share it, mkay?

Using it is very easy:

{
	"apps": {
		"tls": {
			"certificates": {
				"automate": [
					"*.example.com",
					"example.test",
					"localhost",
					"127.0.0.1",
					"::1"
				]
			},
			"automation": {
				"policies": [
					{
						"issuer": {"module": "internal"}
					}
				]
			}
		}
	}
}

[1]: Solving the ACME challenges may require use of the HTTP and/or HTTPS ports. If they are used by another program, you will need to configure the DNS challenge or ensure that the other program can solve the ACME challenges…

2 Likes

A post was split to a new topic: Can the TLS app be configured with the Caddyfile?

A post was split to a new topic: Managing certificates for Jellyfin server

A post was split to a new topic: Recommended editor for JSON?

A post was split to a new topic: Can I run my own CA with Caddy?