Where does Caddy keep their certificates?


(Cows) #1

I run my server in a practically immutable FreeBSD Jail (it can get recreated at any time).

Where does Caddy store all the cert info, where I can copy and paste it outside the Jail?


(Magikstm) #2

https://caddyserver.com/docs/automatic-https

The .caddy folder

Caddy will create a folder in your home directory called .caddy . It uses this to store and manage cryptographic assets required to serve your site privately over HTTPS. Your sites’ certificates and private keys are stored here. Take care to back up and protect this folder. If there is no home folder, the .caddy folder is created in the current working directory unless $CADDYPATH is set. The home folder is learned from the environment ( $HOME or %HOMEPATH% ). Multiple Caddy instances can use or mount the acme subfolder as a disk and Caddy will automatically share the certificates and coordinate maintenance between them.


(Lewis De Payne) #3

Hello, I’m a fellow FreeBSD user (since 1997). Take a look at /usr/local/etc/rc.d/caddy and you’ll see the following rc variable:

# caddy_env (str)  Set to "" by default.
#                  This allows environment variable to be set that may
#                  be required, for example when using "DNS Challenge"
#                  account credentials are required.

Meanwhile, in the Caddy command-line interface (CLI) docs, you’ll find (under Environment Variables):

CADDYPATH

If set, Caddy will use this folder to store assets instead of the default $HOME/.caddy. When running multiple Caddy instances serving unrelated sites (e.g. as part of a hosting service shared among many users), it is strongly recommended for each Caddy instance to have its own CADDYPATH so that instances aren’t stepping on each other and sharing state.

Therefore, all you need do is something similar to this in your /etc/rc.conf:

caddy_enable=“YES”
caddy_user=“www”
caddy_group=“www”
caddy_cert_email="lew.payne@freebsd.org"
caddy_config_path="/www/webconf/caddy.conf"
caddy_env=“CADDYPATH=/www/webconf” <<<SEE HERE

The last line will cause Caddy to create an “acme” directory in the stated CADDYPATH. Note that the acme directory will only be created when needed. If you’re only running non-SSL domains, the subdir won’t be created. If you make a mistake and need to reissue your certificates, back up the “acme” folder, delete it, then restart caddy (i.e., “service caddy restart”).

Note that I’ve renamed my Caddyfile to caddy.conf, because I adhere to FreeBSD conventions when it comes to configuration files. If you want other jails to have access to this, there are various strategies you can deploy (depending on your level of patience and fondness for wasting time). While you can’t symlink from within a jail to the OS, you can create a mountpoint for the shared-resource acme folder (I’ve never tried it - just read about it on here). Another basic strategy is to create a shell script that runs rsync across all such folders, and run the shell script (as root) via cron every day or so (or a minute after the jail starts up - so that Caddy has updated the certs), depending on need. Of course, if you’re running Consul you can simply register the certs and be done with it. Hope that helps.