I'm a new user for Caddy so this might be somewhere in the v2 docs but I couldn't find it.
What I'm trying to do is to get Caddy to use its automatic HTTPS certificate management to get an HTTPS certificate for a DDNS name that I have. The problem is that the HTTPS verification challenge is done using port 80, and I would rather it be done through HTTPS only so that I don't need to open multiple ports.
There is a post on the caddy community forum about this but it appears to only apply for caddy v1 (uses the -disable-http-challenge parameter).
Is there an equivalent option for caddy v2? And if not, what are my options if I would like to only open port 443?
You can disable the http challenge via JSON configuration. See here: https://caddyserver.com/docs/json/apps/tls/automation/policies/issuer/acme/
Currently this isn't possible via Caddyfile configuration.
Yep, that's precisely how to do it. For now. Maybe we'll make this possible in the Caddyfile later.
Is it possible to use JSON configs for Caddy without using the API? E.g. have similar behavior as the Caddyfile approach where I can specify the path to the config file that Caddy should use when running Caddy? NVM, this is possible as per the --config argument when used with caddy run
Also, for using the acme module configuration, if I want to use defaults for everything except disable the http challenge mechanism, I would simply need to have the following in the JSON config right (other than the settings for my site)?
{
  "module": "acme",
  "challenges": {
    "http": {
      "disabled": true
    }
  }
}
@vari Yep, I believe that is all correct.
@mholt Thanks!
For completeness (and to help out anyone else who is new to Caddy) here is some extra information about what I did to get everything working:
Forward the SSL port through your router as appropriate for your network setup. (Make sure that you have done this correctly - I thought I did this but I forgot to hit save in the router so when I got around to starting up Caddy with the correct settings, I was seeing errors)
(Optional) If you have been using a Caddyfile, convert it to a JSON file using the adapt command (e.g. caddy adapt --config <path_to_Caddyfile> --pretty).
This should give you a human readable JSON output - copy this into a new JSON file (I'll use Caddyfile.json for the rest of the steps).
Edit your Caddy JSON config to disable verification using HTTP:
At the same level of indentation as the "http" key (under the "apps" key) in your JSON, add the following:
"tls": {
  "automation": {
    "policies": [{
      "issuer": {
        "module": "acme",
        "challenges": {
          "http": {
            "disabled": true
          }
        }
      }
    }]
  }
}
Run caddy run --config Configfile.json. Replace Configfile.json with the path to your config file as relevant.
Complete example config contents (for a reverse proxy):
{
  "logging": {
    "logs": {
      "log0": {
        "writer": {
          "filename": "<path to log file>",
          "output": "file",
          "roll_keep": 2,
          "roll_keep_days": 7,
          "roll_size_mb": 5
        },
        "include": ["http.log.access.log0"]
      }
    }
  },
  "apps": {
    "http": {
      "servers": {
        "srv0": {
          "listen": [":443"],
          "routes": [
            {
              "match": [
                {
                  "host": ["<your domain (e.g. example.ddns.com)>"]
                }
              ],
              "handle": [
                {
                  "handler": "subroute",
                  "routes": [
                    {
                      "handle": [
                        {
                          "encodings": {
                            "gzip": {}
                          },
                          "handler": "encode"
                        },
                        {
                          "handler": "reverse_proxy",
                          "upstreams": [
                            {
                              "dial": "<the location the reverse proxy should forward to (e.g. localhost:8080)>"
                            }
                          ]
                        }
                      ]
                    }
                  ]
                }
              ],
              "terminal": true
            }
          ],
          "logs": {
            "logger_names": {
              "<your domain (must match the value used in host above)>": "log0"
            }
          }
        }
      }
    },
    "tls": {
      "automation": {
        "policies": [{
          "issuer": {
            "module": "acme",
            "challenges": {
              "http": {
                "disabled": true
              }
            }
          }
        }]
      }
    }
  }
}
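The hand edit described in the post above (adding a "tls" automation policy beside "apps.http" so the ACME issuer skips HTTP-01 and only TLS-ALPN-01 on port 443 remains) is easy to get wrong in a large adapted config, so here is an added example script that does it programmatically and sanity-checks the result before caddy run. It is not code from the thread or from the Caddy project. The embedded ADAPTED_CONFIG is a constructed stand-in for what caddy adapt emits for a one-site Caddyfile; the host name and upstream in it are placeholders. The script patches any existing ACME issuer it finds (the singular "issuer" key the post uses, and the newer list-valued "issuers" key, which I assume is present in recent Caddy releases) and otherwise appends the same policy the post adds by hand. The optional disable_port80_redirects switch sets "automatic_https.disable_redirects" on each server, because automatic HTTPS otherwise still binds port 80 on the host for HTTP-to-HTTPS redirects even though nothing reaches it from outside when the router only forwards 443.

```python
import copy
import json
import sys

# Constructed sample of a `caddy adapt` result for a Caddyfile like
#   example.ddns.com { reverse_proxy localhost:8080 }
# Placeholder host and upstream; not real infrastructure.
ADAPTED_CONFIG = {
    "apps": {
        "http": {
            "servers": {
                "srv0": {
                    "listen": [":443"],
                    "routes": [
                        {
                            "match": [{"host": ["example.ddns.com"]}],
                            "handle": [
                                {
                                    "handler": "reverse_proxy",
                                    "upstreams": [{"dial": "localhost:8080"}],
                                }
                            ],
                            "terminal": True,
                        }
                    ],
                }
            }
        }
    }
}

# The fragment the post above adds next to "apps.http".
NO_HTTP_CHALLENGE_POLICY = {
    "issuer": {"module": "acme", "challenges": {"http": {"disabled": True}}}
}


def _acme_issuers(policy):
    """Yield the ACME issuer objects of one automation policy.

    Handles the singular "issuer" key used in the thread and the newer
    list-valued "issuers" key (assumed to exist in recent Caddy versions).
    """
    issuers = policy.get("issuers")
    if issuers is None and "issuer" in policy:
        issuers = [policy["issuer"]]
    for issuer in issuers or []:
        if issuer.get("module") == "acme":
            yield issuer


def disable_http_challenge(config, disable_port80_redirects=False):
    """Return a copy of `config` in which every ACME issuer has HTTP-01
    disabled (TLS-ALPN-01 on :443 stays enabled). If no ACME issuer exists,
    a catch-all policy with the disabled challenge is appended.
    """
    cfg = copy.deepcopy(config)
    apps = cfg.setdefault("apps", {})
    policies = (apps.setdefault("tls", {})
                    .setdefault("automation", {})
                    .setdefault("policies", []))
    patched = False
    for policy in policies:
        for issuer in _acme_issuers(policy):
            issuer.setdefault("challenges", {}).setdefault("http", {})["disabled"] = True
            patched = True
    if not patched:
        policies.append(copy.deepcopy(NO_HTTP_CHALLENGE_POLICY))
    if disable_port80_redirects:
        # Automatic HTTPS also binds :80 for HTTP->HTTPS redirects; turn it
        # off per server if port 80 must stay closed on the host itself.
        for server in apps.get("http", {}).get("servers", {}).values():
            server.setdefault("automatic_https", {})["disable_redirects"] = True
    return cfg


def port443_only(config):
    """Pre-flight check: no server listens on :80 explicitly, at least one
    ACME issuer is configured, and all of them have HTTP-01 disabled."""
    apps = config.get("apps", {})
    for server in apps.get("http", {}).get("servers", {}).values():
        if any(addr.endswith(":80") for addr in server.get("listen", [])):
            return False
    policies = apps.get("tls", {}).get("automation", {}).get("policies", [])
    issuers = [i for p in policies for i in _acme_issuers(p)]
    if not issuers:
        return False
    return all(i.get("challenges", {}).get("http", {}).get("disabled") is True
               for i in issuers)


if __name__ == "__main__":
    # Usage: python3 patch_caddy.py adapted.json > Configfile.json
    source = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else ADAPTED_CONFIG
    result = disable_http_challenge(source)
    if not port443_only(result):
        sys.exit("config still needs port 80 or has no ACME issuer")
    json.dump(result, sys.stdout, indent=2)
```

The check only inspects the JSON; it cannot tell you whether port 443 is actually reachable from the internet, which TLS-ALPN-01 requires, so the router forwarding step in the post is still the thing to verify first when issuance fails. If 443 cannot be exposed either, the remaining option is the DNS challenge, which needs a DNS-provider plugin and is outside what this script configures.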