caddyserver / caddy

Fast and extensible multi-platform HTTP/1-2-3 web server with automatic HTTPS
https://caddyserver.com
Apache License 2.0

Caddy LE - SSL Only? No port 80 #468

Closed j-mcnally closed 8 years ago

j-mcnally commented 8 years ago

Hey Matt,

I'm trying to get Caddy to work over 443 with Let's Encrypt; we have a different server running on port 80.

I saw something in the docs about tls-sni-01, any way to force that?

mholt commented 8 years ago

Not yet, but wait for the 0.8.1 release (or 0.8.2 for what you want - not sure yet how this'll play out) - we're working on that right now.

In other words, the underlying library, lego, will allow customizing which challenges are used by 0.8.1, but whether we make a way for caddy users to set those customizations at the same time is unclear depending on a few other factors. We'll see; might not make it in till the next release.

j-mcnally commented 8 years ago

OK, I've worked around it with some proxying from my other nginx instances.

pwFoo commented 8 years ago

Is that fixed? Because the issue is closed. Tried to start 0.8.1 with port 443 only, but it doesn't work. At the moment an Apache is listening on port 80.

mholt commented 8 years ago

Caddy needs port 80 to solve the http-01 challenge, which is the only challenge that works after the server has started (without implementing custom SNI which I'm not planning on doing). So if I were you I would relinquish port 80 to Caddy and proxy to Apache or something.

pwFoo commented 8 years ago

Ok. Should be a quick solution with Caddy HTTPS only. I have to move it to another host / IP. Thanks for your fast response! :)

seanhealy commented 8 years ago

Is there any way to use the tls-sni-01 challenge instead of http-01?

Sorry for sort of re-asking the above question, but I wasn't totally clear given the above conversation. :smile:

mholt commented 8 years ago

No, because Caddy needs to guarantee port 80 in order to not break reloads. So right now we still don't let the user disable the http-01 challenge or the HTTP->HTTPS redirects.

heri16 commented 7 years ago

This ticket should be reopened. It should be possible now to disable port 80.

mholt commented 7 years ago

@heri16 What do you mean? (Did I miss something?)

Place1 commented 7 years ago

I'd like to know what's happening with this issue as well. Having Caddy work with Let's Encrypt using only 443 would be amazing, as my ISP blocks port 80.

mholt commented 7 years ago

@Place1 There are issues #918 and #1293 that I think are both different ways to address this.

mholt commented 7 years ago

@Place1 the patch I submitted doesn't disable the HTTP-01 challenge, but that can come in another patch.

Place1 commented 7 years ago

Right, so if I've read these correctly, they're about moving Caddy to different ports and having something else proxy traffic to them.

My reason for getting Caddy to do TLS-SNI-01 only is that my ISP blocks inbound connections to port 80, meaning I can't do an HTTP challenge. Basically my server is 443 only, and so the only challenge I can do (that isn't DNS) is TLS-SNI-01.

mholt commented 7 years ago

@Place1 @j-mcnally @seanhealy The HTTP and TLS-SNI challenges can now be disabled with command line flags -disable-http-challenge and -disable-tls-sni-challenge. Don't disable both. ;) (Unless you configure the DNS challenge in your Caddyfile, but then disabling the other challenges is NOT necessary! Caddy will do that for you.)

https://github.com/mholt/caddy/commit/6bc3e7536e915c0f7dd0c22be36201760e9d816d

Place1 commented 7 years ago

Using it now. Thank you SOO much. This is a game changer for me. I really appreciate the effort!

MisterDuval commented 6 years ago

Hi Matt, maybe you could add this feature to the online documentation, as this is pretty useful when port 80 is already bound. Thanks 👍

My1 commented 5 years ago

Any update to this perhaps? Especially with ALPN, Caddy really doesn't need port 80 for an HTTPS-only setup.

Maybe Caddy could have a quick nohttp or whatever in the Caddyfile.

Especially when you have a domain that is on preload anyway, port 80 straight isn't needed, at least for semi-modern clients.

mholt commented 5 years ago

Caddy 2 will have an option to disable automatic HTTPS entirely.

My1 commented 5 years ago

Considering the issue author talks about running with LE and 443 only, I doubt disabling auto-TLS is an option for them, but basically just going with ALPN should be fine. As far as I remember, the setup I have lying around is also without port 80 going anywhere, so I guess it's no problem.

But talking about Caddy 2 already, is Caddy 1 even out yet? If yes, then congratulations.

francislavoie commented 5 years ago

@My1 yes it is! https://github.com/mholt/caddy/releases/tag/v1.0.0

My1 commented 5 years ago

Oh lol, didn't even notice.

Mart-Bogdan commented 2 months ago

TLS-SNI-01 is no longer supported, in case anybody stumbles upon this thread: "March 13, 2019: End-of-Life for All TLS-SNI-01 Validation Support".

francislavoie commented 2 months ago

Yes, it was replaced by ACME TLS-ALPN. Caddy supports and enables that challenge automatically.

This issue was from Caddy v0/v1. Caddy v2 was a complete rewrite; this is no longer relevant at all. Please avoid posting on such old issues.
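For anyone landing here with the same 443-only requirement on Caddy v2, the following is an added example (not from the thread or the Caddy project itself) of a Caddyfile that keeps only the TLS-ALPN-01 challenge and never binds port 80. It assumes Caddy v2 Caddyfile syntax; `example.com` and the contact address are placeholders.

```caddyfile
{
    # Global options. Without the HTTP->HTTPS redirect server, Caddy has
    # no reason to listen on :80 at all. Plain-HTTP clients will then get
    # "connection refused", so an HSTS/preloaded domain is the safe case.
    auto_https disable_redirects
    email ops@example.com   # placeholder ACME account contact
}

example.com {
    tls {
        issuer acme {
            # HTTP-01 needs inbound port 80, which this host cannot offer.
            # TLS-ALPN-01 is solved on the same :443 listener that serves
            # the site, so it is the challenge that remains enabled.
            # Do NOT also set disable_tlsalpn_challenge: with both disabled
            # (and no DNS challenge configured) issuance cannot succeed.
            disable_http_challenge
        }
    }

    respond "served over HTTPS only"
}
```

The operational check after a reload is simply whether a certificate was obtained for the site; if issuance stalls, the failure mode to suspect is that both remaining challenges are disabled or that 443 is not reachable from the CA.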