caddyserver / caddy

Fast and extensible multi-platform HTTP/1-2-3 web server with automatic HTTPS
https://caddyserver.com
Apache License 2.0

TLS: file with certificates dictionary #5890

Closed vanodevium closed 1 year ago

vanodevium commented 1 year ago

First of all, thank you for this incredible project!

My server should listen for any requests on port 443. The list of domain names can change at runtime, but I already have ready-made certificates for each domain. The main question: is there a way in the Caddyfile to specify the path to a file containing a list of the relationships between each domain and the certificate it needs?

I'll try to show examples:

If this possibility already exists and I missed it, please forgive me and just link to the documentation.

francislavoie commented 1 year ago

Currently there's no such thing as file. See https://caddyserver.com/docs/json/apps/tls/automation/policies/get_certificate/ for the available modules for get_certificate.

You can certainly write your own module to do this though. See https://caddyserver.com/docs/extending-caddy. You just need to implement a module that implements the https://pkg.go.dev/github.com/caddyserver/certmagic#Manager interface, and register it as tls.get_certificate.file (and set up Caddyfile support, see https://caddyserver.com/docs/extending-caddy/caddyfile)
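As an added illustration of the module francislavoie describes (this is not Caddy's, certmagic's, or the issue author's code), the sketch below implements the piece that does the real work: parsing a "domain cert.pem key.pem" list and serving a `GetCertificate(context.Context, *tls.ClientHelloInfo) (*tls.Certificate, error)` method, which is the method signature of the certmagic Manager interface linked above, so a Caddy module could embed this type. The Caddy-specific wrapper (the `CaddyModule()` registration under `tls.get_certificate.file` and the Caddyfile unmarshaling) is intentionally not shown, and it uses only the standard library so it runs offline. The list format, the `FileCertManager` and `ParseCertList` names, and the `example.test` fixture are my own assumptions; the choice to answer an unknown name with `(nil, nil)` rather than an error follows my reading of certmagic's Manager documentation, which is worth checking against the certmagic version you build with.

```go
package main

import (
	"bufio"
	"context"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"io"
	"math/big"
	"os"
	"path/filepath"
	"strings"
	"time"
)

// CertEntry is one line of the list file: "domain cert.pem key.pem" (assumed format).
type CertEntry struct{ CertPath, KeyPath string }

// ParseCertList reads "domain cert.pem key.pem" lines. Blank lines and '#'
// comments are skipped, domains are lower-cased, malformed lines are rejected.
func ParseCertList(r io.Reader) (map[string]CertEntry, error) {
	entries := make(map[string]CertEntry)
	sc := bufio.NewScanner(r)
	for n := 1; sc.Scan(); n++ {
		text := strings.TrimSpace(sc.Text())
		if text == "" || strings.HasPrefix(text, "#") {
			continue
		}
		f := strings.Fields(text)
		if len(f) != 3 {
			return nil, fmt.Errorf("certlist line %d: want 'domain cert key', got %q", n, text)
		}
		entries[strings.ToLower(f[0])] = CertEntry{CertPath: f[1], KeyPath: f[2]}
	}
	return entries, sc.Err()
}

// FileCertManager maps a TLS ServerName to a certificate on disk (hypothetical type).
type FileCertManager struct{ Entries map[string]CertEntry }

// GetCertificate has the certmagic.Manager method signature. An unknown name
// returns (nil, nil), i.e. "nothing from me"; a listed file that fails to load
// is a real error. It reads from disk on every handshake; cache per name if needed.
func (m *FileCertManager) GetCertificate(_ context.Context, hello *tls.ClientHelloInfo) (*tls.Certificate, error) {
	name := strings.ToLower(strings.TrimSuffix(hello.ServerName, "."))
	e, ok := m.Entries[name]
	if !ok {
		return nil, nil
	}
	cert, err := tls.LoadX509KeyPair(e.CertPath, e.KeyPath)
	if err != nil {
		return nil, fmt.Errorf("certlist: loading certificate for %q: %w", name, err)
	}
	return &cert, nil
}

// WriteSelfSignedPair writes a throwaway self-signed Ed25519 cert and key for
// domain into dir so the demo runs offline (constructed fixture, not real certs).
func WriteSelfSignedPair(dir, domain string) (certPath, keyPath string, err error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return "", "", err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: domain},
		DNSNames: []string{domain}, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return "", "", err
	}
	keyDER, err := x509.MarshalPKCS8PrivateKey(priv)
	if err != nil {
		return "", "", err
	}
	certPath, keyPath = filepath.Join(dir, domain+".crt"), filepath.Join(dir, domain+".key")
	if err = os.WriteFile(certPath, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), 0o600); err != nil {
		return "", "", err
	}
	return certPath, keyPath, os.WriteFile(keyPath, pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: keyDER}), 0o600)
}

func main() {
	dir, err := os.MkdirTemp("", "certlist")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	crt, key, err := WriteSelfSignedPair(dir, "example.test")
	if err != nil {
		panic(err)
	}
	// Constructed list content in the assumed format.
	entries, err := ParseCertList(strings.NewReader("# domain cert key\nexample.test " + crt + " " + key + "\n"))
	if err != nil {
		panic(err)
	}
	m := &FileCertManager{Entries: entries}
	for _, sni := range []string{"Example.Test", "unknown.test"} {
		c, err := m.GetCertificate(context.Background(), &tls.ClientHelloInfo{ServerName: sni})
		fmt.Printf("%-13s found=%t err=%v\n", sni, c != nil, err)
	}
}
```

Two defensive choices are worth calling out: a malformed list line fails parsing instead of being silently skipped, so a typo cannot quietly drop a domain, and the SNI name is lower-cased and stripped of a trailing dot before lookup so that case or a fully-qualified form cannot bypass the list. Any name that is not listed gets no certificate from this manager at all.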

vanodevium commented 1 year ago

@francislavoie Thank you for the quick and clear answer. But I'm not sure that I can do such a thing myself. I don't have much experience in golang.

francislavoie commented 1 year ago

Trust me, it's easier than you think. Go is a pretty easy language to learn. Especially for what you're trying to do (file access and basic parsing).

Otherwise, you can just use the http module that's already built in. Write a tiny server in whatever language you prefer and point Caddy to it to request the info for a particular domain.

vanodevium commented 1 year ago

@francislavoie

You may not believe it, but I was able to do it. Certificates are read from files, everything works great! Thank you very much!

But the following questions arose:

  1. It requires an ask directive. Is there any way to disable it?
  2. If the certificate is not found in the files, Caddy tries to release it with acme. Please tell me if this can also be disabled and just return the certificate error to the browser?

vanodevium commented 1 year ago

Also there is some behavior that is strange to me. Maybe I don't understand it.

Caddyfile

{
    on_demand_tls {
        ask http://127.0.0.1:4444
    }
    auto_https off
}

:443 {
    tls {
        get_certificate file ./crt.list
    }
}

When ask responds ok, but the file manager returns an error, why is a challenge started even though auto_https is completely disabled? What is the behavior of get_certificate http http://127.0.0.1 if it returns 404? This is a bit confusing.

Please explain this when you have some free time. Thank you!

mholt commented 1 year ago

@vanodevium When you specify a certificate manager, that manually enables on-demand TLS (so auto_https off has no effect). If the certificate manager can't return one, then a challenge is performed to try and obtain one.

vanodevium commented 1 year ago

@mholt @francislavoie

Thank you very much!

mholt commented 1 year ago

Nice job implementing your own module by the way!

Any chance of publishing it so it can be of use by others? 😁

francislavoie commented 1 year ago

To clarify, you can make it public and visible to other users via https://caddyserver.com/download by making an account at https://caddyserver.com/account/ and claiming the module.

vanodevium commented 1 year ago

I did my best. Already registered on the main site.

@mholt @francislavoie Thanks to everyone!

mholt commented 1 year ago

Hey that's a good-looking Caddy module there! Nice job! :100: