dunglas / frankenphp

🧟 The modern PHP app server
https://frankenphp.dev
MIT License

Implement new version of Caddy (to enable IP address certs from LetsEncrypt) #1155

Closed geoidesic closed 1 week ago

geoidesic commented 1 week ago

Hi Kevin,

I was chatting to Matthew Holt, founder of Caddy. I identified a problem where Caddy was not fetching certificates for IP addresses, only for FQDNs. Here's Matthew's response via email:

That issue with the IP address trying to use a public certificate should be fixed here: https://github.com/caddyserver/caddy/commit/88fd5f3491ab888f69f0be02cea68a49164298eb (I used your Caddyfile as a sample)

Recently, I had to change CertMagic to not disqualify IP addresses from public certs, since now there are public CAs that issue IP certificates.

But Caddy didn't update its logic regarding that, since it would check with CertMagic whether a certain identifier qualified for a public certificate. (CertMagic now returns "true" to that inquiry.) With the above commit, Caddy only lets it have a public certificate if an automation policy is explicitly defined. Otherwise, without any configuring of certificate issuers (as with your config), it should make all IP addresses use self-signed certs.

I don't think this version has been implemented in frankenphp because I'm not seeing certs appear when I use IP address hosts in the Caddyfile.
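To make the two behaviours Matthew describes concrete, here is an added Caddyfile example (not from the issue or the FrankenPHP project; the addresses are constructed from the 192.0.2.0/24 documentation range and the ACME directory URL is a placeholder) contrasting the default handling of an IP host with an explicitly configured issuer:

```caddyfile
# Added example, not the reporter's Caddyfile.

# Case 1: IP host with no tls directive. After the referenced Caddy commit,
# no automation policy is defined for this name, so Caddy issues a
# self-signed certificate from its internal CA instead of asking a public CA.
192.0.2.10 {
	respond "served with an internal (self-signed) certificate"
}

# Case 2: IP host with an explicit automation policy. Only because an issuer
# is configured does Caddy attempt a public certificate for the IP address;
# this succeeds only if the CA at the placeholder URL actually issues IP certs.
192.0.2.11 {
	tls {
		issuer acme {
			dir https://acme.example.invalid/directory   # placeholder CA endpoint
			email ops@example.invalid                    # placeholder contact
		}
	}
	respond "served with a publicly issued certificate (if the CA supports IPs)"
}
```

To see which case you are in, inspect the issuer of the certificate actually served (for example with `openssl s_client -connect 192.0.2.10:443 | openssl x509 -noout -issuer`): an internal-CA issuer means no automation policy applied.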

dunglas commented 1 week ago

Hi,

FrankenPHP is currently using the latest stable version of Caddy.

A beta version of Caddy is available; we'll update as soon as it is marked stable.