foxcpp / maddy

✉️ Composable all-in-one mail server.
https://maddy.email
GNU General Public License v3.0

Documentation for TLS certificates managed by Caddy #296

Open skyfaller opened 3 years ago

skyfaller commented 3 years ago

Use case

I use Caddy to manage my certificates. The documentation mentions how to work with Let's Encrypt and certbot and ACME.sh, but I don't use those and don't know how to use those.

Your idea for a solution

Could we please write some documentation on how to work with TLS certificates managed by Caddy? I'd be willing to help test the instructions as a clueless noob.

foxcpp commented 3 years ago
  1. Hard-link certificates from caddy's directory (CADDY_ROOT/certificates/acme-v02.api.letsencrypt.org-directory/DOMAIN) into some directory that is accessible for maddy (e.g. /etc/maddy). Using hard links instead of symlinks simplifies step 2.
  2. Ensure that maddy can read the certificate file. Either using extended ACLs (setfacl -m u:maddy:r /etc/maddy/tls.key) or by running maddy under caddy's group (probably www-data).
  3. Set paths to hard-linked certs in maddy.conf: tls /etc/maddy/tls.crt /etc/maddy/tls.key
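The three steps above, collected into one script, as an added example that is not maddy's or Caddy's own code. It assumes Caddy keeps the pair as DOMAIN.crt and DOMAIN.key inside the directory quoted in the comment (the file names are an assumption; the issuer directory defaults to the one named above and can be overridden with CADDY_ISSUER_DIR), that the maddy service account is called maddy, and that the destination directory is on the same filesystem as Caddy's data directory, which hard links require. A hard link tracks an inode, not a path: if a renewal ends up writing a new file rather than rewriting the old one, the link silently keeps serving the expired certificate. The thread does not establish which Caddy does, so the script is idempotent and ships a check_links function that detects a stale link so it can be re-run from a timer.

```shell
#!/bin/sh
# Hard-link a Caddy-managed certificate into a directory maddy can read,
# grant read access, and detect stale links after a renewal.
#
# Added example, not code from maddy or Caddy. Assumptions:
#   * Caddy stores the pair at CADDY_ROOT/certificates/<issuer-dir>/<domain>/<domain>.crt
#     and <domain>.key. The directory is the one quoted in the thread; the
#     <domain>.crt / <domain>.key file names are assumed.
#   * The maddy service account is called "maddy" (override via grant_read's 2nd argument).
#   * DEST_DIR lives on the same filesystem as CADDY_ROOT (hard links need that).
set -u

# Issuer directory under CADDY_ROOT/certificates; the default is the
# Let's Encrypt production directory named in the thread.
: "${CADDY_ISSUER_DIR:=acme-v02.api.letsencrypt.org-directory}"

# cert_paths CADDY_ROOT DOMAIN  -> sets SRC_CRT and SRC_KEY
cert_paths() {
    SRC_CRT="$1/certificates/$CADDY_ISSUER_DIR/$2/$2.crt"
    SRC_KEY="$1/certificates/$CADDY_ISSUER_DIR/$2/$2.key"
}

# link_caddy_cert CADDY_ROOT DOMAIN DEST_DIR
# Step 1 of the thread: (re)create DEST_DIR/tls.crt and DEST_DIR/tls.key as
# hard links. ln -f replaces an existing link, so re-running after a renewal
# that produced new inodes repairs stale links.
link_caddy_cert() {
    cert_paths "$1" "$2"
    dest=$3
    if [ ! -f "$SRC_CRT" ] || [ ! -f "$SRC_KEY" ]; then
        echo "link_caddy_cert: no certificate for $2 under $1 (not issued yet, or wrong domain?)" >&2
        return 1
    fi
    mkdir -p "$dest" || return 1
    ln -f "$SRC_CRT" "$dest/tls.crt" || return 1
    ln -f "$SRC_KEY" "$dest/tls.key" || return 1
    # Owner rw, group r, nothing for others. The mode lives on the inode, so
    # this also applies to Caddy's view of the file; the group bits double as
    # the ACL mask once an ACL entry is added.
    chmod 0640 "$dest/tls.crt" "$dest/tls.key"
}

# grant_read DEST_DIR [USER]
# Step 2 of the thread: give the maddy account read access via an extended
# ACL. Without setfacl, fall back to the thread's other option (run maddy
# under the group that owns the files) and say so.
grant_read() {
    dest=$1; user=${2:-maddy}
    if command -v setfacl >/dev/null 2>&1; then
        setfacl -m "u:$user:r" "$dest/tls.crt" "$dest/tls.key"
    else
        echo "grant_read: setfacl not found; add $user to the group owning $dest/tls.key instead" >&2
        return 1
    fi
}

# check_links CADDY_ROOT DOMAIN DEST_DIR
# Returns 0 while the links still share an inode with the files Caddy uses,
# 1 once a renewal has replaced them (or the links are missing). Run it from
# a timer and call link_caddy_cert again when it fails.
check_links() {
    cert_paths "$1" "$2"
    [ "$3/tls.crt" -ef "$SRC_CRT" ] && [ "$3/tls.key" -ef "$SRC_KEY" ]
}
```

Typical use is `link_caddy_cert /var/lib/caddy mail.example.org /etc/maddy && grant_read /etc/maddy`, followed by the step 3 directive pointing maddy at /etc/maddy/tls.crt and /etc/maddy/tls.key. After a renewal maddy has to re-read the files to serve the new pair, so pair the timer that runs check_links with whatever reload your maddy setup needs.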
Kinrany commented 3 years ago

Is it possible in theory/in practice for maddy to delegate dealing with certificates to caddy, the same way one can use HTTPS between caddy and outside world and HTTP between caddy and local containers?

foxcpp commented 3 years ago

caddy would need to implement SMTP and IMAP proxy functionality with support for some reverse proxy indication (e.g. HAProxy PROXY or Postfix's XCLIENT extensions). maddy would need to support the latter.

foxcpp commented 3 years ago

Generic TLS/TCP reverse proxy is not enough for server-server SMTP.

cypx commented 3 years ago

Maybe you could have a look at Traefik. It shares a lot of commonalities with Caddy (Go, native Let's Encrypt support, API, Docker integration, easy to use...) but also provides generic TCP (and UDP) support and not only HTTP. I use it as a reverse proxy for a Postfix/Dovecot/RoundCube server which I consider migrating to Maddy (but for now the lack of IMAP support made me wait).

foxcpp commented 3 years ago

Traefik supports HAProxy's PROXY protocol for TCP proxy.