Tutorial: Caddy (Reverse Proxy) + Let's Encrypt Certificates + Dynamic DNS

Started by Monviech (Cedrik), February 09, 2024, 01:31:44 PM

Quote from: Monviech on August 07, 2024, 11:46:44 AM
The email has been changed to required since there are two issuers inside. ZeroSSL requires an Email, Let's Encrypt does not. If one fails the other is tried automatically.

To keep it simple I required the Email. Just put in whatever ;D

Ah, that makes sense. Any idea why Let's Encrypt would be claiming I have no valid A or AAAA records? They're definitely there.

Sorry, I'm not sure here, not so good with Let's Encrypt troubleshooting. Maybe related to this?

https://github.com/opnsense/plugins/issues/4161

If in doubt, it's /always DNS/™

If not maybe ask in the https://caddy.community and show your debug logs. They know this plugin exists.
Hardware:
DEC740

I have a problem with a dockerized UniFi Controller. I was able to set a subdomain to the web GUI of UniFi (port 8443) with Caddy. The subdomain is unify.example.com. There is an option for the AP to set a domain instead of an IP for the guest hotspot. Without the domain option active, connecting to the Guest WLAN opens 192.168.1.10:8080 (http). It is possible to enable https, however without a proper certificate this will not be a valid option.

So I thought it would be a good option to use Caddy and activate the domain option in the AP. The problem is that the hotspot tries to resolve to https://unify.example.com:8843 for https and :8080 for http.
I guess that this will not work with Caddy, because it only listens on 80 and 443, right?

Is it possible to use Caddy here? Do I need to add FW rules for WAN that allow 8843 or 8080?

You can add the same domains multiple times, with different ports.

e.g.

example.com
example.com:8080
example.com:8443

and give each of them the right handler.

That's a supported configuration.

And yes of course they need firewall rules.
Hardware:
DEC740

Do I need a specific configuration for that? I mean in the WebGUI of OPNsense, I set a domain example.com and a wildcard domain *.example.com. All actual subdomains are a result of the wildcard domain. I ask because the description of the port states that all subdomains will listen on the same port as the domain.

You should be able to add the same wildcard domain with different ports multiple times, and then select the other wildcard domain with the different port in a handler in addition to the same already created subdomain.

Essentially I think that should work, I have never tested it before though.

I don't think you have to duplicate the subdomains in the subdomain tab. I think it should just work to add the existing ones with the different wildcard domain in a handler, since they will get added to it.

Just try it out and if you get strange results show me your Caddyfile.
Hardware:
DEC740
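The setup described in the two answers above (the same domain or wildcard domain added several times with different ports, each with its own handler) looks roughly like this in a hand-written Caddyfile. This is an added example, not the plugin's generated configuration and not from the original posts; the UniFi controller address 192.168.1.10 and the ports come from the question, everything else is assumed. Note that wildcard certificates need the DNS challenge configured (the subject of this tutorial), and that the `http://` prefix on the 8080 site is what keeps Caddy from upgrading that port to HTTPS automatically.

```caddyfile
# Added example, not from the original thread or the OPNsense plugin.
# Assumed: a DNS provider module is configured for the DNS challenge,
# and the UniFi controller lives at 192.168.1.10 (value from the question).

# Port 443 (default): wildcard site, one handler per subdomain via host matcher.
*.example.com {
	tls {
		dns <provider> <api-token-placeholder>   # replace with your caddy-dns module
	}

	@unify host unify.example.com
	handle @unify {
		reverse_proxy https://192.168.1.10:8443 {
			transport http {
				# The controller ships a self-signed certificate. Skipping
				# verification trusts whatever answers on that IP; prefer
				# installing a trusted certificate on the controller instead.
				tls_insecure_skip_verify
			}
		}
	}
}

# Port 8843: same wildcard domain, same subdomain, different port and upstream.
*.example.com:8843 {
	tls {
		dns <provider> <api-token-placeholder>
	}

	@unify host unify.example.com
	handle @unify {
		reverse_proxy https://192.168.1.10:8843 {
			transport http {
				tls_insecure_skip_verify
			}
		}
	}
}

# Port 8080: plain HTTP, as the hotspot redirect expects. Without the
# http:// prefix Caddy would enable automatic HTTPS on this port as well.
http://*.example.com:8080 {
	@unify host unify.example.com
	handle @unify {
		reverse_proxy http://192.168.1.10:8080
	}
}
```

Each site block is one listener, so the firewall has to allow 443, 8843 and 8080 separately; Caddy opens none of them for you. Running `caddy validate --config /path/to/Caddyfile` before reloading catches syntax problems such as a duplicate site address on the same port.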

Is it required to adjust the firewall rules? I ask because the Caddy documentation assumes that Caddy uses ports 443 and 80, and so do the firewall rules. If I add a domain with port 8843, is it required to add a corresponding firewall rule as well?

Yes, you have to open all ports in firewall rules that Caddy uses. It does not open any ports for you automatically.
Hardware:
DEC740

Hi,
Caddy is always adding new A records for * and @ even when update only is checked in settings

It depends on the provider, all of them are different, and all of the modules are written by different people so they do not all share the same featureset.

Best go to https://github.com/caddy-dns and find the provider you are using and open an issue where you also share part of your caddyfile.
Hardware:
DEC740

This explains a lot. I noticed that my A records have been accumulating old IP addresses since I started using Caddy. I deleted old entries by hand on the IONOS dashboard.

Quote from: Monviech on August 14, 2024, 06:30:11 AM
It depends on the provider, all of them are different, and all of the modules are written by different people so they do not all share the same featureset.

Best go to https://github.com/caddy-dns and find the provider you are using and open an issue where you also share part of your caddyfile.

Thanks for Info.

Quote from: Baender on August 14, 2024, 10:52:46 AM
This explains a lot. I noticed that my A records have been accumulating old IP addresses since I started using Caddy. I deleted old entries by hand on the IONOS dashboard.
It's the same for me with IONOS

Here is the issue where I implemented the "Update Only" checkbox. It seems like it was broken for Gandi too, with duplicate A records being created.

https://github.com/opnsense/plugins/issues/4036

https://github.com/caddy-dns/gandi/issues/9

I do not doubt that other modules suffer from the same jank sometimes. The Dynamic DNS is not a "core" module of Caddy. So only the DNS challenge will always work correctly, since that seems to be the main use case.
Hardware:
DEC740

I will open an issue for IONOS and see if it can be closed. In the meantime, I'll check whether setting the Update Only setting brings any improvement. It hasn't been active for me yet.

Btw. it would also be great if there was a link to the repository (https://github.com/caddy-dns) next to "DNS Provider". Because either I overlooked the solution or I couldn't find the way to enter the API key for IONOS straight away. In the end, I did find the solution, but it probably took me 15 minutes. A quick click on the repository now shows me that it's right there.