Tutorial: Caddy (Reverse Proxy) + Let's Encrypt Certificates + Dynamic DNS

Started by Monviech (Cedrik), February 09, 2024, 01:31:44 PM

I have been trying to get this to work on my OPNsense 25.1 install. I found this with a web search about it:

"To configure Caddy on OPNsense for use with AWS, specifically for wildcard certificate generation via Route53, you can use the os-caddy plugin developed by Monviech. This plugin supports DNS-01 challenges using AWS Route53 through the caddy-dns/route53 module, which allows automatic certificate issuance and renewal for domains managed by AWS."

But when I tick the DNS-01 challenge box, save and apply, I get this message:

Error: adapting config using caddyfile: parsing caddyfile tokens for 'tls': getting module named 'dns.providers.route53': module not registered: dns.providers.route53, at /usr/local/etc/caddy/Caddyfile:34

What am I doing wrong? Is there a module I am supposed to install?

It's not included in the standard Caddy install anymore.

I also do not support 25.1 anymore; please update to the latest version.

Then you can use this fork for the DNS provider subsystem:

https://github.com/Monviech/os-caddy

The OPNsense-provided plugin has had all DNS providers except Cloudflare removed since 25.7 for maintainability reasons (the build broke again and again...).

Hardware:
DEC740

OK, finally, after like three different upgrades I got to OPNsense 25.7.5, then removed the Caddy plugin and followed the install at https://github.com/Monviech/os-caddy. I selected these modules:

caddyserver/ntlm-transport
mholt/caddy-dynamicdns
mholt/caddy-l4
caddy-dns/route53

Then I pushed the build button; after a few minutes it quit and had a message that the build failed, check log at /var/log/xcaddy or some such file I have no idea how to get to.
I did, however, find this in system/logfiles/backend:

Script action failed with Command 'cat /usr/local/etc/xcaddy/xcaddy_build.status' returned non-zero exit status 1. at Traceback (most recent call last):
  File "/usr/local/opnsense/service/modules/actions/script_output.py", line 89, in execute
    subprocess.run(script_command, env=self.config_environment, shell=True,
  File "/usr/local/lib/python3.11/subprocess.py", line 571, in run
    raise CalledProcessError(retcode, process.args,
subprocess.CalledProcessError: Command 'cat /usr/local/etc/xcaddy/xcaddy_build.status' returned non-zero exit status 1.

Where did I go wrong?

OK, I found /var/log/xcaddy.
Here are the last lines of the file:
github.com/libdns/route53
/go/pkg/mod/github.com/libdns/route53@v1.5.1/client.go:114:31: invalid composite literal type libdns.Record
/go/pkg/mod/github.com/libdns/route53@v1.5.1/client.go:122:30: invalid composite literal type libdns.Record
/go/pkg/mod/github.com/libdns/route53@v1.5.1/client.go:140:16: record.Type undefined (type libdns.Record has no field or method Type)
/go/pkg/mod/github.com/libdns/route53@v1.5.1/client.go:143:17: record.Value undefined (type libdns.Record has no field or method Value)
/go/pkg/mod/github.com/libdns/route53@v1.5.1/client.go:144:43: record.Value undefined (type libdns.Record has no field or method Value)
/go/pkg/mod/github.com/libdns/route53@v1.5.1/client.go:146:31: record.Value undefined (type libdns.Record has no field or method Value)
/go/pkg/mod/github.com/libdns/route53@v1.5.1/client.go:160:29: record.Value undefined (type libdns.Record has no field or method Value)
/go/pkg/mod/github.com/libdns/route53@v1.5.1/client.go:260:16: record.Type undefined (type libdns.Record has no field or method Type)
/go/pkg/mod/github.com/libdns/route53@v1.5.1/client.go:272:62: record.Name undefined (type libdns.Record has no field or method Name)
/go/pkg/mod/github.com/libdns/route53@v1.5.1/client.go:274:47: record.TTL undefined (type libdns.Record has no field or method TTL)
/go/pkg/mod/github.com/libdns/route53@v1.5.1/client.go:274:47: too many errors
2025/10/08 13:41:49 [INFO] Cleaning up temporary folder: /tmp/buildenv_2025-10-08-1334.4138806976
2025/10/08 13:41:49 [FATAL] exit status 1
Thanks.

This is exactly one of the reasons I removed dns providers from the standard build.

You most likely did nothing wrong; the DNS module just has compile errors.

You can try the route53 maintainer and provide your logs.

https://github.com/caddy-dns/route53

Yes I know, really fun. :(

Hardware:
DEC740

I haven't gotten a response from the maintainer of caddy-dns/route53, but while I was there I saw this:

"Caddy 2.10 upgraded to libdns 1.0, which breaks compatibility with older DNS providers. To use Caddy 2.10 or newer, install version 1.6 or later. For earlier Caddy versions, use a corresponding older module release."
and
To compile this Caddy module, you can use xcaddy the following way:

$ xcaddy build \
    --with github.com/caddy-dns/route53@version

So I unchecked caddy-dns/route53 from the modules selection and put github.com/caddy-dns/route53@v1.6 in the custom modules box; this resulted in a "version not found" error. At this point I did a web search for versions and found there was a v1.6-beta.2 version, so I tried again with that and the build was successful. YAY! So after filling in AWS stuff in the API fields and enabling Caddy, I now have a trusted certificate. Looks good, except nothing at all is being logged; log file set to info and I see nothing! Before, I would at least see messages like it was doing something. Also I don't appear to be getting to my internal server's default Apache page, I just get a "server stopped responding" error on my phone (possibly totally fubared settings on my part, but I would think something would show up in the logs).
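As an added sketch (not code from the route53 module, libdns or the os-caddy plugin), this mirrors the libdns 1.0 change behind the compile errors quoted earlier in the thread: Record became an interface, so a provider written against the old struct fields no longer builds against Caddy 2.10+. The RR and TXT types below are a stand-in modelled on the libdns 1.0 shape and are assumed, not imported from the real library.

```go
package main

import (
	"fmt"
	"time"
)

// Stand-in for the libdns 1.0 record model (assumed shape, not the real
// library). Pre-1.0, libdns.Record was a plain struct with Type/Name/Value/TTL
// fields, so providers wrote:
//
//	libdns.Record{Type: "TXT", Name: name, Value: txt}   // old style
//
// With Record as an interface, that composite literal is invalid and
// record.Type / record.Value are undefined, which is exactly what the
// xcaddy log for libdns/route53@v1.5.1 reports.
type RR struct {
	Name string
	TTL  time.Duration
	Type string
	Data string
}

// Record is the 1.0-style interface: typed records expose a generic RR view.
type Record interface{ RR() RR }

// TXT is the typed record a DNS-01 challenge needs.
type TXT struct {
	Name string
	TTL  time.Duration
	Text string
}

func (t TXT) RR() RR { return RR{Name: t.Name, TTL: t.TTL, Type: "TXT", Data: t.Text} }

// acmeChallengeRecord builds the _acme-challenge TXT record for a DNS-01
// validation in the form a 1.0-style provider would receive it.
func acmeChallengeRecord(hostLabel, keyAuthDigest string) Record {
	return TXT{Name: "_acme-challenge." + hostLabel, TTL: 60 * time.Second, Text: keyAuthDigest}
}

// recordFields reads type, name and value through RR() instead of the removed
// struct fields; this is the adaptation an older provider needs to compile.
func recordFields(r Record) (typ, name, data string) {
	rr := r.RR()
	return rr.Type, rr.Name, rr.Data
}

func main() {
	typ, name, data := recordFields(acmeChallengeRecord("www", "constructed-digest-value"))
	fmt.Printf("%s %s %s\n", typ, name, data)
}
```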

Hehe, that sounds like quite the journey; for this reason this module input field exists.

It's weird there is no logging anymore; I have a report open here which says there is no logging... gotta find out why later.

https://github.com/opnsense/plugins/issues/4973

Hardware:
DEC740

In my rather fresh test installation running 25.7.5 I do have logs in "Services: Caddy: Log File", and they also renew. It runs the same build from my own repository. So, no clue yet, other than maybe that the "Log Level" inside "Services: Caddy: Log File" is not set to e.g. Informational or Debug.

Or you just need a reboot?
Hardware:
DEC740

I have tried info and debug along with everything else. I will reboot and see if that helps.

If you want to debug further, look at the steps in the above ticket I wrote.

It's strange that there is no log for you.
Hardware:
DEC740

I did those steps and posted in the above ticket that afterwards I still had no log.

Prior to doing that I did this:

root@OPNsense:/var/log # cd caddy
root@OPNsense:/var/log/caddy # ls
access          caddy.log       latest.log
root@OPNsense:/var/log/caddy # cat access
cat: access: Is a directory
root@OPNsense:/var/log/caddy # cd access
root@OPNsense:/var/log/caddy/access # ls
root@OPNsense:/var/log/caddy/access # cd caddy
caddy: No such file or directory.
root@OPNsense:/var/log/caddy/access # cd /var/log/caddy
root@OPNsense:/var/log/caddy # ls
access          caddy.log       latest.log
root@OPNsense:/var/log/caddy # cat latest.log
cat: latest.log: No such file or directory

Strange that it showed the log file when I did "ls", but then when I tried to "cat" it I got "no such file".

After performing the steps you suggested I get this:

root@OPNsense:/var/log/caddy # ls
access          caddy.log

No latest.log.