Caddy DNS verification
I have a relatively simple setup to host services locally: one Caddy container acting as reverse proxy for all services. DNS is set up, containers talk via Docker networking and I run an ACME server for SSL certificates. The disadvantage of this is that each client needs to trust the root certificate. Easy on most desktops. Okay to do on mobile devices. The most painful thing I ever did on an Apple TV. But it is a bit inconvenient when we have visitors over, and on top of that my wife is really good at ignoring my suggestions to set the certificates up and would rather not use the services at all. So we have to fix this.
Services are only reachable locally or via VPN, so Caddy's regular HTTP challenge will not work and I refuse to open ports in the firewall. So DNS verification for certificates it is.
I got a new domain and put the DNS zone in a separate project on Hetzner. For some reason API keys are per project and cannot be scoped any further, so a project of its own is the only way to limit what the key can touch. Not strictly necessary, but I sleep better with more fine-grained access controls. Instead of each service requesting a certificate I wanted to use a wildcard domain. Not because I fear leaking which services I run (a list will show up somewhere on this blog anyway) but because it is easier to manage and renew. Lastly I wanted to share the wildcard certificate across multiple Caddy instances so I can, for example, provision dev VMs on my workstation.
First we build a Docker image for Caddy with the Hetzner DNS plugin and Redis to share certificates.
FROM caddy:builder AS builder
RUN xcaddy build \
    --with github.com/caddy-dns/hetzner/v2 \
    --with github.com/pberkel/caddy-storage-redis

FROM caddy:latest
COPY --from=builder /usr/bin/caddy /usr/bin/caddy
Once this is running the Caddyfile does not change much, except for the wildcard part and manually setting up the DNS challenge.
*.foo.bar.tld {
    tls {
        # xyz stands in for the Hetzner DNS API token
        dns hetzner xyz
        propagation_delay 30s
    }

    @yarr host yarr.foo.bar.tld
    handle @yarr {
        reverse_proxy yarr:7070
    }
}
That is pretty much it. Caddy really makes life easy sometimes.
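The image above builds in the Redis storage module, but the Caddyfile alone does not use it, so every instance would still request and store its own certificate. Here is an added example (my own, not from the post or the plugin projects) of the global options block that wires the two together, with the Hetzner token and the Redis credentials substituted from environment variables by the Caddyfile adapter instead of being written into the file; the `storage redis` option names follow the pberkel/caddy-storage-redis README as I know it and should be checked against the version you built, and `redis:6379` is an assumed container name.

```caddyfile
{
	# Shared certificate storage: every Caddy instance pointed at this
	# Redis sees the same wildcard cert and key, so only one of them
	# ever needs to talk to the ACME server and the Hetzner API.
	storage redis {
		address        redis:6379            # assumed container name
		password       {$REDIS_PASSWORD}     # Redis requirepass, from env
		key_prefix     caddy
		# The private key lives in Redis; encrypt stored values with a
		# key of your own instead of trusting Redis access control alone
		# (see the plugin README for the required key length).
		encryption_key {$CADDY_STORAGE_KEY}
	}
}

*.foo.bar.tld {
	tls {
		# Token from the Hetzner project that holds only this zone,
		# read from the environment rather than committed in the file.
		dns hetzner {$HETZNER_API_TOKEN}
		propagation_delay 30s
	}

	@yarr host yarr.foo.bar.tld
	handle @yarr {
		reverse_proxy yarr:7070
	}

	# Catch-all so unmapped names under the wildcard do not fall through
	# to the first handler by accident.
	handle {
		respond "not found" 404
	}
}
```

The same Caddyfile can be dropped onto a second instance unchanged; as long as it reaches the same Redis with the same `key_prefix` and `encryption_key`, it serves the already issued wildcard certificate without touching DNS again.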
timo@alextrasza:~/compose$ ls | wc -l
38
I have been testing this with Yarr to make sure everything is working; the rest of the services will migrate to their new domains this weekend. Fun times ahead.
posted on March 27, 2026, 5:22 p.m. in TIL, homelab, infrastructure, self-hosting
This entry was posted as a "note" and did not undergo the same editing and review as regular posts.