cross-posted from: https://discuss.online/post/41958206

Open to suggestions for managing Caddy for domains from Porkbun.

  • Porkbun itself is using Cloudflare.
  • Their Caddy module is confusing to set up due to API changes and older documentation.
  • I’d like to use a declarative json configuration, but first I just need Porkbun to play nice enough to work when adding subdomains via wildcard.

The Goal

Set up a legit Let’s Encrypt wildcard locally to test services at *.example.domain.com, then put them into production on the main-site wildcard *.domain.com on a VPS or similar.

Seeking Advice

Can anyone advise on setup recommendations? I’m currently using Nginx, which I had no difficulty setting up with the ACME challenge. Perhaps I’m approaching Caddy in the wrong way. Thanks for any ideas!

  • SlowGoose6523@thelemmy.club · 2 points · 22 hours ago

    I have Porkbun domains and am getting ready to try setting up Caddy so randomly stumbling onto this thread is serendipitous.

  • moonpiedumplings@programming.dev · 4 points · 1 day ago

    > Set up a legit Let’s Encrypt wildcard locally to test services at *.example.domain.com, then put them into production on the main-site wildcard *.domain.com on a VPS or similar.

    Just to be clear, why wouldn’t simply provisioning a certificate for each subdomain under the wildcard work?

    Like, if you have a test site test.example.domain.com, you could have nginx (using acme) create a certificate for that. And then when you move to test.domain.com, nginx would do the same thing.

    Now, technically letsencrypt does have a rate limit, but it’s a fairly generous rate limit:

    Up to 50 certificates can be issued per registered domain (or IPv4 address, or IPv6 /64 range) every 7 days. This is a global limit, and all new order requests, regardless of which account submits them, count towards this limit. The ability to issue new certificates for the same registered domain refills at a rate of 1 certificate every 202 minutes.

    I would do my testing this way, and I didn’t hit any limits, although I was careful to keep certificates and reuse them, and to not spam.

    If you need more domains with SSL than that rate limit would provide, then it would make sense to investigate Caddy with porkbun, since DNS-01 challenges are the only way to get wildcard certificates, which apply to a whole wildcard.

    • Pika@sh.itjust.works · 1 point · edited · 23 hours ago

      I wasn’t aware that they managed registered domains the way they do. I may need to reconsider my current certificate setup, as I currently run a certificate per service because it’s more secure and looked cleaner, but if they count x.website.com certificates as website.com certificates, it’s entirely possible that when they switch to short-lived certificate defaults I may come close to that rate limit.

      • i_am_not_a_robot@discuss.tchncs.de · 2 points · 23 hours ago

        If they cut the validity time for certificates, I’d expect them to also increase the rate limits by a corresponding amount. It’s not like they have anything to gain by making it so regular users can’t use the service anymore. They can’t upsell you to Let’s Encrypt Premium with a higher rate limit.

        • Pika@sh.itjust.works · 1 point · edited · 22 hours ago

          Yea, hopefully. I know that short-lived certs are currently an additional parameter when requesting; hopefully when the default changes they will have a higher rate limit. That won’t be for quite some time though, I expect.

  • ransomwarelettuce@lemmy.world · 1 point · 22 hours ago

    My homelab is using this setup: I configured the Porkbun API, compiled Caddy with the DNS challenge plugin and configured it.

    I am using ansible with jinja templates there, if you are not familiar with it or have any doubt feel free to ask.

  • i_am_not_a_robot@discuss.tchncs.de · 1 point · 23 hours ago

    Porkbun is a registrar that also has DNS hosting, and ACME DNS challenges just need DNS hosting. I also use Porkbun and I am happy with them as a registrar, but their DNS service wasn’t working out for me, and I host my DNS records on deSEC. It’s working well for me after I increased some timeouts in my ACME client configuration, but I can’t recommend it if you’re having problems with Porkbun: the deSEC rate limits are strict and their TTLs are high, and if you don’t already know what you’re doing you’re likely to spend a lot of time waiting for propagation or rate limits.
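The "compile Caddy with the DNS plugin, then configure it" setup from ransomwarelettuce's reply, and the propagation timeouts i_am_not_a_robot mentions, as one added example Caddyfile (written for this thread, not taken from Caddy or the Porkbun plugin docs). It assumes the plugin module path github.com/caddy-dns/porkbun and its `api_key` / `api_secret_key` parameters; the thread notes the plugin's API has changed, so check those two names against the version you build, and treat domain.com, the backend ports and the resolver addresses as placeholders.

```caddyfile
# Added example: one Caddyfile covering the local test wildcard and the
# production wildcard, both validated with DNS-01 via the Porkbun API.
# Assumed build step:  xcaddy build --with github.com/caddy-dns/porkbun
# Put the API credentials in Caddy's environment, never in the file itself:
#   PORKBUN_API_KEY, PORKBUN_API_SECRET_KEY   (read below via {env.*})

(porkbun_dns) {
	tls {
		# Parameter names assumed from the caddy-dns/porkbun module.
		dns porkbun {
			api_key {env.PORKBUN_API_KEY}
			api_secret_key {env.PORKBUN_API_SECRET_KEY}
		}
		# Porkbun's zones are served from Cloudflare; querying public
		# resolvers sidesteps a stale local cache when Caddy checks the
		# _acme-challenge TXT record before telling Let's Encrypt to verify.
		resolvers 1.1.1.1 9.9.9.9
		propagation_delay 30s
		propagation_timeout 5m
	}
}

# Local testing: *.example.domain.com. A DNS wildcard matches exactly one
# label, so grafana.example.domain.com is covered but a.b.example.domain.com
# is not. Point the wildcard A record at the LAN host; DNS-01 needs no
# inbound port 80/443, so nothing has to be exposed to the internet.
*.example.domain.com {
	import porkbun_dns

	@grafana host grafana.example.domain.com
	handle @grafana {
		reverse_proxy 127.0.0.1:3000
	}

	# Unknown subdomains get a 404 instead of the first backend.
	handle {
		respond "no such service" 404
	}
}

# Production on the VPS: same snippet, different wildcard. One certificate
# covers every first-level subdomain, so adding a service here does not
# consume another order against the per-registered-domain rate limit.
*.domain.com {
	import porkbun_dns

	@grafana host grafana.domain.com
	handle @grafana {
		reverse_proxy 127.0.0.1:3000
	}
}
```

For the declarative JSON the original post asks for, `caddy adapt --config Caddyfile --pretty` emits the equivalent JSON, with the provider under `apps.tls.automation.policies[].issuers[].challenges.dns.provider`, which you can then maintain directly.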