pinoyyid

Reputation: 22306

How do I achieve Caddy auto-TLS via Let's Encrypt without DNS?

I'm sure this is a typical scenario, but I can't find the appropriate sequence of steps.

I have a www.example.com server at (say) 1.1.1.1 running Apache. I am building a new server at 2.2.2.2 using Caddy. For testing, I put 2.2.2.2 www.example.com in my local /etc/hosts. Once all is working, I will repoint the www.example.com DNS entry to Caddy.

The problem is I can't start Caddy on 2.2.2.2 to serve www.example.com.

I get [www.example.com] failed to get certificate: acme: Error 403 - urn:acme:error:unauthorized - Invalid response from http://www.example.com/.well-known/acme-challenge/6Xc4_oq6r0de25CtrYIw59YeVHvUWQ9Ag6H3XbGx8y0:

which I assume is caused by the DNS entry for www.example.com pointing to 1.1.1.1, not 2.2.2.2.

So how do I get certs and start Caddy so I can test www.example.com on 2.2.2.2 before updating the public DNS entry?

Upvotes: 3

Views: 2488

Answers (2)

Toby Allen

Reputation: 11211

Firstly, you really should only use private IPs for test / trial sites. You can use any of the following:

  • 10.x.x.x
  • 192.168.x.x
  • (there are also a few more)

so instead of

2.2.2.2 myexamplesite.com

use

10.2.2.2 myexamplesite.com

Also, and this answers your question, the Caddy TLS using Let's Encrypt only works when the Let's Encrypt site can access your site via the public IP address available from a DNS server that you don't control. This is for very basic security purposes.

You can generate a self-signed certificate and use that, but I'm afraid auto TLS with Caddy is not possible the way you want.

Upvotes: 0

AlexP

Reputation: 4430

  1. Make up a new name for the test server, for example test.example.com.

  2. Point the DNS A record for test.example.com to the same address as for www.example.com.

  3. Get a Let's Encrypt certificate containing both names. Let's Encrypt lets you put as many names as you want in the certificate.

  4. Once you have the certificate, point the DNS A record for the test server to the new address. Now you can use the same certificate both in the production server and the test server.

Upvotes: 1
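As an added example (not part of either answer), a shell check for step 3 above: before copying the certificate to the test server, confirm it actually carries both www.example.com and test.example.com in its subjectAltName. The certificate it inspects is a constructed self-signed stand-in for the Let's Encrypt one, and `openssl` is assumed to be installed.

```shell
#!/bin/sh
# Added example, not from the thread. Checks that a PEM certificate covers
# every hostname the test server will serve. The stand-in certificate is
# constructed here; the check works on any PEM certificate.
set -eu

WORK=$(mktemp -d)

# Constructed stand-in: a self-signed cert with both names in subjectAltName,
# the shape step 3 asks Let's Encrypt for. Prints the certificate path.
make_test_cert() {
  cat > "$WORK/san.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = ext
prompt = no
[dn]
CN = www.example.com
[ext]
subjectAltName = DNS:www.example.com, DNS:test.example.com
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -config "$WORK/san.cnf" \
    -keyout "$WORK/key.pem" -out "$WORK/cert.pem" >/dev/null 2>&1
  echo "$WORK/cert.pem"
}

# Print the DNS names listed in the certificate's subjectAltName, one per line.
# Parses the -text dump so it works on older OpenSSL versions without -ext.
cert_san_names() {
  openssl x509 -in "$1" -noout -text 2>/dev/null \
    | grep -A1 'Subject Alternative Name' | tail -n 1 \
    | tr ',' '\n' | sed -n 's/.*DNS:\([^ ,]*\).*/\1/p'
}

# Exit 0 if the certificate covers the exact hostname given, 1 otherwise.
cert_covers_name() {
  cert_san_names "$1" | grep -qx "$2"
}
```

Run `cert_covers_name /path/to/cert.pem test.example.com` against the real certificate before repointing DNS; a non-zero exit means the name is missing and clients on the test server will get a hostname mismatch.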
