Caddy-based Jails, Let's Encrypt, and Namecheap DNS plugin

GJSchaller

Contributor
Joined
Feb 10, 2021
Messages
100
I'm working with the scripts created by @danb35 and @victort that make jails with various apps in them, using Caddy as a webserver. Making the jails is working fine, and at the moment I have them all behind a Reverse Proxy that protects them / serves them up to the outside world. So far, so good.

One of the apps (ZenPhoto) is giving a warning when submitting passwords that the form is not secure, likely because the Jail itself is not running https, only the Proxy server. I'd like to correct this and get a Let's Encrypt SSL cert onto the Jail(s), so that 1) the Proxy is connecting to them securely, and 2) I can access them securely from within my home network without going through the proxy.

My Registrar is Namecheap. Because the jails are behind a proxy, I can't use the Stand-Alone LE method to generate a LE Cert, leaving me with DNS. I'm trying to figure out the exact syntax to generate the LE Cert when creating the jail using jailname-config - for this example, I'll use zenphoto.

I did look up the Namecheap plugin for Caddy, but documentation is a bit scant... I want to make sure this is correct. Is this the correct format for using Namecheap with the jail creation scripts? (I'm missing my Namecheap user name - not sure how to enter that?)

While my Registrar is Namecheap, my DNS for this domain is self-hosted, if that matters at all.

Code:
JAIL_IP="10.0.0.248"
DEFAULT_GW_IP="10.0.0.1"
POOL_PATH="/mnt/data"
HOST_NAME="zenphoto.aiskon.net"
DNS_CERT=1
DNS_PLUGIN=namecheap
DNS_TOKEN=(Namecheap API token)
CERT_EMAIL=gjschaller@gmail.com
 

victort

Guru
Joined
Dec 31, 2021
Messages
973
If you run the script with script zenphoto.log ./zenphoto-jail.sh you should get an output file that will give us some info as to whether the plugin installed correctly.
Also /var/log/caddy/caddy.log will show if caddy is having issues getting a cert.
 

GJSchaller

Contributor
Joined
Feb 10, 2021
Messages
100
Thank you - I did that, it looks like it worked (there are no errors in the log), but I'll have to verify once I am home from work and can try to browse it from my local network at home.

The one thing that's puzzling me is I don't see a way to pass the Namecheap Username to the jail script & caddy plugin in zenphoto-config - am I missing something, or is it not needed?

Edit: Here's the plugin on GitHub, if it helps: https://github.com/caddy-dns/namecheap
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
While my Registrar is Namecheap, my DNS for this domain is self-hosted, if that matters at all.
It matters greatly. Caddy doesn't care who your registrar is, because your registrar isn't at all involved in cert issuance in any way. If you're wanting to use DNS validation to get a cert, Caddy needs to be able to update your DNS records.
 
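A quick way to confirm the point above before re-creating the jail, as an added shell example that is not part of this thread or of the jail scripts: the DNS-01 challenge is answered by whichever nameservers are authoritative for the zone, so the check is where the zone is delegated, not who the registrar is. It assumes Namecheap's hosted nameservers follow the dnsN.registrar-servers.com pattern, that the zone is the last two labels of the host name, and that dig is installed.

```shell
#!/bin/sh
# Added example (not from the thread): decide whether the caddy-dns/namecheap
# plugin can satisfy DNS-01 for a host. The plugin creates a TXT record named
# _acme-challenge.<host> through the Namecheap API, which only helps when the
# zone's authoritative nameservers are Namecheap's. A self-hosted zone needs a
# plugin for that DNS server instead (or the HTTP-01 challenge passed through
# the proxy).

# Return 0 when every nameserver name given (one per line) is a Namecheap one.
# Assumed pattern: dnsN.registrar-servers.com. Pure string logic, testable offline.
all_namecheap_ns() {
    [ -n "$1" ] || return 1
    old_ifs=$IFS
    IFS='
'
    set -- $1
    IFS=$old_ifs
    for ns in "$@"; do
        lc=$(printf '%s' "$ns" | tr 'A-Z' 'a-z')
        case "$lc" in
            dns[0-9]*.registrar-servers.com|dns[0-9]*.registrar-servers.com.) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# Live check: look up the zone delegation and report whether DNS_PLUGIN=namecheap
# can update it. The zone is assumed to be the last two labels of the host name.
check_dns01_route() {
    host="$1"                                   # e.g. zenphoto.aiskon.net
    zone=$(printf '%s' "$host" | awk -F. '{print $(NF-1) "." $NF}')
    ns=$(dig +short NS "$zone")
    echo "zone $zone is served by:"
    printf '%s\n' "$ns"
    echo "DNS-01 will look for TXT _acme-challenge.$host on those servers"
    if all_namecheap_ns "$ns"; then
        echo "delegated to Namecheap: the namecheap plugin can answer the challenge"
    else
        echo "not delegated to Namecheap: the namecheap plugin cannot update this zone"
    fi
}
```

Run it as `check_dns01_route zenphoto.aiskon.net` from a machine with outbound DNS; if the zone is served by the Virtualmin box, the namecheap plugin has nothing it can write to.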

GJSchaller

Contributor
Joined
Feb 10, 2021
Messages
100
It matters greatly. Caddy doesn't care who your registrar is, because your registrar isn't at all involved in cert issuance in any way. If you're wanting to use DNS validation to get a cert, Caddy needs to be able to update your DNS records.

Ah, OK - that now makes sense. I wasn't sure if the Namecheap Plugin was able to work by verifying domain ownership, but with that note - it looks like I'm in a bind with my current setup.

My DNS is local (hosted on the Virtualmin server that's acting as my Reverse Proxy)
My jails are behind a reverse proxy (preventing stand-alone cert, I believe)

I would either need to move my DNS back up to Namecheap, or find a way to be able to install a standalone LE cert from behind the proxy.
 

victort

Guru
Joined
Dec 31, 2021
Messages
973
From the docs you linked to it looks like it should work with DNS validation. Just edit the Caddyfile in the zenphoto jail and replace the tls section with this.

Code:
tls {
    dns namecheap {
        api_key yourapikeythatislong
        user yourapiuser
    }
}
 

GJSchaller

Contributor
Joined
Feb 10, 2021
Messages
100
From the docs you linked to it looks like it should work with DNS validation. Just edit the Caddyfile in the zenphoto jail and replace the tls section with this.

From what Danb35 mentioned, this may not work if my DNS is not hosted with Namecheap directly.

Question regarding the Config file - can I comment out lines? That way, I can quickly modify which Cert option I am using without needing to add or remove whole lines when I re-create the jail. (Thinking of keeping STANDALONE_CERT, DNS_CERT, NO_CERT, etc. and their options all in the file but marked with a # if I am not using them, so I can quickly switch between them.)
 

GJSchaller

Contributor
Joined
Feb 10, 2021
Messages
100
This may be relevant - the way the LE cert is called for may need to be changed to account for the fact it's behind a proxy:

 

victort

Guru
Joined
Dec 31, 2021
Messages
973
From what Danb35 mentioned, this may not work if my DNS is not hosted with Namecheap directly.

Question regarding the Config file - can I comment out lines? That way, I can quickly modify which Cert option I am using without needing to add or remove whole lines when I re-create the jail. (Thinking of keeping STANDALONE_CERT, DNS_CERT, NO_CERT, etc. and their options all in the file but marked with a # if I am not using them, so I can quickly switch between them.)
Yes, you can comment out lines.
 