Accessing Caddy on Non-80/443 Ports and Wildcard Domain Certificates

October 18, 2022

Background

Recently, I needed to connect a domain name with the public IP of residential broadband, which led to a series of issues.

Note: machines inside China that have not completed ICP record-filing may not provide services to the public!

http://www.gov.cn/gongbao/content/2005/content_93018.htm
Non-commercial Internet Information Services Record Management Measures

Providing non-commercial Internet information services within the territory of the People's Republic of China must go through the record-filing procedures in accordance with the law. Without registration, one may not engage in non-commercial Internet information services within the territory of the People's Republic of China.

On domestic residential broadband, inbound ports 80/443 are blocked, but Caddy expects to be reached on exactly those two ports. If Caddy is moved to other ports, the TLS certificate provider can no longer complete its validation, certificate issuance fails, and the site is still unreachable over HTTPS. In addition, a wildcard certificate for a public IP can only be issued through DNS-based validation; without a DNS configuration no wildcard certificate is granted.

{
	http_port 1080
	https_port 1443
}

If you want to understand the underlying mechanism, see this article:

https://ssine.ink/posts/caddy-non-443-port-https/

Changing the ports breaks certificate issuance because the TLS provider's domain validation must reach the server on 80/443, and it cannot.

The domain verification process includes:

  • HTTP-01
  • DNS-01
  • TLS-SNI-01 (disabled)
  • TLS-ALPN-01

With the ports changed, HTTP-01 is no longer possible, so DNS-01 is needed, and that means using a DNS plugin. The plugin proves ownership of the domain by adding a TXT record at the domain's DNS provider; since the record value is different for every certificate order, this has to happen automatically rather than by hand.

The DNS providers supported by Caddy are listed here:

https://caddyserver.com/docs/modules/


The author uses Tencent Cloud DNSPOD.

Caddy does not ship these non-standard modules (NON-STANDARD modules) by default, so they have to be added as plugins. Because Caddy is written in Go, a running binary cannot load modules dynamically; Caddy must be recompiled with the plugin built in.

Packaging and Building the New Module

Download the source code of Caddy:

git clone https://github.com/caddyserver/caddy.git

Download xcaddy, the tool that adds modules to the Caddy source tree and rebuilds Caddy. Choose the xcaddy release for the machine you build on, not for the environment where the resulting Caddy binary will run.

For instance, to compile for Linux under Windows, you should download the Windows version.

https://github.com/caddyserver/xcaddy/releases


After downloading, extract the archive, take out xcaddy.exe, and add its directory to the PATH environment variable so the command can be used from anywhere (optional).

Adding Plugins

The source code for the plugin we want to add is located at:

https://github.com/caddy-dns/dnspod

Since we need to compile a Linux program from Windows, we must set environment variables first.

Global setup:

go env -w CGO_ENABLED=0 GOOS=linux GOARCH=amd64

Open the Caddy source directory and execute:

xcaddy build --with github.com/caddy-dns/dnspod


The output is in fact a Linux binary; only the file name keeps the .exe extension. Rename it to caddy and upload it to your Linux system.

Obtaining DNSPOD Token

Since we are going to use DNSPOD, we first need to retrieve a token so that the plugin can dynamically modify TXT records.

Visit:

https://console.dnspod.cn/account/token/token

Create a DNSPOD token.

Then copy the token.

Configuring Caddyfile

First, create an environment file so that the token is stored separately from the Caddyfile.

dnspod.env:

DNSPOD_TOKEN=1111

Replace 1111 with your actual token.

Then configure global ports and set up the website for TLS using DNS verification.

{
	http_port 1080
	https_port 1443
}

test.local.你的域名.com {
	respond "Hello, world!"
	tls {
		dns dnspod {env.DNSPOD_TOKEN}
	}
}

Starting Caddy

Startup command:

caddy run --config Caddyfile --envfile dnspod.env

If a token error occurs at this point, that is expected; it is caused by a problem in the official library.

2022/10/18 00:22:52.389	ERROR	tls.obtain	will retry	{"error": "[test.local.nativet.cn] Obtain: [test.local.***.cn] solving challenges: presenting for challenge: adding temporary record for zone \"nativet.cn.\": Create record err.Zone:*.cn., Name: _acme-challenge.test.local, Value: 11-1, Error:could not get domains: The login token ID is invalid, { TXT _acme-challenge.test.local -** 0s 0} (order=https://acme.zerossl.com/v2/DV90/order/*-cWPoG4azrA) (ca=https://acme.zerossl.com/v2/DV90)", "attempt": 1, "retrying_in": 60, "elapsed": 14.129376688, "max_duration": 2592000}
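Because Caddy keeps retrying a failed order for a long time (max_duration above is 30 days), a bad DNSPOD token can go unnoticed until the existing certificate expires. The following is an added example, not code from the post or from Caddy, that parses Caddy's tab-separated console log lines like the one above, extracts the domain, CA and innermost cause of each tls.obtain failure, and flags token problems that retrying will never fix. The sample lines are constructed: the example.com names, the ORDERID values and the wording of the second (DNS propagation) failure are made up, and the line layout is assumed to match Caddy's default console encoder as shown in the post.

```python
import json
import re

# Caddy console log line: "<ts>\t<LEVEL>\t<logger>\t<msg>\t<json fields>"
LINE_RE = re.compile(r"^(\S+ \S+)\t([A-Z]+)\t(\S+)\t([^\t]*)\t(\{.*\})$")

# Constructed sample modelled on the post's tls.obtain error; example.com names and ORDERID are made up.
SAMPLE_LOG = [
    '2022/10/18 00:22:52.389\tERROR\ttls.obtain\twill retry\t{"error": "[test.local.example.com] Obtain: '
    "[test.local.example.com] solving challenges: presenting for challenge: adding temporary record for zone "
    r'\"example.com.\": Create record err. Error:could not get domains: The login token ID is invalid, '
    "{ TXT _acme-challenge.test.local 0s 0} (order=https://acme.zerossl.com/v2/DV90/order/ORDERID) "
    '(ca=https://acme.zerossl.com/v2/DV90)", "attempt": 1, "retrying_in": 60, "elapsed": 14.13, "max_duration": 2592000}',
    '2022/10/18 00:30:00.000\tERROR\ttls.obtain\twill retry\t{"error": "[*.local.example.com] Obtain: '
    "[*.local.example.com] solving challenges: waiting for solver to be ready: checking DNS propagation "
    "of _acme-challenge.local.example.com: timed out (order=https://acme.zerossl.com/v2/DV90/order/ORDERID2) "
    '(ca=https://acme.zerossl.com/v2/DV90)", "attempt": 2, "retrying_in": 120, "elapsed": 130.0, "max_duration": 2592000}',
]

def parse_obtain_failure(line: str):
    # Summarise one tls.obtain ERROR line; any other line yields None.
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    _ts, level, logger, _msg, payload = m.groups()
    if logger != "tls.obtain" or level != "ERROR":
        return None
    fields = json.loads(payload)
    err = fields.get("error", "")
    ident = re.match(r"\[([^\]]+)\]", err)
    ca = re.search(r"\(ca=([^)]+)\)", err)
    # Drop the ", {...}" record dump and "(order=...)" suffix, then keep the innermost
    # cause: after the DNS provider's "Error:" marker, else after "solving challenges: ".
    core = re.split(r", \{| \(order=", err)[0]
    for marker in ("Error:", "solving challenges: "):
        if marker in core:
            core = core.rsplit(marker, 1)[-1]
            break
    return {
        "domain": ident.group(1) if ident else "",
        "ca": ca.group(1) if ca else "",
        "attempt": int(fields.get("attempt", 0)),
        "retry_in_s": int(fields.get("retrying_in", 0)),
        "reason": core.strip(),
        # A bad DNSPOD token never fixes itself by retrying; flag it for a human.
        "credential_problem": "token" in core.lower(),
    }

def scan(lines):
    return [f for f in map(parse_obtain_failure, lines) if f]
```

Feed it the output of `caddy run` (or the journal) and alert on any entry with credential_problem set, since those will repeat every retry until the token in the Caddyfile is fixed.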

Replace dns dnspod {env.DNSPOD_TOKEN} with dns dnspod tokenId,token, for example:

dns dnspod 124,xxxxxx


Then start it with:

caddy run

痴者工良
