Caddy DNS challenge and Porkbun

2 min read infrastructurehomelabnetworkselfhostingtechguideprivacy
A mural of a rabbit and birds in a tree, by Mariko Ando
Quite frankly it was ridiculous to try to make all my post photos thematically relevant, I give up

I have not yet completed the migration of my workloads - okay, okay, any of my workloads - from my VPS back to my home server. But for latency and simple laziness reasons, I never moved a VM that I use for work to a separate instance, connecting to it within the LAN. However, last week, the LetsEncrypt certificate for that VM expired, and I was forced to address the situation.

Since I'm not yet ready on a network infrastructure level to have any amount of live internet traffic into my LAN, I decided to try something I've always kind of thought about doing but seemed like - and was! - a lot more effort than it was worth: the ACME DNS challenge. With the DNS challenge, instead of having LetsEncrypt connect back over ALPN to the local server - which requires a firewall hole - Caddy automatically adds a TXT record to DNS to validate the domain name before LE issues the cert.

Today, I decided to test this out with my domain registrar Porkbun's hosted DNS via their API. Thankfully, someone has recently published a Caddy plugin for Porkbun - although their README is incorrect and I have PRed a fix, it seems to work great after some propagation delays.

I set up the global option in Caddyfile for Porkbun, as I know any workloads deployed locally will not be internet-accessible. In the future, I may split between Porkbun DNS for local resources and Cloudflare for internet-facing ones, to take advantage of Cloudflare's WAF services.

Another challenge I will solve another day is how to set up a build pipeline for the Porkbun DNS plugin. Because Caddy plugins have to be compiled into the caddy binary, you either need to build your own binary via xcaddy or manually download the bare binary and deploy it manually - neither of which work great with my OS update model of just running apt. This is not a huge problem for internal workloads, but is going to be tough when it comes to keeping Caddy patched on internet-facing workloads. Let me know if you have any thoughts on keeping Caddy up-to-date without having to manually deploy a binary.

Jordan Cooks

Jordan Cooks

Website Twitter More posts
Jordan listens to too many podcasts, has too many streaming subscriptions, loves dogs, is the Integration Engineer Team Lead at Bitwarden, and makes a mean vegan baked mac and cheeze.
North Bend, OR
Previous Post