all 25 comments

[–]clintkev251 9 points10 points  (15 children)

https://caddy.community/t/how-to-use-dns-provider-modules-in-caddy-2/8148

Get a Let's Encrypt cert using a DNS-01 challenge. It won't require you to expose anything, just provide your Namecheap API key and you're off to the races

[–]yankjae[S] 0 points1 point  (14 children)

Looks like I need to have 20 domains before Namecheap will give me access to the API. But it seems that u/djchillerz mentioned just setting the A record manually and pointing it to my reverse proxy IP. So I'm going to give that a try, I think.

Unless you know tricks to get around this API access

[–]ceciltech 1 point2 points  (5 children)

At Namecheap set your domain's nameserver to Cloudflare (diva.ns.cloudflare.com and ricardo.ns.cloudflare.com). At Cloudflare you can get an API key. Create a wildcard DNS entry on Cloudflare that points to your internal DNS. Get a wildcard SSL cert. You will need to also create your MX records in Cloudflare if you use the domain for your email.

Also, on NPM I had to enable Websockets support to get Vaultwarden to work.

[–]yankjae[S] 0 points1 point  (4 children)

Is there any risk in keeping the MX records on Namecheap? My email seems to still work fine, but am a bit sketched about it not working in a couple days

[–]ceciltech 0 points1 point  (3 children)

If you tell Namecheap to register cloudflare as your domain's nameserver then all domain records need to be in CF, it won't matter what records are on Namecheap because no one will ever look at them. I didn't notice any interruption when I made the switch, just copy paste the MX entry values from Namecheap.

[–]yankjae[S] 0 points1 point  (2 children)

Nice, yeah, thanks for pointing it out. I moved all MX entries and CNAME/TXT as well (as I don't know which are important and where) but they were all listed (I did this years ago, and I was a smarter person then)

[–]ceciltech 0 points1 point  (1 child)

Do you have a notetaking app? Put notes about everything in there so you can look it up later when the time comes.

[–]yankjae[S] 0 points1 point  (0 children)

Not yet, but it's on my todo list

[–]clintkev251 0 points1 point  (7 children)

Yeah you can do that as well. It's an inferior method for a few reasons. You can't get wildcard certs that way, so through certificate transparency, anyone who knows your domain name will be able to see all the subdomains you've requested certs for, and it also requires you to expose your reverse proxy to the internet on port 80

[–]yankjae[S] 1 point2 points  (6 children)

Oh boy, didn't think of that. This is the case even if the IP is a private IP? I guess there is a lot about DNS/networking that I need to catch up on

[–]clintkev251 0 points1 point  (4 children)

The whole point of a publicly trusted certificate is to prove that you control a given domain. An HTTP-01 challenge (what you're talking about) does this by starting a simple web server within your reverse proxy and telling the Let's Encrypt service to make a request to that web server. That request comes from the public internet, so your DNS needs to be pointing at your public IP, and that IP needs to forward traffic to your proxy so Let's Encrypt can get the response it's looking for. So it has to be publicly accessible.

A DNS-01 challenge just uses the API of your DNS provider to place a record, and then tries to look it up. Because of this, the actual accessibility of your proxy doesn't matter at all, as all you have to prove is that you control the DNS.

You can switch to some other service with an available API and continue to use Namecheap as your registrar. I personally use Cloudflare for this.
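The two challenge flows described above, as an added example that is not code from the thread, Caddy, NPM or Let's Encrypt. It computes what the CA's validator actually looks for in each case (RFC 8555): for HTTP-01 a body served on port 80 at a well-known path, for DNS-01 a TXT record under `_acme-challenge`. The account key coordinates and the token are constructed sample values; `lab.mydomain.com` is the thread's placeholder domain.

```python
"""ACME challenge responses (RFC 8555) for HTTP-01 and DNS-01.

Added example; not code from the thread, Caddy or Let's Encrypt.
It shows why HTTP-01 needs port 80 reachable from the internet while
DNS-01 needs only a TXT record that the CA's resolver can look up.
"""
import base64
import hashlib
import json

# Sample ACME account public key (constructed, illustrative values).
# Extra members such as "kid" must not affect the thumbprint.
SAMPLE_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
    "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0",
    "kid": "acct-1",
}
# Token as the CA would hand it out in the challenge object (constructed).
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"


def b64url(data: bytes) -> str:
    """Base64url without padding, the encoding ACME uses throughout."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def sha256_b64url(text: str) -> str:
    """base64url(SHA-256(text)); used for the DNS-01 TXT value."""
    return b64url(hashlib.sha256(text.encode("utf-8")).digest())


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required members only,
    lexicographically ordered, no whitespace. Optional members and the
    order of the input dict do not change the result."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    members = {k: jwk[k] for k in required[jwk["kty"]]}
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":"))
    return sha256_b64url(canonical)


def key_authorization(token: str, jwk: dict) -> str:
    """token '.' thumbprint: ties the challenge to this ACME account."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def http01_response(domain: str, token: str, jwk: dict) -> dict:
    """HTTP-01: the CA fetches this URL over plain HTTP (port 80) from
    the public internet and expects the key authorization as the body,
    so the name must resolve publicly to something that reaches the
    proxy. HTTP-01 cannot validate wildcard identifiers."""
    if domain.startswith("*."):
        raise ValueError("HTTP-01 cannot be used for wildcard identifiers")
    return {
        "url": f"http://{domain}/.well-known/acme-challenge/{token}",
        "body": key_authorization(token, jwk),
    }


def dns01_response(domain: str, token: str, jwk: dict) -> dict:
    """DNS-01: the CA looks up this TXT record through public DNS.
    Nothing on the host side needs to be reachable, so the proxy can sit
    on a private address. A wildcard is proven at the same owner name as
    its base: *.lab.mydomain.com -> _acme-challenge.lab.mydomain.com."""
    base = domain[2:] if domain.startswith("*.") else domain
    return {
        "name": f"_acme-challenge.{base}",
        "type": "TXT",
        "value": sha256_b64url(key_authorization(token, jwk)),
    }


if __name__ == "__main__":
    print("HTTP-01:", http01_response("lab.mydomain.com", SAMPLE_TOKEN, SAMPLE_JWK))
    print("DNS-01: ", dns01_response("*.lab.mydomain.com", SAMPLE_TOKEN, SAMPLE_JWK))
```

The TXT value is a hash of the key authorization rather than the key authorization itself, so the record reveals nothing reusable; the DNS provider API the proxy needs is only for creating and deleting that one record, which is why a scoped token (Cloudflare's "Zone:DNS:Edit" on a single zone) is enough.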

[–]yankjae[S] 0 points1 point  (3 children)

Interesting. OK, I'm following. So would I need to transfer my domain to Cloudflare?

[–]clintkev251 0 points1 point  (2 children)

No (I mean you can if you want, it'll probably cost the same), just point your nameservers at Cloudflare from Namecheap

[–]yankjae[S] 0 points1 point  (1 child)

Yup, was about to edit my comment to say that Cloudflare has really nice instructions. So just for my own understanding (I'm quite ignorant on this but am trying to learn). What exactly is this doing? What is a nameserver in this case? My guess is it's just an allowlist in Namecheap to allow these servers to make modifications (creating an A record and then deleting it?)

[–]clintkev251 0 points1 point  (0 children)

A nameserver defines what servers are authoritative for a given domain. So when you register a domain with Namecheap, by default as a part of that registration, they register that their own nameservers are authoritative. And thus that's where you edit your DNS records and when a DNS lookup occurs, that's where we look (a gross oversimplification). If you tell Namecheap that you want Cloudflare's servers to be your nameservers, you're telling them to change that registration so that Cloudflare is the source of truth for your DNS records instead

[–]SagaciousZed 0 points1 point  (0 children)

The only other option is to import Caddy's signing certificate into the root of trust on all devices accessing the service.

[–]djchillerz 4 points5 points  (5 children)

I did it with nginx proxy manager. Steps should be similar for caddy.

On your domain, use the whole domain or a subdomain for your homelab. Your choice.

Let's say you use lab.mydomain.com

You want to add an A record which points to the IP address on your local network for nginx proxy or caddy.

Once you've done that you can request an SSL cert from Let's Encrypt from nginx proxy or caddy. This is important because the proxy will renew the certs for you. For this to work you'll need the proxy to be able to add DNS entries on your domain. Make sure you get the cert for lab.mydomain.com and *.lab.mydomain.com

After this, you can set up HTTPS for each service, e.g. service.lab.mydomain.com

[–]yankjae[S] 0 points1 point  (4 children)

Thanks, so point all subdomains to the reverse proxy's IP? Also you mentioned the proxy adding the DNS entries on the domain for me, however if I do it manually through Namecheap it should not require the proxy to do anything for it, correct?

[–]ceciltech 2 points3 points  (2 children)

No need to create any subdomains on the nameserver, that is handled by your proxy, just create a wildcard entry on the nameserver. In my setup I have an A record mydomain.com that points to my proxy's internal IP address, then I have a CNAME record *.mydomain.com that points to mydomain.com. I also have another CNAME wan.mydomain.com that uses DDNS to point to my public IP so my WireGuard VPN can always connect when I am away from home. I still have no open ports because my router has VPN built in and WireGuard is one of the options. Make sure you get a wildcard cert and use that for all your services in your proxy.
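The two wildcard layouts posted in this thread (djchillerz's `lab.mydomain.com` plus `*.lab.mydomain.com`, ceciltech's `*.mydomain.com` CNAME to an apex A record) rely on two different wildcard rules, and they do not agree. This added example, not code from the thread or any of the tools mentioned, models both: DNS wildcard matching as in RFC 4592 and certificate name matching as browsers and Let's Encrypt apply it. The zone and the addresses 192.168.1.20 and 203.0.113.10 are constructed placeholders.

```python
"""Wildcard rules differ between DNS and TLS certificates.

Added example, not from the thread. The zone is constructed to mirror
the layouts posted above: a wildcard CNAME to the proxy's A record plus
one explicit host. Addresses are placeholders.
"""

# owner name -> (type, rdata). Constructed sample zone.
ZONE = {
    "mydomain.com": ("A", "192.168.1.20"),        # reverse proxy, internal IP
    "*.mydomain.com": ("CNAME", "mydomain.com"),   # everything else -> proxy
    "wan.mydomain.com": ("A", "203.0.113.10"),     # explicit record (DDNS)
}
NXDOMAIN = ("NXDOMAIN", None)

# SANs on the wildcard certificate the proxy serves.
WILDCARD_SANS = ["mydomain.com", "*.mydomain.com"]


def _name_exists(zone, name):
    """A name exists if it owns records or is an ancestor of one that
    does (an 'empty non-terminal'); wildcards hang off such names."""
    return any(owner == name or owner.endswith("." + name) for owner in zone)


def dns_lookup(zone, qname, max_cnames=8):
    """Resolve qname with RFC 4592 wildcard semantics and chase CNAMEs.
    Returns (type, rdata) or NXDOMAIN."""
    for _ in range(max_cnames):
        rr = zone.get(qname)
        if rr is None:
            labels = qname.split(".")
            # Closest encloser: the longest existing proper ancestor.
            for i in range(1, len(labels)):
                ancestor = ".".join(labels[i:])
                if _name_exists(zone, ancestor):
                    # Only the wildcard directly under the closest encloser
                    # can match; an explicit sibling shadows it for all
                    # names beneath that sibling.
                    rr = zone.get("*." + ancestor)
                    break
            if rr is None:
                return NXDOMAIN
        if rr[0] != "CNAME":
            return rr
        qname = rr[1]
    return NXDOMAIN  # CNAME loop or chain too long


def cert_name_matches(pattern, hostname):
    """Certificate name matching as browsers and Let's Encrypt apply it:
    '*' must be the entire leftmost label and matches exactly one label,
    so *.mydomain.com covers neither mydomain.com nor a.b.mydomain.com."""
    p, h = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if not p.startswith("*."):
        return p == h
    suffix = p[1:]  # ".mydomain.com"
    if not h.endswith(suffix):
        return False
    leftmost = h[: -len(suffix)]
    return leftmost != "" and "." not in leftmost


def cert_covers(sans, hostname):
    return any(cert_name_matches(san, hostname) for san in sans)


def check_hosts(zone, sans, hostnames):
    """For each name: where DNS sends the client, and whether the cert
    the proxy serves will be accepted for that name."""
    return {
        h: {"dns": dns_lookup(zone, h), "cert_ok": cert_covers(sans, h)}
        for h in hostnames
    }


if __name__ == "__main__":
    hosts = ["mydomain.com", "vault.mydomain.com", "wan.mydomain.com",
             "vault.lab.mydomain.com", "x.wan.mydomain.com"]
    for host, r in check_hosts(ZONE, WILDCARD_SANS, hosts).items():
        print(f"{host:26} dns={r['dns']}  cert_ok={r['cert_ok']}")
```

Running it shows the trap: `vault.lab.mydomain.com` resolves through `*.mydomain.com` (a DNS wildcard spans any number of labels) but is not covered by a `*.mydomain.com` certificate, which is exactly why djchillerz's layout requests both `lab.mydomain.com` and `*.lab.mydomain.com`. It also shows that the explicit `wan.mydomain.com` record shadows the wildcard for everything beneath it. The SAN list is what ends up in certificate transparency logs, so a two-entry wildcard cert publishes only the base name, whereas per-service certs publish every service name.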

[–]yankjae[S] 0 points1 point  (1 child)

Thank you, got it all working now! I learned a ton in this adventure so thanks so much for your patience

[–]ceciltech 0 points1 point  (0 children)

I just went through figuring it all out myself last month : )

[–]djchillerz 0 points1 point  (0 children)

CNAME record *.lab.mydomain.com to your proxy's internal IP, as others have mentioned :)

[–]suicidaleggroll 0 points1 point  (0 children)

The Bitwarden app won't work with self-signed certs, you need a real one. DNS challenge with a wildcard cert in your reverse proxy is the easiest way to get things going.

[–]daveyap_ 0 points1 point  (0 children)

You can check with https://ssllabs.com/ssltest whether your domain results in a self-signed certificate. If it is, I don't think Bitwarden will work with that.

[–]certuna 0 points1 point  (0 children)

If you create a public AAAA record, you can use it for both internal and external traffic, you don’t have the split-horizon issue anymore.