-
-
Notifications
You must be signed in to change notification settings - Fork 295
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Q: What's the correct way to setup statically managed domains + dynamically added domains? #226
Comments
You'd want to use on-demand TLS: https://pkg.go.dev/github.com/caddyserver/certmagic#Config.OnDemand Probably create two certmagic configs, one that manages the hostnames you control, and one for the on-demand config, and have both configs share the same cache. |
Does that mean I need to return the correct Follow-ups:
|
Yep! Because during a certificate's lifetime, how it is managed may change, so that callback is invoked at the time of renewal to ensure the most current, correct config is used.
Yes!
Also yes! |
Do I need to mux the |
Sorry I missed this reply until now. What do you mean by mux it? Can you explain your question a little more? |
Sorry, I meant if I need to call the correct GetCertificate from different config based on the handshake |
OK, now it is dynamically selecting between the two configs. However, there's an issue:
It seems like if I'm using the built-in solvers (http or tls), certmagic will attempt to start listeners locally. However I already have port 80 and 443 listening in the application that can handle them. Is there a way to work around that? Or do I have to use dns solver only? |
How are you setting it up in code? You should just pull the TLS Config from certmagic and use it with your own listener; don't call |
@zllovesuki CertMagic will only try to bind the port if the socket isn't already in use, but it's tricky in this case since it looks like your program doesn't have permission to bind port 80/443. When it tries binding the port to see if it's in use (and to acquire the socket if it's not), it will defer to whatever is already running if it gets an error like "already in use" -- but in your case it's getting "permission denied" which is a different error. Try giving your program permission to bind to ports 80/443 and it should work. |
There's a workaround to:
However, in my use case I still need the DNS approach, as that's also being used to verify the ownership in the application. |
You should still be able to use the DNS challenge even with that workaround -- does changing the permissions work at all too? |
Use case: I have a project that allows users to create reverse tunnel over QUIC, and their tunnels will be available on
tunnel.example.com
, such asstring-string-string.tunnel.example.com
. However, I also want to allow user to point their own domain to the service.Currently there's
ManageAsync
ontunnel.example.com
and*.tunnel.example.com
, with only DNS solver available. Assuming that the "custom hostname" isweb.mydomain.com
, and its TXT record is managed by the service, how would you dynamically add that to a running certmagic instance?The text was updated successfully, but these errors were encountered: