
Feature Request: Allow entry point for post certificate provisioning hooks #3643

Closed · hoshsadiq opened this issue Aug 6, 2020 · 10 comments
Labels: feature ⚙️ New feature or request

@hoshsadiq

It would be nice to have a way to run commands after a certificate has been provisioned. This is useful when provisioning certificates for an application that needs to be reloaded or something. In my case I'd like to use Caddy to get certificates for a PostgreSQL instance, and reload PostgreSQL when a certificate is issued. I'm already using Caddy for the front-end, so I'd like to avoid using another tool just for PostgreSQL.

As mentioned in #3604, this used to be provided by the on plugin, which has since been removed.

Relates to abiosoft/caddy-exec#2

@francislavoie
Member

Related issue for event stuff: #2344

@virtualdxs

Any updates on this? I use Caddy to manage certificates for my mail server and as of right now I have to reload my mail server manually when the certs expire, which is sort of antithetical to the purpose of automatic cert management.

@mholt
Member

mholt commented Jun 4, 2022

Well, hang on -- ideally, the mail server should be automatically renewing its own certificate in the first place. 😉

I haven't really looked at this issue since it was opened in 2020 since there hasn't been any activity on it. But now I see it has 16 thumbs up, so I guess there is demand for it.

We can work this into Caddy by v2.6 I think.

@mholt mholt added this to the v2.6.0 milestone Jun 4, 2022
@virtualdxs

I don't necessarily disagree that the mailserver should probably do that itself, but even if it did I'm not sure I'd trust it to be as robust as Caddy's cert logic. Plus, it can't bind to 443 so it would need to do DNS-based challenges which require additional configuration.

I think ideally I'd be having Caddy front it with Conncept, but until that's stable, this seems like a good workaround :)

@mholt
Member

mholt commented Jun 7, 2022

@virtualdxs Personally, I think you can use Project Conncept, it has settled down a bit and seems to work well. Won't know until more people use it. 🤷

We'll probably be finishing Francis' work on the eventing system this year.

@virtualdxs

Unfortunately, I just realized that won't work as it turns out. Unlike with an HTTP reverse proxy, the mail server wouldn't have a way to get the remote IP address to do things like SPF checks. So external cert management seems to be the only option. (Or some crazy idea involving tunneling SMTP in HTTP and a mailserver that understands that 😄)

@emilylange
Member

@virtualdxs Just a little fyi 😇

> Unlike with an HTTP reverse proxy, the mail server wouldn't have a way to get the remote IP address to do things like SPF checks.

Most mailserver setups are very much capable of running behind a load balancer/proxy.
Project Conncept (caddy-l4) has native support for HAProxy's PROXY protocol (both v1 & v2), which is basically *the* industry standard for arbitrary TCP proxying while also passing the clients' IP to upstream.

Unfortunately, the only encryption SMTP hosts/relays support to send mails between each other is still STARTTLS 🙄.
Opportunistic encryption, which negotiates at the application layer.

So you could very much have caddy-l4 (or any other proxy like nginx, traefik, haproxy, envoy, etc.) in front of your user facing endpoints (IMAPs/POP3s/SMTPs for clients) and SMTP for mailserver to mailserver traffic, but would still have to support STARTTLS on :25 for other mailservers.

And for your MX to support STARTTLS, you would have to pass it a certificate.
Otherwise, any other MTA would only be able to send you their mails unencrypted, which is really really bad.

> So external cert management seems to be the only option.

Yes, sadly :(
At least for the server to server traffic between MTAs and MX hosts in SMTP.
Just for a slightly different reason 🙂
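As an added example (not code from this thread, from Caddy or from caddy-l4), here is a strict parser for the PROXY protocol v1 header that the comment above refers to, together with the one check a receiving mail server needs when it relies on that header for SPF-style decisions: the header is only honoured when the TCP peer is a configured proxy, because from any other peer a "PROXY ..." line is just untrusted application data and must not be allowed to rewrite the client address. The trusted-proxy set, the sample header lines and the `effective_client` helper are constructed for this example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple

# PROXY protocol v1 (HAProxy spec): one ASCII line ending in CRLF, at most
# 107 bytes including the CRLF, sent by the proxy before any application data.
MAX_V1_HEADER = 107


@dataclass
class ProxyV1:
    family: str                # "TCP4", "TCP6" or "UNKNOWN"
    src_ip: Optional[str]      # original client address (None for UNKNOWN)
    dst_ip: Optional[str]
    src_port: Optional[int]
    dst_port: Optional[int]


def parse_proxy_v1(data: bytes) -> Tuple[ProxyV1, bytes]:
    """Parse a PROXY v1 header from the start of a byte stream.

    Returns (header, remaining application bytes). Raises ValueError on any
    deviation from the spec; a receiver should then close the connection
    rather than guess at the client address.
    """
    end = data.find(b"\r\n", 0, MAX_V1_HEADER)
    if end == -1:
        raise ValueError("no CRLF within the first 107 bytes")
    line, rest = data[:end], data[end + 2:]
    try:
        fields = line.decode("ascii").split(" ")
    except UnicodeDecodeError:
        raise ValueError("non-ASCII byte in header") from None
    if fields[0] != "PROXY" or len(fields) < 2:
        raise ValueError("missing PROXY signature")
    if fields[1] == "UNKNOWN":
        # The proxy could not determine the original addresses; the spec says
        # to ignore anything after UNKNOWN and fall back to the socket peer.
        return ProxyV1("UNKNOWN", None, None, None, None), rest
    if fields[1] not in ("TCP4", "TCP6") or len(fields) != 6:
        raise ValueError("unsupported family or wrong field count")
    want = 4 if fields[1] == "TCP4" else 6
    # ip_address() itself raises ValueError on anything that is not an address.
    src, dst = ipaddress.ip_address(fields[2]), ipaddress.ip_address(fields[3])
    if src.version != want or dst.version != want:
        raise ValueError("address does not match the declared family")
    ports = []
    for p in fields[4:6]:
        if not p.isdigit() or not 0 <= int(p) <= 65535:
            raise ValueError("bad port")
        ports.append(int(p))
    return ProxyV1(fields[1], str(src), str(dst), ports[0], ports[1]), rest


def is_valid_proxy_v1(data: bytes) -> bool:
    """True if the stream starts with a well-formed v1 header."""
    try:
        parse_proxy_v1(data)
        return True
    except ValueError:
        return False


def effective_client(peer_ip: str, data: bytes,
                     trusted_proxies: Iterable[str]) -> Tuple[str, bytes]:
    """Decide which address counts as the client for SPF, rate limiting and logs.

    Only a connection arriving from a configured proxy may carry a PROXY
    header. From anyone else the bytes are ordinary application data and the
    socket peer is the client; this is what prevents source-address forgery.
    """
    if peer_ip not in set(trusted_proxies):
        return peer_ip, data
    header, rest = parse_proxy_v1(data)
    return (header.src_ip or peer_ip), rest


if __name__ == "__main__":
    # Constructed sample: caddy-l4 (hypothetically at 10.0.0.2) forwards an SMTP
    # client from 192.0.2.10 to the MTA listening on 198.51.100.5:25.
    stream = b"PROXY TCP4 192.0.2.10 198.51.100.5 51234 25\r\nEHLO mx.example\r\n"
    client, app_data = effective_client("10.0.0.2", stream, {"10.0.0.2"})
    print("client address for SPF:", client)
    print("first application bytes:", app_data)
```

The parser rejects rather than repairs: a mismatched family, a non-numeric port, a missing CRLF or any non-ASCII byte is a hard failure, since a lenient receiver that guesses is exactly how a crafted header ends up in the SPF decision or the log line. `effective_client` is the part to keep even if you use a library parser: the header is an authorization problem, not just a parsing one.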

@virtualdxs

@IndeedNotJames That's good to know, I hadn't heard of the PROXY protocol. Thanks!

@francislavoie
Member

For the record, my WIP work on events is here: https://github.com/caddyserver/caddy/compare/event. It's functional, it's possible to subscribe to certificate issuance events, but we don't have any event listener plugins yet, so it's not too useful on its own.

@mholt
Member

mholt commented Aug 31, 2022

Implemented in #4984
