[[How to Configure HTTPS Subdomains for Multiple Services Using Caddy Reverse Proxy]]

## **Automatic HTTPS, Certificate Generation, Storage, and Renewal**

When you install **Caddy directly on the host system** (via `apt install caddy`), one of its most powerful features is **automatic HTTPS**. Caddy is the only web server that natively manages SSL certificates _without any external scripts or configuration_.

Below is a complete explanation of how it works.

---

# **1. Caddy Issues SSL Certificates Automatically**

As soon as you configure a site in your `/etc/caddy/Caddyfile` like this:

```caddy
example.com {
    reverse_proxy localhost:8080
}
```

Caddy detects that:

- **`example.com` is a real domain name**, not an IP address
- **the domain points to your server’s public IP**
- **Caddy is listening on ports 80 and 443**

And then it automatically requests a valid SSL certificate from **Let’s Encrypt**.

You do **not** need:

- certbot
- manual key generation
- CSR files
- renew scripts
- cron jobs
- configuration inside nginx or apache

Caddy does everything.

---

# **2. Requirements for Automatic HTTPS**

To successfully issue a certificate, three conditions must be met:

### ✔ 1. DNS A-record must point to your server

Example:

```
example.com → 77.237.235.191
```

### ✔ 2. Caddy must control ports 80 and 443

This means no nginx, Apache, or Docker container should be using those ports.

### ✔ 3. Domain must be reachable from the internet

Let’s Encrypt checks your server externally.

If all conditions are met, Caddy automatically provisions HTTPS.

---

# **3. How Caddy Verifies the Domain (ACME Challenge)**

Caddy uses the **ACME HTTP-01 challenge**:

1. Caddy opens port **80**.
2. Let’s Encrypt asks Caddy to serve a verification file.
3. Caddy responds correctly.
4. Let’s Encrypt confirms you own the domain.
5. Caddy receives the certificate.

All of this happens instantly and automatically. Caddy also supports the TLS-ALPN-01 challenge on port 443 and can fall back to it if HTTP-01 fails; the DNS-01 challenge needs a DNS provider module and extra configuration.

---

# **4. Where Caddy Stores Certificates**

On a host installation, certificates and keys are stored in:

```
/var/lib/caddy/.local/share/caddy
```

![[Pasted image 20251113172724.png]]

Inside this folder you will find:

```
acme/
certificates/
keys/
```

Caddy manages its own storage and does not overwrite system certificates. This directory holds private keys, so keep it owned by the `caddy` service user and exclude it from world-readable backups.

![[Pasted image 20251113172824.png]]

---

# **5. How Caddy Activates SSL Encryption**

Once Caddy obtains a certificate:

- It opens port **443**
- It uses the certificate and private key inside its TLS module
- It redirects all plain-HTTP requests on port 80 to HTTPS automatically
- It begins serving encrypted traffic with HTTP/2 and HTTP/3 (QUIC)

No further configuration is needed.

---

# **6. Automatic Certificate Renewal**

Caddy continuously monitors certificate expiration dates. It automatically renews certificates:

- **30 days before expiration** (two-thirds of a 90-day Let’s Encrypt certificate’s lifetime)
- **without downtime**
- **without scripts or cron**
- **without reloading the service**

Certificates are renewed silently in the background. Caddy is the only major web server that renews SSL **without restarting itself**.

---

# **7. What Happens After Renewal**

After renewal:

- The new certificate replaces the old one
- Caddy updates internal TLS state instantly
- Active connections remain uninterrupted

You never need to restart or reload Caddy manually for renewal.

---

# **8. How to Check SSL Status**

You can list the TLS-related modules available in your Caddy build:

```bash
caddy list-modules | grep tls
```

You can inspect the certificate files:

```bash
sudo ls /var/lib/caddy/.local/share/caddy/certificates
```

Or check the logs:

```bash
journalctl -u caddy --no-pager -f
```

Look for lines like:

```
obtained certificate
renewing certificate
certificate successfully renewed
```

---

# **9. What If HTTPS Fails? Common Causes**

### ❌ Port 80 is blocked

→ A Docker container or nginx is using port 80.

### ❌ DNS does not point to server

→ A-record incorrect or not propagated.

### ❌ Domain not reachable from the internet

→ Firewall blocking inbound 80/443.

### ❌ Using IP address instead of domain

Caddy cannot issue SSL for bare IPs.

---

# **10. Summary**

Caddy provides:

- **Automatic HTTP→HTTPS**
- **Automatic Let’s Encrypt certificates**
- **Automatic renewal**
- **Zero configuration SSL**
- **Zero downtime reloads**
- **Built-in modern TLS with HSTS, ALPN, HTTP/2, HTTP/3**

When installed on a host system, Caddy is the simplest and most reliable way to deploy production HTTPS for any application.
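The requirements from section 2, the expiry check from section 8 and the port-conflict causes from section 9 can be verified from one script before opening a ticket. This is an added example, not part of Caddy or of the original note: the function names are its own, it assumes a Linux host with `dig`, `ss`, `openssl` and GNU `date`, and the IP from the DNS example above is only the expected value passed on the command line.

```shell
#!/bin/sh
# Pre-flight and status checks for Caddy automatic HTTPS on a host install.
# Added example, not part of Caddy. Assumes POSIX sh, GNU date, dig, ss, openssl.
# The three helpers read their data from stdin so they can be tested offline.
set -u

# Requirement 1 (DNS): does one of the domain's A records equal this server's public IP?
# usage: dig +short A "$domain" | dns_points_here "$public_ip"
dns_points_here() {
  grep -qxF "$1"
}

# Requirement 2 (ports): print any listener on :80/:443 that is not caddy; exit 1 if found.
# usage: ss -ltnpH | foreign_listeners   (field 4 is Local Address:Port, field 6 is Process)
foreign_listeners() {
  awk '$4 ~ /:(80|443)$/ && $0 !~ /"caddy"/ { print; bad = 1 } END { if (bad) exit 1 }'
}

# Renewal status: days until the served certificate expires (negative if already expired).
# usage: openssl x509 -noout -enddate < cert.pem | days_until_expiry ["now" date string]
days_until_expiry() {
  end=$(sed -n 's/^notAfter=//p')
  [ -n "$end" ] || return 1
  now=$(date -d "${1:-now}" +%s)
  echo $(( ( $(date -d "$end" +%s) - now ) / 86400 ))
}

# Run all checks against a live host: check_site example.com 77.237.235.191
check_site() {
  domain=$1; ip=$2
  if dig +short A "$domain" | dns_points_here "$ip"; then echo "ok: $domain -> $ip"
  else echo "FAIL: $domain does not resolve to $ip (DNS A record)"; fi
  if ss -ltnpH | foreign_listeners; then echo "ok: ports 80/443 free or held by caddy"
  else echo "FAIL: another process listens on 80/443 (lines above); ACME challenge will fail"; fi
  days=$(openssl s_client -servername "$domain" -connect "$domain:443" </dev/null 2>/dev/null \
         | openssl x509 -noout -enddate | days_until_expiry) \
    || { echo "FAIL: no certificate served on $domain:443"; return 1; }
  if [ "$days" -gt 30 ]; then echo "ok: certificate valid for $days more days"
  else echo "WARN: $days days left; Caddy renews at 30 days, check: journalctl -u caddy"; fi
}

if [ $# -eq 2 ]; then check_site "$@"; fi
```

Run it as `sh check_caddy.sh example.com 77.237.235.191`; a WARN with plenty of days left usually means the server clock or the served certificate is not what you expect.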