Google Cloud Datastore storage for Caddy TLS data.
Caddy usually uses a local filesystem to store TLS data when it auto-generates certificates from a CA like Lets Encrypt. With this plugin it is possible to use multiple Caddy instances with the same HTTPS domain, for instance with DNS round-robin or behind a load balancer, with centralized storage (Google Cloud Datastore) for auto-generated certificates. Using a caddy DNS challenge plugin is required.
It works with recent versions of Caddy 0.10.x All data that is stored is encrypted using AES.
You need to compile Caddy by yourself to use this plugin.
- Set up a working Go installation, see https://golang.org/doc/install
- Checkout Caddy source code from https://github.com/caddyserver/caddy
- Get latest caddy-tlsclouddatastore with
go get -u github.com/j0hnsmith/caddy-tlsclouddatastore
- Add this line to
caddy/caddymain/run.go
in theimport
region:
import (
...
_ "github.com/j0hnsmith/caddy-tlsclouddatastore"
)
- Change dir into
caddy/caddymain
and compile Caddy withgo run build.go
In order to use Cloud Datastore you have to change the storage provider in your Caddyfile like so:
tls [email protected] {
storage cloud-datastore
dns ... # dns challenge provider
}
DATASTORE_PROJECT_ID
GCP project id (not name), required.CADDY_CLOUDDATASTORETLS_SERVICE_ACCOUNT_FILE
the full path to service account json key file (create service account with Datastore -> Cloud Datastore User role), required.CADDY_CLOUDDATASTORETLS_B64_AESKEY
defines your personal AES key to use when encrypting data, generate withopenssl rand -base64 32
or similar (don't use a string), defaults to an insecure key.CADDY_CLOUDDATASTORETLS_PREFIX
defines the prefix for the keys, default iscaddytls
.
caddy-tlsconsul provided inspiration, thanks also to Matt Holt for Caddy.