Feature Request: Allow entry point for post certificate provisioning hooks #3643
Comments
|
Related issue for event stuff: #2344 |
|
Any updates on this? I use Caddy to manage certificates for my mail server and as of right now I have to reload my mail server manually when the certs expire, which is sort of antithetical to the purpose of automatic cert management. |
|
Well, hang on -- ideally, the mail server should be automatically renewing its own certificate in the first place. 😉 I haven't really looked at this issue since it was opened in 2020 since there hasn't been any activity on it. But now I see it has 16 thumbs up, so I guess there is demand for it. We can work this into Caddy by v2.6 I think. |
|
I don't necessarily disagree that the mailserver should probably do that itself, but even if it did I'm not sure I'd trust it to be as robust as Caddy's cert logic. Plus, it can't bind to 443 so it would need to do DNS-based challenges which require additional configuration. I think ideally I'd be having Caddy front it with Conncept, but until that's stable, this seems like a good workaround :) |
|
@virtualdxs Personally, I think you can use Project Conncept, it has settled down a bit and seems to work well. Won't know until more people use it. 🤷 We'll probably be finishing Francis' work on the eventing system this year. |
|
Unfortunately, I just realized that won't work as it turns out. Unlike with an HTTP reverse proxy, the mail server wouldn't have a way to get the remote IP address to do things like SPF checks. So external cert management seems to be the only option. (Or some crazy idea involving tunneling SMTP in HTTP and a mailserver that understands that 😄) |
|
@virtualdxs Just a little fyi 😇
Most mailserver setups are very much capable of running behind a load balancer/proxy. Unfortunately, the only encryption SMTP hosts/relays support to send mails between each other is still STARTTLS 🙄. So you could very much have caddy-l4 (or any other proxy like nginx, traefik, haproxy, envoy, etc.) in front of your user facing endpoints (IMAPs/POP3s/SMTPs for clients) and SMTP for mailserver to mailserver traffic, but would still have to support STARTTLS on And for your MX to support STARTTLS, you would have to pass it a certificate.
Yes, sadly :( |
|
@IndeedNotJames That's good to know, I hadn't heard of the PROXY protocol. Thanks! |
|
For the record, my WIP work on events is here: https://github.com/caddyserver/caddy/compare/event. It's functional, it's possible to subscribe to certificate issuance events, but we don't have any event listener plugins yet, so it's not too useful on its own. |
|
Implemented in #4984 |
It would be nice to have a way to run commands after a certificate has been provisioned. This is useful when provisioning certificates for an application that needs to be reloaded or something. In my case I'd like to use Caddy to get certificates for a PostgreSQL instance, and reload PostgreSQL when a certificate is issued. I'm already using Caddy for the front-end, so I'd like to avoid using another tool just for PostgreSQL.
As mentioned in #3604, this used to be provided by the
onplugin, which has since been removed.Relates to abiosoft/caddy-exec#2
The text was updated successfully, but these errors were encountered: