this post was submitted on 01 Feb 2026
36 points (100.0% liked)

Selfhosted

60587 readers
1590 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

Detailed Rules Post

  1. Be civil.

  2. No spam.

  3. Posts are to be related to self-hosting.

  4. Don't duplicate the full text of your blog or readme if you're providing a link.

  5. Submission headline should match the article title.

  6. No trolling.

  7. Promotion posts require active participation, with an account that is at least 30 days old. F/LOSS without a paywall has exceptions, with requirements. See the rules link for details. Tags [CBH] or [AIP] are required, see the links in Rule 8 for details.

  8. AI-related discussions and AI-involved promotional posts have additional requirements for tagging, as noted in Rule 7 and the AI & Promotional Post Expanded Rules post, and find example disclosures here.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 3 years ago
MODERATORS
 

Think I've gone down the rabbit hole on this one.

I have more than one Debian machine that I host apps on. I want to serve them with https, so I decided it was best to centrally get the domain cert/key (I've used certwarden) and use a script/cron job on each server to get the certs. Then use caddy to reverse-proxy.

So, after some research I decided that certs should be placed in /etc/SSL/certs (keys in /etc/SSL/private). Problem is caddy can't get to them. I've tried messing around with permissions etc but I suspect I'm running into issues because I'm not doing this the proper way.

What is the proper way of doing it? Or is there a much easier solution?

you are viewing a single comment's thread
view the rest of the comments
[โ€“] BlackEco@lemmy.blackeco.com 8 points 5 months ago (1 children)

But you're still using Caddy as the sole reverse proxy, don't you? Do you have multiple Caddy instances that require access to a single certificate?

[โ€“] Appoxo@lemmy.dbzer0.com 1 points 5 months ago

Thing is, you may have some devices that should be accessible even if the reverse proxy is unreachable.
And if you have HSTS and wamt to reach a device under the same local DNS suffix (example: External -> service.example.org, Internal: service.int.examole.org) you can't just bypass the https warning.
Same for devices reachable over RDP, SSH, etc. etc.