Deploying Caddy with DNS-01 Challenge using CNAME on Cloudflare

Preface

Configuration of a Caddy server that obtains certificates through the ACME DNS-01 challenge, with the challenge delegated to a Cloudflare-hosted zone via a CNAME record.

Useful if your DNS provider has no Caddy DNS module and you just want to delegate the DNS-01 challenge to a domain hosted on Cloudflare.

Prerequisite

  1. Write access to the DNS records of your main domain at the unsupported provider;
  2. Write access to a second domain, hosted on Cloudflare, that will receive the DNS-01 challenge records;
  3. Write access to your Cloudflare account;
  4. A server with Docker installed.

Procedure

Before applying the docker-compose file and Caddyfile below, make sure you have created a CNAME record in your main domain.

For example, to get a certificate for a subdomain of my main domain, dev.ndkprd.com, where the domain I host on Cloudflare is ndkprd.my.id, I created a CNAME pointing _acme-challenge.dev.ndkprd.com to _acme-challenge.dev.ndkprd.my.id.

Directory Tree

.
├── caddy
│   ├── .env
│   ├── Caddyfile
│   ├── config
│   └── data
├── docker-compose.yaml
├── Dockerfile_caddy
└── README.md

Docker Compose Example

---

# Deploying Caddy with DNS-01 Challenge using CNAME on Cloudflare

version: '3.7'

services:

  caddy-cloudflaredns:
    image: ndkprd/caddy-cloudflaredns:v0.0.1
    container_name: caddy
    restart: unless-stopped
    ports:
      - 80:80
      - 443:443
    volumes:
      - ./caddy/Caddyfile:/etc/caddy/Caddyfile
      - ./caddy/data:/data
      - ./caddy/config:/config
    env_file:
      - caddy/.env

  whoami:
    image: traefik/whoami
    container_name: whoami
    restart: unless-stopped
    ports:
      - 8081:80

Caution

Please don’t use my container image, since I probably won’t update it. Instead, you can build it on your own using the following Dockerfile.

With the caddy/.env file below. Since the token sits in plain text in this file, scope it to DNS edit on the Cloudflare zone only and keep the file out of version control:

CLOUDFLARE_EMAIL=<[email protected]>
CLOUDFLARE_API_TOKEN=<my-super-secret-token>
ACME_AGREE=true

Caddyfile Example

*.dev.ndkprd.com {
    tls [email protected] {
        dns cloudflare {env.CLOUDFLARE_API_TOKEN}
        dns_challenge_override_domain _acme-challenge.dev.ndkprd.my.id
        resolvers 1.1.1.1 1.0.0.1
        # Let's Encrypt staging directory, use this for testing, to
        # mitigate being rate limited by Let's Encrypt.
        # ca https://acme-staging-v02.api.letsencrypt.org/directory
        ca https://acme-v02.api.letsencrypt.org/directory
    }
    reverse_proxy whoami:80
    encode gzip
}
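Before starting the stack it is worth confirming that the CNAME from the Procedure section actually points at the dns_challenge_override_domain in the Caddyfile, since a mismatch only surfaces as a failed challenge in Caddy's logs. The following preflight check is an added example, not part of the original post or of Caddy; the live lookup assumes dig is installed, and the lookup is injectable so the logic can be exercised with constructed records.

```python
"""Preflight check for CNAME-delegated DNS-01 (added example, not from the post).

An ACME server validates DNS-01 by querying TXT at _acme-challenge.<site>.
With CNAME delegation that name must alias the dns_challenge_override_domain
from the Caddyfile, because that is where Caddy writes the TXT record.
"""
import subprocess
from typing import Callable, Optional

Lookup = Callable[[str], Optional[str]]


def challenge_name(site: str) -> str:
    """Name the ACME server queries for DNS-01. A wildcard such as
    *.dev.ndkprd.com is validated at _acme-challenge.dev.ndkprd.com
    (the leading '*.' is dropped, same as for the base name)."""
    host = site[2:] if site.startswith("*.") else site
    return "_acme-challenge." + host.rstrip(".").lower()


def dig_cname(name: str) -> Optional[str]:
    """Return the first CNAME target of `name` via `dig +short`, or None.
    Assumes dig is installed and the host has network access."""
    result = subprocess.run(["dig", "+short", "CNAME", name],
                            capture_output=True, text=True, check=False)
    lines = result.stdout.strip().splitlines()
    return lines[0] if lines else None


def check_delegation(site: str, override_domain: str,
                     lookup: Lookup = dig_cname) -> list[str]:
    """Return a list of problems; an empty list means the CNAME matches
    what Caddy will do (write the TXT record under override_domain)."""
    problems = []
    name = challenge_name(site)
    expected = override_domain.rstrip(".").lower()
    target = lookup(name)
    if target is None:
        problems.append(f"{name} has no CNAME; create one pointing to {expected}")
    elif target.rstrip(".").lower() != expected:
        problems.append(f"{name} is a CNAME to {target.rstrip('.')}, "
                        f"but the Caddyfile overrides to {expected}")
    return problems


if __name__ == "__main__":
    # Values from the Caddyfile above; this path performs a real dig lookup.
    issues = check_delegation("*.dev.ndkprd.com",
                              "_acme-challenge.dev.ndkprd.my.id")
    print("\n".join(issues) or "CNAME delegation looks correct")
```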

Conclusion

Start the stack with docker-compose up -d, then follow certificate issuance with docker logs -f caddy. If you are still testing, uncomment the staging ca line in the Caddyfile first to avoid Let's Encrypt rate limits.
