Caddy Server and Home Assistant DNS Validation



One of the really great things about using the Caddy addon for Home Assistant is that it makes the system more secure: it provides automatic SSL certificates and a reverse proxy, and it renews the certificates before they expire.

I had always been unhappy, however, that since LetsEncrypt dropped support for https certificate validation, port 80 had to be opened and forwarded on the router in order to renew certificates. This isn’t a huge risk as long as you are using a properly configured firewall. Even most consumer-level routers include an SPI (stateful packet inspection) firewall and will drop incoming connections that were not initiated from within the network. In the case of SSL certificates, the Home Assistant addon would open the port to request certificate validation from LetsEncrypt, respond to the challenge, and receive the new certificates; port 80 would then be closed again and no further requests would get through. This works well, and if you ran a port scanner against your address you would see that the port was closed.

Some six or so months ago, Caddy added support for using a DNS challenge instead of the http challenge. It just wasn’t clear to me how that worked or how to set it up, and I was told that you needed to build a custom version of Caddy, as it was not built into the addon. That sounded like hard work, and I didn’t fully understand what was required. On Linux systems, building your own software or compiling from source is fairly common and something I have done many times, but I didn’t really have the drive or inclination to do this for Caddy, particularly as it had been working just fine with http validation.

So what changed? Well, a couple of things. First, the Caddy version in the addon was now several versions out of date, and a couple of vulnerabilities had been fixed in the meantime. Secondly, I discovered that rolling your own version and using it wasn’t any more involved than a few mouse clicks! So instead of changing the original article I decided a new one was in order, and here we are. If you read this article as well as my first article here, you will have your system running this new way in no time and with very little effort.

Install Duckdns

The first step is to set up a DuckDNS account, which is free. Go to https://www.duckdns.org/ and log in using one of Persona, Twitter, GitHub, Reddit or Google. When you log in, the provider will ask you to authorise DuckDNS to use that account for logging in. You will generally only need to log into DuckDNS once. Here is my screen when I log in with my Twitter account.

(Screenshot: DuckDNS Twitter authorisation)

Just tap on Authorize app and you will be returned to a screen where you can create your DuckDNS domain. DuckDNS allows you to create up to 5 domains. You don’t need to create sub-domains.

(Screenshot: create your DuckDNS domain)

DuckDNS won’t allow you to create a domain that already exists on their system. Make sure you keep a note of the domain name you created here!

You also need to copy the token down, as you will need to enter it when you set up the DuckDNS addon and Caddy!

(Screenshot: DuckDNS token)

Update DuckDNS with the current IP Address of your Home Assistant

Once you have a DuckDNS address, you need to update the record at DuckDNS with the current IP address of your Home Assistant instance. There are multiple ways you can do this, depending on your network setup and environment.

When I first started doing this, I let the DuckDNS client in my router update the DuckDNS record for me. I also had port forwarding set up to forward https traffic on port xxxxx to my Home Assistant instance (see my previous blog post for details). This worked well for me. However, my ISP now supports IPv6 dual stack and I wanted to set my system up to use IPv6. This is a little more complicated: with IPv6 every device you expose to the internet (by opening up a port in the router) has its own real, globally routable IP address, and there is no port forwarding. Opening port xxxxx in the router makes port xxxxx on the device itself directly accessible from the internet. So whereas with IPv4 I would forward a port on my router to the device, with IPv6 I open the port for the device itself. This means the DuckDNS client on my router cannot be used to publish the device’s IPv6 address, because it would register the router’s own address rather than the device’s. I also have not tried this, but I don’t believe the DuckDNS addon in Hass.io supports IPv6. So instead, I use a shell script (examples are here: https://www.duckdns.org/install.jsp). In fact, if you are using IPv6, your ISP has most probably allocated you a static IPv6 prefix, so the IPv6 address of your Home Assistant will be fixed and won’t change anyway, in which case you can just enter the IPv6 address manually on the DuckDNS site.
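As an added example (not the post’s own script and not one of the DuckDNS install page scripts), here is a small POSIX shell script that does the IPv6 update described above against DuckDNS’s documented update endpoint and checks the OK/KO reply. It assumes curl and iproute2 are installed and that DUCKDNS_DOMAIN and DUCKDNS_TOKEN are exported in the environment, so the token is never written into the script file.

```shell
#!/bin/sh
# Added example, not the post's own script: update a DuckDNS record with this
# host's public IPv6 address via DuckDNS's documented update endpoint.
# Assumes curl and iproute2 (ip) are installed and that DUCKDNS_DOMAIN and
# DUCKDNS_TOKEN are exported in the environment (keeps the token out of the file).
DUCKDNS_ENDPOINT="https://www.duckdns.org/update"

# Build the update URL. Leaving "ip" empty lets DuckDNS record the IPv4 address
# the request arrives from; the IPv6 address has to be passed explicitly.
duckdns_url() {
  domain=$1; token=$2; ipv4=$3; ipv6=$4
  url="${DUCKDNS_ENDPOINT}?domains=${domain}&token=${token}&ip=${ipv4}"
  if [ -n "$ipv6" ]; then
    url="${url}&ipv6=${ipv6}"
  fi
  printf '%s' "$url"
}

# Pick the host's global IPv6 address, skipping ULA (fc00::/7) addresses that
# are not reachable from the internet; link-local fe80:: is already excluded
# by "scope global".
global_ipv6() {
  ip -6 addr show scope global 2>/dev/null \
    | awk '/inet6/ { sub("/.*", "", $2); print $2 }' \
    | grep -iv '^f[cd]' | head -n 1
}

# DuckDNS answers "OK" on success and "KO" on a bad token or domain.
duckdns_check() {
  case "$1" in
    OK*) return 0 ;;
    *)   return 1 ;;
  esac
}

duckdns_update() {
  addr=$(global_ipv6)
  if [ -z "$addr" ]; then
    echo "no global IPv6 address found" >&2
    return 1
  fi
  # -s keeps the token out of progress output; never run this with set -x.
  reply=$(curl -fsS "$(duckdns_url "$DUCKDNS_DOMAIN" "$DUCKDNS_TOKEN" "" "$addr")")
  duckdns_check "$reply"
}

# Only contact DuckDNS when credentials are present, so the functions can be sourced offline.
if [ -n "${DUCKDNS_TOKEN:-}" ] && [ -n "${DUCKDNS_DOMAIN:-}" ]; then
  duckdns_update && echo "DuckDNS record updated"
fi
```

Run it from cron (or a Home Assistant shell_command) every few minutes; a "KO" reply usually means the token or domain is wrong, which the DuckDNS site will confirm.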

Sorry if that got a bit technical; if you didn’t understand a word of the above paragraph, don’t worry. We can simply set up the DuckDNS addon in Hass.io to handle the DuckDNS IP address updates for you. The DuckDNS addon is a core addon, and you should install it as you would any other addon. For the addon settings, set it up like this:


{
  "lets_encrypt": {
    "accept_terms": false,
    "certfile": "fullchain.pem",
    "keyfile": "privkey.pem"
  },
  "token": "YOUR_DUCKDNS_TOKEN_HERE",
  "domains": [
    "your-domain-here.duckdns.org"
  ],
  "seconds": 300
}

Note: enter your own token and domain. Set accept_terms to false, as we don’t need the addon to obtain the SSL certificates; Caddy will take care of that for us. Next, start the addon and check the log output at the bottom of the addon page to make sure it was able to update the address at DuckDNS.


