Secure Your Home Lab With Lets Encrypt SSL Certificates, Caddy and Mythic Beasts DNS

A Home Lab is a valuable asset for any Developer or Engineer to support their personal development, personal projects, and experimentation.

Web security is relentlessly improving, so we need to adapt our ways of working in order to support this. The days of running Production websites over plaintext http are long gone, and therefore we should also reflect this in our Home Labs too.

There are many different ways to create a professional looking and secure Home Lab. I have documented below the way that I provision SSL Certificates and HTTPS in my own Home Lab.

Caddy is a powerful web server that can secure web traffic with HTTPS automatically using Let’s Encrypt SSL certificates. Mythic Beasts provide an excellent service for domains, DNS, hosting websites and applications, email, virtual machines, and Raspberry Pi computers.

If your Caddy server is accessible on the Internet with a valid DNS record, it will use a HTTP challenge to validate that you own the domain and web server.

In a development or lab environment, or for your home automation server, you may not wish to expose your web server to the Internet, so another method of validation is required. Even within these environments it’s great seeing the secure padlock symbol in the browser, and considering you can obtain SSL certificates for free, it’s always good practice to create something you would expect to see in Production, even if it’s a Non-Production environment. Non-Production is often Production for someone.

A DNS challenge can be used during the SSL certificate provisioning process instead, which involves setting a DNS TXT record to a certain value. Let’s Encrypt can detect the creation and value of the DNS record and validate ownership without ever connecting to the web server itself. If you have permission to manipulate the DNS records, then you are considered to own the domain.

Mythic Beasts provide an API to manage their DNS service, as well as other services, and a community supported Caddy module has been created to automatically interact with it to create the necessary DNS records.

Caddy with Mythic Beasts DNS module Setup

These steps have been tested on a Raspberry Pi 4 running Raspbian

• Download and install the latest version of Go for your system, using the installation steps
• Check Go is working using go version
• Download and install xcaddy for your system from their latest releases
• Build a Caddy binary with the community supported Caddy module using xcaddy build --with github.com/caddy-dns/mythicbeasts
• Install the Caddy binary using the Keep Caddy Running steps
• Create API credentials on Mythic Beasts using the steps on Automating DNS challenges. I needed to create a wildcard credential for all records in the zone, for all record types. This is more permissions than it should require, so the Caddy module is doing something differently to other ACME clients that use the API
• Create the Caddyfile, including the credentials for the Mythic Beasts module using the environment variables as they are in the community supported Caddy module README.md file. These could be added to the systemd service file, if this was the method used to start Caddy
• Start Caddy using your chosen method and watch the journal / logs for successful provisioning of the SSL certificate.
• In my configuration, the internal Caddy files, like keys and certificates, can be found using sudo find /var/lib/caddy/

Example Configuration files

Example Caddyfile configuration for DNS challenge. It relies on a Caddy binary with the community supported module compiled into it. In this case, it is configured as a reverse proxy.

domainname.com {
    reverse_proxy 192.168.1.100:8000
    tls {
        dns mythicbeasts {
            key_id {$MYTHICBEASTS_KEYID}
            secret {$MYTHICBEASTS_SECRET}
        }
    }
}

Example /etc/systemd/system/caddy.service, including environment variables where you may wish store your API credentials. Just remember that this is a plain text file sitting on your file system, so use with caution and asses your security requirements for your system. The paths may need changing for your system.

# caddy.service
#
# For using Caddy with a config file.
#
# Make sure the ExecStart and ExecReload commands are correct
# for your installation.
#
# See https://caddyserver.com/docs/install for instructions.
#
# WARNING: This service does not use the --resume flag, so if you
# use the API to make changes, they will be overwritten by the
# Caddyfile next time the service is restarted. If you intend to
# use Caddy's API to configure it, add the --resume flag to the
# `caddy run` command or use the caddy-api.service file instead.

[Unit]
Description=Caddy
Documentation=https://caddyserver.com/docs/
After=network.target network-online.target
Requires=network-online.target

[Service]
Environment=MYTHICBEASTS_KEYID=aaaaaaaaaaaaaaaa
Environment=MYTHICBEASTS_SECRET=bbbbbbbbbbbbbbbbbbb
Type=notify
User=caddy
Group=caddy
ExecStart=/opt/caddy/caddy run --environ --config /opt/caddy/Caddyfile
ExecReload=/opt/caddy/caddy reload --config /opt/caddy/Caddyfile --force
TimeoutStopSec=5s
LimitNOFILE=1048576
LimitNPROC=512
PrivateTmp=true
ProtectSystem=full
AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE

[Install]
WantedBy=multi-user.target