During the automated installation for “Auto Generate SSL” Caddy requires TCP 80 to be availble for the Acme Challenge for LetsEncrypt. This poses a security risk to allow either NAT translation or public services to allow TCP 80 to the Mulitportal host.
There is functionality with Letsencrypt to leverage API tokens to providers such as Cloudflare which is used in e.g. NGINX to allow the LetsEncrypt acme challange to auth via API Token without the need for openning security senstive ports for a public facing service and allows Multiportal to reside in a DMZ airgapped environment from the internet.
For example in a NGINX deployment on Ubuntu
sudo apt install python3-certbot-dns-cloudflare
sudo mkdir /etc/letsencrypt/secrets/cloudflare.ini
# Either API Token (recommended)
dns_cloudflare_api_token = <enter api token here>
chmod 600 /etc/letsencrypt/secrets/cloudflare.ini
certbot certonly --dns-cloudflare --dns-cloudflare-credentials /etc/letsencrypt/secrets/cloudflare.ini -d cloudstack.somedomain.org.
The available dns providers are as follows depending on python package are,
Cloudflare DNS plugin for Certbot
DigitalOcean DNS plugin for Certbot
DNSimple DNS plugin for Certbot
Gehirn DNS plugin for Certbot
Google DNS plugin for Certbot
Linode DNS plugin for Certbot
OVH DNS plugin for Certbot
RFC 2136 DNS plugin for Certbot
SakuraCloud DNS plugin for Certbot
Infomaniak DNS plugin for Certbot
RFC 2136 DNS plugin for Certbot
Route53 DNS plugin for Certbot
SakuraCloud DNS plugin for Certbot
Standalone DNS Authenticator plugin for Certbot
If there was an option where during the automated install you could select your DNS provider, the installer install the correct package for Caddy and allow input for the API Token to create the .ini file it would provide a secure mechanism to create signed certificates for Caddy while being airgapped for Acme authentication.
