So you’re using Caddy with Let’s Encrypt, and the latest news about Let’s Encrypt banning use of their certificates for people in countries under sanctions from the USA has you worried, and you’re looking into Actalis?
Good news: the switch is really easy.
It goes as follows:
- Create a “free plan” account at Actalis. Make sure to check “I do not agree” with anything you, well, do not agree with.
- Keep a record of your Actalis Key ID and HMAC key.
  IMPORTANT – there are TWO key ID/HMAC key pairs, one for “Domain Validation - 1 year” and one for “Domain Validation - 90 days”. I only tested the 90 days one and suggest you use that one too.
- Edit your Caddyfile and reload it.
See? Easy.
Er… How do I edit my Caddyfile?
What follows assumes you are using Linux, and more specifically, Debian Trixie. File paths might not be the same for all distros; you should look into how it’s done in your own distro.
If you installed the Debian caddy package, then the Caddyfile is
/etc/caddy/Caddyfile (unless you changed it). Edit it with your
favorite text editor (you’ll need to do that as root).
Look for the global settings block. It starts with this line…
{
… and ends at the first…
}
… which follows.
I don’t have a global settings block…
Add one, empty for now, for instance at the start of the file:
{
}
OK, I’ve got a global settings block. What now?
In that block, look for this line:
cert_issuer acme
I don’t have this line in my global settings block…
Add it!
OK, I’ve got a “cert_issuer acme” line. What now?
Add this after the “cert_issuer acme” line:
    acme_ca https://acme-api.actalis.com/acme/directory
    acme_eab {
        key_id AbCdEfGhIjKlMnOpQrStUvWxYz
        mac_key AbCdEfGhIjKlMn_OpQrStUvWxYzAbCdEfGhIjKlMnOp
    }
Explanation:
- acme_ca tells Caddy which ACME provider you want to use.
- acme_eab provides identifiers for this provider. Let’s Encrypt does not require manual registration, so you didn’t need identifiers so far, but Actalis needs them.
Now, as you probably guessed, the values for key_id and mac_key in
my example above are fake. You must replace these with yours:
- the key_id directive must be followed by your Actalis Key ID
- the mac_key must be followed by your Actalis HMAC key – except that any equal signs at the end of the HMAC key must be removed.
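Stripping the equal signs by hand is easy to get wrong, so here is a small shell helper that does it and sanity-checks what is left. It is an added example, not part of the original post or of Caddy: the function names are made up for illustration, and it assumes the HMAC key is base64url text (letters, digits, "-" and "_"), like the fake key above.

```shell
#!/bin/sh
# Added example; function names are hypothetical.
# Assumption: the HMAC key is base64url text, possibly followed by "=" padding.

# normalize_mac_key KEY
# Prints KEY without trailing "=" padding; returns 1 if what is left
# is not plausible unpadded base64url.
normalize_mac_key() {
    key=$1
    # Strip every trailing "=" (base64 adds zero, one or two).
    while [ "${key%=}" != "$key" ]; do
        key=${key%=}
    done
    case $key in
        '' | *[!A-Za-z0-9_-]*) return 1 ;;   # empty, or "+", "/", spaces...
    esac
    # 4n+1 characters cannot encode a whole number of bytes.
    [ $(( ${#key} % 4 )) -ne 1 ] || return 1
    printf '%s\n' "$key"
}

# mac_key_bytes KEY
# Prints how many bytes the normalized key decodes to (6 bits per character).
mac_key_bytes() {
    key=$(normalize_mac_key "$1") || return 1
    echo $(( ${#key} * 6 / 8 ))
}

# eab_block KEY_ID KEY
# Prints an acme_eab block ready to paste into the global settings block.
eab_block() {
    mac=$(normalize_mac_key "$2") || {
        echo "mac_key is not base64url" >&2
        return 1
    }
    printf 'acme_eab {\n\tkey_id %s\n\tmac_key %s\n}\n' "$1" "$mac"
}

# Constructed sample: the post's fake values, with one "=" of padding added.
eab_block 'AbCdEfGhIjKlMnOpQrStUvWxYz' \
    'AbCdEfGhIjKlMn_OpQrStUvWxYzAbCdEfGhIjKlMnOp='
```

If the helper rejects your key, check for a stray space or line break from copy-pasting before touching the Caddyfile.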
In the end, what should my Caddyfile look like?
Here’s a complete example:
{
    cert_issuer acme
    acme_ca https://acme-api.actalis.com/acme/directory
    acme_eab {
        key_id AbCdEfGhIjKlMnOpQrStUvWxYz
        mac_key AbCdEfGhIjKlMn_OpQrStUvWxYzAbCdEfGhIjKlMnOp
    }
}

mysite.example.com {
    root /var/www/html
    file_server
}
Your Caddyfile may have other lines in its global settings block, or your site block may have different lines; it does not matter. What matters is that the global settings block contains the “acme_ca” and “acme_eab” directives.
You can now validate your Caddyfile…
caddy validate --config /etc/caddy/Caddyfile
… And reload it, right?
Yes, and reload it:
caddy reload --config /etc/caddy/Caddyfile
… and you’re done!
Well, you’ll be done when the current Let’s Encrypt certificate(s) expire, and Caddy asks Actalis for new ones. It might take a few tens of days, but meanwhile, the website(s) will keep working.
But what if I want to change NOW?
If you are really eager to switch and do not want to wait, then you can do that at the price of a slight downtime and/or disruption of your website(s) by:
- stopping Caddy:
  systemctl stop caddy
- removing all the Let’s Encrypt certificates:
  rm -r /var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/
- starting Caddy:
  systemctl start caddy
Caddy will regenerate certificates, from Actalis, as soon as your websites are visited. You might need to reload and/or flush the browser’s cache.
That’s it?
Yes! I told you it was easy.