HA with Let's Encrypt add-on behind Caddy reverse proxy configuration

Hi,

I’m running HA with a Let’s Encrypt add-on behind Caddy. If the certificate in HA is enabled:

http:
  ssl_certificate: /ssl/fullchain.pem
  ssl_key: /ssl/privkey.pem

I have to use this in caddy to get a connection:

ha2.my.domain {
        reverse_proxy 111.222.333.444:8123 {
                transport http {
                        tls
                        tls_insecure_skip_verify
                }
        }
}

If I however disable the Let’s Encrypt certificate in HA, then there is no need for the “insecure tls skip” stuff in the Caddyfile:

ha.my.domain {
        reverse_proxy 111.222.333.444:8123
}

Both ways feel like a workaround and I’m not sure what is better. Is there a proper way to do this?

The proper way is to expose SSL and the certificate on the reverse proxy (SSL termination), and not on HA.

You currently have to skip verification because “111.222.333.444” is not a valid domain/IP as described in the Let’s Encrypt certificate.
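
The two setups discussed in this thread, written out as a Caddyfile without `tls_insecure_skip_verify`. This is an added example and not part of the original posts. The hostnames and the upstream address are the placeholders used in the question, and the name given to `tls_server_name` is an assumption about which domain HA's certificate was issued for.

```caddyfile
# Option A: TLS ends at Caddy (SSL termination), as the reply recommends.
# HA serves plain HTTP on 8123, so ssl_certificate / ssl_key are removed
# from HA's http: section. Caddy obtains the public certificate itself.
ha.my.domain {
        reverse_proxy 111.222.333.444:8123
}

# Option B: HA keeps its Let's Encrypt certificate and Caddy verifies it.
# The upstream is still dialed by IP, but the certificate is checked
# against the name in tls_server_name instead of against the IP, so the
# hostname mismatch described in the reply no longer occurs.
ha2.my.domain {
        reverse_proxy 111.222.333.444:8123 {
                transport http {
                        tls
                        # Assumption: the certificate served by HA covers ha2.my.domain.
                        # Replace with the domain the certificate was actually issued for.
                        tls_server_name ha2.my.domain
                }
        }
}
```

With option A the hop between Caddy and HA is unencrypted, so it fits a proxy on the same host or a trusted network segment. Option B keeps that hop encrypted and authenticated, at the cost of renewing a certificate on HA as well.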