Enable HTTPS on Local Network Domain with Caddy 2 on Ubuntu


I decided to set up a server on my home network to do a variety of things. Since it’s to be shared with other family members, it’s best to use something easy to remember like a domain name. However, as I soon discovered, setting up a domain on my internal network with HTTPS is not straightforward.

For example, we can’t directly use Let’s Encrypt as the server is only available on an internal network. So no computers outside the network will be able to reach the server, including the Let’s Encrypt server to validate the domain for SSL purposes.

This is a set of notes of what I did to make this feat possible. I hope this helps you out.

In the following steps, I assume you already have Ubuntu installed on your server, you have access to the server via SSH or physical access, and you can do basic tasks on Ubuntu like installing programs, creating directories, etc.

Step 1: Register/Transfer a Domain to an SSL Registrar and Get SSL Files

You will need to register a domain, or transfer an existing one, at a registrar that provides free SSL certificates, such as Porkbun. Porkbun generates its SSL certificates via Let’s Encrypt.

Before Porkbun can generate the SSL certificates, your domain must use their name servers. Check to make sure your domain is using Porkbun name servers.

In this tutorial, the domain will be yourdomain.com.

Enable SSL on Domain at Registrar

You will then need to enable SSL on your domain. Porkbun will take around 10 minutes to generate the SSL certificates for you from Let’s Encrypt.

Download SSL Files

Once the SSL certificates have been generated, you can download them from Porkbun. The download is a zip file that contains four files:

  • domain.cert.pem
  • intermediate.cert.pem
  • private.key.pem
  • public.key.pem

Upload SSL Files

Create a directory on the server and upload the four SSL files to it. I will refer to this directory as /path/to/your/ssl/files. Caddy only needs domain.cert.pem and private.key.pem; keep the private key readable only by the user that will run Caddy.

Step 2: Install Caddy

To install Caddy 2, run the following commands taken from the Caddy Installation Guide:

sudo apt install -y debian-keyring debian-archive-keyring apt-transport-https
curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/gpg.key' | sudo tee /etc/apt/trusted.gpg.d/caddy-stable.asc
curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/debian.deb.txt' | sudo tee /etc/apt/sources.list.d/caddy-stable.list
sudo apt update
sudo apt install caddy

We will configure Caddy before we start it. Note that the apt package also installs and starts a caddy systemd service that listens on ports 80 and 443 using the default /etc/caddy/Caddyfile; stop it with sudo systemctl stop caddy before running Caddy manually in Step 5, otherwise those ports will already be in use.

Step 3: Configure Caddy

Create a new file called Caddyfile and place it in a directory of your choice. Note, there is no extension to the file.

Enter the following lines into the Caddyfile:

# global options: disable automatic HTTPS, since we supply our own
# certificate and handle the http -> https redirect ourselves
{
  auto_https off
}

# redirect regular http calls to https
:80 {
  redir https://{host}{uri}
}

# enable SSL on all subdomains
*.yourdomain.com:443 {
  # this is where you point to your SSL files
  tls /path/to/your/ssl/files/domain.cert.pem /path/to/your/ssl/files/private.key.pem

  # set up www subdomain
  @www host www.yourdomain.com
  handle @www {
    root * /usr/share/caddy
    # serve the files under root (without this, root alone serves nothing)
    file_server
  }

  # display error for all other subdomains
  handle {
    respond "Not Found!" 404
  }
}

# if no subdomain for https, redirect to www
yourdomain.com:443 {
  # reuse the same certificate; it must list yourdomain.com as well as *.yourdomain.com
  tls /path/to/your/ssl/files/domain.cert.pem /path/to/your/ssl/files/private.key.pem
  redir https://www.{host}{uri}
}

Please note that {host} and {uri} are placeholders in Caddy: they are filled in with the Host header and the request URI of the incoming request, so the redirect preserves the path the visitor asked for.

Step 4: Configure Hosts File

If you’re using Ubuntu on the computer you browse from, you will need to edit its hosts file so it knows which machine to connect to when you enter yourdomain.com in your browser.

You can edit the hosts file using any command line editor such as vim, nano, etc.

You will need to use sudo to open it, for example:

sudo nano /etc/hosts

At the bottom of the hosts file, add the IP address of your server followed by the desired hostnames. At the minimum, there should be a www subdomain. Below is an example; replace the placeholder address with your server’s actual address on your network.

123.456.789.000 yourdomain.com www.yourdomain.com sub1.yourdomain.com

Save the file.

Step 5: Run Caddy

Enable Binding on Port 80 and 443

By default, Ubuntu won’t allow a regular user to bind ports below 1024. To get around this, we can use the setcap command (which itself must be run as root) to grant the Caddy binary the capability. Be aware that this applies to the binary itself, so any local user able to run /usr/bin/caddy can then bind privileged ports with it.

sudo setcap cap_net_bind_service=+ep /usr/bin/caddy

If you want to remove the capability from caddy again, you can do the following:

sudo setcap cap_net_bind_service=-ep /usr/bin/caddy

Run Caddy

To run Caddy, we use the following command with the --config flag pointing to the Caddyfile we set up in Step 3.

caddy start --config /path/to/Caddyfile

Using start makes Caddy run in the background.

Step 6: Access Via Browser

Open up a browser and go to yourdomain.com. You should see the Caddy Welcome page. If you try www.yourdomain.com you will get the same page since yourdomain.com redirects to www.yourdomain.com.

If you try to go to sub1.yourdomain.com, you will get the "Not Found!" error page from the catch-all handler.


If you try another subdomain such as test.yourdomain.com, you will not be able to connect to the server at all, and so you will not receive the error page either. This is because you did not define an entry for test.yourdomain.com in your hosts file (/etc/hosts); the browser never resolves the name, so the request never reaches Caddy.

So for any new subdomain, you must include it in your hosts file.
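Because a missing hosts entry fails silently in the browser, it is worth checking the file before testing each new subdomain. The script below is an added example, not part of the original guide: it parses hosts-file text the way the resolver does (comments stripped, first match wins), verifies the server address is a valid IP, and reports which names the Caddyfile expects are missing or point somewhere else. The hosts content and the 192.168.1.x addresses are constructed samples.

```python
import ipaddress

# Constructed sample of the lines added to /etc/hosts (not the page's own file);
# the address and names are placeholders.
SAMPLE_HOSTS = """\
127.0.0.1   localhost
# entries for the home server
192.168.1.10 yourdomain.com www.yourdomain.com sub1.yourdomain.com
192.168.1.99 sub1.yourdomain.com   # stale duplicate: the first match above wins
"""


def parse_hosts(text):
    """Return {hostname: ip}, honouring first-match-wins like the resolver."""
    mapping = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            mapping.setdefault(name.lower(), ip)
    return mapping


def check_hosts(text, server_ip, domain, subdomains):
    """Report hosts entries the Caddyfile relies on.

    Returns (missing, wrong): names absent from the file, and names that
    resolve to an address other than server_ip. The apex and www are always
    required because yourdomain.com redirects to www.yourdomain.com.
    """
    ipaddress.ip_address(server_ip)  # raises ValueError for an invalid address
    required = [domain, f"www.{domain}"] + [f"{s}.{domain}" for s in subdomains]
    mapping = parse_hosts(text)
    missing = [n for n in required if n not in mapping]
    wrong = {n: mapping[n] for n in required
             if n in mapping and mapping[n] != server_ip}
    return missing, wrong


if __name__ == "__main__":
    missing, wrong = check_hosts(SAMPLE_HOSTS, "192.168.1.10",
                                 "yourdomain.com", ["sub1", "test"])
    print("missing:", missing)  # test.yourdomain.com has no entry yet
    print("wrong:", wrong)
```

To check a real machine, read /etc/hosts into a string and pass it in place of SAMPLE_HOSTS.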


Stop Caddy

You can stop Caddy by running the following command:

caddy stop

Next Steps

With Caddy now set up, we can use it to reverse proxy to many different services running on the server, with HTTPS enabled for each of them.

I will write up another guide in the future on how to do so.

I hope this guide has helped you out.
