From e992ff695057bcb3d89d8af1322fde84dfed27b8 Mon Sep 17 00:00:00 2001 From: Brennan Kinney <5098581+polarathene@users.noreply.github.com> Date: Sun, 5 Jan 2025 15:50:21 +1300 Subject: [PATCH] docs: TLS (Caddy) - Revise advice on `tls internal` --- docs/content/config/security/ssl.md | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/docs/content/config/security/ssl.md b/docs/content/config/security/ssl.md index 96f4a717..296806a7 100644 --- a/docs/content/config/security/ssl.md +++ b/docs/content/config/security/ssl.md @@ -512,7 +512,7 @@ DSM-generated letsencrypt certificates get auto-renewed every three months. ```caddyfile title="Caddyfile" mail.example.com { - tls internal { + tls { key_type rsa2048 } @@ -524,8 +524,10 @@ DSM-generated letsencrypt certificates get auto-renewed every three months. While DMS does not need a webserver to work, this workaround will provision a TLS certificate for DMS to use. - - [`tls internal`][caddy-docs::tls-internal] will create a local self-signed cert for testing. This targets only the site-address, unlike the global `local_certs` option. - - [`key_type`][caddy-docs::key-type] can be used in the `tls` block if you need to enforce RSA as the key type for certificates provisioned. The default is currently ECDSA (P-256). + An explicit `tls` directive affects only the site-address block it's used in: + + - Use [`tls internal { ... }`][caddy-docs::tls-internal] if wanting to create a local self-signed cert, which may be useful for testing. This allows opt-in to use self-signed certs unlike the global `local_certs` option. + - [`key_type`][caddy-docs::key-type] can be used in the `tls` block if you need to enforce RSA as the key type for certificates provisioned. The default is currently ECDSA (P-256). This may improve compatibility with legacy clients. ??? example "With `caddy-docker-proxy`"
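Review bot: In the first hunk (the Caddyfile example), dropping `internal` from `tls internal {` changes what the example provisions, not just its syntax: a bare `tls { key_type rsa2048 }` leaves Caddy on its default automatic HTTPS path, so `mail.example.com` will now be issued a publicly trusted certificate instead of a local self-signed one, which requires the name to resolve publicly and the ACME challenge ports to be reachable. The surrounding prose still says only "this workaround will provision a TLS certificate for DMS to use" and the first bullet still documents `tls internal { ... }` as the way to get a self-signed cert, so a reader pasting the example gets different behaviour than the bullet describes. Suggest one sentence above the example stating that, as written, it requests a publicly trusted certificate, and that `tls internal { ... }` is the variant for local testing.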
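Review bot: In the second hunk, the sentence appended to the `key_type` bullet, "This may improve compatibility with legacy clients.", now follows "The default is currently ECDSA (P-256)." and so reads as if ECDSA is what helps legacy clients, when the intent is clearly RSA; suggest attaching it to the RSA clause, e.g. "[`key_type`][caddy-docs::key-type] can be used in the `tls` block if you need to enforce RSA as the key type (which may improve compatibility with legacy clients). The default is currently ECDSA (P-256)." The first bullet also has a grammar slip, "if wanting to create a local self-signed cert", which should be "if you want to create a local self-signed cert", and "This allows opt-in to use self-signed certs unlike the global `local_certs` option" would be clearer as "This opts in to a self-signed cert for this site only, unlike the global `local_certs` option, which applies to every site."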