Public | Automated Build

Last pushed: 2 months ago
Short Description
Caddy with integrated TLS storage into Consul KV
Full Description


Consul Storage for Caddy TLS data.

Normally, Caddy uses local filesystem to store TLS data when it auto-generates certificates from a CA like Lets Encrypt.
Starting with 0.11.x Caddy can work in cluster environments where TLS storage path is shared across servers. This is a great improvement but you need to take care of mounting a centeralized storage on every server. If you have an already running Consul cluster it can be easier to use it's KV store to save certificates and make them available to all Caddy instances.

This plugin enables Caddy to store TLS data like user key and certificates in Consul's KV store. This allows you to use Caddy in a cluster or multi machine environment with a centralized storage for auto-generated certificates.

With this plugin it is possible to use multiple Caddy instances with the same HTTPS domain for instance with DNS round-robin.

It works with recent versions of Caddy 0.10.x
All data that is saved in KV store is encrypted using AES.


You need to compile Caddy by yourself to use this plugin. Alternativly you can use my Docker image that already includes Consul KV storage, more infos below.

  • Set up a working Go installation, see
  • Checkout Caddy source code from
  • Get latest caddy-tlsconsul with go get -u
  • Add this line to caddy/caddymain/run.go in the import region:
    import (
    _ ""
  • [DEPRECATED] Change dir into caddy/caddymain and compile Caddy with build.bash
  • Change dir into caddy/caddy do a go get and compile Caddy with go run build.go


In order to use Consul you have to change the storage provider in your Caddyfile like so:

    tls {
        storage consul

Because this plugin uses the official Consul API client you can use all ENV variables like CONSUL_HTTP_ADDR or CONSUL_HTTP_TOKEN
to define your Consul connection and credentials. For more information see

Without any further configuration a running Consul on 127.0.01:8500 is assumed.

There are additional ENV variables for this plugin:

  • CADDY_CONSULTLS_AESKEY defines your personal AES key to use when encrypting data. It needs to be 32 characters long.
  • CADDY_CONSULTLS_PREFIX defines the prefix for the keys in KV store. Default is caddytls

Run with Docker

You can use a custom version of Caddy with integrated Consul TLS storage using the Dockerfile provided in this repo. Because this Dockerfile uses multi-stage build you need at least Docker 17.05 CE.


Example for a Docker run command:

docker run -d -p 80:80 -p 443:443 -e "CONSUL_HTTP_ADDR=my.consul.addr:8500" -v /home/test/Caddyfile:/Caddyfile:ro -v /home/test/config:/.caddy:rw -v /home/test/html:/var/www/html pteich/caddy-tlsconsul -agree -conf=/Caddyfile
Docker Pull Command
Source Repository