[ACME] Choose a specific certificate issuer

Hi, what should I put in my Caddyfile if I want to only use Let's Encrypt and not ZeroSSL? Should I use the global acme_ca or the global cert_issuer? (What are the differences between acme_ca and cert_issuer?)
Additionally, is there a way to disable the challenges which are not used? I would like to use the DNS challenge only.
Thank you for your help.

When you enable the DNS challenge, it automatically disables the other two. So nothing to do there.

If you want to only use Let’s Encrypt, then the easiest way is to configure cert_issuer acme (where acme is just Let’s Encrypt by default). This’ll override the default which is both acme + zerossl.

The acme_ca option is basically like just overriding the URL part of the acme issuer. I don’t remember if specifying it also disables zerossl or not. @matt do you remember? Anyway it requires you to specify a URL which is more “brittle” than just specifying cert_issuer acme and Caddy will do the smart thing for you.

Thanks for your reply, it's clearer now. I still have a question: what is the most optimal way to define the ACME email? I see that there is a global email setting but also an email setting under the global issuer, so should I specify some things under the issuer or not really? Thanks
Same for disable_http_challenge and disable_tlsalpn_challenge which can be added under the issuer: is cert_issuer acme + acme_dns or dns enough to disable them? And finally, acme_dns can be defined globally but also directly under a global issuer by using dns; what is the preferred way? I assume that if I do it globally and I have multiple issuers it will "overwrite" this value for all the issuers.

Yeah if you specify a CA it overrides the defaults.


Both work, doesn’t really make a difference. Using the email global option will set a default for when an issuer doesn’t have an email explicitly configured.

You don’t need to touch those at all, they’re only useful when you’re not using the DNS challenge and you need to disable one or the other. Like I said, enabling DNS challenge always disables the other two because if you configured the DNS challenge, there’s the implication that your intent is either to get a wildcard cert, or your server isn’t publicly accessible – those are the main reasons for using the DNS challenge, and neither of those cases work with the HTTP or TLS-ALPN challenges. So they’re essentially mutually exclusive.

Just whatever reads nicer to you. It’ll work the same. Both should produce the same JSON config, which is what Caddy actually runs with (run caddy adapt -p to see your adapted JSON config).

Config inside an issuer will always “win”, global config is “if the issuer didn’t explicitly configure this” basically.

So yeah it depends on whether you’ll ever have a need to also use HTTP/TLS-ALPN challenges for some other domains. If not, then you can just use the global options.

Some users like to use snippets to de-duplicate their tls directive config, then import it into each relevant site. That would let you have different TLS config per site without duplication if you want.
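Putting the thread's advice together as an added example (my own Caddyfile, not one from the thread or the Caddy project): Let's Encrypt only via cert_issuer acme, the global email as the fallback for issuers without their own, and the DNS challenge kept in a snippet so only the sites that import it give up HTTP/TLS-ALPN. The provider name cloudflare and the CF_API_TOKEN variable are assumptions; substitute the DNS provider module you actually use.

```caddyfile
{
	# Global defaults: an issuer only falls back to these when it
	# doesn't configure the same thing itself.
	email admin@example.com
	# Only Let's Encrypt; replaces the default acme + zerossl pair.
	cert_issuer acme
}

# Snippet for sites that need DNS validation (wildcards, non-public hosts).
# Configuring dns inside the issuer implicitly disables the HTTP and
# TLS-ALPN challenges, so no disable_*_challenge lines are needed.
(dns_tls) {
	tls {
		issuer acme {
			# Assumed provider module and token variable.
			dns cloudflare {env.CF_API_TOKEN}
		}
	}
}

# Wildcard: DNS challenge via the snippet.
*.internal.example.com {
	import dns_tls
	respond "wildcard site"
}

# Public host: keeps the default HTTP / TLS-ALPN challenges,
# still Let's Encrypt only because of the global cert_issuer.
www.example.com {
	respond "public site"
}
```

Run caddy adapt -p against this file to confirm the issuer and challenge settings each site ends up with in the JSON config.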

