"adapting config using caddyfile: subject does not qualify for certificate" when rewriting for wildcard

1. Caddy version (caddy version):

v2.3.0 h1:fnrqJLa3G5vfxcxmOH/+kJOcunPLhSBnjgIvjXV/QTA=

2. How I run Caddy:

a. System environment:

Fedora 34, Docker version 20.10.6, build 370c289, Portainer 2.1.1, slothcroissant/caddy-cloudflaredns container.

b. Command:

Managing containers with Portainer.

c. Service/unit/compose file:

docker run -it --name caddy \
 -p 80:80 \
 -p 443:443 \
 -v caddy_data:/data \
 -v caddy_config:/config \
 -v $PWD/Caddyfile:/etc/caddy/Caddyfile \
 -e CLOUDFLARE_EMAIL=my email \
 -e CLOUDFLARE_API_TOKEN=my token \
 -e ACME_AGREE=true \
 slothcroissant/caddy-cloudflaredns 

Moved Caddyfile to /srv afterwards.

d. My complete Caddyfile or JSON config:

*.internal.{env.DOMAIN} {

    tls email {
    dns cloudflare {env.CLOUDFLARE_API_TOKEN}
    }

    @server1 host server1.internal.{env.DOMAIN}
    reverse_proxy @server1 IP:port

    @server2 host server2.internal.{env.DOMAIN}
    reverse_proxy @server2 IP:port

    @pihole host pihole.internal.{env.DOMAIN}{
    rewrite * /admin{uri}
    }
    reverse_proxy @pihole IP:port

}

3. The problem I’m having:

I’m trying to rewrite the domain for Pihole under a wildcard, which has worked well like this earlier:

pihole.internal.domain.com {
    tls email {
    dns cloudflare {env.CLOUDFLARE_API_TOKEN}
    }

    encode gzip
    rewrite * /admin{uri}
    reverse_proxy IP:port
 }

But when I try to get it working under the wildcard, I either get the error “run: adapting config using caddyfile: subject does not qualify for certificate: ‘@pihole’”, that blocks aren’t valid, or only Pihole works, nothing else. Everything else works if I remove the Pihole rewrites.

4. Error messages and/or full log output:

run: adapting config using caddyfile: subject does not qualify for certificate: ‘@pihole

5. What I already tried:

I’ve tried:

@pihole host pihole.internal.{env.DOMAIN}{
    rewrite * /admin{uri}
    }
    reverse_proxy @pihole IP:port

And:

@pihole host pihole.internal.{env.DOMAIN}
    rewrite * /admin{uri}
    reverse_proxy @pihole IP:port

There are two styles of environment variable configs in Caddy.

  • The style {env.*} is replaced at runtime.
  • The style {$ENV} is replaced at Caddyfile-adapt time.

The Caddyfile is an adapter, i.e. its job is to transform your Caddyfile into a JSON config that Caddy will actually run with. You can see the JSON for your config by running caddy adapt --pretty.

The difference is that Caddy needs to know up-front when it starts the domains it needs to issue certificates for. So you should use {$DOMAIN} instead for this.

Also, make sure to always have a space before the { when you have blocks in your config. Spaces are significant in the Caddyfile, because of the way the lexer/tokenizer works. It should look like this:

@pihole host pihole.internal.{$DOMAIN} {

You don’t need this; that env var was necessary in Caddy v1, but is no longer used. You agree to the ACME terms implicitly by using Caddy.


Thanks, I updated the variables and tried again, but it still gives me similar errors.

If I do

    @pihole host pihole.internal.{$DOMAIN} {
    rewrite * /admin{uri}
    }
    reverse_proxy @pihole IP:port

or

    @pihole host pihole.internal.{$DOMAIN} {
    rewrite * /admin{uri}
    reverse_proxy @pihole IP:port
    }

I get run: adapting config using caddyfile: /etc/caddy/Caddyfile:77 - Error during parsing: malformed host matcher: blocks are not supported, and if I do

    @pihole host pihole.internal.{$DOMAIN}
    rewrite * /admin{uri}
    reverse_proxy @pihole IP:port

I get 401 and 404 errors for every other subdomain, but Pihole works.

When you define a matcher, you need to use it somewhere.

I think you’re looking for the handle directive to wrap these.

	@pihole host pihole.internal.{$DOMAIN}
	handle @pihole {
		rewrite * /admin{uri}
		reverse_proxy IP:port
	}

The exact pattern you’re trying is covered here in the docs:

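Putting the two replies together, here is a complete wildcard site block as an added example (it is not from any post in this thread): `{$DOMAIN}` is used for the site address so the certificate subject is known at adapt time, every matcher is consumed by a `handle` block, and there is a space before each `{`. The e-mail address and the backend addresses are constructed placeholders; it assumes `DOMAIN` and `CLOUDFLARE_API_TOKEN` are set in the container's environment and that the Cloudflare DNS module is built in, as in the image used above.

```caddyfile
# Added example, not the original poster's Caddyfile.
# {$DOMAIN} is substituted when the Caddyfile is adapted, so the wildcard
# subject exists before Caddy decides which certificates to obtain.
*.internal.{$DOMAIN} {

    # {env.CLOUDFLARE_API_TOKEN} is resolved at runtime, which is fine here:
    # the DNS challenge runs after the config is loaded.
    tls admin@example.com {
        dns cloudflare {env.CLOUDFLARE_API_TOKEN}
    }

    # Each named matcher is used by exactly one handle block.
    @server1 host server1.internal.{$DOMAIN}
    handle @server1 {
        reverse_proxy 10.0.0.11:8080
    }

    @server2 host server2.internal.{$DOMAIN}
    handle @server2 {
        reverse_proxy 10.0.0.12:8080
    }

    # The matcher line carries no block of its own; the rewrite and the
    # proxy live inside the handle block that references it.
    @pihole host pihole.internal.{$DOMAIN}
    handle @pihole {
        rewrite * /admin{uri}
        reverse_proxy 10.0.0.13:80
    }

    # Any other name under the wildcard gets an explicit 404 instead of
    # silently reaching one of the backends.
    handle {
        respond 404
    }
}
```

Running `caddy adapt --pretty` against this file, with `DOMAIN` exported in the shell, shows the adapted JSON with the wildcard already expanded under `tls.automation`, which is the quickest way to confirm the subject is recognised before starting the container. Because `handle` blocks are mutually exclusive, a request for `server1.internal.<domain>` can never fall through to the Pi-hole rewrite, which is what produced the 401/404 errors on the other subdomains.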
