I found caddy from trying letsencrypt clients, and it sounds excellent! However, I need to know if I can start gently running caddy behind an apache front end. I have it on my single server and it is currently running about 10 vhosts, each with separate tls certs. All current sites are strict https-only.
If I use dns validation, can I also use auto-cert management with a virgin site and a suitable http proxy statement in the apache config?
Also, would I be able to have more than one Caddy instance running, or how would I run multiple new vhosts under the single Caddy instance?
Yes, this will work fine. You could possibly even use regular validation (well-known URI challenge) - as long as Apache is faithfully proxying the entire domain to Caddy (or at least /.well-known.)
That’s one way to do it, but probably not the easiest… Have a look at the Caddyfile documentation, which supports multiple vhosts - you can edit your Caddyfile while Caddy is live, and then tell Caddy to reload configuration with a USR1 signal to add or remove vhosts with no downtime.
I’m a fan of the import directive myself, in the form of import /etc/caddy/vhosts/*.caddy and I symlink/copy in individual domain vhosts as files (kind of how Apache enable/disable their sites).
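As an added example (not from the original thread or the Caddy project), this is the Apache side of the arrangement described above: port 80 forwards only the ACME HTTP-01 challenge path to Caddy and redirects everything else to HTTPS, while port 443 proxies the whole domain. The domain, certificate paths and the Caddy listener address 127.0.0.1:2015 are assumptions.

```apache
# Added example, not from the thread. Assumed: Caddy listens on 127.0.0.1:2015
# over plain HTTP; example.com and the certificate paths are placeholders.
# Needs mod_proxy, mod_proxy_http, mod_ssl and mod_headers enabled.

<VirtualHost *:80>
    ServerName example.com

    # The HTTP-01 challenge must reach Caddy unmodified or validation fails,
    # so proxy only that prefix on port 80 and keep the Host header intact.
    ProxyPreserveHost On
    ProxyPass        /.well-known/acme-challenge/ http://127.0.0.1:2015/.well-known/acme-challenge/
    ProxyPassReverse /.well-known/acme-challenge/ http://127.0.0.1:2015/.well-known/acme-challenge/

    # Everything else stays strict HTTPS-only: redirect all paths except the
    # challenge prefix (negative lookahead keeps the proxy rule above in effect).
    RedirectMatch 301 "^/(?!\.well-known/acme-challenge/)(.*)$" "https://example.com/$1"
</VirtualHost>

<VirtualHost *:443>
    ServerName example.com
    SSLEngine on
    SSLCertificateFile    /etc/apache2/ssl/example.com.crt
    SSLCertificateKeyFile /etc/apache2/ssl/example.com.key

    # Pass the original Host header through so Caddy selects the right vhost,
    # and tell it the client leg was already TLS-terminated here.
    ProxyPreserveHost On
    RequestHeader set X-Forwarded-Proto "https"
    ProxyPass        / http://127.0.0.1:2015/
    ProxyPassReverse / http://127.0.0.1:2015/
</VirtualHost>
```

Apache still needs its own certificate for the 443 listener; the certificates Caddy obtains only cover the Caddy-served hop, which is the situation the next reply in this thread describes.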
Under my current circumstances I think I will try HTTPS Caddy, behind Apache, but without auto-cert management for a while (I’ll generate them or renew them the standalone way with another letsencrypt client and copy them into their final location as needed).
There’s a list of criteria which must all be true for Caddy to enable Automatic HTTPS - you can see the list here. Breaking any of those conditions will stop Caddy from automatically managing your certificates.