I have an app which allows users to access it via a different subdomain per account, so I require a wildcard certificate for my domain. I have configured Caddy (v2.3.0) as follows, however requests to user.mydomain.com, user2.mydomain.com etc. result in specific TLS certificates being requested for these subdomains. I expected Caddy to generate a wildcard certificate for *.mydomain.com.
Am I doing this wrong, or does Caddy not work in this way?
For the time being I have replaced on_demand with a wildcard cert that I generated myself.
However, this isn’t working. Unique certs are still being generated for subdomains. I don’t see an error message relating to Cloudflare in the syslog (which is where the LetsEncrypt logs usually end up). Creating the API token in Cloudflare was interesting - there are many permissions. I created the token with access to DNS as per the docs:
You probably don’t need all this stuff. Try removing it. Caddy sets most appropriate headers automatically:
That’s correct. Setting on_demand defers certificate issuance until the TLS handshake. That feature and wildcard certificates are two sides of the same coin. It doesn’t make sense to have both enabled at the same time. Also, it’s unsafe to enable on_demand without configuring an ask endpoint as well, to prevent abuse. See the on_demand_tls global options for more detail.
For next time, it’s best if you don’t omit any parts of your config when asking for help. Parts that you think are not relevant are often actually relevant. It just makes it harder for us to help when we don’t have a clear picture of what’s going on.
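As an added example (not the original poster's config and not the Caddy project's own), a Caddyfile that follows the answer above: one wildcard certificate for *.mydomain.com issued up front via the Cloudflare DNS challenge, with no on_demand in the same config. It assumes a Caddy build that includes the caddy-dns/cloudflare module, the token in the CLOUDFLARE_API_TOKEN environment variable, a backend on localhost:8080, and a placeholder ask URL for the commented-out alternative.

```caddyfile
# Added example, not from the thread. Requires Caddy built with the
# github.com/caddy-dns/cloudflare module and a token (DNS edit permission
# for the zone) exported as CLOUDFLARE_API_TOKEN.

# Wildcard cert via the ACME DNS challenge. This site block matches
# user.mydomain.com, user2.mydomain.com, etc. with a single *.mydomain.com
# certificate, so no per-subdomain issuance takes place. There is no
# on_demand here: on_demand defers issuance to the handshake and would
# request a separate cert per subdomain, which defeats the wildcard.
*.mydomain.com {
	tls {
		dns cloudflare {env.CLOUDFLARE_API_TOKEN}
	}
	reverse_proxy localhost:8080
}

# Alternative (use INSTEAD of the wildcard block above, not together):
# per-subdomain on-demand certs. If you go this way, the on_demand_tls
# global option with an ask endpoint is needed so that Caddy only issues
# certs for hostnames your app actually knows about; without it, anyone
# pointing a name at this server can trigger issuance. The ask URL below
# is a placeholder for an endpoint that returns 200 for allowed names.
#
# {
# 	on_demand_tls {
# 		ask http://localhost:5555/check
# 	}
# }
#
# https:// {
# 	tls {
# 		on_demand
# 	}
# 	reverse_proxy localhost:8080
# }
```

Check the outcome with `caddy list-certificates` or the storage directory: with the wildcard block you should see one certificate for *.mydomain.com rather than one per subdomain.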