Caddy picks the wrong certificate for domain

1. The problem I’m having:

I am hosting multiple domains on the same server. Some of those domains are using Cloudflare and an Origin Certificate, while other domains are direct to the server and using a Caddy-managed ACME certificate.

The Cloudflare Origin Certificate includes a wildcard entry for *.minimachines.net.

Here is the relevant Caddy config:

www.minimachines.net {
	tls /etc/caddy/cloudflare-origin-mm-certificate.pem /etc/caddy/cloudflare-origin-mm-key.pem
	root * /home/minimachines/public_html
	# …
}

forum.minimachines.net {
	# …
}

The intent is to have the Cloudflare Origin Certificate for www.minimachines.net, and have forum.minimachines.net use a Caddy-managed ACME certificate.

But Caddy uses the Cloudflare Origin Certificate for forum.minimachines.net even if it is only configured for www.minimachines.net, most likely because this certificate is valid for *.minimachines.net.

Is there a way to force Caddy to only use the provided CF Origin Certificate for a specific list of domains, and somehow ignore the wildcard? Or to force Caddy to generate an ACME certificate for forum.minimachines.net and use it rather than the wildcard?

2. Error messages and/or full log output:

curl -Lvvk -o /dev/null https://forum.minimachines.net/
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0* Host forum.minimachines.net:443 was resolved.
* IPv6: 2001:41d0:203:247b::
* IPv4: 54.37.83.123
*   Trying [2001:41d0:203:247b::]:443...
* Connected to forum.minimachines.net (2001:41d0:203:247b::) port 443
* ALPN: curl offers h2,http/1.1
* (304) (OUT), TLS handshake, Client hello (1):
} [327 bytes data]
* (304) (IN), TLS handshake, Server hello (2):
{ [122 bytes data]
* (304) (IN), TLS handshake, Unknown (8):
{ [15 bytes data]
* (304) (IN), TLS handshake, Certificate (11):
{ [1213 bytes data]
* (304) (IN), TLS handshake, CERT verify (15):
{ [264 bytes data]
* (304) (IN), TLS handshake, Finished (20):
{ [36 bytes data]
* (304) (OUT), TLS handshake, Finished (20):
} [36 bytes data]
* SSL connection using TLSv1.3 / AEAD-CHACHA20-POLY1305-SHA256 / [blank] / UNDEF
* ALPN: server accepted h2
* Server certificate:
*  subject: O=CloudFlare, Inc.; OU=CloudFlare Origin CA; CN=CloudFlare Origin Certificate
*  start date: Jun 25 09:24:00 2024 GMT
*  expire date: Jun 22 09:24:00 2039 GMT
*  issuer: C=US; O=CloudFlare, Inc.; OU=CloudFlare Origin SSL Certificate Authority; L=San Francisco; ST=California
*  SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
* using HTTP/2
* [HTTP/2] [1] OPENED stream for https://forum.minimachines.net/
* [HTTP/2] [1] [:method: GET]
* [HTTP/2] [1] [:scheme: https]
* [HTTP/2] [1] [:authority: forum.minimachines.net]
* [HTTP/2] [1] [:path: /]
* [HTTP/2] [1] [user-agent: curl/8.6.0]
* [HTTP/2] [1] [accept: */*]
> GET / HTTP/2
> Host: forum.minimachines.net
> User-Agent: curl/8.6.0
> Accept: */*
>
< HTTP/2 200
…

3. Caddy version:

v2.8.4 h1:q3pe0wpBj1OcHFZ3n/1nl4V4bxBrYoSoab7rL9BMYNk=

4. How I installed and ran Caddy:

a. System environment:

Debian, systemd, using the caddy packages

b. Command:

systemctl start caddy

c. Service/unit/compose file:

Standard from package

d. My complete Caddy config:

# Minimum reproduction config
www.minimachines.net {
	tls /etc/caddy/cloudflare-origin-mm-certificate.pem /etc/caddy/cloudflare-origin-mm-key.pem
	root * /home/minimachines/public_html
}

forum.minimachines.net {
	root * /home/minimachines/forum/public_html
}

5. Links to relevant resources:

You’ll need to configure auto_https ignore_loaded_certificates so that Caddy will know to manage a cert for domains that might already be covered by another loaded certificate. See Global options (Caddyfile) — Caddy Documentation

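Added example (not part of the original thread): the minimal reproduction config from section 4d with the global option the reply refers to applied. The certificate and key paths and the document roots are the ones from the post; the Caddyfile token for this option is `auto_https ignore_loaded_certs` (the corresponding JSON config field is named `ignore_loaded_certificates`). With it set, Caddy still serves the manually loaded Cloudflare Origin certificate for www.minimachines.net, but also obtains and renews an ACME certificate for forum.minimachines.net instead of treating that name as already covered by the wildcard SAN; at handshake time an exact SAN match is preferred over a wildcard match, so the managed certificate is the one presented for forum.

```caddyfile
{
	# Global option: manage (ACME) certificates for every site name even when a
	# manually loaded certificate already covers that name. Without this, the
	# *.minimachines.net SAN on the Cloudflare Origin certificate makes Caddy skip
	# issuance for forum.minimachines.net and serve the wildcard instead.
	auto_https ignore_loaded_certs
}

www.minimachines.net {
	# Manually loaded Cloudflare Origin certificate (paths as in the original post).
	# This cert is only valid for traffic that arrives via Cloudflare.
	tls /etc/caddy/cloudflare-origin-mm-certificate.pem /etc/caddy/cloudflare-origin-mm-key.pem
	root * /home/minimachines/public_html
	# … other directives from the original site block
}

forum.minimachines.net {
	# No tls directive: Caddy now issues an ACME certificate for this exact name.
	# The host must be reachable directly on ports 80/443 for the challenge,
	# which the post says is the case for the non-Cloudflare domains.
	root * /home/minimachines/forum/public_html
	# … other directives from the original site block
}
```

After reloading (`systemctl reload caddy`), repeat the `curl -Lvvk` command from section 2 and check the "Server certificate:" lines: the issuer should now be the ACME CA Caddy obtained the certificate from rather than "CloudFlare Origin SSL Certificate Authority", and the subject CN should be forum.minimachines.net. Doing the same check against www.minimachines.net with the Cloudflare proxy bypassed confirms the Origin certificate is still pinned to that site only.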