Caddy With Specific Hosts, But On-Demand TLS?

I would like to have my Caddyfile specify some specific hosts like:

foo.com {

}

But, I don’t want it to obtain the TLS certificate until the first request actually hits the server. The only way I have been able to achieve this is to have a file that doesn’t specify the exact hosts:

:443 {
    # etc
}

Is it possible to achieve this? To delay the certificate process until the first request even when an explicit host is specified?

Just to reiterate what was mentioned on Twitter: obtaining certificates during the handshake is less than ideal for a number of reasons, especially if you know the hostname(s) beforehand. On-Demand TLS is still a useful feature of course, but I can’t think of a compelling reason that obtaining during a handshake should be prioritized over obtaining during startup.

Still, making the change would be easy, if we can come up with a good use case for that override.

There are 2 ways I’m thinking of by which we could allow On-Demand TLS to be “preferred” even if obtaining certificates at startup is possible, if we decide to make a change:

  1. Setting max_certs in the TLS directive forces On-Demand TLS to be used even if the hostname is known beforehand. This “just works” for everyone and there’s no configuring. But it may not be ideal if some users over-configure.

  2. We add an optional argument to max_certs called force or prefer or always or something like that; if specified, use On-Demand TLS even if the hostname is known beforehand: max_certs 5 always. This gives the user more control and leaves on-demand TLS to be less preferred by default.

Either of these tickle your fancy?

What about a new subdirective? max_certs, to me, doesn’t scream “this will defer your certificate requisition until handshake” in a vacuum of context. Maybe defer [always|on-demand|never], defaulting to on-demand being the current behaviour while max_certs is specified. Just spitballing here.

I’m fine with whatever is most maintainable on y’alls end 🙂

I’ve implemented this change in 4462e39. max_certs now changes the certificate obtaining/maintenance to handshake-time for ALL hostnames, not just hostnames that it doesn’t know at startup.

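For reference, here is what the resulting Caddyfile looks like once `max_certs` defers certificate acquisition for known hostnames. This is an added example, not configuration posted in the thread or shipped by the Caddy project; it assumes a Caddy 0.x build that includes the change referenced above, and the site root path is a placeholder.

```caddyfile
# Added example (not from the thread). Assumes a Caddy build that includes
# the max_certs change discussed above; /var/www/foo is a placeholder path.

# Explicit hostname, but the certificate is NOT obtained at startup:
# with max_certs set, Caddy now waits for the first TLS handshake for
# foo.com before requesting a certificate, and will manage at most 5
# on-demand certificates in total.
foo.com {
    root /var/www/foo
    tls {
        max_certs 5
    }
}
```

Without the `tls { max_certs ... }` block, the same `foo.com` site keeps the default behaviour and obtains its certificate when Caddy starts. Keep the `max_certs` value small: each on-demand certificate is an ACME issuance triggered by whoever sends the handshake, so the limit is what stops a flood of requests for unexpected names from burning through CA rate limits.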

Thank you so much!
