If the A record for that domain no longer reaches Caddy, there’s still nothing to do. On-Demand certs are only renewed in response to a TLS handshake coming in to trigger it (where Caddy will ask to see if it should still maintain it). If that domain’s DNS is no longer pointing to your server, then it’s impossible for Caddy to get requests with that domain in TLS-SNI (unless someone spoofs TLS-SNI, but nobody really does that in practice). So the cert will just expire on its own.
3 Likes
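The check mentioned in the post above, where Caddy asks whether it should still maintain a certificate, is served by the On-Demand TLS `ask` endpoint: Caddy sends a GET with a `domain` query parameter, and only a 200 response lets it issue or renew. The following is an added example, not code from the original post or from the Caddy project; the `allowlist` type, the hostnames and the listen address are assumptions made for illustration.

```go
package main

import (
	"log"
	"net/http"
	"strings"
	"sync"
)

// allowlist (hypothetical helper) holds the hostnames whose certificates
// this server should still obtain and renew.
type allowlist struct {
	mu    sync.RWMutex
	hosts map[string]bool
}

// normalize makes lookups case-insensitive and ignores a trailing root dot.
func normalize(h string) string {
	return strings.TrimSuffix(strings.ToLower(strings.TrimSpace(h)), ".")
}

func newAllowlist(hosts ...string) *allowlist {
	a := &allowlist{hosts: make(map[string]bool)}
	for _, h := range hosts {
		a.hosts[normalize(h)] = true
	}
	return a
}

// remove drops a hostname, e.g. when a customer's domain is offboarded.
// Later handshakes for it are refused and its certificate simply expires.
func (a *allowlist) remove(host string) {
	a.mu.Lock()
	defer a.mu.Unlock()
	delete(a.hosts, normalize(host))
}

// ServeHTTP answers the ask request: 200 allows, 403 refuses.
// A spoofed SNI name that is not on the list gets no certificate.
func (a *allowlist) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	domain := normalize(r.URL.Query().Get("domain"))
	a.mu.RLock()
	ok := domain != "" && a.hosts[domain]
	a.mu.RUnlock()
	if !ok {
		http.Error(w, "not allowed", http.StatusForbidden)
		return
	}
	w.WriteHeader(http.StatusOK)
}

func main() {
	a := newAllowlist("app.customer-a.example") // constructed sample hostname
	log.Fatal(http.ListenAndServe("127.0.0.1:5555", a))
}
```

Caddy's `on_demand_tls` global option takes the URL of this endpoint in its `ask` setting.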