Difference between regular & on-demand TLS

We have a domain that we want to transfer from another server to a server served by Caddy.

Using regular HTTPS doesn’t work, because the challenge can’t be completed while the domain is still pointing to another server. So we decided to try using on-demand TLS certificates. Are there differences in how those are handled, besides the moment when the cert is initially created? In other words, will our on-demand certificate be automatically renewed and will it keep working in the same way as a ‘regular’ cert once it’s created, or are there other things to keep in mind?

Also, is there another way to solve the problem of creating a TLS cert for a domain that’s pointing to a different server, to prepare for a move?

Not really; there are no user-facing differences other than that on-demand certificates are obtained during the TLS handshake, whereas usually it happens while the configuration is loaded.

In general, it’s the same.

Using the DNS challenge, you do not need to open a port because the ACME server doesn’t contact your server. That would be the recommended way to do it.

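To make the answer above concrete: the one thing on-demand TLS adds that a "regular" certificate does not is that the decision to obtain a certificate is made during a handshake, so anyone who points a DNS record at the server can trigger issuance unless Caddy is told whom to ask first. The following is an added example, not code from this thread or from the Caddy project: a minimal permission ("ask") endpoint that Caddy consults with the requested name in the `domain` query parameter and that answers 2xx only for names on an allowlist, together with the Caddyfile fragment that points Caddy at it. The allowlist zones, the listening port 9123, the `/check` path and the `respond "migrated"` site body are assumptions for the example.

```python
"""Permission ('ask') endpoint for Caddy on-demand TLS.

Added example, not code from the forum thread or from the Caddy project.
Caddy sends a GET request to the URL configured under the global
`on_demand_tls { ask ... }` option with the requested hostname in the
`domain` query parameter and only obtains a certificate when the endpoint
answers with a 2xx status. Port, path and allowlist below are assumptions.
"""
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlparse

# Caddyfile that pairs with this endpoint (site body is assumed). Without
# the `ask` line, any third party who points a DNS record at this server
# could make Caddy request certificates for arbitrary names at handshake time.
CADDYFILE = """
{
	on_demand_tls {
		ask http://127.0.0.1:9123/check
	}
}

https:// {
	tls {
		on_demand
	}
	respond "migrated"
}
"""

# Constructed allowlist: the zones actually being migrated to this server.
ALLOWED_ZONES = {"example.com", "example.net"}


def normalize(domain: str) -> str:
    """Lowercase, strip a trailing dot, and reject obviously bad input."""
    d = domain.strip().lower().rstrip(".")
    if not d or len(d) > 253 or "*" in d or "/" in d or ":" in d:
        return ""
    return d


def is_allowed(domain: str) -> bool:
    """Allow an exact allowlisted zone or exactly one label below it.

    Accepting only one label keeps issuance from being triggered for
    arbitrary deep names such as a.b.c.example.com.
    """
    d = normalize(domain)
    if not d:
        return False
    if d in ALLOWED_ZONES:
        return True
    parts = d.split(".", 1)
    return len(parts) == 2 and parts[0] != "" and parts[1] in ALLOWED_ZONES


def decide(path: str) -> int:
    """Map a request path such as /check?domain=www.example.com to a status.

    Anything other than 200 makes Caddy refuse to obtain the certificate.
    """
    url = urlparse(path)
    if url.path != "/check":
        return 404
    domains = parse_qs(url.query).get("domain", [])
    if len(domains) != 1:
        return 400
    return 200 if is_allowed(domains[0]) else 403


class AskHandler(BaseHTTPRequestHandler):
    def do_GET(self) -> None:
        status = decide(self.path)
        self.send_response(status)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, fmt, *args) -> None:
        # Keep the example quiet; log denied names in a real deployment.
        pass


def serve(port: int = 9123) -> None:
    """Listen on loopback only; Caddy is the only intended client."""
    HTTPServer(("127.0.0.1", port), AskHandler).serve_forever()


if __name__ == "__main__":
    serve()
```

Run the endpoint next to Caddy, load the Caddyfile shown in the constant, and the server only completes issuance for names the allowlist returns 200 for; everything else fails the handshake without a certificate request ever reaching the CA. The DNS challenge the answer recommends is configured instead with `tls { dns <provider> ... }` and needs a Caddy build that includes the module for that DNS provider, which is why the follow-up below about an unsupported provider matters.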

Thanks for the response! Given that we have our cert now (the DNS change has propagated by now), it should ‘just keep working’ like we’re used to from Caddy.

I checked out docs on the DNS challenge, but unfortunately our current provider isn’t supported. I’ll have to take it up internally to see if we can switch to a supported provider to streamline this process.
