Differences between acme_ca and cert_issuer

1. The problem/doubt I’m having:


Regarding the configuration of certificate issuers, I have the following doubts.

  • If the global acme_ca option is set, does the default Caddy Server fallback mechanism stop working? That is, if this option is set, will only that ACME directory endpoint be used to obtain the certificates? Would it be necessary to manually configure the fallback mechanism?

  • Could acme_ca be set multiple times to configure multiple issuers and set the priorities and fallback strategy?

  • If the global acme_ca option is set and also several cert_issuer options, what value is set in the issuer? For example, the following:

      acme_ca https://acme.zerossl.com/v2/DV90
      cert_issuer acme {
          dir https://api.buypass.com/acme/directory
      cert_issuer zerossl
      cert_issuer acme
  • When should global option acme_ca or tls/ca vs. the global option cert_issuer or tls/issuer be used?

Under my perception, the documentation regarding certificate management is very confusing and there are many redundant options. For example, in the tls directive there are ca and dns options, which are shortcuts to configure the acme issuer. But what about the zerossl issuer?

2. Error messages and/or full log output:


3. Caddy version:


4. How I installed and ran Caddy:


5. Links to relevant resources:


Thank you very much in advance.

Best regards.

If you use acme_ca then fallback is disabled.

No, it’s just a shortcut to configure the acme issuer (i.e. Let’s Encrypt by default) to a different ACME endpoint. If you want multiple issuers, then use cert_issuer, which can be repeated.

I think that’s kinda invalid. Avoid trying to combine both acme_ca and cert_issuer. We should probably have better warnings/errors around that.

Hopefully the above covers it.

Unfortunately I agree, many of those global options were added in v2.0 betas when we weren’t quite sure how we wanted to steer users to configure TLS yet. If we were to do it again, we’d likely not have the global options set up the same way.

When you use those tls top-level options, they propagate to both the acme and zerossl issuers by default, where possible.

Keep in mind that since v2.8.0, you need an email configured for ZeroSSL to be enabled, due to their policy changes.