Regarding the configuration of certificate issuers, I have the following doubts.
If the global acme_ca option is set, does the default Caddy Server fallback mechanism stop working? That is, if this option is set, will only that ACME directory endpoint be used to obtain the certificates? Would it be necessary to manually configure the fallback mechanism?
Could acme_ca be set multiple times to configure multiple issuers and set the priorities and fallback strategy?
If the global acme_ca option is set and also several cert_issuer options, what value is set in the issuer? For example, the following:
When should global option acme_ca or tls/ca vs. the global option cert_issuer or tls/issuer be used?
Under my perception, the documentation regarding certificate management is very confusing and there are many redundant options. For example, in the tls directive there are ca and dns options, which are shortcuts to configure the acme issuer. But what about the zerossl issuer?
No, it’s just a shortcut to configure the acme issuer (i.e. Let’s Encrypt by default) to a different ACME endpoint. If you want multiple issuers, then use cert_issuer, which can be repeated.
I think that’s kinda invalid. Avoid trying to combine both acme_ca and cert_issuer. We should probably have better warnings/errors around that.
Hopefully the above covers it.
Unfortunately I agree, many of those global options were added in v2.0 betas when we weren’t quite sure how we wanted to steer users to configure TLS yet. If we were to do it again, we’d likely not have the global options set up the same way.
When you use those tls top-level options, they propagate to both the acme and zerossl issuers by default, where possible.
Keep in mind that since v2.8.0, you need an email configured for ZeroSSL to be enabled, due to their policy changes.
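Below is an added Caddyfile example (not from the thread or from the Caddy project) putting the answer into practice: the global `email` option, `cert_issuer` repeated so that issuers are tried in the order listed, and a per-site `tls { issuer ... }` override. The second ACME directory URL and the hostnames are constructed placeholders; `acme_ca` is deliberately not used alongside `cert_issuer`, as the reply advises.

```caddyfile
{
	# Global options apply to every site in this Caddyfile.
	# Since v2.8.0 the built-in ZeroSSL fallback is only enabled when an
	# email is configured; Let's Encrypt also uses it for expiry notices.
	# Constructed value for illustration.
	email admin@example.com

	# Issuers are tried in the order they appear. Let's Encrypt's
	# production directory comes first; if issuance fails there, Caddy
	# falls back to the second issuer. Do NOT also set acme_ca here:
	# acme_ca is only a shortcut for a single acme issuer's directory
	# and combining the two is not a supported configuration.
	cert_issuer acme {
		dir https://acme-v02.api.letsencrypt.org/directory
	}
	cert_issuer acme {
		# Placeholder for a second ACME directory (e.g. a private CA).
		dir https://acme.internal.example.com/directory
	}
}

# A site can override the global issuer list with its own tls block;
# the global email still propagates to this issuer.
public.example.com {
	respond "hello"
}

internal.example.com {
	tls {
		issuer acme {
			dir https://acme.internal.example.com/directory
		}
	}
	respond "internal"
}
```

Validate the file before reloading with `caddy validate --config Caddyfile`; if you only ever need one non-default directory for every site, the single global line `acme_ca https://acme.internal.example.com/directory` is the shortcut equivalent of the first block's `cert_issuer acme { dir ... }`, and in that case you omit `cert_issuer` entirely.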