Disable certificate for single wildcard domain, used only for redirect

camonne · December 2, 2021, 3:48pm

1. Caddy version (`caddy version`):

v2.4.6 h1:HGkGICFGvyrodcqOOclHKfvJC0qTU7vny/7FhYp9hNw=

2. How I run Caddy:

Via docker compose

a. System environment:

ubuntu lts 5.4.0-89

d. My complete Caddyfile or JSON config:

# service on a single subdomain
service.mydominio.com {
	reverse_proxy my_service:80
}

# default page for mydominio.com
hello.mydominio.com {
	root * /var/www/defaults/mydominio
	file_server {
		hide .git
	}
}

# redirect all the other non specified subdomains
*.mydominio.com {
	redir https://hello.mydominio.com
}

3. The problem I’m having:

I have multiple domains (like mydominio.com, mydominio2.com etc) on my server. I want to redirect all the subdomains of a single domain not already used by a specific service (let’s say I misstype asdfg.mydominio.com) to a simple page (hello.mydominio.com). I’m using ‘*.mydominio.com’ to do this but it tries to obtain a wildcard certificate (no plugin is available for my dns provider). How do I disable the certificate retrieval or obtain this kind of redirect?

4. Error messages and/or full log output:

{“level”:“error”,“ts”:1638459072.5763295,“logger”:“tls.obtain”,“msg”:“will retry”,“error”:"[.mydominio.com] Obtain: [.mydominio.com] solving challenges: *.mydominio.com: no solvers available for remaining challenges

5. What I already tried:

Using ‘http://*.mydominio.com {}’ to at least redirect http domains.
Checked the automatic_https directive but it does not seem to be useful for wildcard domains.
TLS off is no available.

francislavoie · December 2, 2021, 3:53pm

Caddy needs a certificate to complete the TLS handshake for HTTPS requests. Caddy can’t respond unless the handshake succeeds (browsers wouldn’t accept/trust the response unless it succeeded)

If you only care to redirect HTTP requests, then you can prefix the site address with http:// to prevent it from trying to provision a certificate for that name. But if you also want HTTPS requests, you still need a certificate.

camonne · December 3, 2021, 3:24pm

Thanks, I’ll guess I’ll wait for someone to create a netcup wildcard plugin, I gave it a look but I don’t know Go (yet)

francislavoie · December 3, 2021, 9:48pm

An alternative option is that you could use the duckdns plugin (and get a DuckDNS domain for free) and set up DNS challenge delegation. That way Caddy doesn’t need API access to netcup, and ACME issuers will follow the CNAME to get the challenge from the DuckDNS domain instead.

system · January 1, 2022, 3:49pm

This topic was automatically closed after 30 days. New replies are no longer allowed.

camonne · January 18, 2022, 2:25pm

My use case:

I have several domains managed with my Caddyfile. I want to redirect all the wrong subdomains request (requests to non-existing domains) to their own page (grouped by domain). I don’t have wildcard certificate support because my provider is not supported (netcup)

My solution was to catch all the “remaining” http and https traffic and use the host and handle directives to manage them


# rest of the Caddyfile

welcome.firstdomain.com {
	root * /var/www/welcome
}

welcome.seconddomain.com {
	reverse_proxy docker_container:5000
}

http://, https:// {
	@firstdomain host *.firstdomain.com
	@seconddomain host *.seconddomain.com

	handle @firstdomain {
		redir https://welcome.firstdomail.com
	}

	handle @seconddomain {
		redir https://welcome.seconddomain.com
	}
}

francislavoie · January 18, 2022, 3:04pm

Thanks for the followup, I moved the post back into the original topic, it’s a better fit there rather than in a wiki

francislavoie · January 18, 2022, 3:09pm

FYI using https:// won’t actually “catch remaining HTTPS traffic” because Caddy won’t have a certificate that will allow for the TLS handshake to complete.

This will work fine for http:// though.

francislavoie · January 18, 2022, 3:09pm

jok · January 18, 2022, 3:19pm

There is now support available via https://github.com/caddy-dns/netcup (just seen it, did not try it)

camonne · January 23, 2022, 6:29pm

Yeah I just rechecked hoping someone created it and indeed there was one. I can confirm it works.

*.doomain.com {

    tls {

        dns netcup {
            customer_number {env.NETCUP_CUSTOMER_NUMBER}
            api_key {env.NETCUP_API_KEY}
            api_password {env.NETCUP_API_PASSWORD}
        }
    }

    # default page for redirection of http://doomain.com subdomains
    @hello host hello.doomain.com

    handle @hello {
        root * /var/www/hello
        file_server
    }

    @domain1 host domain1.doomain.com

    handle @domain1 {
        reverse_proxy domain1:80
    }

    @domain2 host domain2.doomain.com

    handle @domain2 {
        reverse_proxy domain2:80
    }

    # Fallback for otherwise unhandled domains
    handle {
        redir https://hello.doomain.com
    }

}

francislavoie · January 31, 2022, 8:00am

This topic was automatically closed after 12 days. New replies are no longer allowed.