ECH not working with wildcard certificates

1. The problem I’m having:

I am attempting to use the new encrypted client hello (ECH) functionality with my wildcard certificate domain. I followed the common Caddyfile patterns for wildcard certificates and am using the Cloudflare DNS plugin.

Unfortunately it appears that Caddy isn’t updating anything DNS-wise.

2. Error messages and/or full log output:

{"level":"debug","ts":1745557179.799294,"logger":"tls.ech","msg":"ECH config list already published by publisher for associated domains (or no domains to publish for)","config_ids":[232],"publisher":"dns.providers.cloudflare"}

3. Caddy version:

v2.10.0 h1:fonubSaQKF1YANl8TXqGcn4IbIRUDdfAkpcsfI/vX5U=

4. How I installed and ran Caddy:

a. System environment:

systemd service running in a Proxmox Debian 12.10 LXC container

b. Command:

N/A

c. Service/unit/compose file:

[Unit]
Description=Caddy
Documentation=https://caddyserver.com/docs/
After=network.target network-online.target
Requires=network-online.target

[Service]
Type=notify
User=caddy
Group=caddy
ExecStart=/usr/local/bin/caddy run --environ --config /etc/caddy/Caddyfile
ExecReload=/usr/local/bin/caddy reload --config /etc/caddy/Caddyfile --force
TimeoutStopSec=5s
LimitNOFILE=1048576
PrivateTmp=true
ProtectSystem=full
AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE

[Install]
WantedBy=multi-user.target

d. My complete Caddy config:

{
        email REDACTED
        servers {
                protocols h3 h2 h1
        }

        dns cloudflare REDACTED
        ech ech.mydomain.com
        debug
}

(public_reverse_proxy) {
        reverse_proxy {args[0]} {
                transport http {
                        tls_trust_pool file /etc/ssl/certs/ca-certificates.crt
                }
        }
}

(private_reverse_proxy) {
        @public_ip {
                not remote_ip private_ranges
        }
        abort @public_ip
        import public_reverse_proxy {args[0]}
}

*.mydomain.com {
        tls {
                resolvers 1.1.1.1
                ciphers TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
        }

        log {
                format console
                output file /var/log/caddy/access.log {
                        roll_size 10mb
                        roll_keep 10
                        roll_keep_for 168h
                }
        }

        header {
                Strict-Transport-Security max-age=63072000;
                X-Robots-Tag "noindex, nofollow"
                X-Content-Type-Options "nosniff"
                X-Frame-Options "SAMEORIGIN"
                X-XSS-Protection "1; mode=block"
                Referrer-Policy "same-origin"

                -server
        }

        encode {
                zstd
                br
                gzip
        }

        @service host service.mydomain.com
        handle @service {
                import public_reverse_proxy service.internal.lan:443
        }

        handle {
                abort
        }
}

5. Links to relevant resources:

It appears the core problem is that the documentation for wildcard domains hasn’t been updated to match 2.10 functionality.

Switching to the format described in New pattern for wildcard certs using Caddyfile (2.10.0) worked like a charm.

1 Like
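To confirm what actually got published for a name once the config is fixed, here is an added check that is not part of the original post: paste the base64 `ech=` value from a `dig HTTPS service.mydomain.com` answer into this stdlib-only parser, and it decodes the ECHConfigList and confirms the config id and public_name match what Caddy logged (232 and ech.mydomain.com). The sample record is constructed in the block, with a placeholder 32-byte key rather than a real one.

```python
import base64

ECH_VERSION = 0xFE0D  # ECHConfig version carried in HTTPS-record ech= values

def _vec(data: bytes, pos: int, len_bytes: int):
    """Read a length-prefixed vector at pos; return (body, position after it)."""
    n = int.from_bytes(data[pos:pos + len_bytes], "big")
    pos += len_bytes
    if pos + n > len(data):
        raise ValueError("truncated ECHConfig")
    return data[pos:pos + n], pos + n

def parse_ech_config_list(b64: str) -> list:
    """Parse the base64 value of an ech= SvcParam into ECHConfig summaries."""
    raw = base64.b64decode(b64)
    lst, end = _vec(raw, 0, 2)
    if end != len(raw):
        raise ValueError("trailing bytes after ECHConfigList")
    configs, p = [], 0
    while p < len(lst):
        version = int.from_bytes(lst[p:p + 2], "big")
        body, p = _vec(lst, p + 2, 2)
        if version != ECH_VERSION:  # unknown version: keep it opaque
            configs.append({"version": version})
            continue
        kem_id = int.from_bytes(body[1:3], "big")  # HpkeKeyConfig.kem_id
        pubkey, q = _vec(body, 3, 2)
        suites, q = _vec(body, q, 2)
        public_name, q = _vec(body, q + 1, 1)  # q+1 skips maximum_name_length
        configs.append({"version": version, "config_id": body[0], "kem_id": kem_id,
                        "public_key": pubkey, "cipher_suites": len(suites) // 4,
                        "public_name": public_name.decode("ascii")})
    return configs

def check_published(b64: str, config_id: int, public_name: str) -> bool:
    """True if the record carries the config id and public name Caddy reported."""
    return any(c.get("config_id") == config_id and c.get("public_name") == public_name
               for c in parse_ech_config_list(b64))

def build_ech_config(config_id: int, public_name: str, pubkey: bytes) -> str:
    """Encode one ECHConfig (X25519 KEM, HKDF-SHA256/AES-128-GCM) as a base64 list."""
    suite = (0x0001).to_bytes(2, "big") * 2
    name = public_name.encode("ascii")
    body = (bytes([config_id]) + (0x0020).to_bytes(2, "big")
            + len(pubkey).to_bytes(2, "big") + pubkey
            + len(suite).to_bytes(2, "big") + suite
            + b"\x00" + bytes([len(name)]) + name + b"\x00\x00")  # no extensions
    cfg = ECH_VERSION.to_bytes(2, "big") + len(body).to_bytes(2, "big") + body
    return base64.b64encode(len(cfg).to_bytes(2, "big") + cfg).decode()

# Constructed sample: config id 232 from the log above, placeholder key (not a real key)
SAMPLE_ECH = build_ech_config(232, "ech.mydomain.com", bytes(32))
```

Run `check_published(<ech value>, 232, "ech.mydomain.com")` against the live record; a `False` with the log still claiming "already published" means the record Caddy is comparing against is not the one your resolver sees.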