ECH not working with wildcard certificates

1. The problem I’m having:

I am attempting to use the new encrypted client hello (ECH) functionality with my wildcard certificate domain. I followed the common Caddyfile patterns for wildcard certificates and am using the Cloudflare DNS plugin.

Unfortunately, it appears that Caddy isn't updating anything DNS-wise.

2. Error messages and/or full log output:

{"level":"debug","ts":1745557179.799294,"logger":"tls.ech","msg":"ECH config list already published by publisher for associated domains (or no domains to publish for)","config_ids":[232],"publisher":"dns.providers.cloudflare"}

3. Caddy version:

v2.10.0 h1:fonubSaQKF1YANl8TXqGcn4IbIRUDdfAkpcsfI/vX5U=

4. How I installed and ran Caddy:

a. System environment:

systemd service running a Proxmox Debian 12.10 LXC container

b. Command:

N/A

c. Service/unit/compose file:

[Unit]
Description=Caddy
Documentation=https://caddyserver.com/docs/
After=network.target network-online.target
Requires=network-online.target

[Service]
Type=notify
User=caddy
Group=caddy
ExecStart=/usr/local/bin/caddy run --environ --config /etc/caddy/Caddyfile
ExecReload=/usr/local/bin/caddy reload --config /etc/caddy/Caddyfile --force
TimeoutStopSec=5s
LimitNOFILE=1048576
PrivateTmp=true
ProtectSystem=full
AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE

[Install]
WantedBy=multi-user.target

d. My complete Caddy config:

{
        email REDACTED
        servers {
                protocols h3 h2 h1
        }

        dns cloudflare REDACTED
        ech ech.mydomain.com
        debug
}

(public_reverse_proxy) {
        reverse_proxy {args[0]} {
                transport http {
                        tls_trust_pool file /etc/ssl/certs/ca-certificates.crt
                }
        }
}

(private_reverse_proxy) {
        @public_ip {
                not remote_ip private_ranges
        }
        abort @public_ip
        import public_reverse_proxy {args[0]}
}

*.mydomain.com {
    tls {
            resolvers 1.1.1.1
            ciphers TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
    }

    log {
            format console
            output file /var/log/caddy/access.log {
                    roll_size 10mb
                    roll_keep 10
                    roll_keep_for 168h
            }
    }

    header {
            Strict-Transport-Security max-age=63072000;
            X-Robots-Tag "noindex, nofollow"
            X-Content-Type-Options "nosniff"
            X-Frame-Options "SAMEORIGIN"
            X-XSS-Protection "1; mode=block"
            Referrer-Policy "same-origin"

            -server
    }

    encode {
            zstd
            br
            gzip
    }

    @service host service.mydomain.com
    handle @service {
            import public_reverse_proxy service.internal.lan:443
    }

    handle {
        abort
    }

}

5. Links to relevant resources:
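One way to check the claim in the log above is to look at what is actually published: ECH configs are carried in the `ech` SvcParam (key 5) of an HTTPS record, and each ECHConfig in the list starts with the one-byte `config_id` that Caddy logs (`232` here). The following is an added example, not code from the poster or from Caddy; it parses HTTPS RDATA in RFC 9460 wire format and the ECHConfigList from draft-ietf-tls-esni (version 0xfe0d), and builds a constructed sample record so it runs offline. The public key bytes, KEM and cipher suite in the sample are placeholders.

```python
import struct

SVCPARAM_ECH = 5            # SvcParamKey "ech" (RFC 9460 registry)
ECH_VERSION = 0xFE0D        # ECHConfig version from draft-ietf-tls-esni

def parse_https_rdata(rdata: bytes):
    """Parse HTTPS RR RDATA (RFC 9460) into (priority, target, {svcparam_key: value})."""
    (prio,) = struct.unpack("!H", rdata[:2])
    pos, labels = 2, []
    while True:                       # TargetName: uncompressed labels ending in a 0 byte
        n = rdata[pos]; pos += 1
        if n == 0:
            break
        labels.append(rdata[pos:pos + n].decode("ascii")); pos += n
    params = {}
    while pos < len(rdata):           # SvcParams: uint16 key, uint16 length, value
        key, length = struct.unpack("!HH", rdata[pos:pos + 4]); pos += 4
        params[key] = rdata[pos:pos + length]; pos += length
    return prio, ".".join(labels) + ".", params

def ech_config_ids(config_list: bytes):
    """Return the HpkeKeyConfig.config_id of every ECHConfig in an ECHConfigList."""
    (total,) = struct.unpack("!H", config_list[:2])
    pos, end, ids = 2, 2 + total, []
    while pos < end:
        version, length = struct.unpack("!HH", config_list[pos:pos + 4]); pos += 4
        if version == ECH_VERSION:    # ECHConfigContents begins with the one-byte config_id
            ids.append(config_list[pos])
        pos += length                 # skip unknown versions instead of misparsing them
    return ids

def published_ech_ids(rdata: bytes):
    """config_ids found in the record's ech SvcParam, or [] if no ECH config is published."""
    _, _, params = parse_https_rdata(rdata)
    return ech_config_ids(params[SVCPARAM_ECH]) if SVCPARAM_ECH in params else []

def build_sample_record(config_id: int, public_name: str) -> bytes:
    """Constructed sample: HTTPS RR (priority 1, target '.') carrying one ECHConfig."""
    key_config = bytes([config_id]) + struct.pack("!H", 0x0020)    # kem_id DHKEM(X25519)
    key_config += struct.pack("!H", 32) + b"\x11" * 32              # placeholder public key
    key_config += struct.pack("!HHH", 4, 0x0001, 0x0001)            # one KDF/AEAD suite
    name = public_name.encode("ascii")
    contents = key_config + bytes([64, len(name)]) + name + struct.pack("!H", 0)
    config = struct.pack("!HH", ECH_VERSION, len(contents)) + contents
    ech_list = struct.pack("!H", len(config)) + config
    return (struct.pack("!H", 1) + b"\x00"
            + struct.pack("!HH", SVCPARAM_ECH, len(ech_list)) + ech_list)
```

In practice, fetch the HTTPS record for the name Caddy is supposed to update (the `ech` name from the global block, or the wildcard's host) from the resolver, pass its raw RDATA to `published_ech_ids`, and compare the result with the `config_ids` in Caddy's `tls.ech` log line; an empty list or a mismatched id means the publisher's "already published" conclusion does not match what the zone serves.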