1. Caddy version (caddy version):
v2.0.0 h1:pQSaIJGFluFvu8KDGDODV8u4/QRED/OPyIR+MWYYse8=
2. How I run Caddy:
as a service
a. System environment:
Linux Amazon 2
b. Command:
/usr/bin/caddy run --environ --config /etc/caddy/config.json
c. Service/unit/compose file:
paste full file contents here
d. My complete Caddyfile or JSON config:
{
  "admin": {
    "disabled": false,
    "listen": "0.0.0.0:2020",
    "config": {
      "persist": true
    }
  },
  "logging": {
    "sink": {
      "writer": {
        "output": "file",
        "filename": "/tmp/caddy-Go.log"
      }
    },
    "logs": {
      "default": {
        "writer": {
          "output": "file",
          "filename": "/tmp/caddy-tmp.log"
        },
        "encoder": {
          "format": "json"
        },
        "level": "debug"
      }
    }
  },
  "apps": {
    "tls": {
      "automation": {
        "policies": [{
          "issuer": {
            "module": "acme"
          },
          "on_demand": true
        }],
        "on_demand": {
          "rate_limit": {
            "interval": "5m",
            "burst": 100
          },
          "ask": "http://certs.fakedomain.com/delegated.php"
        }
      }
    },
    "http": {
      "http_port": 80,
      "https_port": 443,
      "servers": {
        "tiendas": {
          "listen": [":80", ":443"],
          "max_header_bytes": 41943040,
          "automatic_https": {
            "skip": ["*.fakedomain.com"]
          },
          "routes": [
            {
              "group": "grupo1",
              "match": [{
                "host": ["guiacanaveral.com"]
              }],
              "handle": [{
                "handler": "reverse_proxy",
                "upstreams": [{
                  "dial": "ip-172-31-4-60.us-west-2.compute.internal:80"
                }]
              }],
              "terminal": true
            },
            {
              "@id": "certs",
              "group": "grupo1",
              "match": [{
                "host": ["certs.fakedomain.com"]
              }],
              "handle": [{
                "handler": "reverse_proxy",
                "transport": {
                  "protocol": "fastcgi",
                  "root": "/"
                },
                "upstreams": [{
                  "dial": "unix//var/php.sock"
                }]
              }],
              "terminal": true
            },
            {
              "@id": "subdominios",
              "group": "grupo1",
              "match": [{
                "host": ["*.fakedomain.com"]
              }],
              "handle": [{
                "handler": "reverse_proxy",
                "upstreams": [{
                  "dial": "ip-172-31-4-60.us-west-2.compute.internal:80"
                }]
              }],
              "terminal": true
            },
            {
              "@id": "dominios",
              "group": "grupo1",
              "match": [{
                "host": ["*"]
              }],
              "handle": [{
                "handler": "reverse_proxy",
                "upstreams": [{
                  "dial": "ip-172-31-4-60.us-west-2.compute.internal:80"
                }]
              }],
              "terminal": true
            }
          ]
        }
      }
    }
  }
}
3. The problem I’m having:
I need to use a fixed wildcard cert for the subdomains *.fakedomain.com for this specific route, and use tls on_demand for all the domains pointing to my server (configured as a route that matches ["*"], everything).
Or I need to transparently proxy all the traffic that matches my subdomains, forwarding it “as is” to my webservers, and leave my webservers without SSL provisioning for my subdomains.
"ask": "http://certs.fakedomain.com/delegated.php"
Should this endpoint check whether the domain has a valid cert? Or should it only check that the domain/subdomain is pointing to my Caddy server?
4. Error messages and/or full log output:
I understood from the docs that if I configure a site with a wildcard subdomain I will get a wildcard certificate, but I'm getting a certificate for each subdomain, like:
2020/05/20 22:10:58 [INFO] [www.serinterior.fakedomain.com] acme: Obtaining bundled SAN certificate given a CSR
2020/05/20 22:11:00 [INFO] [www.serinterior.fakedomain.com] acme: Obtaining bundled SAN certificate given a CSR
2020/05/20 22:12:02 [INFO] [www.serinterior.fakedomain.com] acme: Obtaining bundled SAN certificate given a CSR
2020/05/20 22:12:03 [INFO] [www.serinterior.fakedomain.com] AuthURL: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/58120303
2020/05/20 22:12:03 [INFO] [www.serinterior.fakedomain.com] acme: authorization already valid; skipping challenge
2020/05/20 22:12:03 [INFO] [www.serinterior.fakedomain.com] acme: Validations succeeded; requesting certificates
2020/05/20 22:12:03 [INFO] [www.serinterior.fakedomain.com] Server responded with a certificate.
2020/05/20 22:12:03 [INFO] [www.serinterior.fakedomain.com] acme: Obtaining bundled SAN certificate given a CSR
2020/05/20 22:12:06 [INFO] [www.serinterior.fakedomain.com] acme: Obtaining bundled SAN certificate given a CSR
2020/05/20 22:12:30 [INFO] [coralcosta.fakedomain.com] acme: Obtaining bundled SAN certificate given a CSR
2020/05/20 22:12:33 [INFO] [coralcosta.fakedomain.com] acme: Obtaining bundled SAN certificate given a CSR
2020/05/20 22:13:35 [INFO] [coralcosta.fakedomain.com] acme: Obtaining bundled SAN certificate given a CSR
2020/05/20 22:13:35 [INFO] [coralcosta.fakedomain.com] AuthURL: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/58120860
2020/05/20 22:13:35 [INFO] [coralcosta.fakedomain.com] acme: authorization already valid; skipping challenge
2020/05/20 22:13:35 [INFO] [coralcosta.fakedomain.com] acme: Validations succeeded; requesting certificates
2020/05/20 22:13:35 [INFO] [coralcosta.fakedomain.com] Server responded with a certificate.
2020/05/20 22:13:35 [INFO] [coralcosta.fakedomain.com] acme: Obtaining bundled SAN certificate given a CSR
2020/05/20 22:13:37 [INFO] [coralcosta.fakedomain.com] acme: Obtaining bundled SAN certificate given a CSR
2020/05/20 22:14:36 [INFO] [balancenatural.fakedomain.com] acme: Obtaining bundled SAN certificate given a CSR
2020/05/20 22:14:38 [INFO] [balancenatural.fakedomain.com] acme: Obtaining bundled SAN certificate given a CSR
2020/05/20 22:15:33 [INFO] [www.serinterior.fakedomain.com] acme: Obtaining bundled SAN certificate given a CSR
2020/05/20 22:15:35 [INFO] [www.serinterior.fakedomain.com] acme: Obtaining bundled SAN certificate given a CSR
2020/05/20 22:15:35 [INFO] [pruebaluisk.fakedomain.com] acme: Obtaining bundled SAN certificate given a CSR
2020/05/20 22:15:37 [INFO] [pruebaluisk.fakedomain.com] acme: Obtaining bundled SAN certificate given a CSR
2020/05/20 22:15:41 [INFO] [balancenatural.fakedomain.com] acme: Obtaining bundled SAN certificate given a CSR
2020/05/20 22:15:41 [INFO] [balancenatural.fakedomain.com] AuthURL: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/58120667
2020/05/20 22:15:41 [INFO] [balancenatural.fakedomain.com] acme: authorization already valid; skipping challenge
2020/05/20 22:15:41 [INFO] [balancenatural.fakedomain.com] acme: Validations succeeded; requesting certificates
2020/05/20 22:15:41 [INFO] [balancenatural.fakedomain.com] Server responded with a certificate.
2020/05/20 22:15:41 [INFO] [balancenatural.fakedomain.com] acme: Obtaining bundled SAN certificate given a CSR
2020/05/20 22:15:42 [INFO] [tustrabajoscd.fakedomain.com] acme: Obtaining bundled SAN certificate given a CSR
2020/05/20 22:15:43 [INFO] [balancenatural.fakedomain.com] acme: Obtaining bundled SAN certificate given a CSR
2020/05/20 22:15:44 [INFO] [tustrabajoscd.fakedomain.com] acme: Obtaining bundled SAN certificate given a CSR
5. What I already tried:
Tried to skip SSL issuing with:
"automatic_https": {
  "skip": ["*.fakedomain.com"]
},
but it doesn't seem to work for me.
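On the question of what the "ask" endpoint should check: its job is to gate on-demand issuance, since without it any name whose DNS points at the server triggers a certificate request against the ACME rate limits. The following is an added example of such an endpoint, not code from the post or from the Caddy project; it assumes Caddy's documented behaviour (a GET to the ask URL with a `domain` query parameter, 2xx meaning permit) and uses a constructed placeholder for the server's own address.

```go
// Added example, not code from the post or the Caddy project. Caddy sends
// GET <ask URL>?domain=<name> before issuing and proceeds only on a 2xx reply.
package main

import (
	"context"
	"net"
	"net/http"
	"strings"
)

// AskPolicy permits a name only when every A/AAAA record is one of our own IPs.
type AskPolicy struct {
	ServerIPs  map[string]bool // public addresses of this Caddy host
	LookupHost func(ctx context.Context, host string) ([]string, error)
}

// Allow rejects empty, wildcard or malformed names outright (on-demand issuance
// cannot produce wildcard certificates anyway), then checks where DNS points.
func (p AskPolicy) Allow(ctx context.Context, domain string) bool {
	d := strings.ToLower(strings.TrimSuffix(strings.TrimSpace(domain), "."))
	if d == "" || strings.ContainsAny(d, "*/ \t") {
		return false
	}
	addrs, err := p.LookupHost(ctx, d)
	if err != nil || len(addrs) == 0 {
		return false // unresolvable names cannot be pointing at us
	}
	for _, a := range addrs {
		if !p.ServerIPs[a] {
			return false // some record points elsewhere: refuse
		}
	}
	return true
}

// Handler answers Caddy: 200 permits issuance, 403 refuses it.
func (p AskPolicy) Handler() http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if p.Allow(r.Context(), r.URL.Query().Get("domain")) {
			w.WriteHeader(http.StatusOK)
			return
		}
		http.Error(w, "domain not permitted", http.StatusForbidden)
	})
}
func main() { // serve on localhost; 203.0.113.10 is a constructed placeholder IP
	p := AskPolicy{ServerIPs: map[string]bool{"203.0.113.10": true}, LookupHost: net.DefaultResolver.LookupHost}
	_ = http.ListenAndServe("127.0.0.1:8080", p.Handler())
}
```

The DNS check answers the second half of the question (is the name pointing at this server?); whether a certificate already exists is something Caddy itself tracks and the endpoint need not re-check.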