Well, I did it!
I have added two automation policies:
- for the wildcard certificate (to catch all subdomains)
- for the domains of my clients (to catch all domains)
I configured the wildcard domain properly and built the server with the Cloudflare plugin:
$ xcaddy build --with github.com/caddy-dns/cloudflare
This is the config file that worked! (Note that "admin" is bound to "0.0.0.0:2020", so the admin API is reachable from every interface; bind it to localhost or firewall it unless that is intended, and replace "MY_CLOUDFLARE_TOKEN" with your own token rather than committing a real one.)
{
"admin": {
"disabled": false,
"listen": "0.0.0.0:2020",
"config": {
"persist": true
}
},
"logging": {
"sink": {
"writer": {
"output": "file",
"filename": "/tmp/caddy-Go.log"
}
},
"logs": {
"default": {
"writer": {
"output": "file",
"filename": "/tmp/caddy-tmp.log"
},
"encoder": {
"format": "json"
},
"level": "debug"
}
}
},
"apps": {
"tls": {
"automation": {
"policies": [{
"subjects": ["*.fakedomain.com"],
"issuer": {
"module": "acme",
"email": "soporte@fakedomain.com",
"challenges": {
"dns": {
"provider": {
"name": "cloudflare",
"api_token": "MY_CLOUDFLARE_TOKEN"
}
}
}
},
"on_demand": false
},
{
"issuer": {
"module": "acme",
"email": "soporte@fakedomain.com"
},
"on_demand": true
}],
"on_demand": {
"rate_limit": {
"interval": "5m",
"burst": 100
},
"ask": "http://certs.fakedomain.com/delegated.php"
}
}
},
"http": {
"http_port": 80,
"https_port": 443,
"servers": {
"tiendas": {
"listen": [":80",":443"],
"max_header_bytes": 41943040,
"routes": [
{
"group": "grupo1",
"match": [{
"host": ["certs.fakedomain.com"]
}],
"handle": [{
"handler": "reverse_proxy",
"transport": {
"protocol": "fastcgi",
"root": "/var/www/html/"
},
"upstreams": [{
"dial": "unix//var/php.sock"
}]
}],
"terminal": true
},
{
"group": "grupo1",
"match": [{
"host": ["*.fakedomain.com"]
}],
"handle": [{
"handler": "reverse_proxy",
"upstreams": [{
"dial": "ip-172-31-4-60.us-west-2.compute.internal:80"
}]
}],
"terminal": true
},
{
"@id": "dominios",
"group": "grupo1",
"handle": [{
"handler": "reverse_proxy",
"upstreams": [{
"dial": "ip-172-31-4-60.us-west-2.compute.internal:80"
}]
}],
"terminal": true
}]
}
}
}
}
}