1. The problem I’m having:
I generally want to use a wildcard cert. But for one subdomain I want to use a full domain Let's Encrypt cert. (A server accessing this subdomain apparently can't validate wildcard certs.) The problem is that Caddy automatically chooses the wildcard cert even if I explicitly ask for "tls issuer acme". Is there any way to force it to issue a new cert?
(If there is no way, I could just use a unique Let's Encrypt cert for all subdomains. It would just be cleaner if it works, since we have a lot of subdomains.)
2. Error messages and/or full log output:
```
2025/07/24 22:00:13.251 INFO maxprocs: Leaving GOMAXPROCS=4: CPU quota undefined
2025/07/24 22:00:13.251 INFO GOMEMLIMIT is updated {"package": "github.com/KimMachineGun/automemlimit/memlimit", "GOMEMLIMIT": 3694373683, "previous": 9223372036854775807}
2025/07/24 22:00:13.251 INFO using config from file {"file": "/config/Caddyfile"}
2025/07/24 22:00:13.256 INFO adapted config to JSON {"adapter": "caddyfile"}
2025/07/24 22:00:13.256 WARN Caddyfile input is not formatted; run 'caddy fmt --overwrite' to fix inconsistencies {"adapter": "caddyfile", "file": "/config/Caddyfile", "line": 2}
2025/07/24 22:00:13.259 INFO admin admin endpoint started {"address": "localhost:2019", "enforce_origin": false, "origins": ["//localhost:2019", "//[::1]:2019", "//127.0.0.1:2019"]}
2025/07/24 22:00:13.260 INFO tls.cache.maintenance started background certificate maintenance {"cache": "0xc0005a8400"}
2025/07/24 22:00:13.261 WARN tls stapling OCSP {"error": "no OCSP stapling for [*.xxxxx.com xxxxx.com]: no OCSP server specified in certificate"}
2025/07/24 22:00:13.261 INFO http.auto_https skipping automatic certificate management because one or more matching certificates are already loaded {"domain": "proxmox.xxxxx.com", "server_name": "srv0"}
2025/07/24 22:00:13.261 INFO http.auto_https skipping automatic certificate management because one or more matching certificates are already loaded {"domain": "service.xxxxx.com", "server_name": "srv0"}
2025/07/24 22:00:13.262 INFO http.auto_https skipping automatic certificate management because one or more matching certificates are already loaded {"domain": "erp.xxxxx.com", "server_name": "srv0"}
2025/07/24 22:00:13.262 INFO http.auto_https skipping automatic certificate management because one or more matching certificates are already loaded {"domain": "xxxxx.com", "server_name": "srv0"}
2025/07/24 22:00:13.262 INFO http.auto_https enabling automatic HTTP->HTTPS redirects {"server_name": "srv0"}
2025/07/24 22:00:13.264 INFO http enabling HTTP/3 listener {"addr": ":443"}
2025/07/24 22:00:13.264 INFO failed to sufficiently increase receive buffer size (was: 208 kiB, wanted: 7168 kiB, got: 416 kiB). See https://github.com/quic-go/quic-go/wiki/UDP-Buffer-Sizes for details.
2025/07/24 22:00:13.264 INFO http.log server running {"name": "srv0", "protocols": ["h1", "h2", "h3"]}
2025/07/24 22:00:13.264 WARN http HTTP/2 skipped because it requires TLS {"network": "tcp", "addr": ":80"}
2025/07/24 22:00:13.264 WARN http HTTP/3 skipped because it requires TLS {"network": "tcp", "addr": ":80"}
2025/07/24 22:00:13.264 INFO http.log server running {"name": "remaining_auto_https_redirects", "protocols": ["h1", "h2", "h3"]}
2025/07/24 22:00:13.264 INFO http enabling automatic TLS certificate management {"domains": ["matomo.xxxxx2.com"]}
2025/07/24 22:00:13.265 WARN tls stapling OCSP {"error": "no OCSP stapling for [matomo.xxxxx2.com]: no OCSP server specified in certificate", "identifiers": ["matomo.xxxxx2.com"]}
2025/07/24 22:00:13.266 INFO autosaved config (load with --resume flag) {"file": "/config/caddy/autosave.json"}
2025/07/24 22:00:13.266 INFO serving initial configuration
2025/07/24 22:00:13.276 INFO tls storage cleaning happened too recently; skipping for now {"storage": "FileStorage:/data/caddy", "instance": "394f0c42-152a-42bb-addb-3454f3342f50", "try_again": "2025/07/25 22:00:13.276", "try_again_in": 86399.999999039}
2025/07/24 22:00:13.276 INFO tls finished cleaning storage units
```
3. Caddy version:
v2.10.0
4. How I installed and ran Caddy:
Debian 12, docker compose:
```yaml
services:
  caddy:
    image: caddy:latest
    container_name: caddy
    restart: always
    network_mode: "host"
    # networks:
    #   - revproxy
    stdin_open: true
    tty: true
    volumes:
      - ./container-data:/data
      - ./container-config:/config
      - ./container-certs/live:/certs
      - /etc/localtime:/etc/localtime:ro
    ports:
      - 80:80
      - 443:443
    entrypoint: /usr/bin/caddy run --adapter caddyfile --config /config/Caddyfile
```
My complete Caddy config:
I previously had all wildcard domains in one section; I just changed it in the hopes of solving my problem this way. The manual cert.pem is the wildcard cert. service.xxxxx.com is the subdomain I want a manual cert for.

```caddyfile
service.xxxxx.com {
	tls {
		issuer acme
	}
	reverse_proxy * http://192.168.23.90:8081
}

xxxxx.com {
	tls /certs/xxxxx.com/cert.pem /certs/xxxxx.com/privkey.pem
	reverse_proxy * http://192.168.23.95
}

erp.xxxxx.com {
	tls /certs/xxxxx.com/cert.pem /certs/xxxxx.com/privkey.pem
	reverse_proxy * http://192.168.23.97
}

proxmox.xxxxx.com {
	reverse_proxy {
		to https://172.16.40.101:8006 https://172.16.40.102:8006 https://172.16.40.103:8006 https://172.16.40.104:8006 https://172.16.40.105:8006 https://172.16.40.106:8006 https://172.16.40.107:8006 https://172.16.40.108:8006 https://172.16.40.109:8006
		lb_policy client_ip_hash
		transport http {
			tls_insecure_skip_verify
		}
	}
}

matomo.xxxxx2.com {
	tls {
		issuer acme
	}
	reverse_proxy http://192.168.23.94
}
```
Thanks in advance!
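Added example, not part of the post above: a small Python check that pulls the hostnames Caddy reported as "skipping automatic certificate management" out of the quoted startup log, reproduces the wildcard-name matching that explains why service.xxxxx.com is covered by the manually loaded cert (its SAN list `*.xxxxx.com`, `xxxxx.com` is taken from the OCSP warning in the log), and a live check that reports which SAN names a server actually presents for a hostname so the result of any config change can be verified.

```python
import re
import socket
import ssl
from typing import Iterable

# Constructed sample: three lines copied from the startup log quoted in the post.
SAMPLE_LOG = """\
2025/07/24 22:00:13.261 INFO http.auto_https skipping automatic certificate management because one or more matching certificates are already loaded {"domain": "proxmox.xxxxx.com", "server_name": "srv0"}
2025/07/24 22:00:13.261 INFO http.auto_https skipping automatic certificate management because one or more matching certificates are already loaded {"domain": "service.xxxxx.com", "server_name": "srv0"}
2025/07/24 22:00:13.264 INFO http enabling automatic TLS certificate management {"domains": ["matomo.xxxxx2.com"]}
"""

# SAN names of the manually loaded wildcard cert, as reported by the OCSP warning in the log.
LOADED_CERT_NAMES = ["*.xxxxx.com", "xxxxx.com"]

SKIP_RE = re.compile(r'skipping automatic certificate management.*?"domain": "([^"]+)"')


def skipped_domains(log_text: str) -> list[str]:
    """Hostnames for which Caddy logged that it will NOT obtain a certificate itself."""
    return SKIP_RE.findall(log_text)


def wildcard_covers(pattern: str, hostname: str) -> bool:
    """RFC 6125-style match: '*' is only valid as the whole left-most label and
    covers exactly one label, so *.xxxxx.com covers service.xxxxx.com but
    neither xxxxx.com nor a.b.xxxxx.com."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    base = pattern[2:]
    if not hostname.endswith("." + base):
        return False
    left = hostname[: -(len(base) + 1)]
    return bool(left) and "." not in left


def covering_names(loaded_names: Iterable[str], hostname: str) -> list[str]:
    """Names from already-loaded certs that would be selected for this hostname."""
    return [n for n in loaded_names if wildcard_covers(n, hostname)]


def served_san_names(hostname: str, port: int = 443) -> list[str]:
    """Connect with SNI set to hostname and return the DNS SANs of the cert presented.
    Needs network access; the verified chain is required for getpeercert() to be populated."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            cert = tls.getpeercert()
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
```

Run `skipped_domains` over a fresh log after each config change, then `served_san_names("service.xxxxx.com")` to confirm whether the wildcard or a host-specific cert is being presented.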