I’m not sure I understand the problem you’re trying to solve. Why are you maintaining TLS certs outside of Caddy at all? Use Caddy to front all your services, that’s what it’s great at doing.
There’s definitely some context missing here, which is why the template is particularly useful: knowing how you installed Caddy, what your config actually looks like, the version, logs, etc. all reduces the knowledge gap between us.
I appreciate the support which makes me hesitant to contradict you.
I am happy to share my config, and probably will at some point. But right now I’m asking a ‘big picture’ question and I fear that getting bogged down in the minutiae of my config would only serve to distract.
I haven’t described a problem yet.
Your response makes me realize that the setup I’m attempting may not be as common as I assumed it was, and it also makes me realize what I didn’t explain.
The “vanity” domain name (stev.land) I’m using for my internal network is one that I’ll also be using for my personal website, email, etc.
I like the idea of having one domain for all of my personal (non-business) stuff, from online entities (e.g. blog.stev.land) to home services (plex.stev.land).
So that’s why I have an upstream letsencrypt cert.
I suppose I could register a separate domain name for my home network if you feel there is a compelling reason to do so.
Well the point is that your config is what helps inform that “big picture”. That’s why we ask for it. We can’t be sure we’re talking about the same “big picture” unless we’re on the same page.
Are these hosted in different places? If they’re all in the same place (your home network) then you can just use Caddy to front it all.
No need, it’s fine to use the same domain for multiple purposes/servers.
It’s certainly easier/simpler to just let Caddy automate TLS. If you need to, you can issue a wildcard with Caddy as well using the DNS challenge.
If your existing certs (not from Caddy) are Let’s Encrypt with 90-day lifetimes, then you’d need to set up automation to copy the certs over to Caddy or whatever, and that’s asking for trouble. The point of these tools is to allow you to get rid of that janky stuff. It’s best for certs to be automated as close to the server as possible (and in Caddy’s case, the server itself is the ACME client, which is the optimal case).
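The setup the reply above recommends, written out as an added Caddyfile example (this is not config posted in the thread and not taken from the Caddy docs): one wildcard certificate for the home network, obtained by Caddy itself via the ACME DNS challenge, with per-host routing underneath it. It assumes the stev.land zone is hosted at Cloudflare, that the Caddy binary was built with the github.com/caddy-dns/cloudflare module (e.g. via xcaddy), that the API token is supplied in the CLOUDFLARE_API_TOKEN environment variable, and that the backend addresses and ports are placeholders.

```caddyfile
# Added example, not from the thread. Assumptions: DNS zone at Cloudflare,
# Caddy built with github.com/caddy-dns/cloudflare, API token in the
# CLOUDFLARE_API_TOKEN environment variable, backend addresses are placeholders.

*.stev.land {
	# DNS-01 challenge: the only way to get a wildcard from Let's Encrypt, and it
	# needs no inbound port 80/443 reachable from the internet, only API access
	# to the DNS zone. Caddy renews the cert itself; nothing is copied around.
	tls {
		dns cloudflare {env.CLOUDFLARE_API_TOKEN}
	}

	# Route by hostname under the single wildcard certificate.
	@plex host plex.stev.land
	handle @plex {
		reverse_proxy 127.0.0.1:32400
	}

	@blog host blog.stev.land
	handle @blog {
		reverse_proxy 127.0.0.1:8080
	}

	# Any other name under the wildcard gets a 404 instead of falling through
	# to a backend by accident.
	handle {
		respond 404
	}
}
```

The manual alternative is a `tls /path/to/cert.pem /path/to/key.pem` line pointing at files renewed by some other ACME client; that is exactly the copy-the-certs-over automation the reply warns against, since a missed copy or reload leaves the proxy serving an expired certificate. Keep the DNS API token scoped to edit only this zone, since whoever holds it can issue certificates for any name under it.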