This works great and Let’s Encrypt issues certs fine. However, I would like Caddy to use the certificate for mainhost.example as the certificate if the client does not support SNI. The idea being that the “main” part of the site will still get the right cert if the client does not support SNI. I’m not sure how Caddy decides which certificate to select if the client does not support SNI (which I realize is an admittedly small list of clients these days).
From initial poking, it seems to pick a random cert? Sometimes it will pick the cert for mainhost.example as desired, and other times it will pick www.otherhost.example.
I had previously made the assumption that the certificate used in this case was simply the first certificate in memory (usually the first certificate in the Caddyfile).
I’m not sure which code to look at to verify this one off the top of my head. Perhaps @matt could point us in the right direction.