If you want to use a specific ACME CA like Google Trust Services, put this at the top of your Caddyfile:
    {
        acme_ca https://dv.acme-v02.api.pki.goog/directory
        acme_eab {
            key_id <key_id>
            mac_key <mac_key>
        }
        email <contact_email>
    }
(Same instructions as here because this works for all ACME CAs)
If you want to use multiple ACME CAs for redundancy, just use the slightly longer form instead:
    {
        cert_issuer acme https://dv.acme-v02.api.pki.goog/directory {
            eab <key_id> <mac_key>
        }
        cert_issuer acme https://acme.zerossl.com/v2/DV90
        cert_issuer acme https://acme-v02.api.letsencrypt.org/directory
        cert_issuer internal
        email <contact_email>
    }
Just for kicks, that last one will issue self-signed certificates if all other CAs fail to provide one.
EDIT: The ZeroSSL issuer might require an EAB as well, I forget (you can actually replace that one with cert_issuer zerossl since Caddy has a prefabricated EAB for default use).
Unfortunately we can’t use GTS by default because it requires an external Google account, which we can’t know until the user specifies their EAB credentials.
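Whether a given ACME CA needs EAB credentials can be read from its directory document: RFC 8555 defines a `meta.externalAccountRequired` flag there. The following preflight check is an added example, not part of the original post or of Caddy; the helper names and the `ca-*.example` directories are constructed for illustration, and `fetch_directory` is only needed when checking a live endpoint.

```python
import json
import urllib.request

REQUIRED = ("newNonce", "newAccount", "newOrder")  # RFC 8555 section 7.1.1

def fetch_directory(url, timeout=10):
    """Download a live ACME directory (not used by the offline samples below)."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return json.load(resp)

def eab_required(directory):
    """True if the directory's meta object says accounts need an EAB."""
    missing = [k for k in REQUIRED if k not in directory]
    if missing:
        raise ValueError(f"not an ACME directory, missing {missing}")
    meta = directory.get("meta")
    return isinstance(meta, dict) and meta.get("externalAccountRequired") is True

def preflight(issuers, directories):
    """issuers: (directory_url, has_eab) pairs in cert_issuer order.
    Returns one message per issuer that would fail at account registration."""
    problems = []
    for url, has_eab in issuers:
        try:
            need = eab_required(directories[url])
        except (KeyError, ValueError) as exc:
            problems.append(f"{url}: unusable directory ({exc})")
            continue
        if need and not has_eab:
            problems.append(f"{url}: CA requires EAB but none is configured")
    return problems

def _dir(base, **extra):
    # Constructed sample directory document for a hypothetical CA.
    doc = {k: f"{base}/{k}" for k in REQUIRED}
    doc.update(extra)
    return doc

SAMPLE_DIRECTORIES = {  # constructed, not real CA responses
    "https://ca-a.example/dir": _dir("https://ca-a.example", meta={"externalAccountRequired": True}),
    "https://ca-b.example/dir": _dir("https://ca-b.example", meta={"externalAccountRequired": True}),
    "https://ca-c.example/dir": _dir("https://ca-c.example"),
    "https://ca-d.example/dir": {"newNonce": "https://ca-d.example/newNonce"},
}
SAMPLE_ISSUERS = [(u, u.startswith("https://ca-a.")) for u in SAMPLE_DIRECTORIES]

if __name__ == "__main__":
    for line in preflight(SAMPLE_ISSUERS, SAMPLE_DIRECTORIES):
        print(line)
```

For a live check, build the `directories` mapping with `fetch_directory(url)` for each `cert_issuer acme` URL in the Caddyfile.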