Just for kicks, that last one will issue self-signed certificates if all other CAs fail to provide one.
EDIT: The ZeroSSL issuer might require an EAB as well, I forget (you can actually replace that one with cert_issuer zerossl since Caddy has a prefabricated EAB for default use).
Unfortunately we can’t use GTS by default because it requires an external Google account, which we can’t know until the user specifies their EAB credentials.
And this is the error I’m getting when using “caddy validate”:
Error: adapting config using caddyfile: automation policy from site block is also default/catch-all policy because of key without hostname, and the two are in conflict: []certmagic.Issuer{(*caddytls.ACMEIssuer)(0xc00029cfc0), (*caddytls.ZeroSSLIssuer)(0xc0000bc570), (*caddytls.ACMEIssuer)(0xc00029d340)} != []certmagic.Issuer{(*caddytls.ACMEIssuer)(0xc00029d500), (*caddytls.ZeroSSLIssuer)(0xc0000bcbd0)}