How to get a wildcard certificate for an entire subdomain

1. Caddy version : v2.2.0

2. How I run Caddy:

Caddyfile in /etc/caddy/Caddyfile

a. System environment:

Ubuntu 20

b. Command:

d. My complete Caddyfile or JSON config:


*.maindomain.com, othersubdomain.com

root * /home/<user>/<dir>

# Enable the static file server.
file_server browse

# Everything outside /static/ is proxied to the application server.
@notStatic {
        not path /static/*
}
reverse_proxy @notStatic localhost:8000

tls <email> {
        dns cloudflare <API>
        on_demand
}

3. The problem I'm having:

All my wildcard subdomains are giving ERR_TIMED_OUT

Some of the subdomains have a certificate issued and work fine, while others give this timeout. I want to issue a single certificate for all wildcard subdomains and still support the other domain.

4. Error messages and/or full log output:

Oct 06 00:41:10 maindomain caddy[238708]: {"level":"info","ts":1601937670.4078476,"logger":"tls.issuance.acme.acme_client","msg":"successfully downloaded available certificate chains","count":2,"first_url":"https://acme-staging-v02.api.letsencrypt.org/acme/cert/<some_id>"}
Oct 06 00:41:10 maindomain caddy[238708]: {"level":"info","ts":1601937670.4084172,"logger":"tls.issuance.acme","msg":"waiting on internal rate limiter","identifiers":["subdomain.maindomain.com"]}
Oct 06 00:41:13 maindomain caddy[238708]: {"level":"info","ts":1601937673.2709827,"logger":"tls.issuance.acme","msg":"done waiting on internal rate limiter","identifiers":["subdomain.maindomain.com"]}
Oct 06 00:41:14 maindomain caddy[238708]: {"level":"info","ts":1601937674.2175426,"logger":"tls.obtain","msg":"releasing lock","identifier":"subdomain.maindomain.com"}
Oct 06 00:41:14 maindomain caddy[238708]: {"level":"info","ts":1601937674.369648,"logger":"tls.on_demand","msg":"obtaining new certificate","server_name":"subdomain.maindomain.com"}
Oct 06 00:41:14 maindomain caddy[238708]: {"level":"info","ts":1601937674.3703494,"logger":"tls.obtain","msg":"acquiring lock","identifier":"subdomain.maindomain.com"}
Oct 06 00:41:14 maindomain caddy[238708]: {"level":"info","ts":1601937674.370565,"logger":"tls.obtain","msg":"lock acquired","identifier":"subdomain.maindomain.com"}
Oct 06 00:41:14 maindomain caddy[238708]: {"level":"info","ts":1601937674.372699,"logger":"tls.issuance.acme","msg":"waiting on internal rate limiter","identifiers":["subdomain.maindomain.com"]}

5. What I already tried:

  • Added the Cloudflare API key for DNS: didn't help.

Try removing on_demand; it’s not needed for wildcards. (And not recommended except in very special cases.)


It worked, thanks.

But I want to add more external domains in the future (a custom domain feature for the product); that's why I added the on_demand part. What do I do in that case?

I think you should make a separate site block to handle on-demand TLS. Maybe something like this:

{
	on_demand_tls {
		ask http://example.com/ask
	}
}

(common-site) {
	root * /home/user/dir
	file_server browse

	@notStatic not path /static/*
	reverse_proxy @notStatic localhost:8000
}

*.maindomain.com, othersubdomain.com {
	import common-site

	tls foo@example.com {
		dns cloudflare {$CLOUDFLARE_API_KEY}
	}
}

:443 {
	import common-site

	tls foo@example.com {
		on_demand
	}
}
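The `ask` endpoint in the reply above is the part that makes on-demand TLS safe to run: Caddy calls `GET <ask-url>?domain=<name>` before it tries to obtain a certificate, and only a 200 response allows issuance. Without that gate, anyone who sends an arbitrary SNI name or points a DNS record at the server can make Caddy request certificates and exhaust the ACME rate limits, which is why on_demand is discouraged on its own. The following is an added example of such an endpoint, written in Go; it is not code from this thread or from the Caddy project. The listen address `127.0.0.1:9000`, the `/ask` path and the two customer domains in the allowlist are assumptions for the example; with it running, the global option in the reply would read `ask http://127.0.0.1:9000/ask`.

```go
// Added example (not from the thread or the Caddy project): a minimal
// "ask" endpoint for Caddy's on-demand TLS.
//
// Caddy calls GET <ask-url>?domain=<name> before obtaining a certificate
// on demand. A 200 response allows issuance; any other status denies it.
package main

import (
	"fmt"
	"log"
	"net"
	"net/http"
	"strings"
)

// Allowlist of customer domains. In a real deployment this would be a
// database lookup; these two entries are constructed for the example.
var allowedDomains = map[string]bool{
	"customer-one.example":  true,
	"shop.customer-two.net": true,
}

// normalizeDomain lowercases the name, strips a trailing dot and rejects
// anything that is not a plain DNS hostname. It returns "" when the name
// is not usable, so a bad name can never match an allowlist entry.
func normalizeDomain(raw string) string {
	d := strings.ToLower(strings.TrimSpace(raw))
	d = strings.TrimSuffix(d, ".")
	if d == "" || len(d) > 253 {
		return ""
	}
	// Never let a requester coax a wildcard or an IP literal through.
	if strings.Contains(d, "*") || net.ParseIP(d) != nil {
		return ""
	}
	for _, label := range strings.Split(d, ".") {
		if label == "" || len(label) > 63 {
			return ""
		}
		if label[0] == '-' || label[len(label)-1] == '-' {
			return ""
		}
		for _, c := range label {
			if !((c >= 'a' && c <= 'z') || (c >= '0' && c <= '9') || c == '-') {
				return ""
			}
		}
	}
	return d
}

// DomainAllowed is the policy decision: true only for an exact,
// normalized match against the allowlist.
func DomainAllowed(raw string) bool {
	d := normalizeDomain(raw)
	return d != "" && allowedDomains[d]
}

// AskHandler is what Caddy calls. 200 means "issue", 403 means "deny".
func AskHandler(w http.ResponseWriter, r *http.Request) {
	domain := r.URL.Query().Get("domain")
	if !DomainAllowed(domain) {
		log.Printf("on-demand TLS denied for %q", domain)
		http.Error(w, "domain not allowed", http.StatusForbidden)
		return
	}
	w.WriteHeader(http.StatusOK)
	fmt.Fprintln(w, "ok")
}

func main() {
	// Bind to loopback only (assumed address): Caddy runs on the same
	// host, and nobody else should be able to probe which customer
	// domains exist by querying this endpoint.
	http.HandleFunc("/ask", AskHandler)
	log.Fatal(http.ListenAndServe("127.0.0.1:9000", nil))
}
```

The normalization step matters more than it looks: the value Caddy forwards is whatever the client put in the SNI extension, so the endpoint treats it as untrusted input, lowercases it, refuses wildcards and IP literals, and only then compares it to the allowlist. Keeping the endpoint on loopback stops the allowlist from being enumerated over the network.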

That’s worth a shot. This might also be more elegant in the JSON.
