How to specify a domain name to use http challenge

1. Output of caddy version:

2.5.2

2. How I run Caddy:

docker

3. My complete Caddy config:

{
 acme_ca https://acme.zerossl.com/v2/DV90
 cert_issuer zerossl zerossltoken
 email example@gmail.com
 acme_dns alidns {
  access_key_id "access_key_id "
  access_key_secret "access_key_secret "
 }
}

4. The problem I’m having:

I set up the DNS challenge globally, but some of my domain names don’t belong to me. How can I specify that these domain names should use the HTTP challenge? I see the documentation says that it will fall back by itself, but the log shows that Caddy is just retrying the DNS challenge over and over again.

5. Error messages and/or full log output:

{"level":"error","ts":1661909544.5273466,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"rj.quxiye.cn","issuer":"acme.zerossl.com-v2-DV90","error":"[rj.quxiye.cn] solving challenges: presenting for challenge: adding temporary record for zone quxiye.cn.: get error status: HTTP 400: The domain name belongs to other users. Transfer the domain name to the current user and then try the binding and setting actions. (order=https://acme.zerossl.com/v2/DV90/order/5UVbzuSqey0hvs2f7UDMjg) (ca=https://acme.zerossl.com/v2/DV90)"}

In that case, you shouldn’t use the acme_dns global option, but instead use the tls directive and configure the DNS challenge only for the domains that you do control.


The problem is that most domains can use the DNS challenge; only one or two domains need the HTTP challenge. It seems that the current configuration does not support this. Is On-Demand TLS suitable?

I think Francis’ answer still applies. Simply configure Caddy to use the DNS challenge only for the domains you do control; for all others, use the HTTP challenge.

Yes, probably: on-demand TLS should be used when you do not control the domains you want to serve. But make sure you set up the “ask” endpoint so that it doesn’t get abused.

You can use Caddyfile snippets to copy the tls config into each site.

We don’t offer ways to override acme_dns, because that only exists as a shortcut for everything to use that. If not everything is using that, then it doesn’t apply for you. We don’t provide a way to override that, because acme_dns is the override, essentially.

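A Caddyfile that applies the advice above (a snippet carrying the DNS-challenge settings, imported only by the sites you control, while every other site keeps Caddy's default HTTP/TLS-ALPN challenges). This is an added example, not a config from the thread; the domain names, the `app:8080` upstream and the environment variable names are placeholders.

```caddyfile
# Global options: only what applies to every site. The acme_dns global
# option is deliberately absent, so the DNS challenge is not forced onto
# zones this server cannot write to.
{
	email example@gmail.com
}

# Snippet holding the DNS-challenge settings. Credentials come from the
# environment instead of the file (provider and key names as in the
# original post; the variable names are placeholders for this example).
(dns_challenge) {
	tls {
		dns alidns {
			access_key_id {env.ALIDNS_ACCESS_KEY_ID}
			access_key_secret {env.ALIDNS_ACCESS_KEY_SECRET}
		}
	}
}

# Zones that live in your Alibaba Cloud DNS account: import the snippet
# so these sites solve the DNS challenge.
owned.example, www.owned.example {
	import dns_challenge
	reverse_proxy app:8080
}

# A domain you do not control: no import, so Caddy uses its default
# HTTP-01 / TLS-ALPN-01 challenges. This only succeeds if the domain's
# A/AAAA record points at this host and ports 80 and 443 are published
# from the container.
partner.example {
	reverse_proxy app:8080
}
```

Run `caddy validate --config Caddyfile` (or `caddy adapt`) to confirm the adapted JSON assigns the dns challenge only to the sites that imported the snippet.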

Understood, thanks

