How to switch to a self-maintained wildcard certificate?


I have caddy (v2.8.4) running in a docker as a reverse proxy for a bunch of services. Certificates are on-demand (HTTP Challenge) and everything works perfectly.

I now would like to switch to a single wildcard certificate for all the existing services.

This requires two things:

  1. a global configuration that would say “when a certificate is needed, this is where to go to grab the wildcard one”
  2. a way to automatically maintain the wildcard certificate (creation and automatic renewal)

The configuration problem (1.)

What I managed to do: have a service answer on a certificate I provided, via the tls → file directive as part of the service configuration

Where I failed: to push this configuration globally. I expected that it would be set in the global TLS options

The maintenance problem (2.)

I have no idea where to look to configure an entry that would not be connected to a site but do its work “in the background” (work = get and renew the cert)

NOTE: I know about Common Caddyfile Patterns — Caddy Documentation - but here all the services are under a single * entry. My services are dynamic and need to be defined independently (in my specific case, via the GitHub - lucaslorentz/caddy-docker-proxy: Caddy as a reverse proxy for Docker middleware - and I do not think I could “inject” a @foo entry under * (to take the example in the docs))

You can, actually. CDP will merge sites with the same site address.


Yes thank you. I am testing this as we speak, following your comment in Github. Once I have this tested, I will update both places with a snippet.