How to use custom certificates with wildcard generated ones?

1. Output of caddy version:

v2.6.2 h1:wKoFIxpmOJLGl3QXoo6PNbYvGW4xLEgo32GPBEjWL8o=

2. How I run Caddy:

Docker compose file

a. System environment:

Docker

b. Command:

docker compose up -d

c. Service/unit/compose file:

docker-compose.yaml

version: '3.7'

services:
  caddy:
    build: ./caddy
    restart: unless-stopped
    networks:
      backbone:
        ipv4_address: 10.0.0.12
    ports:
      - "80:80"
      - "443:443"
      - "21443:21443"
    volumes:
      - "./caddy/Caddyfile:/etc/caddy/Caddyfile"
      - "./caddy/data:/data"
      - "./caddy/cf-certs/certificate.pem:/etc/ssl/certs/cf-certificate.pem"
      - "./caddy/cf-certs/origin-pull-ca.pem:/etc/ssl/certs/cf-origin-pull-ca.pem"
      - "./caddy/cf-certs/privatekey.pem:/etc/ssl/private/cf-key.pem"
    env_file:
      - ./common.env
      - ./caddy/secrets.env
    dns: 10.0.0.3

networks:
  backbone:
    driver: bridge
    driver_opts:
      com.docker.network.bridge.name: backbone
    ipam:
      config:
        - subnet: 10.0.0.0/27

Dockerfile

FROM caddy:builder-alpine AS builder

RUN xcaddy build \
    --with github.com/caddy-dns/cloudflare

FROM caddy:alpine

COPY --from=builder /usr/bin/caddy /usr/bin/caddy

d. My complete Caddy config:

# Wildcard site: one ACME-managed *.example.com certificate, obtained via the
# Cloudflare DNS challenge, shared by every host matched below on port 443.
*.example.com:443 {
	tls {
		dns cloudflare {env.CADDY_CLOUDFLARE_TOKEN}
	}

	@homeassistant host homeassistant.example.com
	handle @homeassistant {
		encode zstd gzip
		reverse_proxy homeassistant:8123
	}

	@other host other.example.com
	handle @other {
		encode zstd gzip
		reverse_proxy other
	}
}

# Separate listener on 21443 using the manually supplied (Cloudflare origin)
# certificate and key, and requiring a client certificate chained to the
# origin-pull CA (authenticated origin pulls).
:21443 {
	tls /etc/ssl/certs/cf-certificate.pem /etc/ssl/private/cf-key.pem {
		client_auth {
			mode require_and_verify
			trusted_ca_cert_file /etc/ssl/certs/cf-origin-pull-ca.pem
		}
	}

	@homeassistant host homeassistant-external.example.com
	handle @homeassistant {
		encode zstd gzip
		reverse_proxy homeassistant:8123
	}
}

3. The problem I’m having:

So I want Caddy to generate a wildcard certificate for *.example.com, and then use that for multiple hosts (like homeassistant.example.com and other.example.com) on port 443.

I also want to have homeassistant-external.example.com on port 21443 so I can use a manually set certificate.

Basically, I want the auto-generated wildcard certificate to be used when I access https://homeassistant.example.com:443, and the supplied certificate to be used instead when I access https://homeassistant-external.example.com:21443.

The problem is the moment I add the :21443 block, it will always pick up that certificate for both :443 and :21443, and ignore the auto-generated one!

I have this setup working fine under nginx, but I haven’t been able to do it with Caddy…

4. Error messages and/or full log output:

{"level":"info","ts":1669049465.481152,"msg":"using provided configuration","config_file":"/etc/caddy/Caddyfile","config_adapter":"caddyfile"}
{"level":"warn","ts":1669049465.4910066,"msg":"Caddyfile input is not formatted; run the 'caddy fmt' command to fix inconsistencies","adapter":"caddyfile","file":"/etc/caddy/Caddyfile","line":2}
{"level":"info","ts":1669049465.4954476,"logger":"admin","msg":"admin endpoint started","address":"localhost:2019","enforce_origin":false,"origins":["//localhost:2019","//[::1]:2019","//127.0.0.1:2019"]}
{"level":"info","ts":1669049465.4981682,"logger":"tls.cache.maintenance","msg":"started background certificate maintenance","cache":"0x4000440310"}
{"level":"info","ts":1669049465.50363,"logger":"http","msg":"server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS","server_name":"srv0","https_port":443}
{"level":"info","ts":1669049465.5037131,"logger":"http","msg":"enabling automatic HTTP->HTTPS redirects","server_name":"srv0"}
{"level":"info","ts":1669049465.51021,"logger":"http","msg":"enabling HTTP/3 listener","addr":":443"}
{"level":"info","ts":1669049465.5101776,"logger":"tls","msg":"cleaning storage unit","description":"FileStorage:/data/caddy"}
{"level":"info","ts":1669049465.510438,"msg":"failed to sufficiently increase receive buffer size (was: 208 kiB, wanted: 2048 kiB, got: 416 kiB). See https://github.com/lucas-clemente/quic-go/wiki/UDP-Receive-Buffer-Size for details."}
{"level":"debug","ts":1669049465.5105987,"logger":"http","msg":"starting server loop","address":"[::]:443","tls":true,"http3":true}
{"level":"info","ts":1669049465.5106263,"logger":"http.log","msg":"server running","name":"srv0","protocols":["h1","h2","h3"]}
{"level":"debug","ts":1669049465.5107412,"logger":"http","msg":"starting server loop","address":"[::]:80","tls":false,"http3":false}
{"level":"info","ts":1669049465.5107656,"logger":"http.log","msg":"server running","name":"remaining_auto_https_redirects","protocols":["h1","h2","h3"]}
{"level":"info","ts":1669049465.5107765,"logger":"http","msg":"enabling automatic TLS certificate management","domains":["*.example.com"]}
{"level":"debug","ts":1669049465.5117052,"logger":"tls","msg":"loading managed certificate","domain":"*.example.com","expiration":1676811013,"issuer_key":"acme-v02.api.letsencrypt.org-directory","storage":"FileStorage:/data/caddy"}
{"level":"debug","ts":1669049465.5124776,"logger":"tls.cache","msg":"added certificate to cache","subjects":["*.example.com"],"expiration":1676811013,"managed":true,"issuer_key":"acme-v02.api.letsencrypt.org-directory","hash":"73ca35f4146d93539ede788e63f664049395110f58b0fbd301b215124fb07479","cache_size":1,"cache_capacity":10000}
{"level":"debug","ts":1669049465.5125697,"logger":"events","msg":"event","name":"cached_managed_cert","id":"48c0b6ea-a061-4272-b97d-0564946e6fac","origin":"tls","data":{"sans":["*.example.com"]}}
{"level":"info","ts":1669049465.5134115,"logger":"tls","msg":"finished cleaning storage units"}
{"level":"info","ts":1669049465.5136263,"msg":"autosaved config (load with --resume flag)","file":"/config/caddy/autosave.json"}
{"level":"info","ts":1669049465.5136645,"msg":"serving initial configuration"}

5. What I already tried:

I’ve tried using auto_https ignore_loaded_certs; it made no difference at all…

6. Links to relevant resources:
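The following Go program is an added example, not code from the post, from Caddy or from Cloudflare. It shows the behaviour the post is asking for, two listeners that share one SNI namespace but each present their own certificate, with mandatory client authentication only on the second one, and it includes the probe a practitioner would point at the real deployment to see which certificate is actually served per port. Everything is self-contained: the certificates are minted in memory as stand-ins for the ACME-issued wildcard, the Cloudflare origin certificate and the origin-pull CA, and the listeners use ephemeral loopback ports. The hostnames *.example.com, homeassistant.example.com and homeassistant-external.example.com are the post's own; the function names and the stand-in CA are this example's assumptions.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"io"
	"math/big"
	"time"
)

func must(err error) { if err != nil { panic(err) } } // demo scaffolding: a setup failure aborts the run
// newCert mints a throwaway certificate: self-signed when parent is nil, otherwise issued by parent (a CA).
func newCert(dnsNames []string, isCA bool, parent *tls.Certificate) tls.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	serial, _ := rand.Int(rand.Reader, big.NewInt(1<<62))
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		DNSNames:              dnsNames,
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	parentTmpl, signer := tmpl, crypto.Signer(key)
	if parent != nil {
		parentTmpl, signer = parent.Leaf, parent.PrivateKey.(crypto.Signer)
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parentTmpl, &key.PublicKey, signer)
	must(err)
	leaf, err := x509.ParseCertificate(der)
	must(err)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// serve binds a loopback TLS listener that owns one certificate and its own client-auth policy; each connection is handshaken (where a required client cert is checked) and closed.
func serve(cfg *tls.Config) string {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", cfg)
	must(err)
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return
			}
			go func(c *tls.Conn) { defer c.Close(); c.Handshake() }(c.(*tls.Conn))
		}
	}()
	return ln.Addr().String()
}

// servedCert handshakes with addr under sni, offering certs for client auth, and returns the leaf the server presented; verification is off on purpose (show the cert, trust nothing).
func servedCert(addr, sni string, certs []tls.Certificate) (*x509.Certificate, error) {
	conn, err := tls.Dial("tcp", addr, &tls.Config{ServerName: sni, InsecureSkipVerify: true, Certificates: certs})
	if err != nil {
		return nil, err
	}
	defer conn.Close()
	leaf := conn.ConnectionState().PeerCertificates[0]
	// A TLS 1.3 server judges our client cert after our handshake has already returned, so one read reveals
	// the verdict: io.EOF (a clean close) means accepted, an alert means rejected.
	if _, err := conn.Read(make([]byte, 1)); err != nil && err != io.EOF {
		return leaf, err
	}
	return leaf, nil
}

// runDemo builds a managed-wildcard listener and an mTLS origin listener sharing one SNI namespace, then probes both the way the post wants :443 and :21443 to behave.
func runDemo() (managedOK, originOK, rejectsAnon bool, err error) {
	wildcard := newCert([]string{"*.example.com"}, false, nil) // stands in for the ACME-issued wildcard
	origin := newCert([]string{"*.example.com"}, false, nil)   // stands in for the Cloudflare origin cert
	pullCA := newCert(nil, true, nil)                           // stands in for the origin-pull CA
	edge := newCert(nil, false, &pullCA)                        // a client the pull CA vouches for
	pool := x509.NewCertPool()
	pool.AddCert(pullCA.Leaf)
	managed := serve(&tls.Config{Certificates: []tls.Certificate{wildcard}})
	mtls := serve(&tls.Config{Certificates: []tls.Certificate{origin}, ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: pool})
	got, err := servedCert(managed, "homeassistant.example.com", nil)
	if err != nil {
		return
	}
	managedOK = got.Equal(wildcard.Leaf)
	if got, err = servedCert(mtls, "homeassistant-external.example.com", []tls.Certificate{edge}); err != nil {
		return
	}
	originOK = got.Equal(origin.Leaf)
	_, anonErr := servedCert(mtls, "homeassistant-external.example.com", nil) // offers no client cert at all
	rejectsAnon = anonErr != nil
	return
}

func main() { fmt.Println(runDemo()) }
```

Two things are worth taking from this. First, servedCert is the check to run against the real container: call it once as servedCert("127.0.0.1:443", "homeassistant.example.com", nil) and once against port 21443 (with a client certificate chained to the origin-pull CA, or none to see the rejection) and compare the two leaves; if both calls return the same certificate, the symptom described in section 3 is confirmed, and the returned leaf tells you which one it is. Second, with require_and_verify under TLS 1.3 a client that brings no certificate sees its own handshake succeed and only fails on the first read, which is why the probe reads one byte before reporting; a plain connect test would wrongly report the mTLS listener as open.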

Thanks for the question. Can you file a bug on GitHub so I won’t forget to take a look at this? It should be using your supplied certs.


Thanks @matt, added it here:

How to use both custom certificates and wildcard auto-generated ones? · Issue #5216 · caddyserver/caddy (github.com)
