1. Output of `caddy version`:
v2.6.2 h1:wKoFIxpmOJLGl3QXoo6PNbYvGW4xLEgo32GPBEjWL8o=
2. How I run Caddy:
Docker compose file
a. System environment:
Docker
b. Command:
docker compose up -d
c. Service/unit/compose file:
docker-compose.yaml
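---
version: '3.7'
services:
  caddy:
    # Image is built from ./caddy/Dockerfile (stock caddy plus the cloudflare DNS module).
    build: ./caddy
    restart: unless-stopped
    networks:
      backbone:
        ipv4_address: 10.0.0.12
    ports:
      - "80:80"
      - "443:443"
      # Second HTTPS listener; the Caddyfile serves it with the manually supplied cert.
      - "21443:21443"
    volumes:
      # Caddy only reads the config and the cert/key files, so they are mounted
      # read-only: a compromised container then cannot rewrite the config or the
      # private key on the host.
      - "./caddy/Caddyfile:/etc/caddy/Caddyfile:ro"
      # Writable: the managed (ACME) certificates are stored under /data/caddy
      # (see "FileStorage:/data/caddy" in the log). /config, where Caddy writes
      # autosave.json, is deliberately not mounted and is not persisted.
      - "./caddy/data:/data"
      - "./caddy/cf-certs/certificate.pem:/etc/ssl/certs/cf-certificate.pem:ro"
      - "./caddy/cf-certs/origin-pull-ca.pem:/etc/ssl/certs/cf-origin-pull-ca.pem:ro"
      - "./caddy/cf-certs/privatekey.pem:/etc/ssl/private/cf-key.pem:ro"
    env_file:
      - ./common.env
      # presumably provides CADDY_CLOUDFLARE_TOKEN, which the Caddyfile reads via
      # {env.CADDY_CLOUDFLARE_TOKEN} — confirm; keep this file out of version control
      - ./caddy/secrets.env
    dns: 10.0.0.3
networks:
  backbone:
    driver: bridge
    driver_opts:
      com.docker.network.bridge.name: backbone
    ipam:
      config:
        - subnet: 10.0.0.0/27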
Dockerfile
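# Build stage: compile caddy with the Cloudflare DNS provider used by the
# Caddyfile's `tls { dns cloudflare ... }` block.
# Both base tags are pinned to the release reported by `caddy version`
# (v2.6.2) so a rebuild is reproducible and a new upstream release cannot
# change the shipped binary unnoticed; bump the two tags together.
FROM caddy:2.6.2-builder-alpine AS builder
RUN xcaddy build \
    --with github.com/caddy-dns/cloudflare

# Runtime stage: the stock image with the custom binary swapped in.
FROM caddy:2.6.2-alpine
COPY --from=builder /usr/bin/caddy /usr/bin/caddy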
d. My complete Caddy config:
# Wildcard site on the default HTTPS port: one managed *.example.com
# certificate (DNS challenge through Cloudflare) shared by every host below.
*.example.com:443 {
	tls {
		# The API token comes from the environment; presumably set in
		# ./caddy/secrets.env (see the compose env_file list) — confirm.
		dns cloudflare {env.CADDY_CLOUDFLARE_TOKEN}
	}

	@homeassistant host homeassistant.example.com
	handle @homeassistant {
		encode zstd gzip
		reverse_proxy homeassistant:8123
	}

	@other host other.example.com
	handle @other {
		encode zstd gzip
		# No port given, so the upstream port is reverse_proxy's default — confirm this is intended.
		reverse_proxy other
	}
	# NOTE(review): any other *.example.com name matches neither handle above and
	# falls through to Caddy's default behaviour for an unhandled request; add an
	# explicit fallback handle if that is not what you want — confirm.
}

# Second HTTPS listener using the manually supplied cert/key from ./caddy/cf-certs
# and requiring a client certificate that verifies against the origin-pull CA.
# The site address carries no host name, so this block answers any name on :21443.
:21443 {
	tls /etc/ssl/certs/cf-certificate.pem /etc/ssl/private/cf-key.pem {
		client_auth {
			mode require_and_verify
			trusted_ca_cert_file /etc/ssl/certs/cf-origin-pull-ca.pem
		}
	}

	@homeassistant host homeassistant-external.example.com
	handle @homeassistant {
		encode zstd gzip
		reverse_proxy homeassistant:8123
	}
}
3. The problem I’m having:
So I want Caddy to generate a wildcard certificate for *.example.com, and then use it for multiple hosts (like homeassistant.example.com and other.example.com) on port 443.
I also want homeassistant-external.example.com on port 21443, so that I can use a manually supplied certificate for it.
Basically, when I access https://homeassistant.example.com:443 the certificate used should be the auto-generated wildcard one, and when I access https://homeassistant-external.example.com:21443 it should use the supplied certificate instead.
The problem is that the moment I add the :21443 block, Caddy always picks that certificate for both :443 and :21443, and ignores the auto-generated one!
I have this setup working fine under nginx, but I haven’t been able to do it with caddy…
4. Error messages and/or full log output:
{"level":"info","ts":1669049465.481152,"msg":"using provided configuration","config_file":"/etc/caddy/Caddyfile","config_adapter":"caddyfile"}
{"level":"warn","ts":1669049465.4910066,"msg":"Caddyfile input is not formatted; run the 'caddy fmt' command to fix inconsistencies","adapter":"caddyfile","file":"/etc/caddy/Caddyfile","line":2}
{"level":"info","ts":1669049465.4954476,"logger":"admin","msg":"admin endpoint started","address":"localhost:2019","enforce_origin":false,"origins":["//localhost:2019","//[::1]:2019","//127.0.0.1:2019"]}
{"level":"info","ts":1669049465.4981682,"logger":"tls.cache.maintenance","msg":"started background certificate maintenance","cache":"0x4000440310"}
{"level":"info","ts":1669049465.50363,"logger":"http","msg":"server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS","server_name":"srv0","https_port":443}
{"level":"info","ts":1669049465.5037131,"logger":"http","msg":"enabling automatic HTTP->HTTPS redirects","server_name":"srv0"}
{"level":"info","ts":1669049465.51021,"logger":"http","msg":"enabling HTTP/3 listener","addr":":443"}
{"level":"info","ts":1669049465.5101776,"logger":"tls","msg":"cleaning storage unit","description":"FileStorage:/data/caddy"}
{"level":"info","ts":1669049465.510438,"msg":"failed to sufficiently increase receive buffer size (was: 208 kiB, wanted: 2048 kiB, got: 416 kiB). See https://github.com/lucas-clemente/quic-go/wiki/UDP-Receive-Buffer-Size for details."}
{"level":"debug","ts":1669049465.5105987,"logger":"http","msg":"starting server loop","address":"[::]:443","tls":true,"http3":true}
{"level":"info","ts":1669049465.5106263,"logger":"http.log","msg":"server running","name":"srv0","protocols":["h1","h2","h3"]}
{"level":"debug","ts":1669049465.5107412,"logger":"http","msg":"starting server loop","address":"[::]:80","tls":false,"http3":false}
{"level":"info","ts":1669049465.5107656,"logger":"http.log","msg":"server running","name":"remaining_auto_https_redirects","protocols":["h1","h2","h3"]}
{"level":"info","ts":1669049465.5107765,"logger":"http","msg":"enabling automatic TLS certificate management","domains":["*.example.com"]}
{"level":"debug","ts":1669049465.5117052,"logger":"tls","msg":"loading managed certificate","domain":"*.example.com","expiration":1676811013,"issuer_key":"acme-v02.api.letsencrypt.org-directory","storage":"FileStorage:/data/caddy"}
{"level":"debug","ts":1669049465.5124776,"logger":"tls.cache","msg":"added certificate to cache","subjects":["*.example.com"],"expiration":1676811013,"managed":true,"issuer_key":"acme-v02.api.letsencrypt.org-directory","hash":"73ca35f4146d93539ede788e63f664049395110f58b0fbd301b215124fb07479","cache_size":1,"cache_capacity":10000}
{"level":"debug","ts":1669049465.5125697,"logger":"events","msg":"event","name":"cached_managed_cert","id":"48c0b6ea-a061-4272-b97d-0564946e6fac","origin":"tls","data":{"sans":["*.example.com"]}}
{"level":"info","ts":1669049465.5134115,"logger":"tls","msg":"finished cleaning storage units"}
{"level":"info","ts":1669049465.5136263,"msg":"autosaved config (load with --resume flag)","file":"/config/caddy/autosave.json"}
{"level":"info","ts":1669049465.5136645,"msg":"serving initial configuration"}
5. What I already tried:
I’ve tried using `auto_https ignore_loaded_certs`, and it made no difference at all…