How to use SSL for multiple subdomains?

1. Output of caddy version:

v2.4.6 h1:HGkGICFGvyrodcqOOclHKfvJC0qTU7vny/7FhYp9hNw=

2. How I run Caddy:

  1. My domain's DNS is controlled by Cloudflare; I applied for an API key for it, and Caddy is using it very well.
  2. I edit my Caddyfile
  3. I run Caddy via sudo ./caddy start

a. System environment:

Ubuntu 20.04 LTS

b. Command:

cd ~/caddy
sudo ./caddy start

c. Service/unit/compose file:

Not used.

d. My complete Caddy config:

*.ddns.so *.eth.ddns.so *.dot.ddns.so *.*.eth.ddns.so {

  handle {
    reverse_proxy 127.0.0.1:4567
  }

  log {
    output file /var/log/access-wildcard-ddns-so.log
  }

  tls {
    dns cloudflare <my cloudflare api key>
  }
}

3. The problem I’m having:

I am trying to configure multiple subdomains, such as:

  • a.b.c.ddns.so (failed with: *.*.*.ddns.so, *.ddns.so)
  • a.b.c.d.ddns.so (failed with: *.*.*.*.ddns.so, *.ddns.so)

However, what I can successfully make is:

  • a.ddns.so (mapping to *.ddns.so in Caddyfile)
  • a.eth.ddns.so (mapping to *.eth.ddns.so in Caddyfile)

So I want to know: how can I do this in Caddy?

4. Error messages and/or full log output:

Failed to establish secure connection

Error connecting to a.b.c.eth.ddns.so. The peer reported that it encountered an internal error.

Error code: SSL_ERROR_INTERNAL_ERROR_ALERT

     The page you want to view cannot be displayed because the received data cannot be verified as authentic.
     It is recommended to report this issue to the administrator of this site.

5. What I already tried:

I also tried adding on-demand TLS, but it failed and I got the same error as above:

{
  on_demand_tls {
    ask    https://127.0.0.1:3000/check         # this will always return 200 or true result
  }
}

*.ddns.so *.eth.ddns.so *.dot.ddns.so *.*.eth.ddns.so {

  handle {
    reverse_proxy 127.0.0.1:4567
  }

  log {
    output file /var/log/access-wildcard-ddns-so.log
  }

  tls {
    on_demand
    dns cloudflare <my cloudflare api key>
  }
}

6. Links to relevant resources:

Please upgrade to v2.6.0. You’re using quite an old version at this point.

It’s strongly recommended to not run with caddy start. Instead, run Caddy as a systemd service. Follow these sections in the docs to get set up:

It’s not possible to get multi-level wildcard certs. See the docs, which mention that you may only have a single wildcard * in the domain, and it must be the left-most label:

This is a limitation of wildcard certificates in general, and it’s just not possible to do it this way. See Wildcard certificate - Wikipedia

Only a single level of subdomain matching is supported in accordance with RFC 2818.

I suggest rethinking what you’re trying to build, and use something like dashes between the segments instead of dots, like a-b-c.ddns.so instead.

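As an added illustration of the single-label rule the reply cites (RFC 2818 / RFC 6125), not code from this thread or from Caddy: a small Python check of which hostnames a certificate's SAN entries would actually cover, using the names from the thread. The functions and the SAN list are my own construction.

```python
"""Single-label wildcard matching as browsers and ACME CAs apply it (RFC 2818 / RFC 6125)."""
from typing import Iterable, Optional


def _labels(name: str) -> list:
    """Normalise a DNS name to lowercase labels without a trailing dot."""
    return name.lower().rstrip(".").split(".")


def is_valid_wildcard(san: str) -> bool:
    """A wildcard SAN may contain exactly one '*' and it must be the whole left-most label."""
    if "*" not in san:
        return True  # plain DNS name, no wildcard rules to check
    if san.count("*") != 1:
        return False  # '*.*.eth.ddns.so' is rejected by CAs and clients alike
    labels = _labels(san)
    return labels[0] == "*" and len(labels) >= 2  # '*' is the entire left-most label


def matches(san: str, hostname: str) -> bool:
    """Does one SAN entry cover hostname? A '*' stands for exactly one non-empty label."""
    if "*" in hostname or not is_valid_wildcard(san):
        return False
    s, h = _labels(san), _labels(hostname)
    if s[0] != "*":
        return s == h  # exact match for non-wildcard entries
    # Same label count, every label after the '*' identical, and the label the
    # '*' stands for must be non-empty (so '*.ddns.so' does not cover 'ddns.so').
    return len(s) == len(h) and s[1:] == h[1:] and h[0] != ""


def covered_by(sans: Iterable[str], hostname: str) -> Optional[str]:
    """Return the first SAN that covers hostname, or None if the cert would fail validation."""
    for san in sans:
        if matches(san, hostname):
            return san
    return None


if __name__ == "__main__":
    # Constructed SAN list: the single-level wildcards Caddy can obtain from the thread's Caddyfile.
    SANS = ["*.ddns.so", "*.eth.ddns.so", "*.dot.ddns.so"]
    for host in ["a.ddns.so", "a.eth.ddns.so", "a.b.c.ddns.so", "a-b-c.ddns.so"]:
        print(f"{host:16} -> {covered_by(SANS, host)}")
```

The last two lines of output show why the poster's a.b.c.ddns.so fails and why the dashed form suggested in the reply succeeds.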