For a lot of subdomains, use a wildcard certificate so that you won’t hit CA rate limits.
Caddy will manage wildcard certificates just like regular ones, except you need the DNS challenge enabled.
As you know, Caddy manages domains for any hostnames that appear in a top-level host matcher. (In the Caddyfile, this translates literally to hostnames in addresses at the head of site blocks.)
So, the following Caddyfile will manage a wildcard cert:
```
*.example.com

tls {
    dns providername ...
}

...
```
That should take care of the subdomains.
For domains that you don’t control but which you need to serve over HTTPS, that’s what on-demand TLS is for:
```
{
    on_demand_tls {
        ask http://localhost:9000/check
    }
}

:443

tls {
    on_demand
}
```
The “ask” stuff at the top is how on-demand TLS authorizes the issuance of a cert for that hostname. Ideally you have some backend that can make sure the issuance is allowed. Docs have details.
Anyway, that should take care of both use cases!
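An example of the kind of backend the `ask` URL can point at, added here and not part of the original post or of Caddy itself: a small Go service on localhost:9000 that answers Caddy's `GET /check?domain=<hostname>` with 200 only for hostnames on an allowlist. The allowlist entries and the `hostnameAllowed` / `askHandler` names are constructed for the example.

```go
package main

import (
	"log"
	"net/http"
	"strings"
)

// Constructed allowlist standing in for the tenant database a real deployment
// would consult. A plain entry matches that exact hostname; a leading "."
// matches any subdomain beneath that zone (but not the apex itself).
var allowedZones = []string{
	"customer-one.example",
	".customer-two.example",
}

// hostnameAllowed decides whether Caddy may obtain a certificate for host:
// normalize the name, reject anything that is not a plain DNS name
// (wildcards, paths, ports, whitespace), then consult the allowlist.
func hostnameAllowed(host string) bool {
	host = strings.ToLower(strings.TrimSuffix(strings.TrimSpace(host), "."))
	if host == "" || strings.ContainsAny(host, " /\\@:*") {
		return false
	}
	for _, zone := range allowedZones {
		if host == zone || (strings.HasPrefix(zone, ".") && strings.HasSuffix(host, zone)) {
			return true
		}
	}
	return false
}

// askHandler is the endpoint named by `ask` in on_demand_tls. Caddy sends
// GET /check?domain=<hostname> before issuing; a 200 permits issuance, any
// other status (or an unreachable backend) denies it, so it fails closed.
func askHandler(w http.ResponseWriter, r *http.Request) {
	domain := r.URL.Query().Get("domain")
	if !hostnameAllowed(domain) {
		log.Printf("on-demand TLS: denied issuance for %q", domain)
		http.Error(w, "domain not allowed", http.StatusForbidden)
		return
	}
	w.WriteHeader(http.StatusOK)
}

func main() {
	http.HandleFunc("/check", askHandler)
	log.Fatal(http.ListenAndServe("127.0.0.1:9000", nil))
}
```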