Https for dynamic subdomains and custom domains

Hi,

I am new to Caddy, but already loving it. I am building an application where every user gets their own subdomain name. ex: user1.mydomain.com, user2.mydomain.com etc… And every user also gets to point their own domain names through a cname record. ex: www.customdomain.com points to user1.mydomain.com

I need caddy to auto-generate SSL certificates dynamically for all the subdomains created, and the custom domains of my users who configure via cname records to my server.

I tried a couple of things from couple of posts but nothing seems to work. Hence requesting the community to help me with the right caddy file to achieve it

I am using Route 53 as my DNS provider for my domain

Thanks in advance.

if im not wrong someone else was using caddy for serving user created subdomains in production.

nginx was failing when count of user increases and caddy was working OK.

First thing that came to my mind is to use JSON API of Caddy to reconfigure server each time.

I’m running into this same issue. We want to be able to dynamically provision certificates for any custom domain that is CNAME’d to us. I seem to recall this working last year when I was prototyping Caddy v1.

For a lot of subdomains, use a wildcard certificate so that you won’t hit CA rate limits.

Caddy will manage wildcard certificates just like regular ones, except you need the DNS challenge enabled.

As you know, Caddy manages domains for any hostnames that appear in a top-level host matcher. (In the Caddyfile, this translates literally to hostnames in addresses at the head of site blocks.)

So, the following Caddyfile will manage a wildcard cert:

*.example.com

tls {
    dns providername ...
}

...

That should take care of the subdomains.

For domains that you don’t control but which you need to serve over HTTPS, that’s what on-demand TLS is for:

{
    on_demand_tls {
        ask http://localhost:9000/check
    }
}

:443

tls {
    on_demand
}

The “ask” stuff at the top is how on-demand TLS authorizes the issuance of a cert for that hostname. Ideally you have some backend that can make sure the issuance is allowed. Docs have details.

Anyway, that should take care of both use cases!

5 Likes

Thanks a lot for the help Matt. Let me try it

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.