Is it possible to enable TLS for any domain with a wildcard?

1. Caddy version (caddy version):

v2.1.0

2. How I run Caddy:

caddy run -config /etc/caddy/Caddyfile

a. System environment:

CentOS 7

b. Command:

caddy run -config /etc/caddy/Caddyfile

c. Service/unit/compose file:

d. My complete Caddyfile or JSON config:

* {
    file_server
    root * /usr/share/caddy
}

3. The problem I’m having:

My app allows users to use a custom domain (CNAME DNS). Is it possible to enable TLS for any domain with a wildcard?

4. Error messages and/or full log output:

./caddy run -config /etc/caddy/Caddyfile -watch
2020/06/29 07:11:31 WARNING: proto: file "pb.proto" is already registered
A future release will panic on registration conflicts. See:
https://developers.google.com/protocol-buffers/docs/reference/go/faq#namespace-conflict

2020/06/29 11:11:32.048 INFO    using provided configuration    {"config_file": "/etc/caddy/Caddyfile", "config_adapter": ""}
2020/06/29 11:11:32.058 INFO    admin   admin endpoint started  {"address": "tcp/localhost:2019", "enforce_origin": false, "origins": ["localhost:2019", "[::1]:2019", "127.0.0.1:2019"]}
2020/06/29 07:11:32 [INFO][cache:0xc0006dfce0] Started certificate maintenance routine
2020/06/29 11:11:32.058 INFO    http    server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS {"server_name": "srv0", "https_port": 443}
2020/06/29 11:11:32.058 INFO    http    enabling automatic HTTP->HTTPS redirects        {"server_name": "srv0"}
2020/06/29 11:11:32.060 INFO    tls     cleaned up storage units
2020/06/29 11:11:32.061 INFO    autosaved config        {"file": "/root/.config/caddy/autosave.json"}
2020/06/29 11:11:32.061 INFO    serving initial configuration
2020/06/29 11:11:32.061 INFO    watcher watching config file for changes        {"config_file": "/etc/caddy/Caddyfile"}
2020/06/29 07:11:52 http: TLS handshake error from 223.73.237.8:51188: no certificate available for 'ssl.razonyang.com'
2020/06/29 07:11:53 http: TLS handshake error from 223.73.237.8:51191: no certificate available for 'ssl.razonyang.com'

5. What I already tried:

6. Links to relevant resources:

Yep, you’re looking for On-Demand TLS


Thank you so much!

Here is my configuration, hope it helps others.

{
    debug
    on_demand_tls {
        # you should change the endpoint.
        # Caddy sends a GET to this URL with ?domain=<requested name> appended and
        # issues a certificate only when the reply is 2xx. The endpoint must
        # approve only domains your customers actually own; an endpoint that
        # answers 200 for everything lets anyone who points a DNS name at this
        # server trigger issuance and burn through the CA's rate limits.
        ask https://www.google.com
    }
}

:443 {
    tls {
        # issue certificates on first TLS handshake for any name the ask
        # endpoint approves, instead of listing hostnames in the site address
        on_demand
    }
    file_server
    root * /usr/share/caddy
}

Related docs:
