Manual Wildcard Certs?

Is it possible to manually generate wildcard certs or manually handle DNS confirmation to support a wildcard domain without doing a special compile of Caddy?

Is the special compile the only way to do Wildcard certs?


Yes, the only way to do it with Caddy is via DNS plugins. Allowing manual steps isn’t really sustainable.

I’ve made progress on setting up Caddy to work with Route53 for wildcard certs + the DNS challenge.

Question - Can caddy use the DNS challenge for the wildcard domain, in this case * but still use the automatically HTTP challenges for other domains (like

Asking because the way the configuration looks I’m worried it will try to use DNS for all the domains but I only need that for the wildcard domains.

Thanks for any tips,


Yeah, just make separate site blocks for each, and set up tls dns config only for the wildcard one.

How should I connect the two? This is my best guess:

  "apps": {
    "tls": {
      "automation": {
        "policies": [
          "subjects": ["*"],

… for the DNS policy … and connect to a route like this:

              "match": [{
                "host": ["*"]
              "handle": [{
                "handler": "reverse_proxy",
                "upstreams": [{
                  "dial": ""
              "terminal": true

So the subject and the host values match. Is that what you mean?

Trying this… hopefully it will work!



Something like this (easier to write in Caddyfile first then adapt to JSON):

* {
	tls {
		dns route53 <secret>
	reverse_proxy whatever:80
} {
	root * /path/to/site

What will trigger Caddy to do the DNS challenge and generate the wildcard cert?

It feels like this should happen the first time the config loads instead of on-demand. But I am not ever seeing Caddy try to set up the ACME challenge DNS record.

I have everything set up just like the docs are saying but can’t pinpoint where why it is failing? (just getting an NO CERT error).


Please post your full config + logs (obviously omit your route53 secret), otherwise we’d just be postulating and that isn’t very productive.

I’ve made some progress at least getting data from the logs. Currently seeing this:

[*] [*] acme: error presenting token: NoCredentialProviders: no valid providers in chain. Deprecated.
        For verbose messaging see aws.Config.CredentialsChainVerboseErrors
 - retrying in 5m0s (5m26.933906965s/720h0m0s elapsed)...

After searching around for that I am attempting to update my /etc/environment file to include:


The latest challenge is I don’t know how to get Caddy to recognize updates to the /etc/environment file.

And unfortunately I haven’t found any working examples of how Caddy interacts with Route53.

I can post my caddy.json if that would help but this seems more related to how the Route53 integration works.

How do I get Caddy to see the latest Environment variables? (it can see the Key and Secret, but not the new variables).


You can instead use the --envfile option when running Caddy to provide a file which has key-value pairs of additional env vars for Caddy to load at runtime.

1 Like

And you can always double-check the environment that Caddy sees by running caddy environ or caddy run --environ.

This topic was automatically closed after 30 days. New replies are no longer allowed.