Mixing stored TLS certificates and automatic TLS certificates uses wrong certs

pfish · December 16, 2025, 7:22am

1. The problem I’m having:

I have a server where I have both TLS certificates managed externally (specifically by Certbot), but I also want to have dynamically-issued certificates for other domains.

I’m running an example server at caddy-ssl-test.ttdi.us:

[*.]caddy-ssl-test.ttdi.us is managed by certbot
other-caddy-ssl.ttdi.us is automatically issued by Caddy.

The logs indicate that Caddy is successfully provisioning a certificate for other-caddy-ssl.ttdi.us, but when I make a request to it, Caddy tries to present me with the certificate for *.caddy-ssl-test.ttdi.us.

2. Error messages and/or full log output:

These logs were emitted on startup:

2025/12/16 06:59:13.261 INFO    using adjacent Caddyfile
2025/12/16 06:59:13.264 INFO    admin   admin endpoint started  {"address": "localhost:2019", "enforce_origin": false, "origins": ["//localhost:2019", "//[::1]:2019", "//127.0.0.1:2019"]}
2025/12/16 06:59:13.265 WARN    tls     stapling OCSP   {"error": "no OCSP stapling for [caddy-ssl-test.ttdi.us *.caddy-ssl-test.ttdi.us]: no OCSP server specified in certificate"}
2025/12/16 06:59:13.265 DEBUG   events  event   {"name": "cached_unmanaged_cert", "id": "d0fc8022-5567-433a-ab55-c0be583ad764", "origin": "tls", "data": {"sans":["caddy-ssl-test.ttdi.us","*.caddy-ssl-test.ttdi.us"]}}
2025/12/16 06:59:13.265 DEBUG   tls.cache       added certificate to cache      {"subjects": ["caddy-ssl-test.ttdi.us", "*.caddy-ssl-test.ttdi.us"], "expiration": "2026/03/16 05:36:35.000", "managed": false, "issuer_key": "", "hash": "447b373cc86ddb0e21519b3ddb47c472d8bc59dfcb10c77fcf7bda9eb1982379", "cache_size": 1, "cache_capacity": 10000}
2025/12/16 06:59:13.265 WARN    http    automatic HTTP->HTTPS redirects are disabled    {"server_name": "srv0"}
2025/12/16 06:59:13.266 INFO    http    enabling HTTP/3 listener        {"addr": ":443"}
2025/12/16 06:59:13.266 INFO    connection doesn't allow setting of send buffer size. Not a *net.UDPConn?. See https://github.com/quic-go/quic-go/wiki/UDP-Buffer-Sizes for details.
2025/12/16 06:59:13.266 DEBUG   http    starting server loop    {"address": "[::]:443", "tls": true, "http3": true}
2025/12/16 06:59:13.266 INFO    http.log        server running  {"name": "srv0", "protocols": ["h1", "h2", "h3"]}
2025/12/16 06:59:13.266 INFO    http    enabling automatic TLS certificate management   {"domains": ["other-caddy-ssl.ttdi.us"]}
2025/12/16 06:59:13.267 DEBUG   tls     loading managed certificate     {"domain": "other-caddy-ssl.ttdi.us", "expiration": "2026/03/16 05:49:16.000", "issuer_key": "acme-v02.api.letsencrypt.org-directory", "storage": "FileStorage:/root/.local/share/caddy"}
2025/12/16 06:59:13.267 WARN    tls     stapling OCSP   {"error": "no OCSP stapling for [other-caddy-ssl.ttdi.us]: no OCSP server specified in certificate", "identifiers": ["other-caddy-ssl.ttdi.us"]}
2025/12/16 06:59:13.268 DEBUG   tls.cache       added certificate to cache      {"subjects": ["other-caddy-ssl.ttdi.us"], "expiration": "2026/03/16 05:49:16.000", "managed": true, "issuer_key": "acme-v02.api.letsencrypt.org-directory", "hash": "72260663013c02901ecf62c5677d8a5feec3cae4363acd8f2e8b65eded1d898c", "cache_size": 2, "cache_capacity": 10000}
2025/12/16 06:59:13.268 DEBUG   events  event   {"name": "cached_managed_cert", "id": "3037d6c9-ec5e-4829-bb19-5239e737a6a6", "origin": "tls", "data": {"sans":["other-caddy-ssl.ttdi.us"]}}
2025/12/16 06:59:13.268 INFO    autosaved config (load with --resume flag)      {"file": "/root/.config/caddy/autosave.json"}
2025/12/16 06:59:13.268 INFO    serving initial configuration
2025/12/16 06:59:13.269 INFO    tls.cache.maintenance   started background certificate maintenance      {"cache": "0xc0001c7810"}
2025/12/16 06:59:13.269 INFO    tls     cleaning storage unit   {"description": "FileStorage:/root/.local/share/caddy"}
2025/12/16 06:59:13.269 INFO    tls     finished cleaning storage units

Then I made this request from another machine:

$ curl -vL https://updog.caddy-ssl-test.ttdi.us/not-much
* Host updog.caddy-ssl-test.ttdi.us:443 was resolved.
* IPv6: 2604:a880:400:d1:0:3:6578:e001
* IPv4: 159.223.159.15
*   Trying [2604:a880:400:d1:0:3:6578:e001]:443...
* ALPN: curl offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256 / x25519 / id-ecPublicKey
* ALPN: server accepted h2
* Server certificate:
*  subject: CN=caddy-ssl-test.ttdi.us
*  start date: Dec 16 05:36:35 2025 GMT
*  expire date: Mar 16 05:36:34 2026 GMT
*  subjectAltName: host "updog.caddy-ssl-test.ttdi.us" matched cert's "*.caddy-ssl-test.ttdi.us"
*  issuer: C=US; O=Let's Encrypt; CN=E7
*  SSL certificate verify ok.
*   Certificate level 0: Public key type EC/prime256v1 (256/128 Bits/secBits), signed using ecdsa-with-SHA384
*   Certificate level 1: Public key type EC/secp384r1 (384/192 Bits/secBits), signed using sha256WithRSAEncryption
*   Certificate level 2: Public key type RSA (4096/152 Bits/secBits), signed using sha256WithRSAEncryption
* Connected to updog.caddy-ssl-test.ttdi.us (2604:a880:400:d1:0:3:6578:e001) port 443
* using HTTP/2
* [HTTP/2] [1] OPENED stream for https://updog.caddy-ssl-test.ttdi.us/not-much
* [HTTP/2] [1] [:method: GET]
* [HTTP/2] [1] [:scheme: https]
* [HTTP/2] [1] [:authority: updog.caddy-ssl-test.ttdi.us]
* [HTTP/2] [1] [:path: /not-much]
* [HTTP/2] [1] [user-agent: curl/8.14.1]
* [HTTP/2] [1] [accept: */*]
> GET /not-much HTTP/2
> Host: updog.caddy-ssl-test.ttdi.us
> User-Agent: curl/8.14.1
> Accept: */*
>
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* Request completely sent off
< HTTP/2 200
< alt-svc: h3=":443"; ma=2592000
< content-type: text/plain; charset=utf-8
< server: Caddy
< content-length: 63
< date: Tue, 16 Dec 2025 07:00:10 GMT
<
* Connection #0 to host updog.caddy-ssl-test.ttdi.us left intact
You just requested /not-much from updog.caddy-ssl-test.ttdi.us.

Great! It works. Caddy produced these logs:

2025/12/16 07:00:10.576 DEBUG   events  event   {"name": "tls_get_certificate", "id": "1282da2f-b73a-4da0-9f75-bd77acc1f897", "origin": "tls", "data": {"client_hello":{"CipherSuites":[4866,4867,4865,49196,49200,159,52393,52392,52394,49195,49199,158,49188,49192,107,49187,49191,103,49162,49172,57,49161,49171,51,157,156,61,60,53,47],"ServerName":"updog.caddy-ssl-test.ttdi.us","SupportedCurves":[4588,29,23,30,24,25,256,257],"SupportedPoints":"AAEC","SignatureSchemes":[2309,2310,2308,1027,1283,1539,2055,2056,2074,2075,2076,2057,2058,2059,2052,2053,2054,1025,1281,1537,771,769,770,1026,1282,1538],"SupportedProtos":["h2","http/1.1"],"SupportedVersions":[772,771],"Extensions":[65281,0,11,10,16,22,23,49,13,43,45,51,27],"Conn":{}}}}
2025/12/16 07:00:10.577 DEBUG   tls.handshake   no matching certificate; will choose from all certificates      {"identifier": "updog.caddy-ssl-test.ttdi.us"}
2025/12/16 07:00:10.577 DEBUG   tls.handshake   choosing certificate    {"identifier": "updog.caddy-ssl-test.ttdi.us", "num_choices": 2}
2025/12/16 07:00:10.577 DEBUG   tls.handshake   custom certificate selection results    {"identifier": "updog.caddy-ssl-test.ttdi.us", "subjects": ["caddy-ssl-test.ttdi.us", "*.caddy-ssl-test.ttdi.us"], "managed": false, "issuer_key": "", "hash": "447b373cc86ddb0e21519b3ddb47c472d8bc59dfcb10c77fcf7bda9eb1982379"}
2025/12/16 07:00:10.577 DEBUG   tls.handshake   matched certificate in cache    {"remote_ip": "2604:a880:0:1010::59:6001", "remote_port": "49136", "subjects": ["caddy-ssl-test.ttdi.us", "*.caddy-ssl-test.ttdi.us"], "managed": false, "expiration": "2026/03/16 05:36:35.000", "hash": "447b373cc86ddb0e21519b3ddb47c472d8bc59dfcb10c77fcf7bda9eb1982379"}

Then I made another request:

$ curl -vL https://other-caddy-ssl.ttdi.us/the-other-one
* Host other-caddy-ssl.ttdi.us:443 was resolved.
* IPv6: 2604:a880:400:d1:0:3:6578:e001
* IPv4: 159.223.159.15
*   Trying [2604:a880:400:d1:0:3:6578:e001]:443...
* ALPN: curl offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256 / x25519 / id-ecPublicKey
* ALPN: server accepted h2
* Server certificate:
*  subject: CN=caddy-ssl-test.ttdi.us
*  start date: Dec 16 05:36:35 2025 GMT
*  expire date: Mar 16 05:36:34 2026 GMT
*  subjectAltName does not match hostname other-caddy-ssl.ttdi.us
* SSL: no alternative certificate subject name matches target hostname 'other-caddy-ssl.ttdi.us'
* closing connection #0
curl: (60) SSL: no alternative certificate subject name matches target hostname 'other-caddy-ssl.ttdi.us'
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the webpage mentioned above.

This time, despite having apparently provisioned a TLS certificate and put it into the cache,

2025/12/16 07:00:37.429 DEBUG   events  event   {"name": "tls_get_certificate", "id": "9a010fec-065f-4213-af4c-be74cafb08a0", "origin": "tls", "data": {"client_hello":{"CipherSuites":[4866,4867,4865,49196,49200,159,52393,52392,52394,49195,49199,158,49188,49192,107,49187,49191,103,49162,49172,57,49161,49171,51,157,156,61,60,53,47],"ServerName":"other-caddy-ssl.ttdi.us","SupportedCurves":[4588,29,23,30,24,25,256,257],"SupportedPoints":"AAEC","SignatureSchemes":[2309,2310,2308,1027,1283,1539,2055,2056,2074,2075,2076,2057,2058,2059,2052,2053,2054,1025,1281,1537,771,769,770,1026,1282,1538],"SupportedProtos":["h2","http/1.1"],"SupportedVersions":[772,771],"Extensions":[65281,0,11,10,16,22,23,49,13,43,45,51,27],"Conn":{}}}}
2025/12/16 07:00:37.429 DEBUG   tls.handshake   choosing certificate    {"identifier": "other-caddy-ssl.ttdi.us", "num_choices": 1}
2025/12/16 07:00:37.429 DEBUG   tls.handshake   custom certificate selection results    {"error": "no certificates matched custom selection policy", "identifier": "other-caddy-ssl.ttdi.us", "subjects": [], "managed": false, "issuer_key": "", "hash": ""}
2025/12/16 07:00:37.429 DEBUG   tls.handshake   no matching certificate; will choose from all certificates      {"identifier": "*.ttdi.us"}
2025/12/16 07:00:37.429 DEBUG   tls.handshake   choosing certificate    {"identifier": "*.ttdi.us", "num_choices": 2}
2025/12/16 07:00:37.429 DEBUG   tls.handshake   custom certificate selection results    {"identifier": "*.ttdi.us", "subjects": ["caddy-ssl-test.ttdi.us", "*.caddy-ssl-test.ttdi.us"], "managed": false, "issuer_key": "", "hash": "447b373cc86ddb0e21519b3ddb47c472d8bc59dfcb10c77fcf7bda9eb1982379"}
2025/12/16 07:00:37.429 DEBUG   tls.handshake   matched certificate in cache    {"remote_ip": "2604:a880:0:1010::59:6001", "remote_port": "36866", "subjects": ["caddy-ssl-test.ttdi.us", "*.caddy-ssl-test.ttdi.us"], "managed": false, "expiration": "2026/03/16 05:36:35.000", "hash": "447b373cc86ddb0e21519b3ddb47c472d8bc59dfcb10c77fcf7bda9eb1982379"}
2025/12/16 07:00:37.455 DEBUG   http.stdlib     http2: server: error reading preface from client [2604:a880:0:1010::59:6001]:36866: read tcp [2604:a880:400:d1:0:3:6578:e001]:443->[2604:a880:0:1010::59:6001]:36866: read: connection reset by peer

However, if I don’t check the TLS certificate, the request is routed to the correct backend:

$ curl -vL --insecure https://other-caddy-ssl.ttdi.us/the-other-one
* Host other-caddy-ssl.ttdi.us:443 was resolved.
* IPv6: 2604:a880:400:d1:0:3:6578:e001
* IPv4: 159.223.159.15
*   Trying [2604:a880:400:d1:0:3:6578:e001]:443...
* ALPN: curl offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256 / x25519 / id-ecPublicKey
* ALPN: server accepted h2
* Server certificate:
*  subject: CN=caddy-ssl-test.ttdi.us
*  start date: Dec 16 05:36:35 2025 GMT
*  expire date: Mar 16 05:36:34 2026 GMT
*  issuer: C=US; O=Let's Encrypt; CN=E7
*  SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
*   Certificate level 0: Public key type EC/prime256v1 (256/128 Bits/secBits), signed using ecdsa-with-SHA384
*   Certificate level 1: Public key type EC/secp384r1 (384/192 Bits/secBits), signed using sha256WithRSAEncryption
* Connected to other-caddy-ssl.ttdi.us (2604:a880:400:d1:0:3:6578:e001) port 443
* using HTTP/2
* [HTTP/2] [1] OPENED stream for https://other-caddy-ssl.ttdi.us/the-other-one
* [HTTP/2] [1] [:method: GET]
* [HTTP/2] [1] [:scheme: https]
* [HTTP/2] [1] [:authority: other-caddy-ssl.ttdi.us]
* [HTTP/2] [1] [:path: /the-other-one]
* [HTTP/2] [1] [user-agent: curl/8.14.1]
* [HTTP/2] [1] [accept: */*]
> GET /the-other-one HTTP/2
> Host: other-caddy-ssl.ttdi.us
> User-Agent: curl/8.14.1
> Accept: */*
>
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* Request completely sent off
< HTTP/2 200
< alt-svc: h3=":443"; ma=2592000
< content-type: text/plain; charset=utf-8
< server: Caddy
< content-length: 68
< date: Tue, 16 Dec 2025 07:16:19 GMT
<
* Connection #0 to host other-caddy-ssl.ttdi.us left intact
THE OTHER CONFIG! This is /the-other-one on other-caddy-ssl.ttdi.us.

3. Caddy version:

Installed from the Ubuntu 25.10 repositories:

$ caddy version
2.6.2

4. How I installed and ran Caddy:

From the Ubuntu APT archives, via

# apt install caddy

a. System environment:

Ubuntu 25.10, as installed and using a systemd service.

I am using a separate service, listening on port 80, to handle redirects to HTTPS on port 443.

b. Command:

# caddy run

d. My complete Caddy config:

{
        auto_https disable_redirects
        debug
}

https:// {
        tls /etc/letsencrypt/live/caddy-ssl-test.ttdi.us/fullchain.pem /etc/letsencrypt/live/caddy-ssl-test.ttdi.us/privkey.pem
        respond "You just requested {uri} from {host}."
}

other-caddy-ssl.ttdi.us {
        respond "THE OTHER CONFIG! This is {uri} on {host}."
}

# Refer to the Caddy docs for more information:
# https://caddyserver.com/docs/caddyfile

5. Links to relevant resources:

(not applicable)

6. Disclaimer

I’m going to re-run this test after installing the version available in the Cloudsmith repositories but I already wrote this whole thing out and maybe it will help somebody else so I’m posting it anyway.

pfish · December 16, 2025, 7:31am

Same symptoms after installing Caddy from the Cloudsmith repos.

$ caddy version
v2.10.2 h1:g/gTYjGMD0dec+UgMw8SnfmJ3I9+M2TdvoRL/Ovu6U8=

I know I am doing a lot of weird things for dumb reasons, but it does seem like something is wrong with the way Caddy is looking for TLS certificates and this may indicate some kind of bug.

timelordx · December 16, 2025, 7:54am

pfish · December 16, 2025, 8:35am

I don’t think this is related to what you’re describing there. The issue I am running into is on completely different domains than the wildcarded one (which might not be obvious since the domain names are kind of similar). It’s as if, after successfully getting a certificate for mydomain.invalid, Caddy then decided that a request to mydomain.invalid should be presented with the certificate for *.example.com. (Also my issue already existed before v2.10.)

To make this more concrete, if I had a stanza in my config like

special-case.caddy-ssl-test.ttdi.us {
  respond "here comes a special boy"
}

I would indeed expect it to use the *.caddy-ssl-test.ttdi.us certificate from /etc/letsencrypt/... specified in the earlier https:// {} stanza and not request a new cert (which is what I think you’re referring to).

timelordx · December 16, 2025, 9:18am

Can you please share /root/.config/caddy/autosave.json?

If you have jq command installed:

jq . /root/.config/caddy/autosave.json

pfish · December 16, 2025, 7:24pm

Here are the contents of the autosave.json file:

{
  "apps": {
    "http": {
      "servers": {
        "srv0": {
          "automatic_https": {
            "disable_redirects": true
          },
          "listen": [
            ":443"
          ],
          "routes": [
            {
              "handle": [
                {
                  "handler": "subroute",
                  "routes": [
                    {
                      "handle": [
                        {
                          "body": "THE OTHER CONFIG! This is {http.request.uri} on {http.request.host}.",
                          "handler": "static_response"
                        }
                      ]
                    }
                  ]
                }
              ],
              "match": [
                {
                  "host": [
                    "other-caddy-ssl.ttdi.us"
                  ]
                }
              ],
              "terminal": true
            },
            {
              "handle": [
                {
                  "handler": "subroute",
                  "routes": [
                    {
                      "handle": [
                        {
                          "body": "You just requested {http.request.uri} from {http.request.host}.",
                          "handler": "static_response"
                        }
                      ]
                    }
                  ]
                }
              ],
              "terminal": true
            }
          ],
          "tls_connection_policies": [
            {
              "certificate_selection": {
                "any_tag": [
                  "cert0"
                ]
              }
            }
          ]
        }
      }
    },
    "tls": {
      "certificates": {
        "load_files": [
          {
            "certificate": "/etc/letsencrypt/live/caddy-ssl-test.ttdi.us/fullchain.pem",
            "key": "/etc/letsencrypt/live/caddy-ssl-test.ttdi.us/privkey.pem",
            "tags": [
              "cert0"
            ]
          }
        ]
      }
    }
  },
  "logging": {
    "logs": {
      "default": {
        "level": "DEBUG"
      }
    }
  }
}

pfish · December 16, 2025, 7:59pm

I’ve been doing some more experimenting. If I change the config to specify caddy-ssl-test.ttdi.us, *.caddy-ssl-test.ttdi.us, so that the full Caddyfile looks like:

{
        auto_https disable_redirects
        debug
}

caddy-ssl-test.ttdi.us, *.caddy-ssl-test.ttdi.us {
        # NO LONGER https:// {
        tls /etc/letsencrypt/live/caddy-ssl-test.ttdi.us/fullchain.pem /etc/letsencrypt/live/caddy-ssl-test.ttdi.us/privkey.pem
        respond "You just requested {uri} from {host}."
}

other-caddy-ssl.ttdi.us {
        respond "THE OTHER CONFIG! This is {uri} on {host}."
}

the resultant config is:

{
  "apps": {
    "http": {
      "servers": {
        "srv0": {
          "automatic_https": {
            "disable_redirects": true
          },
          "listen": [
            ":443"
          ],
          "routes": [
            {
              "handle": [
                {
                  "handler": "subroute",
                  "routes": [
                    {
                      "handle": [
                        {
                          "body": "THE OTHER CONFIG! This is {http.request.uri} on {http.request.host}.",
                          "handler": "static_response"
                        }
                      ]
                    }
                  ]
                }
              ],
              "match": [
                {
                  "host": [
                    "other-caddy-ssl.ttdi.us"
                  ]
                }
              ],
              "terminal": true
            },
            {
              "handle": [
                {
                  "handler": "subroute",
                  "routes": [
                    {
                      "handle": [
                        {
                          "body": "You just requested {http.request.uri} from {http.request.host}.",
                          "handler": "static_response"
                        }
                      ]
                    }
                  ]
                }
              ],
              "match": [
                {
                  "host": [
                    "caddy-ssl-test.ttdi.us",
                    "*.caddy-ssl-test.ttdi.us"
                  ]
                }
              ],
              "terminal": true
            }
          ],
          "tls_connection_policies": [
            {
              "certificate_selection": {
                "any_tag": [
                  "cert0"
                ]
              },
              "match": {
                "sni": [
                  "*.caddy-ssl-test.ttdi.us",
                  "caddy-ssl-test.ttdi.us"
                ]
              }
            },
            {}
          ]
        }
      }
    },
    "tls": {
      "certificates": {
        "load_files": [
          {
            "certificate": "/etc/letsencrypt/live/caddy-ssl-test.ttdi.us/fullchain.pem",
            "key": "/etc/letsencrypt/live/caddy-ssl-test.ttdi.us/privkey.pem",
            "tags": [
              "cert0"
            ]
          }
        ]
      }
    }
  },
  "logging": {
    "logs": {
      "default": {
        "level": "DEBUG"
      }
    }
  }
}

These are the differences:

--- old.json    2025-12-16 19:52:25.176985631 +0000
+++ new.json    2025-12-16 19:52:25.113985589 +0000
@@ -51,6 +51,14 @@
                   ]
                 }
               ],
+              "match": [
+                {
+                  "host": [
+                    "caddy-ssl-test.ttdi.us",
+                    "*.caddy-ssl-test.ttdi.us"
+                  ]
+                }
+              ],
               "terminal": true
             }
           ],
@@ -60,8 +68,15 @@
                 "any_tag": [
                   "cert0"
                 ]
+              },
+              "match": {
+                "sni": [
+                  "*.caddy-ssl-test.ttdi.us",
+                  "caddy-ssl-test.ttdi.us"
+                ]
               }
-            }
+            },
+            {}
           ]
         }
       }

First, in the You just requested {http.request.uri} from {http.request.host}. handler, the match part is added (not particularly interesting). But later, in the tls_connection_policies, the first entry in the tls_connection_policies gains a match>sni child with the appropriate hosts, and a new empty [} policy is added to the list.

When I start the server after intentionally deleting the ~/.config/caddy/ and ~/.local/share/caddy/ directories, the logs look like:

2025/12/16 19:39:43.919 INFO    maxprocs: Leaving GOMAXPROCS=1: CPU quota undefined
2025/12/16 19:39:43.919 INFO    GOMEMLIMIT is updated   {"package": "github.com/KimMachineGun/automemlimit/memlimit", "GOMEMLIMIT": 430693171, "previous": 9223372036854775807}
2025/12/16 19:39:43.919 INFO    using adjacent Caddyfile
2025/12/16 19:39:43.922 INFO    adapted config to JSON  {"adapter": "caddyfile"}
2025/12/16 19:39:43.922 WARN    Caddyfile input is not formatted; run 'caddy fmt --overwrite' to fix inconsistencies   {"adapter": "caddyfile", "file": "Caddyfile", "line": 17}
2025/12/16 19:39:43.925 INFO    admin   admin endpoint started  {"address": "localhost:2019", "enforce_origin": false, "origins": ["//localhost:2019", "//[::1]:2019", "//127.0.0.1:2019"]}
2025/12/16 19:39:43.925 DEBUG   tls     stapling OCSP   {"error": "no OCSP stapling for [caddy-ssl-test.ttdi.us *.caddy-ssl-test.ttdi.us]: no OCSP server specified in certificate"}
2025/12/16 19:39:43.926 DEBUG   events  event   {"name": "cached_unmanaged_cert", "id": "ee8c8c9b-c77a-4d82-92a4-2f2b8a464102", "origin": "tls", "data": {"sans":["caddy-ssl-test.ttdi.us","*.caddy-ssl-test.ttdi.us"]}}
2025/12/16 19:39:43.926 DEBUG   tls.cache       added certificate to cache      {"subjects": ["caddy-ssl-test.ttdi.us", "*.caddy-ssl-test.ttdi.us"], "expiration": "2026/03/16 05:36:35.000", "managed": false, "issuer_key": "", "hash": "b5aec2f7eda574fd204f67e78611f523e7813672e224f5c55d51618488363bab", "cache_size": 1, "cache_capacity": 10000}
2025/12/16 19:39:43.927 INFO    http.auto_https skipping automatic certificate management because one or more matching certificates are already loaded  {"domain": "caddy-ssl-test.ttdi.us", "server_name": "srv0"}
2025/12/16 19:39:43.927 INFO    http.auto_https skipping automatic certificate management because one or more matching certificates are already loaded  {"domain": "*.caddy-ssl-test.ttdi.us", "server_name": "srv0"}
2025/12/16 19:39:43.928 INFO    http.auto_https automatic HTTP->HTTPS redirects are disabled    {"server_name": "srv0"}
2025/12/16 19:39:43.928 DEBUG   http.auto_https adjusted config {"tls": {"automation":{"policies":[{}]}}, "http": {"servers":{"srv0":{"listen":[":443"],"routes":[{"handle":[{"handler":"subroute","routes":[{"handle":[{"body":"THE OTHER CONFIG! This is {http.request.uri} on {http.request.host}.","handler":"static_response"}]}]}],"terminal":true},{"handle":[{"handler":"subroute","routes":[{"handle":[{"body":"You just requested {http.request.uri} from {http.request.host}.","handler":"static_response"}]}]}],"terminal":true}],"tls_connection_policies":[{"match":{"sni":["*.caddy-ssl-test.ttdi.us","caddy-ssl-test.ttdi.us"]},"certificate_selection":{"any_tag":["cert0"]}},{}],"automatic_https":{"disable_redirects":true}}}}}
2025/12/16 19:39:43.928 DEBUG   http    starting server loop    {"address": "[::]:443", "tls": true, "http3": false}
2025/12/16 19:39:43.929 INFO    http    enabling HTTP/3 listener        {"addr": ":443"}
2025/12/16 19:39:43.929 INFO    http.log        server running  {"name": "srv0", "protocols": ["h1", "h2", "h3"]}
2025/12/16 19:39:43.929 INFO    http    enabling automatic TLS certificate management   {"domains": ["other-caddy-ssl.ttdi.us"]}
2025/12/16 19:39:43.929 DEBUG   events  event   {"name": "started", "id": "5c590fa9-a55f-4e90-814a-085b3b750209", "origin": "", "data": null}
2025/12/16 19:39:43.930 INFO    autosaved config (load with --resume flag)      {"file": "/root/.config/caddy/autosave.json"}
2025/12/16 19:39:43.930 INFO    serving initial configuration
2025/12/16 19:39:43.933 INFO    tls.obtain      acquiring lock  {"identifier": "other-caddy-ssl.ttdi.us"}
2025/12/16 19:39:43.935 INFO    tls.obtain      lock acquired   {"identifier": "other-caddy-ssl.ttdi.us"}
2025/12/16 19:39:43.935 INFO    tls.obtain      obtaining certificate   {"identifier": "other-caddy-ssl.ttdi.us"}
2025/12/16 19:39:43.935 DEBUG   events  event   {"name": "cert_obtaining", "id": "934026e6-e11a-4485-b532-7a1a6d1c5063", "origin": "tls", "data": {"identifier":"other-caddy-ssl.ttdi.us"}}
2025/12/16 19:39:43.936 DEBUG   tls     created CSR     {"identifiers": ["other-caddy-ssl.ttdi.us"], "san_dns_names": ["other-caddy-ssl.ttdi.us"], "san_emails": [], "common_name": "", "extra_extensions": 0}
2025/12/16 19:39:43.936 DEBUG   tls.obtain      trying issuer 1/1       {"issuer": "acme-v02.api.letsencrypt.org-directory"}
2025/12/16 19:39:43.936 INFO    http    creating new account because no account for configured email is known to us    {"email": "", "ca": "https://acme-v02.api.letsencrypt.org/directory", "error": "open /root/.local/share/caddy/acme/acme-v02.api.letsencrypt.org-directory/users/default/default.json: no such file or directory"}
2025/12/16 19:39:43.936 INFO    http    ACME account has empty status; registering account with ACME server     {"contact": [], "location": ""}
2025/12/16 19:39:43.937 INFO    tls.cache.maintenance   started background certificate maintenance      {"cache": "0xc000895280"}
2025/12/16 19:39:43.938 INFO    http    creating new account because no account for configured email is known to us    {"email": "", "ca": "https://acme-v02.api.letsencrypt.org/directory", "error": "open /root/.local/share/caddy/acme/acme-v02.api.letsencrypt.org-directory/users/default/default.json: no such file or directory"}
2025/12/16 19:39:43.940 INFO    tls     cleaning storage unit   {"storage": "FileStorage:/root/.local/share/caddy"}
2025/12/16 19:39:43.943 INFO    tls     finished cleaning storage units
2025/12/16 19:39:44.126 DEBUG   http request    {"method": "GET", "url": "https://acme-v02.api.letsencrypt.org/directory", "headers": {"User-Agent":["Caddy/2.10.2 CertMagic acmez (linux; amd64)"]}, "response_headers": {"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["1063"],"Content-Type":["application/json"],"Date":["Tue, 16 Dec 2025 19:39:44 GMT"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]}, "status_code": 200}
2025/12/16 19:39:44.185 DEBUG   http request    {"method": "HEAD", "url": "https://acme-v02.api.letsencrypt.org/acme/new-nonce", "headers": {"User-Agent":["Caddy/2.10.2 CertMagic acmez (linux; amd64)"]}, "response_headers": {"Cache-Control":["public, max-age=0, no-cache"],"Date":["Tue, 16 Dec 2025 19:39:44 GMT"],"Link":["<https://acme-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["YWDLJucGjU0WJfmy7zJecNSy_gnWk-vZ1OeTB_LD3GGICLOzaLg"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]}, "status_code": 200}
2025/12/16 19:39:44.274 DEBUG   http request    {"method": "POST", "url": "https://acme-v02.api.letsencrypt.org/acme/new-acct", "headers": {"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.10.2 CertMagic acmez (linux; amd64)"]}, "response_headers": {"Boulder-Requester":["2884229286"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["236"],"Content-Type":["application/json"],"Date":["Tue, 16 Dec 2025 19:39:44 GMT"],"Link":["<https://acme-v02.api.letsencrypt.org/directory>;rel=\"index\"","<https://letsencrypt.org/documents/LE-SA-v1.6-August-18-2025.pdf>;rel=\"terms-of-service\""],"Location":["https://acme-v02.api.letsencrypt.org/acme/acct/2884229286"],"Replay-Nonce":["hSQhSvkiRyRrSjei0ZqSc4dQzaYZoK8oAe4q_Ny-ubdHOastZ9g"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]}, "status_code": 201}
2025/12/16 19:39:44.275 INFO    http    new ACME account registered     {"contact": [], "status": "valid"}
2025/12/16 19:39:44.280 INFO    http    waiting on internal rate limiter        {"identifiers": ["other-caddy-ssl.ttdi.us"], "ca": "https://acme-v02.api.letsencrypt.org/directory", "account": ""}
2025/12/16 19:39:44.280 INFO    http    done waiting on internal rate limiter   {"identifiers": ["other-caddy-ssl.ttdi.us"], "ca": "https://acme-v02.api.letsencrypt.org/directory", "account": ""}
2025/12/16 19:39:44.280 INFO    http    using ACME account      {"account_id": "https://acme-v02.api.letsencrypt.org/acme/acct/2884229286", "account_contact": []}
2025/12/16 19:39:44.280 DEBUG   creating order  {"account": "https://acme-v02.api.letsencrypt.org/acme/acct/2884229286", "identifiers": ["other-caddy-ssl.ttdi.us"]}
2025/12/16 19:39:44.388 DEBUG   http request    {"method": "POST", "url": "https://acme-v02.api.letsencrypt.org/acme/new-order", "headers": {"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.10.2 CertMagic acmez (linux; amd64)"]}, "response_headers": {"Boulder-Requester":["2884229286"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["357"],"Content-Type":["application/json"],"Date":["Tue, 16 Dec 2025 19:39:44 GMT"],"Link":["<https://acme-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Location":["https://acme-v02.api.letsencrypt.org/acme/order/2884229286/459505933436"],"Replay-Nonce":["hSQhSvkin9vGSpIO5-CiLtMdiHJqgCkwkaxmOZWy20JHZKko9uU"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]}, "status_code": 201}
2025/12/16 19:39:44.460 DEBUG   http request    {"method": "POST", "url": "https://acme-v02.api.letsencrypt.org/acme/authz/2884229286/628473069316", "headers": {"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.10.2 CertMagic acmez (linux; amd64)"]}, "response_headers": {"Boulder-Requester":["2884229286"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["831"],"Content-Type":["application/json"],"Date":["Tue, 16 Dec 2025 19:39:44 GMT"],"Link":["<https://acme-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["YWDLJucGZyIIDOY5HdlgC89rASUBOZ7QjCeyPAoSg-kPT4MnmTM"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]}, "status_code": 200}
2025/12/16 19:39:44.461 INFO    trying to solve challenge       {"identifier": "other-caddy-ssl.ttdi.us", "challenge_type": "tls-alpn-01", "ca": "https://acme-v02.api.letsencrypt.org/directory"}
2025/12/16 19:39:44.464 DEBUG   waiting for solver before continuing    {"identifier": "other-caddy-ssl.ttdi.us", "challenge_type": "tls-alpn-01"}
2025/12/16 19:39:44.465 DEBUG   done waiting for solver {"identifier": "other-caddy-ssl.ttdi.us", "challenge_type": "tls-alpn-01"}
2025/12/16 19:39:44.465 DEBUG   http.stdlib     http: TLS handshake error from 127.0.0.1:38524: EOF
2025/12/16 19:39:44.527 DEBUG   http request    {"method": "POST", "url": "https://acme-v02.api.letsencrypt.org/acme/chall/2884229286/628473069316/IygVNg", "headers": {"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.10.2 CertMagic acmez (linux; amd64)"]}, "response_headers": {"Boulder-Requester":["2884229286"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["199"],"Content-Type":["application/json"],"Date":["Tue, 16 Dec 2025 19:39:44 GMT"],"Link":["<https://acme-v02.api.letsencrypt.org/directory>;rel=\"index\"","<https://acme-v02.api.letsencrypt.org/acme/authz/2884229286/628473069316>;rel=\"up\""],"Location":["https://acme-v02.api.letsencrypt.org/acme/chall/2884229286/628473069316/IygVNg"],"Replay-Nonce":["YWDLJucGto5GQWgM4WJJ5fk6ZAf0uCK6yfARrNVi4slB1aUNczc"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]}, "status_code": 200}
2025/12/16 19:39:44.527 DEBUG   challenge accepted      {"identifier": "other-caddy-ssl.ttdi.us", "challenge_type": "tls-alpn-01"}
2025/12/16 19:39:44.694 DEBUG   events  event   {"name": "tls_get_certificate", "id": "bc729055-a97e-4544-b1c0-8c92ef82b69e", "origin": "tls", "data": {"client_hello":{"CipherSuites":[49195,49199,49196,49200,52393,52392,49161,49171,49162,49172,4865,4866,4867],"ServerName":"other-caddy-ssl.ttdi.us","SupportedCurves":[4588,29,23,24,25],"SupportedPoints":"AA==","SignatureSchemes":[2052,1027,2055,2053,2054,1025,1281,1537,1283,1539],"SupportedProtos":["acme-tls/1"],"SupportedVersions":[772,771],"RemoteAddr":{"IP":"2600:3000:2710:200::83","Port":37045,"Zone":""},"LocalAddr":{"IP":"2604:a880:400:d1:0:3:6578:e001","Port":443,"Zone":""}}}}
2025/12/16 19:39:44.695 INFO    tls     served key authentication certificate   {"server_name": "other-caddy-ssl.ttdi.us", "challenge": "tls-alpn-01", "remote": "[2600:3000:2710:200::83]:37045", "distributed": false}
2025/12/16 19:39:44.840 DEBUG   http request    {"method": "POST", "url": "https://acme-v02.api.letsencrypt.org/acme/authz/2884229286/628473069316", "headers": {"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.10.2 CertMagic acmez (linux; amd64)"]}, "response_headers": {"Boulder-Requester":["2884229286"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["831"],"Content-Type":["application/json"],"Date":["Tue, 16 Dec 2025 19:39:44 GMT"],"Link":["<https://acme-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["hSQhSvkiSmN1YQBoGYUN0wzAt6mw4E1mHYcl1GZLyLtr9ZfMqkg"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]}, "status_code": 200}
2025/12/16 19:39:44.863 DEBUG   events  event   {"name": "tls_get_certificate", "id": "fac23ba4-c115-47d9-8e49-c10311c194fd", "origin": "tls", "data": {"client_hello":{"CipherSuites":[49195,49199,49196,49200,52393,52392,49161,49171,49162,49172,4865,4866,4867],"ServerName":"other-caddy-ssl.ttdi.us","SupportedCurves":[4588,29,23,24,25],"SupportedPoints":"AA==","SignatureSchemes":[2052,1027,2055,2053,2054,1025,1281,1537,1283,1539],"SupportedProtos":["acme-tls/1"],"SupportedVersions":[772,771],"RemoteAddr":{"IP":"2600:1f16:269:da02:c3e:df1e:f6d3:a972","Port":46816,"Zone":""},"LocalAddr":{"IP":"2604:a880:400:d1:0:3:6578:e001","Port":443,"Zone":""}}}}
2025/12/16 19:39:44.863 INFO    tls     served key authentication certificate   {"server_name": "other-caddy-ssl.ttdi.us", "challenge": "tls-alpn-01", "remote": "[2600:1f16:269:da02:c3e:df1e:f6d3:a972]:46816", "distributed": false}
2025/12/16 19:39:44.915 DEBUG   events  event   {"name": "tls_get_certificate", "id": "144d2481-3836-44ec-a935-e6c6eab92f82", "origin": "tls", "data": {"client_hello":{"CipherSuites":[49195,49199,49196,49200,52393,52392,49161,49171,49162,49172,4865,4866,4867],"ServerName":"other-caddy-ssl.ttdi.us","SupportedCurves":[4588,29,23,24,25],"SupportedPoints":"AA==","SignatureSchemes":[2052,1027,2055,2053,2054,1025,1281,1537,1283,1539],"SupportedProtos":["acme-tls/1"],"SupportedVersions":[772,771],"RemoteAddr":{"IP":"2600:1f14:804:fd02:edc3:48a6:1456:4c3d","Port":37616,"Zone":""},"LocalAddr":{"IP":"2604:a880:400:d1:0:3:6578:e001","Port":443,"Zone":""}}}}
2025/12/16 19:39:44.915 INFO    tls     served key authentication certificate   {"server_name": "other-caddy-ssl.ttdi.us", "challenge": "tls-alpn-01", "remote": "[2600:1f14:804:fd02:edc3:48a6:1456:4c3d]:37616", "distributed": false}
2025/12/16 19:39:45.029 DEBUG   events  event   {"name": "tls_get_certificate", "id": "76a5f423-b6f5-46d1-9718-bcb66a81f387", "origin": "tls", "data": {"client_hello":{"CipherSuites":[49195,49199,49196,49200,52393,52392,49161,49171,49162,49172,4865,4866,4867],"ServerName":"other-caddy-ssl.ttdi.us","SupportedCurves":[4588,29,23,24,25],"SupportedPoints":"AA==","SignatureSchemes":[2052,1027,2055,2053,2054,1025,1281,1537,1283,1539],"SupportedProtos":["acme-tls/1"],"SupportedVersions":[772,771],"RemoteAddr":{"IP":"2a05:d016:39f:3102:e50a:e96f:84e8:bfee","Port":16948,"Zone":""},"LocalAddr":{"IP":"2604:a880:400:d1:0:3:6578:e001","Port":443,"Zone":""}}}}
2025/12/16 19:39:45.030 INFO    tls     served key authentication certificate   {"server_name": "other-caddy-ssl.ttdi.us", "challenge": "tls-alpn-01", "remote": "[2a05:d016:39f:3102:e50a:e96f:84e8:bfee]:16948", "distributed": false}
2025/12/16 19:39:45.198 DEBUG   events  event   {"name": "tls_get_certificate", "id": "3b02ef6d-dfd8-4768-af1d-a0597dacb0de", "origin": "tls", "data": {"client_hello":{"CipherSuites":[49195,49199,49196,49200,52393,52392,49161,49171,49162,49172,4865,4866,4867],"ServerName":"other-caddy-ssl.ttdi.us","SupportedCurves":[4588,29,23,24,25],"SupportedPoints":"AA==","SignatureSchemes":[2052,1027,2055,2053,2054,1025,1281,1537,1283,1539],"SupportedProtos":["acme-tls/1"],"SupportedVersions":[772,771],"RemoteAddr":{"IP":"2406:da18:85:1402:6c8:c5f0:8595:c13d","Port":36046,"Zone":""},"LocalAddr":{"IP":"2604:a880:400:d1:0:3:6578:e001","Port":443,"Zone":""}}}}
2025/12/16 19:39:45.199 INFO    tls     served key authentication certificate   {"server_name": "other-caddy-ssl.ttdi.us", "challenge": "tls-alpn-01", "remote": "[2406:da18:85:1402:6c8:c5f0:8595:c13d]:36046", "distributed": false}
2025/12/16 19:39:45.199 DEBUG   http request    {"method": "POST", "url": "https://acme-v02.api.letsencrypt.org/acme/authz/2884229286/628473069316", "headers": {"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.10.2 CertMagic acmez (linux; amd64)"]}, "response_headers": {"Boulder-Requester":["2884229286"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["831"],"Content-Type":["application/json"],"Date":["Tue, 16 Dec 2025 19:39:45 GMT"],"Link":["<https://acme-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["hSQhSvkiQGVjs0gSBOOuTVehBKDkAztdxyqkAPJUBTQX820C2v4"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]}, "status_code": 200}
2025/12/16 19:39:45.512 DEBUG   http request    {"method": "POST", "url": "https://acme-v02.api.letsencrypt.org/acme/authz/2884229286/628473069316", "headers": {"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.10.2 CertMagic acmez (linux; amd64)"]}, "response_headers": {"Boulder-Requester":["2884229286"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["831"],"Content-Type":["application/json"],"Date":["Tue, 16 Dec 2025 19:39:45 GMT"],"Link":["<https://acme-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["YWDLJucGbEqwHnTeiy1CSJmVCCYTs17jS4UAQNybBnnSYw1Ns3Q"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]}, "status_code": 200}
2025/12/16 19:39:45.823 DEBUG   http request    {"method": "POST", "url": "https://acme-v02.api.letsencrypt.org/acme/authz/2884229286/628473069316", "headers": {"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.10.2 CertMagic acmez (linux; amd64)"]}, "response_headers": {"Boulder-Requester":["2884229286"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["739"],"Content-Type":["application/json"],"Date":["Tue, 16 Dec 2025 19:39:45 GMT"],"Link":["<https://acme-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["YWDLJucGmZGVp0jwlwLJaIzULPCE56wc68S6zRd0nETD_n5I4TY"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]}, "status_code": 200}
2025/12/16 19:39:45.823 INFO    authorization finalized {"identifier": "other-caddy-ssl.ttdi.us", "authz_status": "valid"}
2025/12/16 19:39:45.823 INFO    validations succeeded; finalizing order {"order": "https://acme-v02.api.letsencrypt.org/acme/order/2884229286/459505933436"}
2025/12/16 19:39:47.020 DEBUG   http request    {"method": "POST", "url": "https://acme-v02.api.letsencrypt.org/acme/finalize/2884229286/459505933436", "headers": {"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.10.2 CertMagic acmez (linux; amd64)"]}, "response_headers": {"Boulder-Requester":["2884229286"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["459"],"Content-Type":["application/json"],"Date":["Tue, 16 Dec 2025 19:39:46 GMT"],"Link":["<https://acme-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Location":["https://acme-v02.api.letsencrypt.org/acme/order/2884229286/459505933436"],"Replay-Nonce":["hSQhSvki5tt9yAccv5z50M1jG__D5KTL-JtXT2sPP91-Pa1MxSg"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]}, "status_code": 200}
2025/12/16 19:39:47.082 DEBUG   http request    {"method": "POST", "url": "https://acme-v02.api.letsencrypt.org/acme/cert/050e1f67040e239cfa7f7589a5c9357d6d76", "headers": {"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.10.2 CertMagic acmez (linux; amd64)"]}, "response_headers": {"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["2889"],"Content-Type":["application/pem-certificate-chain"],"Date":["Tue, 16 Dec 2025 19:39:47 GMT"],"Link":["<https://acme-v02.api.letsencrypt.org/directory>;rel=\"index\"","<https://acme-v02.api.letsencrypt.org/acme/cert/050e1f67040e239cfa7f7589a5c9357d6d76/1>;rel=\"alternate\""],"Replay-Nonce":["YWDLJucG-i-l45MVwhcXt7wDG97cNz0Wd9xykqjHbz4Ic5w3LOs"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]}, "status_code": 200}
2025/12/16 19:39:47.083 DEBUG   getting renewal info    {"names": ["other-caddy-ssl.ttdi.us"]}
2025/12/16 19:39:47.159 DEBUG   http request    {"method": "GET", "url": "https://acme-v02.api.letsencrypt.org/acme/renewal-info/jw0TovYuftFQbDMYOF1ZjiNykco.BQ4fZwQOI5z6f3WJpck1fW12", "headers": {"User-Agent":["Caddy/2.10.2 CertMagic acmez (linux; amd64)"]}, "response_headers": {"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["101"],"Content-Type":["application/json"],"Date":["Tue, 16 Dec 2025 19:39:47 GMT"],"Link":["<https://acme-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Retry-After":["21600"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]}, "status_code": 200}
2025/12/16 19:39:47.159 INFO    got renewal info        {"names": ["other-caddy-ssl.ttdi.us"], "window_start": "2026/02/13 21:25:19.000", "window_end": "2026/02/15 16:36:09.000", "selected_time": "2026/02/14 19:15:36.000", "recheck_after": "2025/12/17 01:39:47.159", "explanation_url": ""}
2025/12/16 19:39:47.221 DEBUG   http request    {"method": "POST", "url": "https://acme-v02.api.letsencrypt.org/acme/cert/050e1f67040e239cfa7f7589a5c9357d6d76/1", "headers": {"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.10.2 CertMagic acmez (linux; amd64)"]}, "response_headers": {"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["2324"],"Content-Type":["application/pem-certificate-chain"],"Date":["Tue, 16 Dec 2025 19:39:47 GMT"],"Link":["<https://acme-v02.api.letsencrypt.org/directory>;rel=\"index\"","<https://acme-v02.api.letsencrypt.org/acme/cert/050e1f67040e239cfa7f7589a5c9357d6d76/0>;rel=\"alternate\""],"Replay-Nonce":["hSQhSvkiR5k_A9XLECbEHCQcLSjBhAdvASzDRj3_Y_f7bU2Evq0"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]}, "status_code": 200}
2025/12/16 19:39:47.222 DEBUG   getting renewal info    {"names": ["other-caddy-ssl.ttdi.us"]}
2025/12/16 19:39:47.286 DEBUG   http request    {"method": "GET", "url": "https://acme-v02.api.letsencrypt.org/acme/renewal-info/jw0TovYuftFQbDMYOF1ZjiNykco.BQ4fZwQOI5z6f3WJpck1fW12", "headers": {"User-Agent":["Caddy/2.10.2 CertMagic acmez (linux; amd64)"]}, "response_headers": {"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["101"],"Content-Type":["application/json"],"Date":["Tue, 16 Dec 2025 19:39:47 GMT"],"Link":["<https://acme-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Retry-After":["21600"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]}, "status_code": 200}
2025/12/16 19:39:47.287 INFO    got renewal info        {"names": ["other-caddy-ssl.ttdi.us"], "window_start": "2026/02/13 21:25:19.000", "window_end": "2026/02/15 16:36:09.000", "selected_time": "2026/02/14 00:53:56.000", "recheck_after": "2025/12/17 01:39:47.287", "explanation_url": ""}
2025/12/16 19:39:47.287 INFO    successfully downloaded available certificate chains    {"count": 2, "first_url": "https://acme-v02.api.letsencrypt.org/acme/cert/050e1f67040e239cfa7f7589a5c9357d6d76"}
2025/12/16 19:39:47.287 DEBUG   http    selected certificate chain      {"url": "https://acme-v02.api.letsencrypt.org/acme/cert/050e1f67040e239cfa7f7589a5c9357d6d76"}
2025/12/16 19:39:47.295 INFO    tls.obtain      certificate obtained successfully       {"identifier": "other-caddy-ssl.ttdi.us", "issuer": "acme-v02.api.letsencrypt.org-directory"}
2025/12/16 19:39:47.295 DEBUG   events  event   {"name": "cert_obtained", "id": "f8a54929-627e-47a3-9b56-5426f295199e", "origin": "tls", "data": {"certificate_path":"certificates/acme-v02.api.letsencrypt.org-directory/other-caddy-ssl.ttdi.us/other-caddy-ssl.ttdi.us.crt","csr_pem":"LS0tLS1CRUdJTiBDRVJUSUZJQ0FURSBSRVFVRVNULS0tLS0KTUlId01JR1hBZ0VBTUFBd1dUQVRCZ2NxaGtqT1BRSUJCZ2dxaGtqT1BRTUJCd05DQUFUdVZGdm4xSFdxRHRXVApJY3NQa3JaaktJVk54OG1weEgrdXZ1bExrMDRjTTZjM1JwcXRvRzBPb0J5M0tsbHlaRlJBMThXL0l5bVk1THFnClZ5M2czOEFqb0RVd013WUpLb1pJaHZjTkFRa09NU1l3SkRBaUJnTlZIUkVFR3pBWmdoZHZkR2hsY2kxallXUmsKZVMxemMyd3VkSFJrYVM1MWN6QUtCZ2dxaGtqT1BRUURBZ05JQURCRkFpQVhhSDAyUlppY3dpSVp6VHY5MVdVZgpkNjhRNCtEZVlJcy9pZy8zSjlxOGhRSWhBTDQ5QWpwSldFUGJxSFZvb01BbjlENlBEQ2xTdmxsSkdNS25SNWRaCkd5bFYKLS0tLS1FTkQgQ0VSVElGSUNBVEUgUkVRVUVTVC0tLS0tCg==","identifier":"other-caddy-ssl.ttdi.us","issuer":"acme-v02.api.letsencrypt.org-directory","metadata_path":"certificates/acme-v02.api.letsencrypt.org-directory/other-caddy-ssl.ttdi.us/other-caddy-ssl.ttdi.us.json","private_key_path":"certificates/acme-v02.api.letsencrypt.org-directory/other-caddy-ssl.ttdi.us/other-caddy-ssl.ttdi.us.key","renewal":false,"storage_path":"certificates/acme-v02.api.letsencrypt.org-directory/other-caddy-ssl.ttdi.us"}}
2025/12/16 19:39:47.295 INFO    tls.obtain      releasing lock  {"identifier": "other-caddy-ssl.ttdi.us"}
2025/12/16 19:39:47.295 DEBUG   tls     stapling OCSP   {"error": "no OCSP stapling for [other-caddy-ssl.ttdi.us]: no OCSP server specified in certificate", "identifiers": ["other-caddy-ssl.ttdi.us"]}
2025/12/16 19:39:47.296 DEBUG   tls.cache       added certificate to cache      {"subjects": ["other-caddy-ssl.ttdi.us"], "expiration": "2026/03/16 18:41:15.000", "managed": true, "issuer_key": "acme-v02.api.letsencrypt.org-directory", "hash": "cd5adf0c3d43e43a36735836aef627d3e2e83480919e2d58f00d346c2fc34299", "cache_size": 2, "cache_capacity": 10000}
2025/12/16 19:39:47.296 DEBUG   events  event   {"name": "cached_managed_cert", "id": "dda6bf23-c7f4-4fec-a294-a859c1cd33b6", "origin": "tls", "data": {"sans":["other-caddy-ssl.ttdi.us"]}}

and upon requesting something from other-caddy-ssl.ttdi.us, the logs are thus and it chooses the right certificate:

2025/12/16 19:40:52.333 DEBUG   events  event   {"name": "tls_get_certificate", "id": "cd5a985e-b641-4b62-b263-de978104f985", "origin": "tls", "data": {"client_hello":{"CipherSuites":[4865,4866,4867],"ServerName":"other-caddy-ssl.ttdi.us","SupportedCurves":[4588,29,23,24],"SupportedPoints":null,"SignatureSchemes":[1027,2052,1025,1283,2053,1281,2054,1537,513],"SupportedProtos":["h3"],"SupportedVersions":[772],"RemoteAddr":{"IP":"2601:189:8580:c871:2022:8de0:1f5a:7dcd","Port":50213,"Zone":""},"LocalAddr":{"IP":"2604:a880:400:d1:0:3:6578:e001","Port":443,"Zone":""}}}}
2025/12/16 19:40:52.334 DEBUG   tls.handshake   choosing certificate    {"identifier": "other-caddy-ssl.ttdi.us", "num_choices": 1}
2025/12/16 19:40:52.334 DEBUG   tls.handshake   default certificate selection results   {"identifier": "other-caddy-ssl.ttdi.us", "subjects": ["other-caddy-ssl.ttdi.us"], "managed": true, "issuer_key": "acme-v02.api.letsencrypt.org-directory", "hash": "cd5adf0c3d43e43a36735836aef627d3e2e83480919e2d58f00d346c2fc34299"}
2025/12/16 19:40:52.335 DEBUG   tls.handshake   matched certificate in cache    {"remote_ip": "2601:189:8580:c871:2022:8de0:1f5a:7dcd", "remote_port": "50213", "subjects": ["other-caddy-ssl.ttdi.us"], "managed": true, "expiration": "2026/03/16 18:41:15.000", "hash": "cd5adf0c3d43e43a36735836aef627d3e2e83480919e2d58f00d346c2fc34299"}

timelordx · December 18, 2025, 12:39am

I’ve got to admit, I’m running out of ideas here.

Your output for:

$ jq .apps.http.servers.srv0.tls_connection_policies autosave.json

[
  {
    "certificate_selection": {
      "any_tag": [
        "cert0"
      ]
    },
    "match": {
      "sni": [
        "*.caddy-ssl-test.ttdi.us",
        "caddy-ssl-test.ttdi.us"
      ]
    }
  },
  {}
]

and:

$ jq .apps.tls autosave.json

{
  "certificates": {
    "load_files": [
      {
        "certificate": "/etc/letsencrypt/live/caddy-ssl-test.ttdi.us/fullchain.pem",
        "key": "/etc/letsencrypt/live/caddy-ssl-test.ttdi.us/privkey.pem",
        "tags": [
          "cert0"
        ]
      }
    ]
  }
}

do not look the way I’d expect them to.

At this point, I’m going to leave it to the smarter folks (the devs) to see if they can spot what’s going wrong.

pfish · December 18, 2025, 1:24am

You’ve still helped me a lot by pointing me towards diagnostics and ways to look at the config.

I’ve managed to configure Caddy to work the way I would have expected it to work by making one very simple change to the generated JSON config from the https:// Caddyfile:

"tls_connection_policies": [
  {},  // <-- I added THIS empty policy to the list *before* cert0.
  {
    "certificate_selection": {
      "any_tag": [
        "cert0"
      ]
    }
  }
],

Which is to say that the full configuration looks like:

{
  "apps": {
    "http": {
      "servers": {
        "srv0": {
          "automatic_https": {
            "disable_redirects": true
          },
          "listen": [
            ":443"
          ],
          "routes": [
            {
              "handle": [
                {
                  "handler": "subroute",
                  "routes": [
                    {
                      "handle": [
                        {
                          "body": "THE OTHER CONFIG! This is {http.request.uri} on {http.request.host}.",
                          "handler": "static_response"
                        }
                      ]
                    }
                  ]
                }
              ],
              "match": [
                {
                  "host": [
                    "other-caddy-ssl.ttdi.us"
                  ]
                }
              ],
              "terminal": true
            },
            {
              "handle": [
                {
                  "handler": "subroute",
                  "routes": [
                    {
                      "handle": [
                        {
                          "body": "You just requested {http.request.uri} from {http.request.host}.",
                          "handler": "static_response"
                        }
                      ]
                    }
                  ]
                }
              ],
              "terminal": true
            }
          ],
          "tls_connection_policies": [
            {},
            {
              "certificate_selection": {
                "any_tag": [
                  "cert0"
                ]
              }
            }
          ]
        }
      }
    },
    "tls": {
      "certificates": {
        "load_files": [
          {
            "certificate": "/etc/letsencrypt/live/caddy-ssl-test.ttdi.us/fullchain.pem",
            "key": "/etc/letsencrypt/live/caddy-ssl-test.ttdi.us/privkey.pem",
            "tags": [
              "cert0"
            ]
          }
        ]
      }
    }
  },
  "logging": {
    "logs": {
      "default": {
        "level": "DEBUG"
      }
    }
  }
}

and here are the logs which show it both successfully requesting a TLS certificate for other-caddy-ssl.ttdi.us and then using both that certificate and the other wildcard certificate to correctly serve requests:

Starting caddy.service - Caddy...
{"level":"info","ts":1766020086.0902586,"msg":"maxprocs: Leaving GOMAXPROCS=1: CPU quota undefined"}
{"level":"info","ts":1766020086.0909383,"msg":"GOMEMLIMIT is updated","package":"github.com/KimMachineGun/automemlimit/memlimit","GOMEMLIMIT":430693171,"previous":9223372036854775807}
caddy.HomeDir=/var/lib/caddy
caddy.AppDataDir=/var/lib/caddy/.local/share/caddy
caddy.AppConfigDir=/var/lib/caddy/.config/caddy
caddy.ConfigAutosavePath=/var/lib/caddy/.config/caddy/autosave.json
caddy.Version=v2.10.2 h1:g/gTYjGMD0dec+UgMw8SnfmJ3I9+M2TdvoRL/Ovu6U8=
runtime.GOOS=linux
runtime.GOARCH=amd64
runtime.Compiler=gc
runtime.NumCPU=1
runtime.GOMAXPROCS=1
runtime.Version=go1.25.0
os.Getwd=/
LANG=C.UTF-8
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/snap/bin
NOTIFY_SOCKET=/run/systemd/notify
USER=caddy
LOGNAME=caddy
HOME=/var/lib/caddy
INVOCATION_ID=31b4c0e7f1234b8c981d616d999bdfd0
JOURNAL_STREAM=9:640841
SYSTEMD_EXEC_PID=43918
MEMORY_PRESSURE_WATCH=/sys/fs/cgroup/system.slice/caddy.service/memory.pressure
MEMORY_PRESSURE_WRITE=c29tZSAyMDAwMDAgMjAwMDAwMAA=
{"level":"info","ts":1766020086.0910728,"msg":"using config from file","file":"/etc/caddy/caddy-config.json"}
{"level":"info","ts":1766020086.0946848,"logger":"admin","msg":"admin endpoint started","address":"localhost:2019","enforce_origin":false,"origins":["//localhost:2019","//[::1]:2019","//127.0.0.1:2019"]}
{"level":"debug","ts":1766020086.0958269,"logger":"tls","msg":"stapling OCSP","error":"no OCSP stapling for [caddy-ssl-test.ttdi.us *.caddy-ssl-test.ttdi.us]: no OCSP server specified in certificate"}
{"level":"debug","ts":1766020086.095985,"logger":"events","msg":"event","name":"cached_unmanaged_cert","id":"c959918e-ccfa-4bda-8cb9-fc39079dde39","origin":"tls","data":{"sans":["caddy-ssl-test.ttdi.us","*.caddy-ssl-test.ttdi.us"]}}
{"level":"debug","ts":1766020086.0960832,"logger":"tls.cache","msg":"added certificate to cache","subjects":["caddy-ssl-test.ttdi.us","*.caddy-ssl-test.ttdi.us"],"expiration":1773639395,"managed":false,"issuer_key":"","hash":"b5aec2f7eda574fd204f67e78611f523e7813672e224f5c55d51618488363bab","cache_size":1,"cache_capacity":10000}
{"level":"info","ts":1766020086.0961905,"logger":"http.auto_https","msg":"automatic HTTP->HTTPS redirects are disabled","server_name":"srv0"}
{"level":"debug","ts":1766020086.0962112,"logger":"http.auto_https","msg":"adjusted config","tls":{"automation":{"policies":[{}]}},"http":{"servers":{"srv0":{"listen":[":443"],"routes":[{"handle":[{"handler":"subroute","routes":[{"handle":[{"body":"THE OTHER CONFIG! This is {http.request.uri} on {http.request.host}.","handler":"static_response"}]}]}],"terminal":true},{"handle":[{"handler":"subroute","routes":[{"handle":[{"body":"You just requested {http.request.uri} from {http.request.host}.","handler":"static_response"}]}]}],"terminal":true}],"tls_connection_policies":[{},{"certificate_selection":{"any_tag":["cert0"]}}],"automatic_https":{"disable_redirects":true}}}}}
{"level":"debug","ts":1766020086.0966868,"logger":"http","msg":"starting server loop","address":"[::]:443","tls":true,"http3":false}
{"level":"info","ts":1766020086.0967069,"logger":"http","msg":"enabling HTTP/3 listener","addr":":443"}
{"level":"info","ts":1766020086.0968816,"logger":"http.log","msg":"server running","name":"srv0","protocols":["h1","h2","h3"]}
{"level":"info","ts":1766020086.0968885,"logger":"http","msg":"enabling automatic TLS certificate management","domains":["other-caddy-ssl.ttdi.us"]}
{"level":"debug","ts":1766020086.0969713,"logger":"events","msg":"event","name":"started","id":"b50c453f-3eb6-4c48-9d97-0d82374e22a1","origin":"","data":null}
{"level":"info","ts":1766020086.0971167,"msg":"autosaved config (load with --resume flag)","file":"/var/lib/caddy/.config/caddy/autosave.json"}
Started caddy.service - Caddy.
{"level":"info","ts":1766020086.1016057,"msg":"serving initial configuration"}
{"level":"info","ts":1766020086.103653,"logger":"tls.cache.maintenance","msg":"started background certificate maintenance","cache":"0xc00033c980"}
{"level":"info","ts":1766020086.1055908,"logger":"tls","msg":"cleaning storage unit","storage":"FileStorage:/var/lib/caddy/.local/share/caddy"}
{"level":"info","ts":1766020086.1077085,"logger":"tls.obtain","msg":"acquiring lock","identifier":"other-caddy-ssl.ttdi.us"}
{"level":"info","ts":1766020086.1094139,"logger":"tls","msg":"finished cleaning storage units"}
{"level":"info","ts":1766020086.110033,"logger":"tls.obtain","msg":"lock acquired","identifier":"other-caddy-ssl.ttdi.us"}
{"level":"info","ts":1766020086.110158,"logger":"tls.obtain","msg":"obtaining certificate","identifier":"other-caddy-ssl.ttdi.us"}
{"level":"debug","ts":1766020086.1101956,"logger":"events","msg":"event","name":"cert_obtaining","id":"e42f6359-2025-479e-9d4d-3ee043480b3a","origin":"tls","data":{"identifier":"other-caddy-ssl.ttdi.us"}}
{"level":"debug","ts":1766020086.1104434,"logger":"tls","msg":"created CSR","identifiers":["other-caddy-ssl.ttdi.us"],"san_dns_names":["other-caddy-ssl.ttdi.us"],"san_emails":[],"common_name":"","extra_extensions":0}
{"level":"debug","ts":1766020086.1108763,"logger":"tls.obtain","msg":"trying issuer 1/1","issuer":"acme-v02.api.letsencrypt.org-directory"}
{"level":"info","ts":1766020086.1109946,"logger":"http","msg":"creating new account because no account for configured email is known to us","email":"","ca":"https://acme-v02.api.letsencrypt.org/directory","error":"open /var/lib/caddy/.local/share/caddy/acme/acme-v02.api.letsencrypt.org-directory/users/default/default.json: no such file or directory"}
{"level":"info","ts":1766020086.111047,"logger":"http","msg":"ACME account has empty status; registering account with ACME server","contact":[],"location":""}
{"level":"info","ts":1766020086.1132576,"logger":"http","msg":"creating new account because no account for configured email is known to us","email":"","ca":"https://acme-v02.api.letsencrypt.org/directory","error":"open /var/lib/caddy/.local/share/caddy/acme/acme-v02.api.letsencrypt.org-directory/users/default/default.json: no such file or directory"}
{"level":"debug","ts":1766020086.3012018,"msg":"http request","method":"GET","url":"https://acme-v02.api.letsencrypt.org/directory","headers":{"User-Agent":["Caddy/2.10.2 CertMagic acmez (linux; amd64)"]},"response_headers":{"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["1033"],"Content-Type":["application/json"],"Date":["Thu, 18 Dec 2025 01:08:06 GMT"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":200}
{"level":"debug","ts":1766020086.359854,"msg":"http request","method":"HEAD","url":"https://acme-v02.api.letsencrypt.org/acme/new-nonce","headers":{"User-Agent":["Caddy/2.10.2 CertMagic acmez (linux; amd64)"]},"response_headers":{"Cache-Control":["public, max-age=0, no-cache"],"Date":["Thu, 18 Dec 2025 01:08:06 GMT"],"Link":["<https://acme-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["3ZGp365BJEEiOjlNbCB-EvFwWRQliafCTzna25N_V3LHMdReZWo"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":200}
{"level":"debug","ts":1766020086.4657905,"msg":"http request","method":"POST","url":"https://acme-v02.api.letsencrypt.org/acme/new-acct","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.10.2 CertMagic acmez (linux; amd64)"]},"response_headers":{"Boulder-Requester":["2888069156"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["235"],"Content-Type":["application/json"],"Date":["Thu, 18 Dec 2025 01:08:06 GMT"],"Link":["<https://acme-v02.api.letsencrypt.org/directory>;rel=\"index\"","<https://letsencrypt.org/documents/LE-SA-v1.6-August-18-2025.pdf>;rel=\"terms-of-service\""],"Location":["https://acme-v02.api.letsencrypt.org/acme/acct/2888069156"],"Replay-Nonce":["WDq8UPGSKmCDCLXw4t-hA6JrLKnMxPorQ20IgK4QQbnOioqxlF0"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":201}
{"level":"info","ts":1766020086.466472,"logger":"http","msg":"new ACME account registered","contact":[],"status":"valid"}
{"level":"info","ts":1766020086.4715757,"logger":"http","msg":"waiting on internal rate limiter","identifiers":["other-caddy-ssl.ttdi.us"],"ca":"https://acme-v02.api.letsencrypt.org/directory","account":""}
{"level":"info","ts":1766020086.4716125,"logger":"http","msg":"done waiting on internal rate limiter","identifiers":["other-caddy-ssl.ttdi.us"],"ca":"https://acme-v02.api.letsencrypt.org/directory","account":""}
{"level":"info","ts":1766020086.4716501,"logger":"http","msg":"using ACME account","account_id":"https://acme-v02.api.letsencrypt.org/acme/acct/2888069156","account_contact":[]}
{"level":"debug","ts":1766020086.4716792,"msg":"creating order","account":"https://acme-v02.api.letsencrypt.org/acme/acct/2888069156","identifiers":["other-caddy-ssl.ttdi.us"]}
{"level":"debug","ts":1766020086.600487,"msg":"http request","method":"POST","url":"https://acme-v02.api.letsencrypt.org/acme/new-order","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.10.2 CertMagic acmez (linux; amd64)"]},"response_headers":{"Boulder-Requester":["2888069156"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["357"],"Content-Type":["application/json"],"Date":["Thu, 18 Dec 2025 01:08:06 GMT"],"Link":["<https://acme-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Location":["https://acme-v02.api.letsencrypt.org/acme/order/2888069156/459931559606"],"Replay-Nonce":["WDq8UPGSA4wpZXuvF-jQfG8Wkd35MRxIaPH9Cegjvxwh7t8nmcw"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":201}
{"level":"debug","ts":1766020086.661558,"msg":"http request","method":"POST","url":"https://acme-v02.api.letsencrypt.org/acme/authz/2888069156/629084642316","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.10.2 CertMagic acmez (linux; amd64)"]},"response_headers":{"Boulder-Requester":["2888069156"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["831"],"Content-Type":["application/json"],"Date":["Thu, 18 Dec 2025 01:08:06 GMT"],"Link":["<https://acme-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["WDq8UPGSliITfxMziEeD3Qi69k7cgIfewkB6XUbp9OpAoWCGjyc"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":200}
{"level":"info","ts":1766020086.662296,"msg":"trying to solve challenge","identifier":"other-caddy-ssl.ttdi.us","challenge_type":"tls-alpn-01","ca":"https://acme-v02.api.letsencrypt.org/directory"}
{"level":"debug","ts":1766020086.6658692,"msg":"waiting for solver before continuing","identifier":"other-caddy-ssl.ttdi.us","challenge_type":"tls-alpn-01"}
{"level":"debug","ts":1766020086.6659107,"msg":"done waiting for solver","identifier":"other-caddy-ssl.ttdi.us","challenge_type":"tls-alpn-01"}
{"level":"debug","ts":1766020086.6666203,"logger":"http.stdlib","msg":"http: TLS handshake error from 127.0.0.1:44724: EOF"}
{"level":"debug","ts":1766020086.7302167,"msg":"http request","method":"POST","url":"https://acme-v02.api.letsencrypt.org/acme/chall/2888069156/629084642316/YFEl_g","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.10.2 CertMagic acmez (linux; amd64)"]},"response_headers":{"Boulder-Requester":["2888069156"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["199"],"Content-Type":["application/json"],"Date":["Thu, 18 Dec 2025 01:08:06 GMT"],"Link":["<https://acme-v02.api.letsencrypt.org/directory>;rel=\"index\"","<https://acme-v02.api.letsencrypt.org/acme/authz/2888069156/629084642316>;rel=\"up\""],"Location":["https://acme-v02.api.letsencrypt.org/acme/chall/2888069156/629084642316/YFEl_g"],"Replay-Nonce":["3ZGp365B-0IsB8SnwtrK-GCX-ARiMCaE4ygHDXk8AmA1nzN9pZ4"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":200}
{"level":"debug","ts":1766020086.7309942,"msg":"challenge accepted","identifier":"other-caddy-ssl.ttdi.us","challenge_type":"tls-alpn-01"}
{"level":"debug","ts":1766020086.888917,"logger":"events","msg":"event","name":"tls_get_certificate","id":"6bd82f93-2020-4488-976a-539cb236273f","origin":"tls","data":{"client_hello":{"CipherSuites":[49195,49199,49196,49200,52393,52392,49161,49171,49162,49172,4865,4866,4867],"ServerName":"other-caddy-ssl.ttdi.us","SupportedCurves":[4588,29,23,24,25],"SupportedPoints":"AA==","SignatureSchemes":[2052,1027,2055,2053,2054,1025,1281,1537,1283,1539],"SupportedProtos":["acme-tls/1"],"SupportedVersions":[772,771],"RemoteAddr":{"IP":"2600:3000:2710:200::86","Port":43537,"Zone":""},"LocalAddr":{"IP":"2604:a880:400:d1:0:3:6578:e001","Port":443,"Zone":""}}}}
{"level":"info","ts":1766020086.8892076,"logger":"tls","msg":"served key authentication certificate","server_name":"other-caddy-ssl.ttdi.us","challenge":"tls-alpn-01","remote":"[2600:3000:2710:200::86]:43537","distributed":false}
{"level":"debug","ts":1766020087.0404513,"logger":"events","msg":"event","name":"tls_get_certificate","id":"7ea08eda-8616-44ad-9fb1-8029d464fdc4","origin":"tls","data":{"client_hello":{"CipherSuites":[49195,49199,49196,49200,52393,52392,49161,49171,49162,49172,4865,4866,4867],"ServerName":"other-caddy-ssl.ttdi.us","SupportedCurves":[4588,29,23,24,25],"SupportedPoints":"AA==","SignatureSchemes":[2052,1027,2055,2053,2054,1025,1281,1537,1283,1539],"SupportedProtos":["acme-tls/1"],"SupportedVersions":[772,771],"RemoteAddr":{"IP":"2600:1f16:269:da02:cdf7:9dda:4664:41f5","Port":18050,"Zone":""},"LocalAddr":{"IP":"2604:a880:400:d1:0:3:6578:e001","Port":443,"Zone":""}}}}
{"level":"info","ts":1766020087.0405061,"logger":"tls","msg":"served key authentication certificate","server_name":"other-caddy-ssl.ttdi.us","challenge":"tls-alpn-01","remote":"[2600:1f16:269:da02:cdf7:9dda:4664:41f5]:18050","distributed":false}
{"level":"debug","ts":1766020087.0448737,"msg":"http request","method":"POST","url":"https://acme-v02.api.letsencrypt.org/acme/authz/2888069156/629084642316","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.10.2 CertMagic acmez (linux; amd64)"]},"response_headers":{"Boulder-Requester":["2888069156"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["831"],"Content-Type":["application/json"],"Date":["Thu, 18 Dec 2025 01:08:07 GMT"],"Link":["<https://acme-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["WDq8UPGS75urkDwdeoKwBseqtBwSlPZ22YEVOC5ET-6ped8xNXY"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":200}
{"level":"debug","ts":1766020087.1629868,"logger":"events","msg":"event","name":"tls_get_certificate","id":"2eb2f688-49fe-4c28-b80e-629732357c27","origin":"tls","data":{"client_hello":{"CipherSuites":[49195,49199,49196,49200,52393,52392,49161,49171,49162,49172,4865,4866,4867],"ServerName":"other-caddy-ssl.ttdi.us","SupportedCurves":[4588,29,23,24,25],"SupportedPoints":"AA==","SignatureSchemes":[2052,1027,2055,2053,2054,1025,1281,1537,1283,1539],"SupportedProtos":["acme-tls/1"],"SupportedVersions":[772,771],"RemoteAddr":{"IP":"2600:1f14:804:fd00:14e1:2f6b:7078:b3df","Port":32672,"Zone":""},"LocalAddr":{"IP":"2604:a880:400:d1:0:3:6578:e001","Port":443,"Zone":""}}}}
{"level":"info","ts":1766020087.1637332,"logger":"tls","msg":"served key authentication certificate","server_name":"other-caddy-ssl.ttdi.us","challenge":"tls-alpn-01","remote":"[2600:1f14:804:fd00:14e1:2f6b:7078:b3df]:32672","distributed":false}
{"level":"debug","ts":1766020087.2096343,"logger":"events","msg":"event","name":"tls_get_certificate","id":"c46da7fa-0798-43ef-b0ef-85f8a449cc99","origin":"tls","data":{"client_hello":{"CipherSuites":[49195,49199,49196,49200,52393,52392,49161,49171,49162,49172,4865,4866,4867],"ServerName":"other-caddy-ssl.ttdi.us","SupportedCurves":[4588,29,23,24,25],"SupportedPoints":"AA==","SignatureSchemes":[2052,1027,2055,2053,2054,1025,1281,1537,1283,1539],"SupportedProtos":["acme-tls/1"],"SupportedVersions":[772,771],"RemoteAddr":{"IP":"2a05:d016:39f:3102:3b39:d1be:b29c:e928","Port":64860,"Zone":""},"LocalAddr":{"IP":"2604:a880:400:d1:0:3:6578:e001","Port":443,"Zone":""}}}}
{"level":"info","ts":1766020087.2097418,"logger":"tls","msg":"served key authentication certificate","server_name":"other-caddy-ssl.ttdi.us","challenge":"tls-alpn-01","remote":"[2a05:d016:39f:3102:3b39:d1be:b29c:e928]:64860","distributed":false}
{"level":"debug","ts":1766020087.3572936,"msg":"http request","method":"POST","url":"https://acme-v02.api.letsencrypt.org/acme/authz/2888069156/629084642316","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.10.2 CertMagic acmez (linux; amd64)"]},"response_headers":{"Boulder-Requester":["2888069156"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["831"],"Content-Type":["application/json"],"Date":["Thu, 18 Dec 2025 01:08:07 GMT"],"Link":["<https://acme-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["3ZGp365BQopsWzXnCILrxQPLS-11pvxnH8_6l7JpkE55aws2Ie4"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":200}
{"level":"debug","ts":1766020087.6096358,"logger":"events","msg":"event","name":"tls_get_certificate","id":"2a507e75-b2d5-4655-b745-5860743f8192","origin":"tls","data":{"client_hello":{"CipherSuites":[49195,49199,49196,49200,52393,52392,49161,49171,49162,49172,4865,4866,4867],"ServerName":"other-caddy-ssl.ttdi.us","SupportedCurves":[4588,29,23,24,25],"SupportedPoints":"AA==","SignatureSchemes":[2052,1027,2055,2053,2054,1025,1281,1537,1283,1539],"SupportedProtos":["acme-tls/1"],"SupportedVersions":[772,771],"RemoteAddr":{"IP":"2406:da18:85:1400:9f8a:9abb:50aa:b86c","Port":61058,"Zone":""},"LocalAddr":{"IP":"2604:a880:400:d1:0:3:6578:e001","Port":443,"Zone":""}}}}
{"level":"info","ts":1766020087.6096911,"logger":"tls","msg":"served key authentication certificate","server_name":"other-caddy-ssl.ttdi.us","challenge":"tls-alpn-01","remote":"[2406:da18:85:1400:9f8a:9abb:50aa:b86c]:61058","distributed":false}
{"level":"debug","ts":1766020087.6686096,"msg":"http request","method":"POST","url":"https://acme-v02.api.letsencrypt.org/acme/authz/2888069156/629084642316","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.10.2 CertMagic acmez (linux; amd64)"]},"response_headers":{"Boulder-Requester":["2888069156"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["831"],"Content-Type":["application/json"],"Date":["Thu, 18 Dec 2025 01:08:07 GMT"],"Link":["<https://acme-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["3ZGp365BoEfgAOIND1KuLazJPjQNEXoQRsq2rj4CNxjDKiw9O58"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":200}
{"level":"debug","ts":1766020087.9798207,"msg":"http request","method":"POST","url":"https://acme-v02.api.letsencrypt.org/acme/authz/2888069156/629084642316","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.10.2 CertMagic acmez (linux; amd64)"]},"response_headers":{"Boulder-Requester":["2888069156"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["831"],"Content-Type":["application/json"],"Date":["Thu, 18 Dec 2025 01:08:07 GMT"],"Link":["<https://acme-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["3ZGp365BNBofVAfaD4m09GR4a901nHzlJYTxRAo1e1c4h2ErIXc"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":200}
{"level":"debug","ts":1766020088.2912545,"msg":"http request","method":"POST","url":"https://acme-v02.api.letsencrypt.org/acme/authz/2888069156/629084642316","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.10.2 CertMagic acmez (linux; amd64)"]},"response_headers":{"Boulder-Requester":["2888069156"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["739"],"Content-Type":["application/json"],"Date":["Thu, 18 Dec 2025 01:08:08 GMT"],"Link":["<https://acme-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["3ZGp365BCmrQ20JzkzJrPCSJwbUmyfgk6OziE8T9XUq9rr24hSk"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":200}
{"level":"info","ts":1766020088.2915246,"msg":"authorization finalized","identifier":"other-caddy-ssl.ttdi.us","authz_status":"valid"}
{"level":"info","ts":1766020088.2915516,"msg":"validations succeeded; finalizing order","order":"https://acme-v02.api.letsencrypt.org/acme/order/2888069156/459931559606"}
{"level":"debug","ts":1766020088.6860232,"msg":"http request","method":"POST","url":"https://acme-v02.api.letsencrypt.org/acme/finalize/2888069156/459931559606","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.10.2 CertMagic acmez (linux; amd64)"]},"response_headers":{"Boulder-Requester":["2888069156"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["459"],"Content-Type":["application/json"],"Date":["Thu, 18 Dec 2025 01:08:08 GMT"],"Link":["<https://acme-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Location":["https://acme-v02.api.letsencrypt.org/acme/order/2888069156/459931559606"],"Replay-Nonce":["WDq8UPGS1CkxI0S_q3F1reZvBb_19LHY4aNt9lOK8L6KcqYzNlA"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":200}
{"level":"debug","ts":1766020088.7481337,"msg":"http request","method":"POST","url":"https://acme-v02.api.letsencrypt.org/acme/cert/05fe474eea41d631ddde8e50560ea09e9c4d","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.10.2 CertMagic acmez (linux; amd64)"]},"response_headers":{"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["2881"],"Content-Type":["application/pem-certificate-chain"],"Date":["Thu, 18 Dec 2025 01:08:08 GMT"],"Link":["<https://acme-v02.api.letsencrypt.org/directory>;rel=\"index\"","<https://acme-v02.api.letsencrypt.org/acme/cert/05fe474eea41d631ddde8e50560ea09e9c4d/1>;rel=\"alternate\""],"Replay-Nonce":["3ZGp365B4n_lAZxT1LWrQt53RQSFMpdSdAw3YxYd2K-CdDbTQdc"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":200}
{"level":"debug","ts":1766020088.7483492,"msg":"getting renewal info","names":["other-caddy-ssl.ttdi.us"]}
{"level":"debug","ts":1766020088.8095505,"msg":"http request","method":"GET","url":"https://acme-v02.api.letsencrypt.org/acme/renewal-info/jw0TovYuftFQbDMYOF1ZjiNykco.Bf5HTupB1jHd3o5QVg6gnpxN","headers":{"User-Agent":["Caddy/2.10.2 CertMagic acmez (linux; amd64)"]},"response_headers":{"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["101"],"Content-Type":["application/json"],"Date":["Thu, 18 Dec 2025 01:08:08 GMT"],"Link":["<https://acme-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Retry-After":["21600"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":200}
{"level":"info","ts":1766020088.809734,"msg":"got renewal info","names":["other-caddy-ssl.ttdi.us"],"window_start":1771124022,"window_end":1771279471,"selected_time":1771198219,"recheck_after":1766041688.809724,"explanation_url":""}
{"level":"debug","ts":1766020088.8697035,"msg":"http request","method":"POST","url":"https://acme-v02.api.letsencrypt.org/acme/cert/05fe474eea41d631ddde8e50560ea09e9c4d/1","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.10.2 CertMagic acmez (linux; amd64)"]},"response_headers":{"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["2316"],"Content-Type":["application/pem-certificate-chain"],"Date":["Thu, 18 Dec 2025 01:08:08 GMT"],"Link":["<https://acme-v02.api.letsencrypt.org/directory>;rel=\"index\"","<https://acme-v02.api.letsencrypt.org/acme/cert/05fe474eea41d631ddde8e50560ea09e9c4d/0>;rel=\"alternate\""],"Replay-Nonce":["3ZGp365BE7HJlLtT5w_ISyiYKvKsX3mgCgYc3_NkElD0UxVAChQ"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":200}
{"level":"debug","ts":1766020088.8705277,"msg":"getting renewal info","names":["other-caddy-ssl.ttdi.us"]}
{"level":"debug","ts":1766020088.9470026,"msg":"http request","method":"GET","url":"https://acme-v02.api.letsencrypt.org/acme/renewal-info/jw0TovYuftFQbDMYOF1ZjiNykco.Bf5HTupB1jHd3o5QVg6gnpxN","headers":{"User-Agent":["Caddy/2.10.2 CertMagic acmez (linux; amd64)"]},"response_headers":{"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["101"],"Content-Type":["application/json"],"Date":["Thu, 18 Dec 2025 01:08:08 GMT"],"Link":["<https://acme-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Retry-After":["21600"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":200}
{"level":"info","ts":1766020088.9471385,"msg":"got renewal info","names":["other-caddy-ssl.ttdi.us"],"window_start":1771124022,"window_end":1771279471,"selected_time":1771236260,"recheck_after":1766041688.9471285,"explanation_url":""}
{"level":"info","ts":1766020088.9471908,"msg":"successfully downloaded available certificate chains","count":2,"first_url":"https://acme-v02.api.letsencrypt.org/acme/cert/05fe474eea41d631ddde8e50560ea09e9c4d"}
{"level":"debug","ts":1766020088.9472053,"logger":"http","msg":"selected certificate chain","url":"https://acme-v02.api.letsencrypt.org/acme/cert/05fe474eea41d631ddde8e50560ea09e9c4d"}
{"level":"info","ts":1766020088.9530954,"logger":"tls.obtain","msg":"certificate obtained successfully","identifier":"other-caddy-ssl.ttdi.us","issuer":"acme-v02.api.letsencrypt.org-directory"}
{"level":"debug","ts":1766020088.9536948,"logger":"events","msg":"event","name":"cert_obtained","id":"248b9b4d-2710-40f8-9c98-228a9e46ff56","origin":"tls","data":{"certificate_path":"certificates/acme-v02.api.letsencrypt.org-directory/other-caddy-ssl.ttdi.us/other-caddy-ssl.ttdi.us.crt","csr_pem":"LS0tLS1CRUdJTiBDRVJUSUZJQ0FURSBSRVFVRVNULS0tLS0KTUlIeE1JR1hBZ0VBTUFBd1dUQVRCZ2NxaGtqT1BRSUJCZ2dxaGtqT1BRTUJCd05DQUFSV0MzdFVxVTh5YzMrVwo2clkrRVpRUUJuRTVOSzFmT0NUTjd5NENrNTROVzlPTjM0S0tiTGRpU1gzNU9IRUpDVEo4K3FBSkVzaUZPUjhVCjEwWFJ3dzhJb0RVd013WUpLb1pJaHZjTkFRa09NU1l3SkRBaUJnTlZIUkVFR3pBWmdoZHZkR2hsY2kxallXUmsKZVMxemMyd3VkSFJrYVM1MWN6QUtCZ2dxaGtqT1BRUURBZ05KQURCR0FpRUF5Rnl1bmNYYlJaTVliNUVnSlBvaQp4ZVc2MVFsL0hMWlEvdmxId212c3hISUNJUUQwYnEvMGVsSyt1V0VQUWRYbnVUQ0k2TE5rdjk3clFadURJSHVOCkFDQXNnQT09Ci0tLS0tRU5EIENFUlRJRklDQVRFIFJFUVVFU1QtLS0tLQo=","identifier":"other-caddy-ssl.ttdi.us","issuer":"acme-v02.api.letsencrypt.org-directory","metadata_path":"certificates/acme-v02.api.letsencrypt.org-directory/other-caddy-ssl.ttdi.us/other-caddy-ssl.ttdi.us.json","private_key_path":"certificates/acme-v02.api.letsencrypt.org-directory/other-caddy-ssl.ttdi.us/other-caddy-ssl.ttdi.us.key","renewal":false,"storage_path":"certificates/acme-v02.api.letsencrypt.org-directory/other-caddy-ssl.ttdi.us"}}
{"level":"info","ts":1766020088.9540212,"logger":"tls.obtain","msg":"releasing lock","identifier":"other-caddy-ssl.ttdi.us"}
{"level":"debug","ts":1766020088.955239,"logger":"tls","msg":"stapling OCSP","error":"no OCSP stapling for [other-caddy-ssl.ttdi.us]: no OCSP server specified in certificate","identifiers":["other-caddy-ssl.ttdi.us"]}
{"level":"debug","ts":1766020088.9555247,"logger":"tls.cache","msg":"added certificate to cache","subjects":["other-caddy-ssl.ttdi.us"],"expiration":1773792578,"managed":true,"issuer_key":"acme-v02.api.letsencrypt.org-directory","hash":"cb5dfc03a34c1f1f9914c13ccc2326528bdf172c319744e08e4e3f69cac52e7e","cache_size":2,"cache_capacity":10000}
{"level":"debug","ts":1766020088.9555683,"logger":"events","msg":"event","name":"cached_managed_cert","id":"249cf934-e68a-4e84-a86c-4ada271e3025","origin":"tls","data":{"sans":["other-caddy-ssl.ttdi.us"]}}
{"level":"debug","ts":1766020089.8653126,"logger":"events","msg":"event","name":"tls_get_certificate","id":"a204d327-6f9a-4677-a312-f124f4c607bb","origin":"tls","data":{"client_hello":{"CipherSuites":[35466,4865,4866,4867,49195,49199,49196,49200,52393,52392,49171,49172,156,157,47,53],"ServerName":"other-caddy-ssl.ttdi.us","SupportedCurves":[10794,4588,29,23,24],"SupportedPoints":"AA==","SignatureSchemes":[1027,2052,1025,1283,2053,1281,2054,1537],"SupportedProtos":["h2","http/1.1"],"SupportedVersions":[35466,772,771],"RemoteAddr":{"IP":"2601:189:8580:c871:2d16:cee6:62ae:ae50","Port":64499,"Zone":""},"LocalAddr":{"IP":"2604:a880:400:d1:0:3:6578:e001","Port":443,"Zone":""}}}}
{"level":"debug","ts":1766020089.8654006,"logger":"tls.handshake","msg":"choosing certificate","identifier":"other-caddy-ssl.ttdi.us","num_choices":1}
{"level":"debug","ts":1766020089.86541,"logger":"tls.handshake","msg":"default certificate selection results","identifier":"other-caddy-ssl.ttdi.us","subjects":["other-caddy-ssl.ttdi.us"],"managed":true,"issuer_key":"acme-v02.api.letsencrypt.org-directory","hash":"cb5dfc03a34c1f1f9914c13ccc2326528bdf172c319744e08e4e3f69cac52e7e"}
{"level":"debug","ts":1766020089.8654187,"logger":"tls.handshake","msg":"matched certificate in cache","remote_ip":"2601:189:8580:c871:2d16:cee6:62ae:ae50","remote_port":"64499","subjects":["other-caddy-ssl.ttdi.us"],"managed":true,"expiration":1773792578,"hash":"cb5dfc03a34c1f1f9914c13ccc2326528bdf172c319744e08e4e3f69cac52e7e"}
{"level":"debug","ts":1766020090.0788321,"logger":"events","msg":"event","name":"tls_get_certificate","id":"741012a6-ab59-4f47-b292-0761dbd3d575","origin":"tls","data":{"client_hello":{"CipherSuites":[4865,4866,4867],"ServerName":"caddy-ssl-test.ttdi.us","SupportedCurves":[4588,29,23,24],"SupportedPoints":null,"SignatureSchemes":[1027,2052,1025,1283,2053,1281,2054,1537,513],"SupportedProtos":["h3"],"SupportedVersions":[772],"RemoteAddr":{"IP":"2601:189:8580:c871:2d16:cee6:62ae:ae50","Port":65076,"Zone":""},"LocalAddr":{"IP":"2604:a880:400:d1:0:3:6578:e001","Port":443,"Zone":""}}}}
{"level":"debug","ts":1766020090.0792084,"logger":"tls.handshake","msg":"choosing certificate","identifier":"caddy-ssl-test.ttdi.us","num_choices":1}
{"level":"debug","ts":1766020090.079224,"logger":"tls.handshake","msg":"default certificate selection results","identifier":"caddy-ssl-test.ttdi.us","subjects":["caddy-ssl-test.ttdi.us","*.caddy-ssl-test.ttdi.us"],"managed":false,"issuer_key":"","hash":"b5aec2f7eda574fd204f67e78611f523e7813672e224f5c55d51618488363bab"}
{"level":"debug","ts":1766020090.0792322,"logger":"tls.handshake","msg":"matched certificate in cache","remote_ip":"2601:189:8580:c871:2d16:cee6:62ae:ae50","remote_port":"65076","subjects":["caddy-ssl-test.ttdi.us","*.caddy-ssl-test.ttdi.us"],"managed":false,"expiration":1773639395,"hash":"b5aec2f7eda574fd204f67e78611f523e7813672e224f5c55d51618488363bab"}
{"level":"debug","ts":1766020151.9550397,"logger":"events","msg":"event","name":"tls_get_certificate","id":"da099abd-8977-41ec-b669-cfc81e936136","origin":"tls","data":{"client_hello":{"CipherSuites":[49195,49199,49196,49200,52393,52392,49161,49171,49162,49172,4865,4866,4867],"ServerName":"other-caddy-ssl.ttdi.us","SupportedCurves":[4588,29,23,24,25],"SupportedPoints":"AA==","SignatureSchemes":[2052,1027,2055,2053,2054,1025,1281,1537,1283,1539,513,515],"SupportedProtos":null,"SupportedVersions":[772,771],"RemoteAddr":{"IP":"64.23.218.208","Port":35748,"Zone":""},"LocalAddr":{"IP":"159.223.159.15","Port":443,"Zone":""}}}}
{"level":"debug","ts":1766020151.9551363,"logger":"tls.handshake","msg":"choosing certificate","identifier":"other-caddy-ssl.ttdi.us","num_choices":1}
{"level":"debug","ts":1766020151.9551466,"logger":"tls.handshake","msg":"default certificate selection results","identifier":"other-caddy-ssl.ttdi.us","subjects":["other-caddy-ssl.ttdi.us"],"managed":true,"issuer_key":"acme-v02.api.letsencrypt.org-directory","hash":"cb5dfc03a34c1f1f9914c13ccc2326528bdf172c319744e08e4e3f69cac52e7e"}
{"level":"debug","ts":1766020151.9551578,"logger":"tls.handshake","msg":"matched certificate in cache","remote_ip":"64.23.218.208","remote_port":"35748","subjects":["other-caddy-ssl.ttdi.us"],"managed":true,"expiration":1773792578,"hash":"cb5dfc03a34c1f1f9914c13ccc2326528bdf172c319744e08e4e3f69cac52e7e"}
{"level":"debug","ts":1766020152.0445824,"logger":"events","msg":"event","name":"tls_get_certificate","id":"670f7143-4c84-488a-8f43-d7fdd3c9f01a","origin":"tls","data":{"client_hello":{"CipherSuites":[49195,49199,49196,49200,52393,52392,49161,49171,49162,49172,4865,4866,4867],"ServerName":"other-caddy-ssl.ttdi.us","SupportedCurves":[4588,29,23,24,25],"SupportedPoints":"AA==","SignatureSchemes":[2052,1027,2055,2053,2054,1025,1281,1537,1283,1539,513,515],"SupportedProtos":null,"SupportedVersions":[772,771],"RemoteAddr":{"IP":"2a03:b0c0:3:d0::e89:e001","Port":54482,"Zone":""},"LocalAddr":{"IP":"2604:a880:400:d1:0:3:6578:e001","Port":443,"Zone":""}}}}
{"level":"debug","ts":1766020152.0448966,"logger":"tls.handshake","msg":"choosing certificate","identifier":"other-caddy-ssl.ttdi.us","num_choices":1}
{"level":"debug","ts":1766020152.0449173,"logger":"tls.handshake","msg":"default certificate selection results","identifier":"other-caddy-ssl.ttdi.us","subjects":["other-caddy-ssl.ttdi.us"],"managed":true,"issuer_key":"acme-v02.api.letsencrypt.org-directory","hash":"cb5dfc03a34c1f1f9914c13ccc2326528bdf172c319744e08e4e3f69cac52e7e"}
{"level":"debug","ts":1766020152.0451932,"logger":"tls.handshake","msg":"matched certificate in cache","remote_ip":"2a03:b0c0:3:d0::e89:e001","remote_port":"54482","subjects":["other-caddy-ssl.ttdi.us"],"managed":true,"expiration":1773792578,"hash":"cb5dfc03a34c1f1f9914c13ccc2326528bdf172c319744e08e4e3f69cac52e7e"}

francislavoie · December 18, 2025, 1:44am

Hmm. Yeah that does seems like an edgecase not properly covered regarding connection policy setup via the Caddyfile… but I don’t understand why you would write your Caddyfile that way anyway I think it’s most correct to specify your hostnames like you did with caddy-ssl-test.ttdi.us, *.caddy-ssl-test.ttdi.us to match your certificate’s SANs. Why are you wanting to do it that way with https://?

pfish · December 18, 2025, 7:07am

Look, man, you’re not wrong.

If I’m honest I don’t really know why either. I think it’s mostly a path dependency thing where I wanted to just continue to use my existing externally-managed wildcard certs (which are also used by other thing(s?) like Postfix) for the domains they’re associated with, but have other different specially-configured domains that are webserver-only. Also I stubbornly didn’t want to specify the list of SANs on the cert in a place other than the cert itself (despite the fact that I already have to do essentially the same thing in the Postfix config to say “these are the domains you should handle mail for”).

Overall I think I want to rearrange the way I do certificates entirely and should probably separate the world of SMTP certs and the world of HTTP certs entirely, but in the meantime I got sniped by this weird edge case.

In conclusion, I am a land of contrasts.