Placeholders not allowed for default_sni?

1. The problem I’m having:

I am getting the below error for this global config, it is using the string “{env.caddy_host}” as certificate name. The request was for the bare IP of the host.

2. Error messages and/or full log output:

```
{
  "insertId": "fte4ugfcf24ze",
  "jsonPayload": {
    "container": {
      "imageName": "jumager/caddy:develop",
      "created": "2026-06-08T19:35:46.830030493Z",
      "imageId": "sha256:f5131c52f7dbb44a961fb65441f7ef81da68e88fea3c15b75e519d891060464a",
      "id": "a524875a8de4648e3f7bc2457c0a8620e811d041938c6d32881809e95df6074b",
      "name": "/caddy"
    },
    "logger": "http.stdlib",
    "message": "http: TLS handshake error from 144.202.82.88:61234: certificate is not allowed for server name {env.caddy_host}: subject name does not qualify for certificate: {env.caddy_host}",
    "instance": {
      "zone": "redacted",
      "id": "redacted"
    }
  },
  "resource": {
    "type": "gce_instance",
    "labels": {
      "project_id": "redacted",
      "zone": "redacted",
      "instance_id": "redacted"
    }
  },
  "timestamp": "2026-06-09T12:35:34.975880513Z",
  "severity": "DEBUG",
  "logName": "projects/redacted/logs/ngcplogs-docker-driver",
  "receiveTimestamp": "2026-06-09T12:35:36.056063542Z"
}
```

3. Caddy version:

v2.11.5-0.20260603034900-fcc7860d038a h1:3Xp13FOrIusjyZNLM2Vlx3WZhkMUYkztdszCc+21JUA=

4. How I installed and ran Caddy:

I am running caddy from a docker container in host mode with the following plugins:

```
xcaddy build ${CADDY_VERSION} \
    --with github.com/pberkel/caddy-storage-redis@main \
    --with github.com/caddy-dns/cloudflare \
    --with github.com/jum/caddy-simpletrace \
    --with github.com/lucaslorentz/caddy-docker-proxy/v2@master
```

4a. System environment:

Docker on a Debian x86 bookworm install.

4b. Command:

caddy docker-proxy

4c. Service/unit/compose file:

```
{
	email redacted
	cert_issuer acme
	auto_https disable_redirects
	acme_dns cloudflare {env.CF_API_KEY}
	default_sni {env.CADDY_HOST}
	storage redis {
		host "{env.CADDY_REDIS_HOST}"
	}
	log {
		level DEBUG
	}
}
```

4d. My complete Caddy config:

```
{
	email redacted
	cert_issuer acme
	auto_https disable_redirects
	acme_dns cloudflare {env.CF_API_KEY}
	default_sni {env.CADDY_HOST}
	storage redis {
		host "{env.CADDY_REDIS_HOST}"
	}
	log {
		level DEBUG
	}
}
```

5. What I already tried, and links to relevant resources:

I would like to use placeholders in the default_sni global config. Is there a particular reason for not being able to use env vars here?

Assistance disclosure

No AI used.

I have so far traced it down to parseOptSingleString only allowing a literal string, no placeholders being substituted. Does appear to me as an oversight.

Apparently the syntax {$ENV_VAR} works here. So I end up with this:

```
acme_dns cloudflare {env.CF_API_KEY}
default_sni {$CADDY_HOST}
```

The acme_dns works with the one syntax, and the default_sni needs another. Strange.

Yeah I don’t think we’ve added placeholder support for the SNI field. We could consider doing that but it’d mainly be for env vars.

The {$ENV_VAR} syntax works because that always works everywhere, it is replaced at “adapt time” instead of “load time”, so if you adapt your config in a separate environment from production you may have separate results.
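
The difference discussed in this thread can be checked before deployment. The following is an added example, not code from the thread or from Caddy itself: a small Go lint that models adapt-time `{$VAR}` substitution and reports `default_sni` lines that would still carry a literal `{env.…}` string or end up empty. The function names, the regular expressions (a simplification of Caddy's parser) and the sample config are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// {$NAME} or {$NAME:default}: replaced in the Caddyfile text at adapt time.
var adaptTimeVar = regexp.MustCompile(`\{\$([A-Za-z_][A-Za-z0-9_]*)(?::([^}]*))?\}`)

// {env.NAME}: a runtime placeholder, expanded only where a directive supports it.
var runtimePlaceholder = regexp.MustCompile(`\{env\.[^}]+\}`)

// substituteAdaptTime is a simplified model: a set variable wins, else the default (or "").
func substituteAdaptTime(caddyfile string, env map[string]string) string {
	return adaptTimeVar.ReplaceAllStringFunc(caddyfile, func(m string) string {
		g := adaptTimeVar.FindStringSubmatch(m)
		if v, ok := env[g[1]]; ok {
			return v
		}
		return g[2]
	})
}

// lintDefaultSNI reports default_sni lines that end up empty or keep a {env.*} placeholder.
func lintDefaultSNI(caddyfile string, env map[string]string) []string {
	var findings []string
	for i, line := range strings.Split(substituteAdaptTime(caddyfile, env), "\n") {
		f := strings.Fields(line)
		if len(f) == 0 || f[0] != "default_sni" {
			continue
		}
		if len(f) < 2 {
			findings = append(findings, fmt.Sprintf("line %d: default_sni is empty", i+1))
		} else if runtimePlaceholder.MatchString(f[1]) {
			findings = append(findings, fmt.Sprintf("line %d: default_sni %s stays literal", i+1, f[1]))
		}
	}
	return findings
}

func main() {
	// Constructed sample config and environment, not taken from a real deployment.
	cfg := "{\n\tacme_dns cloudflare {env.CF_API_KEY}\n\tdefault_sni {env.CADDY_HOST}\n}"
	for _, f := range lintDefaultSNI(cfg, map[string]string{"CADDY_HOST": "example.test"}) {
		fmt.Println(f)
	}
}
```

Running the lint with the environment of the machine that adapts the config also catches the case where `{$CADDY_HOST}` is unset there and `default_sni` silently becomes empty.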