Problems mixing automatic and on demand TLS

You didn’t mention which version of Caddy you’re using, so I’ll assume it’s somewhere in the 2.10.x range.

Starting with version 2.10.0, if there’s a wildcard domain configured, its wildcard certificate will be used for all matching subdomains. From the v2.10.0 release notes:

  • Wildcards used by default: Previously, Caddy would obtain individual certificates for every domain in your config literally; now wildcards, if present, will be utilized for subdomains, rather than obtaining individual certificates. This change was motivated by the novel possibility for subdomain privacy afforded by ECH. It can be overridden with tls force_automate in the Caddyfile. The experimental auto_https prefer_wildcard option has been removed.

Here’s what your Caddyfile could look like:

{
        email my@email.com
        on_demand_tls {
                ask http://localhost:3000/tls-check
        }
}

sub.gpp.garden {
        tls force_automate
        respond "A response: {http.request.host}"
}

*.gpp.garden, gpp.garden {
        tls {
                on_demand
        }
        respond "A different response: {http.request.host}"
}

It looks like this detail isn’t currently covered in the official tls documentation, but you can find it both in the release notes and in the code:

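The Caddyfile above points `ask` at `http://localhost:3000/tls-check`, but the post does not show what that service does. The following is an added example, not code from the original post or from the Caddy project, of a minimal `ask` endpoint written in Go. It relies on Caddy's documented on-demand TLS behaviour: before obtaining a certificate, Caddy sends a GET request to the `ask` URL with `?domain=<hostname>` and treats any 2xx response as permission to issue (anything else denies). The `allowedZones` list, the one-label depth rule, and the listen address are assumptions chosen to match the `*.gpp.garden, gpp.garden` site block; a real deployment would look the hostname up wherever tenant domains are actually recorded.

```go
package main

import (
	"log"
	"net/http"
	"strings"
)

// Assumed allow-list: the apex zone whose names Caddy may obtain
// certificates for on demand. Constructed for this example; a production
// endpoint would consult a database or API of hostnames you really own.
var allowedZones = []string{"gpp.garden"}

// domainAllowed reports whether certificate issuance should be permitted
// for name. It rejects empty or malformed input and anything outside
// allowedZones, so a stranger pointing arbitrary DNS names at this server
// cannot drive unbounded ACME issuance (the exposure `ask` exists to limit).
func domainAllowed(name string) bool {
	name = strings.ToLower(strings.TrimSuffix(name, "."))
	if name == "" || strings.ContainsAny(name, " /\\@:") {
		return false
	}
	for _, zone := range allowedZones {
		if name == zone || strings.HasSuffix(name, "."+zone) {
			// Policy choice (assumption): allow the apex and exactly one
			// subdomain label, matching what "*.gpp.garden, gpp.garden"
			// serves; deeper names such as a.b.gpp.garden are refused.
			rest := strings.TrimSuffix(name, zone)
			if strings.Count(rest, ".") <= 1 {
				return true
			}
		}
	}
	return false
}

// tlsCheck is the handler Caddy calls as GET /tls-check?domain=<name>.
// A 2xx status means "go ahead and issue"; any other status denies it.
func tlsCheck(w http.ResponseWriter, r *http.Request) {
	domain := r.URL.Query().Get("domain")
	if !domainAllowed(domain) {
		// Log denials: a burst of these is a useful signal that someone is
		// probing the on-demand issuer with names you do not control.
		log.Printf("denied on-demand certificate for %q", domain)
		http.Error(w, "domain not allowed", http.StatusForbidden)
		return
	}
	w.WriteHeader(http.StatusOK)
}

func main() {
	http.HandleFunc("/tls-check", tlsCheck)
	// Bind to loopback only: Caddy runs on the same host per the Caddyfile,
	// and nothing else should be able to reach this decision endpoint.
	log.Fatal(http.ListenAndServe("127.0.0.1:3000", nil))
}
```

Run it alongside Caddy and request a certificate for a name outside `gpp.garden`; Caddy will get a 403 and refuse to issue, while `sub.gpp.garden` (served from its own `force_automate` block) and `anything.gpp.garden` (served by the wildcard block) pass the check.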