Question about the Multi-Issuer Support

1. Caddy version (caddy version):


3. The problem I’m having:

The release notes for version 2.3.0 say that multi-issuer support is turned on by default.
I have some applications that expect a Let’s Encrypt certificate. Therefore, I do not want a fallback to ZeroSSL for the time being. If I see this correctly, I have to set the cert_issuer for this. As possible options I only find “acme” and “zerossl”. Does “acme” without further parameters mean the use of Let’s Encrypt?
Unfortunately, the documentation only tells me how to set ZeroSSL in different ways.


Technically, if you only want to allow Let’s Encrypt (or any other specific CAs) to issue certs for your domains, you need to configure CAA records in your DNS zone. This is unrelated to Caddy, and it sounds like what your applications actually require based on what you’ve said.

If you want to configure the issuers that Caddy uses, the existing methods apply. Since you mentioned that you set cert_issuer I assume you’re using the Caddyfile:

  • cert_issuer global option
  • or tls directive

The default CA for the acme issuer is still Let’s Encrypt.

In other words, for your use case, this would probably be easiest:

    cert_issuer acme

You can also make it more explicit like so:


Or you can use the tls directive to give you control per-domain, etc.

Thanks for the quick reply!

Now I know how to achieve my goal.

I think I was a bit confused because, as far as I know, ZeroSSL and Let’s Encrypt both use the ACME protocol, but ZeroSSL has its own issuer type and Let’s Encrypt hides behind the generic name.

1 Like

Great! Glad that helped.

Yeah, it’s because ZeroSSL requires EAB, which you can specify manually after getting EAB credentials through the dashboard. Or Caddy can generate them for you through their API, which simply requires your API key from your ZeroSSL account. That API call is not ACME, but that’s the only divergence, so the ZeroSSLIssuer is implemented as a literal wrapper over the ACMEIssuer with the addition of the API key. Otherwise, they’re exactly the same and you don’t need to use the ZeroSSL API if you don’t want to.

This topic was automatically closed after 30 days. New replies are no longer allowed.