Tailscale + Cloudflare: Combining explicit and wildcard CNAME records

1. The problem I’m having:

I have two DNS records in Cloudflare:

  • an explicit CNAME record for plex.mydomain.com pointing to the full Tailscale name of my device
  • a wildcard CNAME record for *.h.mydomain.com, also pointing to the same Tailscale device

On Caddy's side I have:

# one site block serving both the explicit name and the wildcard-covered name
plex.mydomain.com, plex.h.mydomain.com {
        reverse_proxy 192.168.1.120:3000
        import cloudflare
}

where cloudflare is the usual snippet:

# obtain certificates via the ACME DNS-01 challenge through Cloudflare
(cloudflare) {
        tls {
                dns cloudflare SOME_TOKEN
        }
}

When I try accessing https://plex.h.mydomain.com everything works correctly and I get the SSL certificate. When I use https://plex.mydomain.com, however, I can access the server but my browser is not happy about the SSL certificate.

2. Error messages and/or full log output:

When I look at the logs I see

http.auto_https	skipping automatic certificate management because one or more matching certificates are already loaded

for plex.mydomain.com

What makes the problem go away is adding the global option:

{
  auto_https ignore_loaded_certs
}

So I think the problem is related to Caddy using some old certificates or getting confused about the wildcard certificates.

Am I doing something obviously wrong?

3. Caddy version:

v2.9.0 h1:rteY8N18LsQn+2KVk6R10Vg/AlNsID1N/Ek9JLjm2yE=

4. How I installed and ran Caddy:

Downloaded Caddy + the Cloudflare plugin and saved the binary.

a. System environment:

Ubuntu + systemd
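A diagnostic added here, not part of the original post and not Caddy's own code: it connects to each hostname with that name as SNI, keeps chain verification on but turns browser-style hostname checking off, so the certificate that Caddy actually presents for plex.mydomain.com is returned for inspection instead of the handshake being rejected, and then applies the wildcard rules browsers use (a "*" matches exactly one leftmost label) to report whether any SAN on that certificate covers the requested name. The hostnames are the placeholders from the post and the SAN lists used in the assertions are constructed; the live fetch needs network access to a server with a publicly trusted certificate.

```python
"""Check which certificate a TLS server presents for a name and whether its
Subject Alternative Names actually cover that name (browser wildcard rules)."""
import socket
import ssl
import sys


def san_covers(hostname: str, san: str) -> bool:
    """Return True if one dNSName SAN entry covers hostname.

    Wildcard handling follows RFC 6125 / browser practice: '*' is honoured
    only as the entire leftmost label and matches exactly one label, so
    '*.h.mydomain.com' covers 'plex.h.mydomain.com' but not
    'plex.mydomain.com', 'h.mydomain.com' or 'a.b.h.mydomain.com'.
    """
    host = hostname.lower().rstrip(".")
    name = san.lower().rstrip(".")
    if not name.startswith("*."):
        return host == name
    suffix = name[2:]                      # everything after '*.'
    if not host.endswith("." + suffix):
        return False
    prefix = host[: -len(suffix) - 1]      # the part the '*' has to absorb
    return prefix != "" and "." not in prefix


def covering_names(hostname: str, sans: list[str]) -> list[str]:
    """All SAN entries that cover hostname (empty list means mismatch)."""
    return [s for s in sans if san_covers(hostname, s)]


def diagnose(hostname: str, sans: list[str]) -> tuple[bool, str]:
    """Return (covered, human-readable message) for a presented SAN list."""
    hits = covering_names(hostname, sans)
    if hits:
        return True, f"{hostname} is covered by SAN {hits[0]}"
    return False, f"{hostname} is NOT covered; certificate SANs are {sans}"


def fetch_san_names(hostname: str, port: int = 443, timeout: float = 5.0) -> list[str]:
    """Connect with SNI=hostname and return the dNSName SANs of the leaf cert.

    Chain verification stays on (CERT_REQUIRED, so a Let's Encrypt cert issued
    by Caddy passes), but check_hostname is disabled so that a certificate for
    the wrong name is handed back for inspection rather than aborting the
    handshake the way a browser would.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            cert = tls.getpeercert()       # parsed dict, populated because the chain was verified
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


if __name__ == "__main__":
    # Hostnames are the placeholders from the post; pass real ones on the command line.
    for host in sys.argv[1:] or ["plex.mydomain.com", "plex.h.mydomain.com"]:
        try:
            sans = fetch_san_names(host)
        except (OSError, ssl.SSLError) as exc:
            print(f"{host}: TLS connection failed: {exc}")
            continue
        ok, msg = diagnose(host, sans)
        print(("OK   " if ok else "FAIL ") + msg)
```

Run it against both names: if plex.mydomain.com comes back with only *.h.mydomain.com in its SANs, the server is serving the wildcard certificate for a name that wildcard cannot cover, which is exactly what the browser objects to; if the SANs include plex.mydomain.com, the mismatch is somewhere else (cached response, a different listener, an intermediary).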
