Use case for On-Demand TLS

Hello! Just discovered Caddy the other day, and as a long-time nginx user I’m loving this feature set, especially the on-demand TLS stuff. I do have a question about it…

I’ve got an app where users can publish a blog, and by default it’s at a subdomain of my own domain, like where is my domain. I’ve configured Caddy to get certs for the subdomains and everything is great.

Now, a customer wants to CNAME their own domain to mine, so that resolves to and they can access their site, over HTTPS, as if it was coming from their domain directly. Is this the correct use case for On-demand TLS? I don’t see a mention of the actual term CNAME anywhere in these docs, so I got a little nervous.

It seems like if Let’s Encrypt is doing these ACME challenges and writing TXT records on the fly to confirm DNS ownership, then that’s not going to work for a domain that I don’t have full control over. But maybe it’s being smart and actually creates one of these “multi domain” certs instead?

1 Like

Caddy is fine with this, but just be aware you’ll run into rate limits with Let’s Encrypt really fast if you do this. It will fall back to ZeroSSL but it’s more optimal to have a wildcard domain for this use case.

On-Demand TLS is for domains you don’t control.

CNAME is just an implementation detail of how domains are validated. That delegates their domain to yours.

Since you don’t control the domain being verified (theirs), you should use On-Demand TLS for that.

On-Demand TLS works best with the HTTP-01 and TLS-ALPN-01 challenges, which are enabled by default. It doesn’t require any manipulation of TXT records.

No, all of Caddy’s managed certs are single-SAN.

Bottom line: I recommend creating a wildcard for your domain, then using on-demand TLS for customer domains if customers want to bring their own domains.

1 Like

Thanks for the quick reply!

I actually am using a wildcard domain for the subdomains, but it’s just HTTP at the moment: we’re using DNSimple so I’m waiting for my buddy who owns the domain to get me the API key so I can use the deprecated LEGO lib. I saw the GH issue yesterday where someone offered to make a libdns implementation for DNSimple so I’m crossing my fingers that happens soon. :slight_smile:

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.