Using different (overlapping) certificates for different sites in same config file

1. Caddy version (caddy version):

v2.1.1 h1:X9k1+ehZPYYrSqBvf/ocUgdLSRIuiNiMo7CvyGUQKeA=
Built via xcaddy: ~/go/bin/xcaddy build --with github.com/caddy-dns/cloudflare --with github.com/hairyhenderson/caddy-teapot-module

2. How I run Caddy:

a. System environment:

Debian 10.4 Buster

b. Command:

Caddy is usually maintained via a systemd service, but for testing I am just executing it manually:

caddy run

d. My complete Caddyfile or JSON config:

{
#debug
}

##### START OF REVERSE PROXY SNIPPETS #####

(rp_nextcloud01) {
        reverse_proxy http://nextcloud01.app.colo.1904.tech:80 {
                header_down "X-Served-By" "Edge05"
                flush_interval -1
        }
}

(rp_gitea01) {
        reverse_proxy http://gitea01.app.colo.1904.tech:80 {
                header_down "X-Served-By" "Edge05"
        }
}

(rp_adfs) {
        reverse_proxy https://adfs.1904.tech:443 {
                header_down "X-Served-By" "Edge05"
        }
}

##### END OF REVERSE PROXY SNIPPETS #####

#### START OF TLS SNIPPETS #####

#Private CA issued, issued for wildcard externally-facing domains
(tls_ca_ext_wildcard) {
        tls /etc/ssl/certs/BCT-Edge05-BCTPublicDomains-Wildcard.pem /etc/ssl/private/BCT-Edge05-BCTPublicDomains-Wildcard.key
}
#Private CA issued, issued for server's hostname
(tls_ca_int_wildcard) {
        tls /etc/ssl/certs/edge05.dmz.colo.1904.tech.pem /etc/ssl/private/edge05.dmz.colo.1904.tech.key
}

#Cloudflare DNS API key for provisioning LE's DNS Challenge records 
(tls_le_boldcity.tech) {
        tls {
                dns cloudflare {$CLOUDFLARE_API_KEY}
        }
}

#Cloudflare issued Origin Certificate for use with Cloudflare proxy
(tls_cf_boldcity.tech) {
        tls /etc/ssl/cf/boldcity.tech/cert.pem /etc/ssl/cf/boldcity.tech/priv.key
}

###### END OF TLS SNIPPETS #####

####### END OF ALL SNIPPETS #######



####### START OF SITE DECLARATIONS#######

#We want this domain to utilize the Cloudflare-issued TLS Certificate as the public endpoint is proxied
cloud.boldcity.tech drive.boldcity.tech {
        import rp_nextcloud01
        import tls_cf_boldcity.tech
        redir /.well-known/carddav https://ingest.cloud.boldcity.tech/remote.php/dav/ 302
        redir /.well-known/caldav https://ingest.cloud.boldcity.tech/remote.php/dav/ 302

#       log / /var/log/caddy/cloud.boldcity.tech.log {combined}
}

#Use a Caddy-generated LE TLS certificate
ingest.cloud.boldcity.tech {
        import rp_nextcloud01
        import tls_le_boldcity.tech
}

#Use a Caddy-generated LE TLS certificate
git.boldcity.tech {
        import rp_gitea01
        import tls_le_boldcity.tech
}

#Use wildcard certificate from internal private CA
enterpriseregistration.potts.it {
       import rp_adfs
       import tls_ca_ext_wildcard
}

#Use wildcard certificate from internal private CA
enterpriseregistration.1904.tech {
       import rp_adfs
       import tls_ca_ext_wildcard
}

3. The problem I’m having:

I am attempting to replace my nginx-based reverse proxy in my lab with Caddy.
I have multiple different scenarios that necessitate the use of one of three different types of certificates for each particular FQDN that is being proxied:

  • Caddy-managed Let’s Encrypt certificate, issued for the individual FQDN (git.boldcity.tech)
  • Cloudflare-issued origin CA certificate, issued for a wildcard of the base domain (*.boldcity.tech)
  • Internal private CA-issued certificate, usually issued for a wildcard of the base domain.

To increase scalability for myself, I am using snippets in a similar way to how I did things in nginx, as there will be multiple external domains that use the same backend server, each potentially using different certificate types.

(Yes, it’s a pain to keep organized and, among other reasons, I want to move to Caddy to eventually utilize the API to automate much of this…)

When I utilize the above Caddyfile, Caddy utilizes non-desired certificates for each endpoint, presumably because it’s doing things in the order it reads the config file and I am doing something wrong…

In this example, it seems to utilize:

  1. wildcard CF cert for the first site as desired
  2. for the second site it doesn’t encounter a cert that matches the secondary subdomain (which is accurate) and generates a LE cert
  3. It sees that it already has a cert that will work (wildcard CF cert) and uses it instead of a LE cert
  4. for the fourth and fifth it uses the correct internal CA.

Any additional sites I add use all sorts of non-desired certs as well, seemingly based on the order of their inclusion. The config file was trimmed down to exclude the 30+ other sites & 10 domains/CF Certs that are all redundant of what is shown.

I completely understand that I am utilizing this in a pretty unique implementation of an atypical scenario, but I figure there has to be a way to convince Caddy to use a specific cert for a specific site without having to resort to putting the sites in the config file in a specific order, which seems pretty unsustainable.

What am I missing to make this work?

Thanks!

In reading through other posts, I came across this which seems to indicate the logic I am expecting isn’t how this works.

I will attempt to reformat my config utilizing host matchers and see if that gets me where I need to go. (how I will use this via the API in the future will be something that future me will have to deal with.)

Since I am wanting to have different certificates for different subdomains on the same domain, it looks like the method linked above isn’t going to work.

Does anyone else have any thoughts on how I can achieve what I am looking to get working?

There seems to be a lot going on here, and I haven’t had time to spend drilling down into it for you, but I’ll give you a hint: if we convert your Caddyfile to JSON (caddy adapt), you should be able to see what is going on more clearly:

{
  "apps": {
    "http": {
      "servers": {
        "srv0": {
          "listen": [
            ":443"
          ],
          "routes": [
            {
              "match": [
                {
                  "host": [
                    "enterpriseregistration.1904.tech"
                  ]
                }
              ],
              "handle": [
                {
                  "handler": "subroute",
                  "routes": [
                    {
                      "handle": [
                        {
                          "handler": "reverse_proxy",
                          "headers": {
                            "response": {
                              "set": {
                                "X-Served-By": [
                                  "Edge05"
                                ]
                              }
                            }
                          },
                          "transport": {
                            "protocol": "http",
                            "tls": {}
                          },
                          "upstreams": [
                            {
                              "dial": "adfs.1904.tech:443"
                            }
                          ]
                        }
                      ]
                    }
                  ]
                }
              ],
              "terminal": true
            },
            {
              "match": [
                {
                  "host": [
                    "enterpriseregistration.potts.it"
                  ]
                }
              ],
              "handle": [
                {
                  "handler": "subroute",
                  "routes": [
                    {
                      "handle": [
                        {
                          "handler": "reverse_proxy",
                          "headers": {
                            "response": {
                              "set": {
                                "X-Served-By": [
                                  "Edge05"
                                ]
                              }
                            }
                          },
                          "transport": {
                            "protocol": "http",
                            "tls": {}
                          },
                          "upstreams": [
                            {
                              "dial": "adfs.1904.tech:443"
                            }
                          ]
                        }
                      ]
                    }
                  ]
                }
              ],
              "terminal": true
            },
            {
              "match": [
                {
                  "host": [
                    "ingest.cloud.boldcity.tech"
                  ]
                }
              ],
              "handle": [
                {
                  "handler": "subroute",
                  "routes": [
                    {
                      "handle": [
                        {
                          "flush_interval": -1,
                          "handler": "reverse_proxy",
                          "headers": {
                            "response": {
                              "set": {
                                "X-Served-By": [
                                  "Edge05"
                                ]
                              }
                            }
                          },
                          "upstreams": [
                            {
                              "dial": "nextcloud01.app.colo.1904.tech:80"
                            }
                          ]
                        }
                      ]
                    }
                  ]
                }
              ],
              "terminal": true
            },
            {
              "match": [
                {
                  "host": [
                    "cloud.boldcity.tech",
                    "drive.boldcity.tech"
                  ]
                }
              ],
              "handle": [
                {
                  "handler": "subroute",
                  "routes": [
                    {
                      "handle": [
                        {
                          "handler": "static_response",
                          "headers": {
                            "Location": [
                              "https://ingest.cloud.boldcity.tech/remote.php/dav/"
                            ]
                          },
                          "status_code": 302
                        }
                      ],
                      "match": [
                        {
                          "path": [
                            "/.well-known/carddav"
                          ]
                        }
                      ]
                    },
                    {
                      "handle": [
                        {
                          "handler": "static_response",
                          "headers": {
                            "Location": [
                              "https://ingest.cloud.boldcity.tech/remote.php/dav/"
                            ]
                          },
                          "status_code": 302
                        }
                      ],
                      "match": [
                        {
                          "path": [
                            "/.well-known/caldav"
                          ]
                        }
                      ]
                    },
                    {
                      "handle": [
                        {
                          "flush_interval": -1,
                          "handler": "reverse_proxy",
                          "headers": {
                            "response": {
                              "set": {
                                "X-Served-By": [
                                  "Edge05"
                                ]
                              }
                            }
                          },
                          "upstreams": [
                            {
                              "dial": "nextcloud01.app.colo.1904.tech:80"
                            }
                          ]
                        }
                      ]
                    }
                  ]
                }
              ],
              "terminal": true
            },
            {
              "match": [
                {
                  "host": [
                    "git.boldcity.tech"
                  ]
                }
              ],
              "handle": [
                {
                  "handler": "subroute",
                  "routes": [
                    {
                      "handle": [
                        {
                          "handler": "reverse_proxy",
                          "headers": {
                            "response": {
                              "set": {
                                "X-Served-By": [
                                  "Edge05"
                                ]
                              }
                            }
                          },
                          "upstreams": [
                            {
                              "dial": "gitea01.app.colo.1904.tech:80"
                            }
                          ]
                        }
                      ]
                    }
                  ]
                }
              ],
              "terminal": true
            }
          ],
          "tls_connection_policies": [
            {
              "match": {
                "sni": [
                  "enterpriseregistration.1904.tech"
                ]
              },
              "certificate_selection": {
                "any_tag": [
                  "cert1"
                ]
              }
            },
            {
              "match": {
                "sni": [
                  "enterpriseregistration.potts.it"
                ]
              },
              "certificate_selection": {
                "any_tag": [
                  "cert1"
                ]
              }
            },
            {
              "match": {
                "sni": [
                  "cloud.boldcity.tech",
                  "drive.boldcity.tech"
                ]
              },
              "certificate_selection": {
                "any_tag": [
                  "cert0"
                ]
              }
            },
            {}
          ]
        }
      }
    },
    "tls": {
      "certificates": {
        "load_files": [
          {
            "certificate": "/etc/ssl/certs/BCT-Edge05-BCTPublicDomains-Wildcard.pem",
            "key": "/etc/ssl/private/BCT-Edge05-BCTPublicDomains-Wildcard.key",
            "tags": [
              "cert1"
            ]
          },
          {
            "certificate": "/etc/ssl/cf/boldcity.tech/cert.pem",
            "key": "/etc/ssl/cf/boldcity.tech/priv.key",
            "tags": [
              "cert0"
            ]
          }
        ]
      },
      "automation": {
        "policies": [
          {
            "subjects": [
              "ingest.cloud.boldcity.tech",
              "git.boldcity.tech"
            ],
            "issuer": {
              "challenges": {
                "dns": {
                  "provider": {
                    "api_token": "secret123",
                    "name": "cloudflare"
                  }
                }
              },
              "module": "acme"
            }
          }
        ]
      }
    }
  }
}

Manually-loaded certificates are tagged so that they are used for specific server names; anything that Caddy automates is selected based on the specific server name being connected to.

Study this, and I think it will help answer your question or provide some guidance.

Thanks for getting back to me!
After some enthusiastic trial and failure, I took the exact Caddy file you provided and attempted to run it with caddy start -config caddy.json, and it immediately started to try to request a cert for enterpriseregistration.1904.tech, which I would have expected it not to, as it’s already specified to match against cert1.

The first part of the log from that attempt is here:

root@Edge05:/etc/caddy# caddy start -config caddy.json
2020/11/03 22:57:03.241 INFO    using provided configuration    {"config_file": "caddy.json", "config_adapter": ""}
2020/11/03 22:57:03.244 INFO    admin   admin endpoint started  {"address": "tcp/localhost:2019", "enforce_origin": false, "origins": ["localhost:2019", "[::1]:2019", "127.0.0.1:2019"]}
2020/11/03 17:57:03 [INFO][cache:0xc0004df740] Started certificate maintenance routine
2020/11/03 17:57:03 [WARNING] Stapling OCSP: no OCSP stapling for [edge05.dmz.colo.1904.tech *.boldcity.tech boldcity.tech]: no OCSP server specified in certificate
2020/11/03 17:57:03 [WARNING] Stapling OCSP: no OCSP stapling for [cloudflare origin certificate *.boldcity.tech *.chat.boldcity.tech boldcity.tech]: no URL to issuing certificate
2020/11/03 22:57:03.248 INFO    http    skipping automatic certificate management because one or more matching certificates are already loaded  {"domain": "cloud.boldcity.tech", "server_name": "srv0"}
2020/11/03 22:57:03.248 INFO    http    skipping automatic certificate management because one or more matching certificates are already loaded  {"domain": "drive.boldcity.tech", "server_name": "srv0"}
2020/11/03 22:57:03.248 INFO    http    skipping automatic certificate management because one or more matching certificates are already loaded  {"domain": "git.boldcity.tech", "server_name": "srv0"}
2020/11/03 22:57:03.248 INFO    http    enabling automatic HTTP->HTTPS redirects        {"server_name": "srv0"}
2020/11/03 22:57:03.250 INFO    tls     cleaned up storage units
2020/11/03 22:57:03.250 INFO    http    enabling automatic TLS certificate management   {"domains": ["enterpriseregistration.1904.tech", "enterpriseregistration.potts.it", "ingest.cloud.boldcity.tech"]}
2020/11/03 22:57:03.251 INFO    autosaved config        {"file": "/root/.config/caddy/autosave.json"}
2020/11/03 22:57:03.251 INFO    serving initial configuration
2020/11/03 17:57:03 [INFO][enterpriseregistration.1904.tech] Obtain certificate; acquiring lock...
2020/11/03 17:57:03 [INFO][ingest.cloud.boldcity.tech] Obtain certificate; acquiring lock...
2020/11/03 17:57:03 [INFO][enterpriseregistration.potts.it] Obtain certificate; acquiring lock...
2020/11/03 17:57:03 [INFO][enterpriseregistration.1904.tech] Obtain: Lock acquired; proceeding...
2020/11/03 17:57:03 [INFO][enterpriseregistration.potts.it] Obtain: Lock acquired; proceeding...
2020/11/03 17:57:03 [INFO][ingest.cloud.boldcity.tech] Obtain: Lock acquired; proceeding...
Successfully started Caddy (pid=17881) - Caddy is running in the background
root@Edge05:/etc/caddy# 2020/11/03 17:57:03 http: TLS handshake error from 8.9.230.29:54983: remote error: tls: unknown certificate
2020/11/03 17:57:04 [INFO][enterpriseregistration.potts.it] Waiting on rate limiter...
2020/11/03 17:57:04 [INFO][enterpriseregistration.potts.it] Done waiting
2020/11/03 17:57:04 [INFO] [enterpriseregistration.potts.it] acme: Obtaining bundled SAN certificate given a CSR
2020/11/03 17:57:04 [INFO][enterpriseregistration.1904.tech] Waiting on rate limiter...
2020/11/03 17:57:04 [INFO][enterpriseregistration.1904.tech] Done waiting
2020/11/03 17:57:04 [INFO] [enterpriseregistration.1904.tech] acme: Obtaining bundled SAN certificate given a CSR
2020/11/03 17:57:04 [INFO][ingest.cloud.boldcity.tech] Waiting on rate limiter...
2020/11/03 17:57:04 [INFO][ingest.cloud.boldcity.tech] Done waiting
2020/11/03 17:57:04 [INFO] [ingest.cloud.boldcity.tech] acme: Obtaining bundled SAN certificate given a CSR
2020/11/03 17:57:04 [INFO] [enterpriseregistration.potts.it] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/8343676806
2020/11/03 17:57:04 [INFO] [enterpriseregistration.potts.it] acme: Could not find solver for: tls-alpn-01
2020/11/03 17:57:04 [INFO] [enterpriseregistration.potts.it] acme: Could not find solver for: http-01
2020/11/03 17:57:04 [INFO] [enterpriseregistration.potts.it] acme: use dns-01 solver
2020/11/03 17:57:04 [INFO] [enterpriseregistration.potts.it] acme: Preparing to solve DNS-01
2020/11/03 17:57:04 [INFO] [ingest.cloud.boldcity.tech] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/8343676889
2020/11/03 17:57:04 [INFO] [ingest.cloud.boldcity.tech] acme: Could not find solver for: tls-alpn-01
2020/11/03 17:57:04 [INFO] [ingest.cloud.boldcity.tech] acme: Could not find solver for: http-01
2020/11/03 17:57:04 [INFO] [ingest.cloud.boldcity.tech] acme: use dns-01 solver
2020/11/03 17:57:04 [INFO] [ingest.cloud.boldcity.tech] acme: Preparing to solve DNS-01
2020/11/03 17:57:05 [INFO] [enterpriseregistration.1904.tech] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/8343676915
2020/11/03 17:57:05 [INFO] [enterpriseregistration.1904.tech] acme: Could not find solver for: tls-alpn-01

I am going to simplify my config down a bit more and do some further testing.
Thanks for getting me started!

What is the output of openssl x509 -in /etc/ssl/certs/BCT-Edge05-BCTPublicDomains-Wildcard.pem -text?

Full output is below, anything in particular you are thinking?

(also, I just noticed this is an older cert that I generated prior to fixing my CRL. I’ll fix that soon)

root@Edge05:/etc/caddy# openssl x509 -in /etc/ssl/certs/BCT-Edge05-BCTPublicDomains-Wildcard.pem -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            1c:00:00:00:58:e6:a9:59:8a:c6:5e:5c:0d:00:00:00:00:00:58
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: DC = tech, DC = 1904, CN = 1904 Intermediate Authority X1
        Validity
            Not Before: Aug 31 20:22:26 2020 GMT
            Not After : Aug 31 20:32:26 2022 GMT
        Subject: CN = edge05.dmz.colo.1904.tech
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:a0:c5:6a:f5:c1:9d:b5:6b:bf:99:54:89:2c:73:
                    48:17:47:e0:8f:3a:f1:b7:eb:e8:f3:4c:20:0d:81:
                    7c:1b:7e:5b:71:b2:bb:10:1c:38:03:a0:28:a4:d6:
                    3b:09:83:c0:35:b8:49:9c:42:81:8b:52:7f:f0:32:
                    fd:86:a0:41:de:46:76:98:11:d7:c3:23:26:17:38:
                    88:98:42:73:bb:bb:20:99:e6:36:37:c0:dc:13:b2:
                    db:d7:d3:f7:0d:49:d1:f6:3f:b6:29:53:a0:b7:d3:
                    11:b8:72:6c:8b:8c:10:b8:49:ac:bb:47:1a:bf:d5:
                    1e:5d:f3:2a:42:5d:bd:7f:17:14:87:d9:09:b7:f6:
                    20:7a:77:3d:ff:6a:4d:e9:25:c2:af:b2:bc:6e:81:
                    8c:c0:ae:3a:b5:ae:8c:58:2e:90:b0:1c:84:90:59:
                    bb:92:33:e3:8c:06:cd:38:c1:d8:60:9d:ff:8a:a8:
                    97:41:02:19:38:d8:67:09:0c:b4:2c:87:3d:1b:1e:
                    3f:ac:0b:15:37:5b:40:5e:b2:87:3b:3d:d1:2f:92:
                    a6:cc:cd:20:9b:33:21:bc:a8:c3:0d:ef:61:8e:a4:
                    57:2b:27:07:34:85:b8:93:ed:38:f6:ed:0c:bf:fc:
                    64:e3:e2:0b:73:85:ae:aa:4e:11:c9:f0:9c:cc:7c:
                    a2:61
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            1.3.6.1.4.1.311.21.7:
                0..&+.....7.....u...r.......I........>...'..d...
            X509v3 Extended Key Usage:
                TLS Web Client Authentication, TLS Web Server Authentication
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            1.3.6.1.4.1.311.21.10:
                0.0
..+.......0
..+.......
            X509v3 Subject Key Identifier:
                E5:DB:C9:FA:4F:36:C1:5B:A1:C3:DF:D2:95:71:2D:CF:A9:59:A9:0B
            X509v3 Subject Alternative Name:
                DNS:edge05.dmz.colo.1904.tech, DNS:*.boldcity.tech, DNS:*.boldcity.network, DNS:*.boldcitytech.chat, DNS:*.boldcity.services, DNS:boldcity.tech, DNS:boldcity.network, DNS:boldcity.services, DNS:boldcitytech.chat
            X509v3 Authority Key Identifier:
                keyid:F5:AE:F5:F4:44:14:37:DA:F4:AB:6A:F3:FA:19:16:B3:80:8E:D4:B4

            X509v3 CRL Distribution Points:

                Full Name:
                  URI:ldap:///CN=1904%20Intermediate%20Authority%20X1,CN=CA-Intermediate01,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=1904,DC=tech?certificateRevocationList?base?objectClass=cRLDistributionPoint

            Authority Information Access:
                CA Issuers - URI:ldap:///CN=1904%20Intermediate%20Authority%20X1,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=1904,DC=tech?cACertificate?base?objectClass=certificationAuthority

    Signature Algorithm: sha256WithRSAEncryption
         0c:f1:bc:87:f2:e4:df:c1:99:eb:80:72:35:b7:9d:ce:dc:84:
         a6:04:1e:7c:48:31:ba:68:cc:30:cd:57:15:2f:84:d7:86:00:
         ab:5f:23:59:44:4c:3f:be:4b:c9:57:54:29:b7:1a:31:16:1f:
         01:d7:87:34:8b:f2:3c:f5:ab:ea:79:9b:86:e4:1d:2d:e2:94:
         10:20:87:91:55:f5:10:0d:5c:24:e7:1d:08:5f:dc:1e:32:a4:
         54:c2:41:7d:fe:e2:79:40:03:9c:33:b3:9d:a6:0d:39:4c:91:
         17:5f:4c:83:92:0f:f0:83:47:4f:14:dc:84:d8:f3:d4:2b:a4:
         90:3d:04:03:59:05:0f:e8:b0:f5:db:65:37:e0:4e:43:26:5b:
         66:98:32:c6:ec:96:90:d0:35:64:8e:7c:93:3f:1d:e0:20:5c:
         18:d2:0e:fd:d8:82:93:d3:c6:f3:2d:8a:ea:d6:7c:7a:4b:6f:
         75:b1:06:12:78:69:ad:31:a0:a3:50:86:2a:6e:cf:29:a2:d8:
         bd:2d:5a:c4:35:0c:b6:3d:d0:ab:05:37:6e:99:39:ee:4a:c9:
         32:cd:08:8a:a4:2b:4a:94:b5:35:d7:4b:70:52:53:50:fe:2b:
         a3:d1:f0:49:de:82:8d:68:42:dc:ef:a8:e2:bc:29:1c:8d:23:
         5d:3c:af:47
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

Well, I think that’s why. That cert has these SANs:

X509v3 Subject Alternative Name:
                DNS:edge05.dmz.colo.1904.tech, DNS:*.boldcity.tech, DNS:*.boldcity.network, DNS:*.boldcitytech.chat, DNS:*.boldcity.services, DNS:boldcity.tech, DNS:boldcity.network, DNS:boldcity.services, DNS:boldcitytech.chat

Which does not match enterpriseregistration.1904.tech, so Caddy will not choose it.
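The SAN check behind that answer, as an added example that is not part of the thread and not Caddy's own code: it builds a throwaway self-signed certificate carrying the SAN list from the openssl output above (the key, serial, issuer and validity window are constructed stand-ins; only the DNS names matter here) and asks Go's standard crypto/x509 hostname matcher, under which a wildcard replaces exactly one leftmost label, which of the thread's site names it covers. That one-label rule is why the wildcard cert covers cloud.boldcity.tech but neither ingest.cloud.boldcity.tech (two labels under boldcity.tech) nor enterpriseregistration.1904.tech (a different zone). The block also generalizes to a list of loaded certificates and reports the names none of them match, which are the names a config like the adapted JSON above falls through to automatic management for.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newTestCert builds a throwaway self-signed certificate with the given SANs.
// It is a constructed stand-in for the PEM files in the thread: the key type,
// serial number, issuer and validity are arbitrary; only the SAN list is
// relevant to hostname matching.
func newTestCert(dnsNames []string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "constructed test certificate"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		DNSNames:     dnsNames,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// CoveredBy reports, for each hostname, whether the certificate's SANs match
// it under Go's standard rules: an exact match, or a wildcard SAN whose "*"
// stands for exactly one leftmost label. A wildcard never spans two labels,
// so *.boldcity.tech does not cover ingest.cloud.boldcity.tech.
func CoveredBy(cert *x509.Certificate, hosts []string) map[string]bool {
	out := make(map[string]bool, len(hosts))
	for _, h := range hosts {
		out[h] = cert.VerifyHostname(h) == nil
	}
	return out
}

// Uncovered returns the hostnames that no certificate in certs matches. With
// a config like the one in the thread, these are the names for which Caddy
// would not log "skipping automatic certificate management" and would instead
// try to obtain a certificate.
func Uncovered(certs []*x509.Certificate, hosts []string) []string {
	var missing []string
	for _, h := range hosts {
		matched := false
		for _, c := range certs {
			if c.VerifyHostname(h) == nil {
				matched = true
				break
			}
		}
		if !matched {
			missing = append(missing, h)
		}
	}
	return missing
}

func main() {
	// SAN list copied from the openssl output in the thread.
	wildcard, err := newTestCert([]string{
		"edge05.dmz.colo.1904.tech",
		"*.boldcity.tech", "*.boldcity.network", "*.boldcitytech.chat", "*.boldcity.services",
		"boldcity.tech", "boldcity.network", "boldcity.services", "boldcitytech.chat",
	})
	if err != nil {
		panic(err)
	}
	sites := []string{
		"cloud.boldcity.tech",
		"ingest.cloud.boldcity.tech",
		"enterpriseregistration.1904.tech",
	}
	covered := CoveredBy(wildcard, sites)
	for _, h := range sites {
		fmt.Printf("%-36s covered=%v\n", h, covered[h])
	}
	fmt.Println("would fall through to ACME:", Uncovered([]*x509.Certificate{wildcard}, sites))
}
```

To run this against the real files instead of the constructed certificate, read the PEM with os.ReadFile, pem.Decode it and x509.ParseCertificate the block, then pass the result to CoveredBy with every site address from the Caddyfile; any name that comes back false will not be served by that certificate no matter which tls snippet the site imports.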
