Using On-Demand TLS for Wildcard Domains

Hello,

I would like to know if it is possible to use on-demand TLS in Caddy to issue certificates for wildcard domains when a subdomain is accessed for the first time. I have many subdomains, so it is expensive to issue a certificate for each one. At the same time, I have a large number of domains, which makes it difficult to add them all to the configuration. Is there a solution for this?

Can you quantify “many”? I’ve just seen many people assume computers have the same operational budget as people and overestimate the effort/cost.

If you enable on-demand TLS, you cannot get wildcard certs. You can only get a single SAN for each requested cert. One thing I can think of is to hook into Caddy events, grab the SAN, transform it into the wildcard form, then update Caddy config dynamically via the config API so Caddy would switch to the wildcard cert rather than the SAN.

Currently, we have about 80000 domains, and around 400 are added each day. On many sites, subdomains are attached to categories. This means that one site can have an unlimited number of subdomains (currently it’s around 3000 to 20000 per site). If we keep everything as is, we will hit rate limits.

I am looking into synchronizing all domains from our DNS server and either generating the configuration (JSON/Caddyfile) or adding them through the admin API. Could we face performance issues in this case?
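The two ideas raised in the thread, turning a requested SAN into its wildcard form and feeding site names synced from DNS into the config through the admin API, can be combined in one small script. The following is an added example, not code from the thread or from the Caddy project. It assumes Caddy's admin API on the default `http://localhost:2019`, that each "site" is an apex such as `shop.example` with its subdomains one label below it, and a DNS challenge provider named `<your-provider>` (placeholder), since wildcard names can only be issued through the DNS-01 challenge. The apex allowlist also means that a request for a name outside the synced sites is dropped instead of triggering issuance, which is the same protection an `ask` endpoint gives plain on-demand TLS.

```python
"""Turn per-host certificate requests into wildcard automation policies for Caddy.

Added example (not from the thread). Assumptions: Caddy's admin API on
http://localhost:2019, a DNS challenge provider "<your-provider>" (placeholder),
and that each site is an apex such as shop.example whose subdomains sit one
label below it.
"""
import json
import re
import urllib.request

ADMIN_API = "http://localhost:2019"  # assumed default admin endpoint
_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def is_valid_hostname(host):
    """Accept only a plain lowercase DNS hostname (no wildcards, no trailing dot)."""
    if not host or len(host) > 253 or host.endswith("."):
        return False
    return all(_LABEL.match(label) for label in host.split("."))


def wildcard_for(host, apexes):
    """Map a requested SAN to the name that should be in the automation policy.

    `apexes` is the set of site apexes synced from DNS. A host that is exactly
    an apex keeps its own name; a host one label below an apex becomes
    '*.<apex>'; anything else returns None so that issuance cannot be
    triggered for arbitrary names."""
    if not is_valid_hostname(host):
        return None
    if host in apexes:
        return host
    parent = host.split(".", 1)[1] if "." in host else ""
    if parent in apexes:
        return "*." + parent
    return None


def automation_policy(subjects, dns_provider):
    """Build a Caddy tls automation policy using the DNS-01 challenge,
    the only ACME challenge that can issue wildcard names."""
    return {
        "subjects": sorted(set(subjects)),
        "issuers": [{
            "module": "acme",
            "challenges": {"dns": {"provider": dns_provider}},
        }],
    }


def push_policy(policy, admin_api=ADMIN_API):
    """Append the policy to the running config via the admin API.
    A POST on an array path appends an element in Caddy's config API."""
    req = urllib.request.Request(
        f"{admin_api}/config/apps/tls/automation/policies",
        data=json.dumps(policy).encode(),
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req) as resp:
        return resp.status


if __name__ == "__main__":
    # Constructed sample: two synced site apexes and a few requested names.
    apexes = {"shop.example", "blog.example"}
    requested = ["cat.shop.example", "dog.shop.example", "blog.example",
                 "evil.example", "a.b.shop.example"]
    subjects = [s for s in (wildcard_for(h, apexes) for h in requested) if s]
    policy = automation_policy(subjects, {"name": "<your-provider>"})
    print(json.dumps(policy, indent=2))
    # push_policy(policy) would then add it to a running Caddy instance.
```

Running it prints a single policy with subjects `*.shop.example` and `blog.example`; the two rejected names never reach the config. Thousands of subdomains of one site therefore collapse into one wildcard subject, which is what keeps the script clear of the per-name rate limits mentioned above.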