Is there any rationale behind this decision? Or is there a way in Caddy to accomplish the same result? Adding *.*.example.com, *.*.*.example.com and so on becomes just ridiculous.
QNAME=foo.bar.example. QTYPE=TXT, QCLASS=IN
the answer will be "foo.bar.example. IN TXT ..."
because bar.example. does not exist, but the wildcard
does.
Caddy’s domain rules need to follow from certificate rules, because it does the extra job of managing certificates automatically. Other web servers don’t do that.
Yes it will. So pick your poison. If you still need HTTP->HTTPS redirects alongside this, then you need to do it yourself for the domains you still need redirects for. It’s really just redir https://<domain>{uri} 308, and fill in <domain> however you need. You could use map (Caddyfile directive) — Caddy Documentation to match the domains you need.
Okay…just trying to figure out things here… This is a heck of a lot more complicated than how it’s done in Nginx or Apache
I still don’t see why *.example.com, or something else, like maybe **.example.com can’t match foo.bar.example.com
RFC6125 can’t really be the reason, since you support *.*.example.com, which 6125 explicitly forbids…
And you even have a on-demand feature for getting certificates, so allow *.example.com to match whatever, then you combine it with on_demand and everything should work fine?
The client SHOULD NOT attempt to match a presented identifier in
which the wildcard character comprises a label other than the
left-most label (e.g., do not match bar.*.example.net).
If the wildcard character is the only character of the left-most
label in the presented identifier, the client SHOULD NOT compare
against anything but the left-most label of the reference
identifier (e.g., *.example.com would match foo.example.com but
not bar.foo.example.com or example.com).
This is about the client, not the server; and a “SHOULD NOT” phrase is weaker than a “MUST NOT” – you’ll find that most major web browsers do accept certificates like *.*.foo.com (but not *.* – individual implementations are nuanced like that). Also, in *.*.foo.com, the wildcard does comprise the left-most label, so there is an argument this does not apply anyway (see example).
While I believe publicly-trusted CAs are generally forbidden from issuing wildcard certificates with multiple wildcard labels by the BRs, this does not prevent servers from serving certificates with such subjects; and this is often in fact useful.
Is irrelevant, again, as it describes what the client “SHOULD NOT” do (i.e. is a recommendation), not saying what is forbidden by servers or X.509 Certificate issuers. See the example – it’s saying that the wildcard in a label does not apply to incongruent labels when comparing the identifier, i.e. the domains must have the same number of labels.
There’s a lot of things Caddy does differently than other servers. That’s the whole point. Francis already explained why this one is.
Not really… since you can set up on-demand certs there is zero reason for it.
If it’s just a matter of not wanting to support it, fine, but referring to RFCs doesn’t really work, since we have established that Caddy doesn’t follow 4562 already.
And the issue with certificates is easily taken care of with on demand certs, which would keep Caddy compliant with 6125
I’m not sure we have. What about this part, which follows on immediately after the area you quoted?
The final example highlights one common misconception about
wildcards. A wildcard “blocks itself” in the sense that a wildcard
does not match its own subdomains. That is, “*.example.” does not
match all names in the “example.” zone; it fails to match the names
below “*.example.”. To cover names under “*.example.”, another
wildcard domain name is needed–“*.*.example.”–which covers all but
its own subdomains.