Utilizing Wildcard Certificate for Subdomains

1. Caddy version (caddy version):

v2.1.1

2. How I run Caddy:

Directly on debian buster amd64

a. System environment:

Debian Buster amd64

b. Command:

caddy run

d. My complete Caddyfile or JSON config:

*.website.org {
	tls {
		dns cloudflare myapikey
	}
}

sub1.website.org {
	reverse_proxy 127.0.0.1:9000
}

sub2.website.org {
	reverse_proxy 127.0.0.1:8000
}

3. The problem I’m having:

I would like to have the subdomains use the wildcard certificate to serve sub1.website.org and sub2.website.org, but I am having trouble doing that.

4. Error messages and/or full log output:

There are no error messages, but instead Caddy grabs certs for the wildcard as well as for sub1 and sub2.

5. What I already tried:

I have tried moving the sub1 and sub2 block to inside the wildcard block to no avail. I am not sure if there is another directive I should be using for this.

6. Links to relevant resources:

This seems similar but I haven’t been able to successfully implement it.

Caddy makes some assumptions by default that don’t match what you’re trying to do. Caddy won’t assume that you want to use the wildcard cert for your other domains, because some people actually do want to use individual certificates.

The best option for you here I think is to use host matchers for your various subdomains in the wildcard site block:

*.website.org {
	tls {
		dns cloudflare {$CLOUDFLARE_API_KEY}
	}

	@sub1 host sub1.website.org
	handle @sub1 {
		reverse_proxy 127.0.0.1:9000
	}

	@sub2 host sub2.website.org
	handle @sub2 {
		reverse_proxy 127.0.0.1:8000
	}
}

If you used JSON config, you could specifically modify the TLS automation policy to only manage the wildcard certificate and to ignore the rest, and the connection policy would be configured to pick up the requests using the wildcard certificate. With the Caddyfile, there’s no way to configure that yet.

@matt do you think it’s worth adding a tls option to explicitly tell the adapter to skip the domain(s) from a site block from the automation policy? Maybe something like:

tls {
	managed no
}
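The JSON approach mentioned above, written out as an added example (not config from the thread): the automation policy manages only `*.website.org`, `skip_certificates` stops automatic HTTPS from also requesting individual certificates for the two subdomains, and the default connection policy then presents the wildcard certificate for their SNI. It assumes a Caddy build that includes the Cloudflare DNS module, the `issuers` key of Caddy 2.2 and later (2.1 spelled it `issuer`), and an environment variable `CLOUDFLARE_API_TOKEN` of your choosing so the token never sits in the config file.

```json
{
  "apps": {
    "http": {
      "servers": {
        "srv0": {
          "listen": [":443"],
          "routes": [
            {
              "match": [{"host": ["sub1.website.org"]}],
              "handle": [{"handler": "reverse_proxy",
                          "upstreams": [{"dial": "127.0.0.1:9000"}]}],
              "terminal": true
            },
            {
              "match": [{"host": ["sub2.website.org"]}],
              "handle": [{"handler": "reverse_proxy",
                          "upstreams": [{"dial": "127.0.0.1:8000"}]}],
              "terminal": true
            }
          ],
          "automatic_https": {
            "skip_certificates": ["sub1.website.org", "sub2.website.org"]
          }
        }
      }
    },
    "tls": {
      "automation": {
        "policies": [
          {
            "subjects": ["*.website.org"],
            "issuers": [{
              "module": "acme",
              "challenges": {
                "dns": {
                  "provider": {
                    "name": "cloudflare",
                    "api_token": "{env.CLOUDFLARE_API_TOKEN}"
                  }
                }
              }
            }]
          }
        ]
      }
    }
  }
}
```

Run `caddy validate --config caddy.json` before loading it; once Caddy is up, the only certificate it should obtain is the one for `*.website.org`.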

Thank you very much!
In the handle block, can you essentially put anything that you would in a separate website block? Such as to specify the root directory and such.

Most directives, yes. Only HTTP handlers though - for example not log or tls since those are per server block configuration.


Awesome, thank you. I assume http headers do not fall under this?

header is an HTTP handler so you can use that all you like.
