Where does the layer4 plugin take the TLS host name from?

Hey @AndreKR – sorry it took me a few days to get to this.

Also, apologies that documentation for caddy-l4 is not very good (yet). I never quite got around to enhancing it. So I understand your confusion… I think @francislavoie may have understood differently. Let me see if I read this right.

Correct. Or you can provide a cert, but yes basically Caddy will need a cert.

With JSON config, there are connection policies and automation policies. Automation policies tell Caddy what certificates to automate and how to do that. Connection policies tell Caddy how to serve TLS connections.

Connection policies are typically configured close to the server that is using them, i.e. the layer4 app, in the tls handler.

Automation policies, however, are configured in the tls app module because any/all other apps can reuse the certificates that the tls app is managing:

So the name(s) to have certificates for are specified in the tls app, in an automation policy. Could be very simple, like so:

The layer4 app does support multiplexing, so you can share a port. (It has some bugs we’re working out but in the meantime it’s easy to tweak your config to work around them.)

All of Caddy’s TLS listeners are capable of solving the TLS-ALPN challenge automatically. If you are using the layer4 app, the HTTP challenge is not supported automatically because that’d require setting up an HTTP server, which isn’t a given with layer4. However, if you do set up Caddy’s HTTP server on port 80 then it should be able to solve the HTTP challenge as well.

Does that answer your questions?

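The split the reply describes, shown as an added example that is not from the original post or from the Caddy/caddy-l4 documentation: the connection policy sits inside the layer4 `tls` handler, while the automation policy (the list of names to obtain certificates for) sits in the `tls` app. The host name `example.com`, the `:443` listener and the `localhost:8443` upstream are assumed values.

```json
{
  "apps": {
    "layer4": {
      "servers": {
        "tls_passthrough_example": {
          "listen": [":443"],
          "routes": [
            {
              "match": [
                { "tls": { "sni": ["example.com"] } }
              ],
              "handle": [
                {
                  "handler": "tls",
                  "connection_policies": [
                    { "match": { "sni": ["example.com"] } }
                  ]
                },
                {
                  "handler": "proxy",
                  "upstreams": [
                    { "dial": ["localhost:8443"] }
                  ]
                }
              ]
            }
          ]
        }
      }
    },
    "tls": {
      "automation": {
        "policies": [
          { "subjects": ["example.com"] }
        ]
      }
    }
  }
}
```

The `tls` route matcher and the connection policy's `match.sni` decide which handshakes this route terminates, and only the `subjects` list in the `tls` app's automation policy causes a certificate to be managed; with layer4 alone the certificate is obtained via the TLS-ALPN challenge, since no HTTP server on port 80 is configured here.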