I would like to redirect all domains coming from *.abc.com, *.bcd.com to abc.com, bcd.com and only serve on the root domain. For this I need a wildcard certificate so I can redirect everything on HTTPS to the root domain.
My setup involves thousands of domains to be served on the main page, with all subdomains redirected to the main page. I would need on-demand TLS.
I currently only allow www[1-10] subdomains in the permission check to be issued certificates, because I don't want to issue certs for every possible subdomain combination.
The example shows wildcard domains being listed in the Caddyfile:
```
*.example.com
reverse_proxy localhost:9000
```
But this is not possible for on demand tls.
Is there a way to achieve this?
2. Error messages and/or full log output:
3. Caddy version:
v2.10.2
4. How I installed and ran Caddy:
go build cmd/caddy/main.go
a. System environment:
macOS
b. Command:
ENVIRONMENT=local ./main run --envfile .env.dev
c. Service/unit/compose file:
d. My complete Caddy config:
```
{
	dns custom_dns_module {
		redis_config {
			host xxx
			port xxx
			db xxx
		}
	}
	on_demand_tls {
		permission custom_permission_module {
			redis_config {
				host xxx
				port xxx
				db 0
			}
		}
	}
}

https://: {
	log {
		format json
	}
	tls {
		on_demand
	}
	respond 200
}
```
I might be wrong, but I don’t think Caddy supports on-demand wildcard certificates, if that’s what you’re asking.
That said, if you’ve already obtained a wildcard certificate for all the domains you’re hosting, you don’t need on-demand setup for those domains anymore, because:
As of Caddy 2.10, when automating a wildcard certificate, Caddy will use the wildcard certificate for individual subdomains in the configuration. It will not get certificates for individual subdomains unless explicitly configured to do so.
Just to expand on my previous post, based on my understanding, Caddy takes the name for on-demand processing from the SNI field. And as far as I know, you can’t send *.example.com as SNI.
So you’d need another way to obtain the wildcard certificate. It looks like you already have DNS-01 set up for it, but I believe you’d need to list those wildcard domains in your Caddyfile for DNS-01 to kick in. You might be able to write a custom module to pull the list of wildcard domains from your Redis and trigger DNS-01 certificate issuance without hardcoding the wildcard domain sites in the Caddyfile, I guess.
Once Caddy has the wildcard loaded, you no longer need on-demand for subdomains it covers, since the existing cert already matches them. And as of Caddy 2.10, the existing wildcard certificate takes precedence over any other attempts to obtain a new cert for a specific site.
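A Caddyfile sketch of what the reply above describes, added here as an example and not taken from either post: for one of the question's domains, the wildcard is listed next to the apex so the DNS challenge issues the wildcard cert, requests for any subdomain are redirected to the apex, and `on_demand` is not needed for those names. It assumes the global `dns custom_dns_module` block from the original config stays in place (placeholder values kept as on the page) and that `abc.com` stands in for each hosted domain.

```caddyfile
{
	# Global DNS provider from the original config; with it configured,
	# the wildcard name below is obtained via DNS-01 (assumption: the
	# custom module answers the challenge for every hosted zone).
	dns custom_dns_module {
		redis_config {
			host xxx
			port xxx
			db xxx
		}
	}
}

# Apex and wildcard listed together: *.abc.com gets one wildcard
# certificate, abc.com its own, and no on_demand is involved for either.
abc.com, *.abc.com {
	log {
		format json
	}

	# Only the apex is actually served.
	@apex host abc.com
	handle @apex {
		respond 200
	}

	# Every other host under *.abc.com terminates TLS on the wildcard
	# cert and is sent to the apex with path and query preserved.
	handle {
		redir https://abc.com{uri} permanent
	}
}
```

With thousands of domains, each apex/wildcard pair still has to appear in the config (or be generated by a custom module, as the reply suggests), since the wildcard name cannot arrive through on-demand TLS.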