Wildcard Plus certificate (*.mydomain.com and domain.com) with caddy

1. The problem I’m having:

I am using Adguard Home on my NAS with Caddy as a reverse proxy.
I want to use DoT, and with the Layer4 plugin I got it working on adguard.mydomain.com.
In order to detect my device, I would like to use a subdomain like myphone.adguard.mydomain.com.

Caddy created the certificates properly, one for adguard.mydomain.com and one for *.adguard.mydomain.com
However, according to the documentation, Adguard requires a single certificate for both:

Note that the TLS certificate must be valid both for *.example.org and example.org.

I found this post that says it’s not possible with Caddy, but it’s from 2021, so I’m not sure if this is still the case.

2. Error messages and/or full log output:

no error, it just doesn't work

3. Caddy version:

v2.8.4 h1:q3pe0wpBj1OcHFZ3n/1nl4V4bxBrYoSoab7rL9BMYNk=

4. How I installed and ran Caddy:

a. System environment:

Docker Compose

b. Command:

docker compose up -d

c. Service/unit/compose file:

services:
  caddy:
    build:
      context: .
      dockerfile: Dockerfile
    restart: always
    container_name: caddy
    ports:
      - "80:80"
      - "443:443"
      - "443:443/udp"
    volumes:
      - ./Caddyfile:/etc/caddy/Caddyfile
      - ./site:/srv
      - ./caddy_data:/data
      - ./caddy_config:/config
      - ./caddy-logs:/var/log/caddy
    env_file:
      - .env
    networks:
      - caddy
    environment:
      - CROWDSEC_API_KEY=${CROWDSEC_API_KEY}

networks:
  caddy:
    external: true

d. My complete Caddy config:

{
  acme_dns cloudflare mycloudflareAPIKey
  email my@email.com

  layer4 {
    127.0.0.1:853 {
      route {
        tls
        proxy adguardhome:853
      }
    }
  }

}
adguard.mydomain.com {
  reverse_proxy adguardhome:19443
}

5. Links to relevant resources:

That’s not possible, Caddy does not support issuing multi-SAN certificates for a multitude of reasons. See docs/acme-ops.md in the https-dev/docs repository on GitHub for an explanation.

Why do you think you need two certificates if Caddy is proxying the traffic anyway? Caddy can terminate TLS, you don’t need TLS between Caddy and adguard since it’s being proxied over your private network.

If that requirement is being imposed by Adguard for whatever reason, you should reach out to them and link them the above, multi-SAN certificates are not recommended and have a multitude of problems. They should allow you to configure multiple certificates.

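To check concretely which hostnames a certificate covers against the Adguard requirement quoted above (valid for both *.example.org and example.org), here is an added example that is not from this thread or from the Caddy or Adguard projects. It implements the single-label wildcard matching rule from RFC 6125 and shows that each of the two certificates Caddy issued covers only one of the required names, while a combined one covers both; the SAN lists and hostnames are constructed samples, and fetch_sans is an optional stdlib helper for a live listener.

```python
import socket
import ssl


def wildcard_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125 style match: a wildcard covers exactly one leftmost label,
    so *.example.org matches a.example.org but NOT example.org or a.b.example.org."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def uncovered_names(san_names, required):
    """Return the required hostnames that no DNS SAN entry in the certificate matches."""
    return [h for h in required if not any(wildcard_matches(s, h) for s in san_names)]


def fetch_sans(host: str, port: int = 853):
    """Fetch the DNS SANs presented by a live TLS listener (e.g. a DoT port).
    Uses only the standard library; the certificate must chain to a trusted root."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


# Constructed sample SAN lists, modelled on the two certificates Caddy issued in the thread.
APEX_CERT = ["adguard.mydomain.com"]
WILDCARD_CERT = ["*.adguard.mydomain.com"]
COMBINED_CERT = ["adguard.mydomain.com", "*.adguard.mydomain.com"]
# Names the DoT listener must answer for: the base name and one per-device subdomain.
REQUIRED = ["adguard.mydomain.com", "myphone.adguard.mydomain.com"]

if __name__ == "__main__":
    for label, sans in [("apex", APEX_CERT), ("wildcard", WILDCARD_CERT), ("combined", COMBINED_CERT)]:
        print(f"{label} certificate, required names not covered: {uncovered_names(sans, REQUIRED)}")
```

Run against a real listener with fetch_sans("adguard.mydomain.com") in place of the sample lists to see which of the two certificates Adguard is actually serving.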

Thank you so much for the explanation @francislavoie !

The requirement is really from adguard. I will get in touch with them. So far it also works with the subdomain only, maybe I will stick with that.
Thank you and take care