You need some way to tell Caddy to handle requests for the different subdomains differently.
There are two ways you can go about it. You can split this site up into two separate sites - you can still have them both share the same wildcard cert if you need it - or you can use some hacky rewrites based on placeholders to differentiate (v2 is infinitely better in this regard than v1).
*.example.com {
    tls {
        dns cloudflare
    }
    # Route by the leftmost DNS label: bitwarden.example.com -> /bitwarden/...
    rewrite {
        if {label1} is bitwarden
        to /bitwarden{uri}
    }
    proxy /bitwarden 192.168.10.50:8088 {
        without /bitwarden
    }
    # Same trick for nextcloud.example.com
    rewrite {
        if {label1} is nextcloud
        to /nextcloud{uri}
    }
    proxy /nextcloud 192.168.10.50:8080 {
        without /nextcloud
    }
}
Note that with this method there is no way to have error logging separate - it’s across the whole site or nothing. Also, tls { wildcard } is redundant in your own example (i.e. the one-site method), because the site is already a wildcard (*.example.com). You only need to specify wildcard when you want Caddy to pretend that a fully qualified domain name is in fact a wildcard (for the purposes of getting a certificate for it).
Anywhere inside the site. Before the proxies, between the proxies, above the TLS declaration. Usually I prefer to put general stuff like error logging at the top of the site, though, so I’d probably put it above the TLS as a matter of preference.
The earliest ACME limit likely to apply to you is Certificates per Registered Domain (50 per week). That means you could get 50 subdomains this week, and then 50 after 7 days, without problem.
The other noteworthy rate limit is 300 New Orders per account per 3 hours. A new order is essentially any new certificate request.
I would wager that you are not likely to go anywhere near either of these limits, and it would be simpler to simply stick with individual certificates and let Caddy manage them.
You have the correct method (setting the flag -ca https://acme-staging-v02.api.letsencrypt.org/directory when you run Caddy). How do you know it didn’t take?
Glad to hear it! Although, this changes a lot of things, with the Caddyfile especially as it’s almost entirely new. And you’ll want to update to the newer unit file.
I upgraded to 2.0 beta 15.
Now my Caddyfile is in /etc/caddy/Caddyfile.
I ran
caddy run --config /etc/caddy/Caddyfile
I get this error message:
2020/03/05 02:01:03.879 INFO using provided configuration {"config_file": "/etc/caddy/Caddyfile", "config_adapter": ""}
run: adapting config using caddyfile: parsing caddyfile tokens for 'tls': /etc/caddy/Caddyfile:3 - Error during parsing: getting DNS provider module named 'cloudflare': module not registered: tls.dns.cloudflare
In 1.0.4, I installed using the getcaddy bash script, with the tls.cloudflare plugin.
Now how do I do that in 2.0?
Is this what the caddy.json does? I have a file in the /etc/caddy folder.
Do I need to modify the caddy.service?
I know I need to RTFM, but I'm chewing more than I can from v1 to v2, sorry about that.
There aren’t any published v1 → v2 Caddyfile guides I know of.
Nothing official either - at the very least until Caddy v2 is out of beta. There are still features yet to be added and refined at this stage.
With some of the low level conceptual changes on how v2 handles vs v1, as well, it’s best to start from the top with a fresh understanding of some of the key concepts and functionality. The v2 docs are here:
The v2 Caddyfile doesn’t have a tls dns equivalent yet, but it’s configurable in JSON. I can’t find a wildcard-equivalent in JSON either though right now, so example 2 is the way to go.
Then run caddy adapt --pretty --validate in the same directory as that Caddyfile to get the JSON equivalent. From there, add your DNS provider to the challenges area of the acme JSON configuration.
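For reference, the two-backend wildcard setup from the v1 Caddyfile earlier in this thread, written in the released Caddy v2 Caddyfile syntax (which, unlike the beta discussed here, does have a tls dns subdirective when Caddy is built with the Cloudflare DNS module). This is an added example, not configuration posted in the thread; the CLOUDFLARE_API_TOKEN variable name is an assumption, and the backend addresses follow the earlier post.

```caddyfile
# Added example: Caddy v2 equivalent of the v1 {label1} rewrite trick.
# Assumes Caddy was built with the caddy-dns/cloudflare module.
*.example.com {
	# One wildcard certificate via the DNS-01 challenge. The API token
	# comes from the environment instead of being written into the file.
	tls {
		dns cloudflare {env.CLOUDFLARE_API_TOKEN}
	}

	# v2 matches on the Host header directly, so no path rewrite and no
	# "without" prefix stripping is needed.
	@bitwarden host bitwarden.example.com
	handle @bitwarden {
		reverse_proxy 192.168.10.50:8088
	}

	@nextcloud host nextcloud.example.com
	handle @nextcloud {
		reverse_proxy 192.168.10.50:8080
	}

	# Any other subdomain covered by the wildcard gets a 404 rather than
	# being forwarded to a backend by accident.
	handle {
		respond 404
	}
}
```

Because the wildcard cert covers every subdomain, the final catch-all handle is what keeps an unexpected name from reaching either proxy.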
2020/03/25 17:48:01 [INFO][cache:0xc0003e1b30] Started certificate maintenance routine
2020/03/25 17:48:01.516 INFO http server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS {"server_name": "srv0", "https_port": 443}
2020/03/25 17:48:01.516 INFO http enabling automatic HTTP->HTTPS redirects {"server_name": "srv0"}
2020/03/25 17:48:01 [INFO][cache:0xc0003e1b30] Stopped certificate maintenance routine
The JSON has an http directive, but the cloudflare is under tls.
What should I modify?
I know I need to use this; please check if this is correct, and where do I insert it in the JSON?
If you follow the link, at the top of the page is the breadcrumb for JSON Config Structure. You can follow that back all the way up to see how each section “nests” in the above section.
This isn’t the correct place to put the LetsEncrypt staging endpoint. This is to override the Cloudflare API endpoint.