Wildcard subdomain, acme failing

1. The problem I’m having:

After a lot of trouble with DNS, I might have found a neat way to handle subdomains, and that is by using a wildcard in my cname record. Everything seems to be working, but one thing that I hadn’t accounted for is the fact that the wildcard seems to take precedence over the _acme-challenge.example.com subdomain added by caddy.
Is there a way to handle the acme challenge locally in its own directive, as in

*.example.com {
    @acme host _acme-challenge.example.com
    handle @acme {
        respond "<Acme response>"
    }
...
}

I definitely see the acme challenge in the DNS records, but digging it just redirects me to the wildcard.

2. Error messages and/or full log output:

solving challenges: waiting for solver certmagic.solverWrapper to be ready: timed out waiting for record to fully propagate; verify DNS provider configuration is correct - last error: <nil> (order=https://acme-staging-v02.api.letsencrypt.org/acme/order/151202543/17045282153) (ca=https://acme-staging-v02.api.letsencrypt.org/directory)

3. Caddy version:

2.7.6

4. How I installed and ran Caddy:

docker

b. Command:

docker compose start caddy

c. Service/unit/compose file:

not relevant?

d. My complete Caddy config:

{
    acme_ca https://acme-staging-v02.api.letsencrypt.org/directory
}
*.example.com {
    tls {
        dns provider key
    }
    @test host test.example.com
    handle @test {
        respond "Hello"
    }
}

5. Links to relevant resources:
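Added here as an illustration, not code from the post or from Caddy: a small Python model of the RFC 1034/4592 wildcard rules, showing which record an authoritative server returns when a zone carries both a wildcard CNAME and the explicit _acme-challenge TXT record that a DNS-challenge plugin publishes. The zone contents and token values are constructed; the model does not cover the propagation delay between publishing the record and every authoritative server serving it, which is what the timeout in the log above refers to.

```python
# Added example, not code from the thread or from Caddy: a small model of the
# RFC 1034/4592 wildcard rules, used to show which record answers a query when
# a zone holds both a wildcard CNAME and an explicit _acme-challenge TXT record.
# The zone below is constructed; names are written without the trailing dot.

ZONE = {
    "example.com": {"A": ["192.0.2.10"]},
    "*.example.com": {"CNAME": ["example.com"]},  # catch-all for subdomains
    "_acme-challenge.example.com": {"TXT": ["token-for-wildcard-cert"]},
}

def exists(name):
    """A name exists if it owns records or is an ancestor of one (empty non-terminal)."""
    return any(o == name or o.endswith("." + name) for o in ZONE)

def wildcard_for(name):
    """The only wildcard that may synthesize `name`: '*.' + its closest existing ancestor."""
    labels = name.split(".")
    for i in range(1, len(labels)):
        ancestor = ".".join(labels[i:])
        if exists(ancestor):
            return "*." + ancestor
    return None

def resolve(qname, qtype):
    """Authoritative answer as (owner, rtype, rdata), or None for NXDOMAIN/NODATA."""
    owner = qname
    if qname not in ZONE and not exists(qname):
        owner = wildcard_for(qname)  # wildcards only cover names that do not exist at all
    rrsets = ZONE.get(owner) if owner else None
    if not rrsets:
        return None
    if "CNAME" in rrsets:  # a CNAME answers every query type, so it wins over a TXT lookup
        return (owner, "CNAME", rrsets["CNAME"][0])
    if qtype in rrsets:
        return (owner, qtype, rrsets[qtype][0])
    return None

def add_txt(name, value):
    """What a DNS-challenge plugin does before validation: publish the token as TXT."""
    ZONE.setdefault(name, {}).setdefault("TXT", []).append(value)

if __name__ == "__main__":
    print(resolve("_acme-challenge.example.com", "TXT"))      # explicit TXT beats the wildcard
    print(resolve("test.example.com", "A"))                    # wildcard CNAME synthesized
    print(resolve("_acme-challenge.test.example.com", "TXT"))  # no TXT yet: wildcard CNAME answers
    add_txt("_acme-challenge.test.example.com", "token-for-test")
    print(resolve("_acme-challenge.test.example.com", "TXT"))  # now the TXT answers
    print(resolve("test.example.com", "A"))                    # parent became an empty non-terminal: NODATA
```

The last query shows a side effect worth checking with dig after a per-subdomain DNS challenge: once the challenge record exists, its parent name exists too, and the wildcard no longer synthesizes answers for it.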

Why is that needed?

What trouble? What is “neat” about it? Not saying there isn’t something there, I just have no idea what the motivation is or what this solves.


For me it mostly stems from the fact that I like to keep my configs as centralized as possible, but I’m facing issues with services like the Nextcloud AIO container that just straight up refuse to be hosted on a path instead of a subdomain.

I’m no DNS expert, so it often takes me multiple tries to get a DNS config working properly, and each time I forget to lower the TTL so the changes apply more quickly.
I just want this centralized all in my caddy config. I don’t wanna have to mess with DNS every time I want to try a docker container.

This approach seems neat to me because both my subdomain and path handling are done in the same caddy instance, making it really easy to maintain, and it doesn’t restrain me with TTLs.

See The "subfolder problem", OR, "why can't I reverse proxy my app into a subfolder?", that’ll be true for most apps. It’s not an easy problem to solve. Subdomains are the way to go.

You don’t have to use a wildcard cert in Caddy if you used a wildcard DNS record. You can use individual subdomains in your Caddyfile and just have the one * wildcard DNS A record pointing to your IP address.

Please upgrade to the latest version, 2.8.4. It solves some issues surrounding DNS challenge propagation checks.

But are you sure you actually need a wildcard cert? You could just use the ACME HTTP challenge if I understand your setup, simpler config and no need for a DNS plugin.


I think the way people choose subdomains over paths is wrong. In my opinion subdomains should indicate a different machine or some kind of intentional disconnection, not just a lazy workaround to just not have to deal with paths.
proxy_pass got me incredibly far, and I’ve managed to get pretty much every service onto a path that way.

I actually want to use a wildcard cert, so people cannot just figure out what stuff I’m hosting. Another benefit of paths is that nobody can see what else there is without brute forcing all the possible paths. Since I don’t have that luxury with everything I’d like to at least use a wildcard cert to make whatever possible invisible.

Does that specifically fix my current issue? I’m a little too lazy to change the version number in my config :confused:

Edit: Look how easy it is to find all subdomains for a website: https://crt.sh/?q=lbry.com

IMO that’s unfounded paranoia. Just knowing what’s hosted is not that useful. As long as you use authentication on anything relevant and use strong passwords, you’re fine.

Possibly, yes. You should always run the latest version.


My paranoia stems from the fact that I don’t want people brute forcing whatever I host, and I’m having a bit of trouble with the rate limiter plugins that do exist. It’s either a configuration issue or the plugins somehow don’t work on my system.
I was gonna debug that too, but I’m waiting for the DNS TTL to reset after I made a typo :roll_eyes:

Ok will check soon.
At the moment I’ve just left the wildcard unused.

No attacker really cares what self hosters have running. You’re not exactly a juicy target. They wouldn’t have anything to gain unless they think they could make money from you some way or another. Security through obscurity is not any kind of guarantee. Having strong authentication is a good guarantee of protection. Don’t run software you don’t trust to be secure.


Well, xyproblem then, thanks for your help!
