Wildcard TLS Certificate with Auto HTTPS

1. The problem I’m having:

I have a wildcard TLS origin certificate that I have been issued by Cloudflare. I am not using a Cloudflare proxy for cloud.my-url.com, however I am for plex.my-url.com. When I try and use Auto HTTPS for cloud.my-url.com, it just pulls the loaded wildcard certificate from where I load it in using the Caddyfile under the plex.my-url.com. Since I am not using Cloudflare proxy for that subdomain, that certificate is invalid. I do not want to disable the Cloudflare strict TLS policy. How can I force cloud.my-url.com to use Auto-HTTPS while keeping my other subdomains using my provided certs?

If I don’t specify any TLS settings cloud.my-url.com works fine since that uses Auto HTTPS, but plex.my-url.com does not work since the Cloudflare proxy is looking for its issued origin certificate.

2. Error messages and/or full log output:

INF ts=1694819456.30839 msg=using provided configuration config_file=/etc/caddy/Caddyfile config_adapter=caddyfile
INF ts=1694819456.3112862 logger=admin msg=admin endpoint started address=localhost:2019 enforce_origin=false origins=["//[::1]:2019","//127.0.0.1:2019","//localhost:2019"]
INF ts=1694819456.311491 logger=tls.cache.maintenance msg=started background certificate maintenance cache=0xc000700900
WRN ts=1694819456.3119485 logger=tls msg=stapling OCSP error=no OCSP stapling for [cloudflare origin certificate *.my-url.com my-url.com]: no URL to issuing certificate
INF ts=1694819456.3119984 logger=http.auto_https msg=skipping automatic certificate management because one or more matching certificates are already loaded domain=cloud.my-url.com server_name=srv0
INF ts=1694819456.3120065 logger=http.auto_https msg=skipping automatic certificate management because one or more matching certificates are already loaded domain=plex.my-url.com server_name=srv0
INF ts=1694819456.3120098 logger=http.auto_https msg=enabling automatic HTTP->HTTPS redirects server_name=srv0

3. Caddy version:

v2.7.4

4. How I installed and ran Caddy:

a. System environment:

Docker being managed by a Portainer stack

b. Command:

Caddy starts on container start

c. Service/unit/compose file:

version: "3.9"

services:
  caddy:
    image: caddy:latest
    container_name: caddy
    restart: always
    #ports:
      #- 80:80
      #- 443:443
      #- 443:443/udp
    network_mode: host
    volumes:
      - /Caddyfile:/etc/caddy/Caddyfile
      - ./site:/srv
      - caddy_data:/data
      - caddy_config:/config

volumes:
  caddy_data:
  caddy_config:

d. My complete Caddy config:

https://cloud.my-url.com:443 {
        tls my-email@gmail.com
        reverse_proxy localhost:11000
}
https://plex.my-url.com:443 {
        reverse_proxy localhost:32400
        tls /data/my-url.com.pem /data/my-url.com.key
}

I think it uses the wildcard because it qualifies in terms of SAN.

I am mobile, but real quick, you can have caddy always get a certificate with an option to ignore loaded certs. I will try to remember to get more details later.

But maybe if a cert is hard coded like that it shouldn’t be used by other sites. Something I could look into changing
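The global option the reply above refers to, written out as an added example rather than a config from the original thread; it assumes the two site blocks from section 4d are otherwise unchanged and that the loaded files are the Cloudflare origin wildcard:

```caddyfile
{
	# Global option: do not skip automatic certificate management for a
	# host just because an already-loaded certificate (here the Cloudflare
	# origin wildcard) happens to match it. Caddy then obtains and renews
	# its own publicly trusted certificate for cloud.my-url.com.
	auto_https ignore_loaded_certs
}

https://cloud.my-url.com:443 {
	# ACME account email for the managed certificate
	tls my-email@gmail.com
	reverse_proxy localhost:11000
}

https://plex.my-url.com:443 {
	reverse_proxy localhost:32400
	# Cloudflare origin certificate, only trusted by the Cloudflare proxy
	tls /data/my-url.com.pem /data/my-url.com.key
}
```

The option is global, so check the log after reloading: the "skipping automatic certificate management ... domain=cloud.my-url.com" line should be gone, and any certificate-management lines mentioning plex.my-url.com tell you that site is being managed too.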