Caddy version (`caddy -version`): v2.0.0-beta9 h1:oILdAOfunJ4ijBN9kOWjFIeH8EufBX/N1pC9HbnwjzU=
Use a wildcard hostname so that I don't need to list each hostname I want to listen on manually. It works with http, but fails to solve the Let's Encrypt challenges with a wildcard hostname.
```
*.theblazehen.com {
    reverse_proxy / {host}.home:80
}
```
Directly executed the binary with a Caddyfile in the preset working directory
I expected it to request a certificate on the first request for a domain, like caddy v1 does
```
2019/11/08 20:14:21 [INFO][*.theblazehen.com] Obtain certificate
2019/11/08 20:14:21 [INFO][*.theblazehen.com] Obtain: Waiting on rate limiter...
2019/11/08 20:14:21 [INFO][*.theblazehen.com] Obtain: Done waiting
2019/11/08 20:14:21 [INFO] [*.theblazehen.com] acme: Obtaining bundled SAN certificate
2019/11/08 20:14:22 [INFO] [*.theblazehen.com] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/1146805739
2019/11/08 20:14:22 [INFO] [*.theblazehen.com] acme: Could not find solver for: dns-01
2019/11/08 20:14:22 [ERROR][*.theblazehen.com] failed to obtain certificate: acme: Error -> One or more domains had a problem:
[*.theblazehen.com] [*.theblazehen.com] acme: could not determine solvers (attempt 1/3; challenge=http-01)
2019/11/08 20:14:23 [INFO] [*.theblazehen.com] acme: Obtaining bundled SAN certificate
2019/11/08 20:14:24 [INFO] [*.theblazehen.com] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/1146806026
2019/11/08 20:14:24 [INFO] [*.theblazehen.com] acme: Could not find solver for: dns-01
2019/11/08 20:14:25 [ERROR][*.theblazehen.com] failed to obtain certificate: acme: Error -> One or more domains had a problem:
[*.theblazehen.com] [*.theblazehen.com] acme: could not determine solvers (attempt 2/3; challenge=http-01)
2019/11/08 20:14:26 [INFO] [*.theblazehen.com] acme: Obtaining bundled SAN certificate
2019/11/08 20:14:27 [INFO] [*.theblazehen.com] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/1146806403
2019/11/08 20:14:27 [INFO] [*.theblazehen.com] acme: Could not find solver for: dns-01
2019/11/08 20:14:27 [ERROR][*.theblazehen.com] failed to obtain certificate: acme: Error -> One or more domains had a problem:
[*.theblazehen.com] [*.theblazehen.com] acme: could not determine solvers (attempt 3/3; challenge=http-01)
2019/11/08 20:14:28 [INFO] [*.theblazehen.com] acme: Obtaining bundled SAN certificate
2019/11/08 20:14:28 http: TLS handshake error from 169.254.95.120:43426: EOF
2019/11/08 20:14:29 [INFO] [*.theblazehen.com] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/1146806794
2019/11/08 20:14:29 [INFO] [*.theblazehen.com] acme: Could not find solver for: dns-01
2019/11/08 20:14:30 [ERROR][*.theblazehen.com] failed to obtain certificate: acme: Error -> One or more domains had a problem:
[*.theblazehen.com] [*.theblazehen.com] acme: could not determine solvers (attempt 1/3; challenge=tls-alpn-01)
2019/11/08 20:14:31 [INFO] [*.theblazehen.com] acme: Obtaining bundled SAN certificate
<snip>
```
It was working in caddy v1 and is no longer working in caddy v2. The behaviour of caddy v1 should be implemented
I'm manually listing each domain I want to serve in the Caddyfile
Thanks for trying Caddy 2 while we're still in beta!
For wildcard certificates from Let's Encrypt, you need to enable the DNS challenge. This is the case in Caddy 1 as well.
(DNS providers have not yet been integrated into Caddy 2, although this is very easy to do and won't take long once we do it.)
I suppose my recommendation would be to wait until the DNS challenge can be configured in Caddy 2.
So I guess this is a duplicate of #2855.
I know a DNS challenge is required for wildcards, but caddy v1 would also do a http challenge on the first request for a new domain, was hoping caddy v2 could also do that.
> but caddy v1 would also do a http challenge on the first request for a new domain, was hoping caddy v2 could also do that.
I don't understand... is this issue not about wildcards then?
Eg, on caddy v1 I could have *.theblazehen.com configured.
I could then make a request to example.theblazehen.com, and it would then block the connection for ~20 seconds while it did a http challenge to get the ssl cert for example.theblazehen.com and then serve the connection.
Hmm... Just tested that again with caddy v1 and I can't reproduce that behaviour. I know I had it working ~ 1 year ago.
That's called "on-demand TLS", which also has to be explicitly enabled using the ask subdirective of the tls directive: https://caddyserver.com/v1/docs/tls
On-Demand TLS and obtaining wildcard certificates are orthogonal (unrelated) concepts.
Ah! Thanks for the help. :)
I believe I was running a really old version in the past before ask was a thing
Gotcha. Yeah, Caddy 2 is capable of on-demand TLS already, but similarly requires configuring an "ask" endpoint to get permission to obtain a certificate at handshake-time.
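As an added illustration of the "ask" gate described in the reply above (example code written for this thread, not Caddy's own): before obtaining a certificate at handshake time, Caddy sends `GET <ask URL>?domain=<name>` and treats an HTTP 200 as permission and any other status as a refusal. The endpoint below allows exactly one label under an allowlisted zone, mirroring what `*.theblazehen.com` would cover, and refuses the zone apex, deeper names, wildcards and look-alike names such as `evil-theblazehen.com`. The allowlisted zone, the `/check` path and the `127.0.0.1:5555` listener are assumptions for the example.

```go
// Added example, not Caddy's own code: a minimal "ask" endpoint for
// on-demand TLS. Caddy issues GET <ask-url>?domain=<name> before ordering
// a certificate; HTTP 200 permits issuance, anything else denies it.
package main

import (
	"log"
	"net/http"
	"strings"
)

// allowedZones are the parent zones whose direct subdomains this server
// may obtain certificates for. Constructed for the example.
var allowedZones = []string{"theblazehen.com"}

// validLabel accepts a single lower-case DNS label (letters, digits,
// hyphens; no leading or trailing hyphen; at most 63 characters).
func validLabel(l string) bool {
	if l == "" || len(l) > 63 || l[0] == '-' || l[len(l)-1] == '-' {
		return false
	}
	for _, c := range l {
		if !(c >= 'a' && c <= 'z' || c >= '0' && c <= '9' || c == '-') {
			return false
		}
	}
	return true
}

// Allowed reports whether a certificate may be obtained for domain.
// The name is normalised (lower-cased, trailing dot removed) and must
// consist of exactly one valid label beneath an allowlisted zone, which is
// what *.zone covers. A naive HasSuffix(d, "theblazehen.com") would also
// accept "evil-theblazehen.com", so the match is done on ".zone".
func Allowed(domain string) bool {
	d := strings.ToLower(strings.TrimSuffix(strings.TrimSpace(domain), "."))
	for _, zone := range allowedZones {
		suffix := "." + zone
		if !strings.HasSuffix(d, suffix) {
			continue
		}
		rest := strings.TrimSuffix(d, suffix)
		if validLabel(rest) { // one label only: validLabel rejects dots
			return true
		}
	}
	return false
}

// AskHandler serves the ask URL. Caddy only inspects the status code, so
// the body is informational. Denials are logged with the client address,
// which is the signal to alert on if strangers point DNS at this server.
func AskHandler(w http.ResponseWriter, r *http.Request) {
	domain := r.URL.Query().Get("domain")
	if !Allowed(domain) {
		log.Printf("on-demand TLS denied for %q (from %s)", domain, r.RemoteAddr)
		http.Error(w, "domain not permitted", http.StatusForbidden)
		return
	}
	log.Printf("on-demand TLS permitted for %q", domain)
	w.WriteHeader(http.StatusOK)
}

func main() {
	http.HandleFunc("/check", AskHandler)
	// Loopback only: the ask endpoint is consulted by Caddy on the same
	// host and must not be reachable from the Internet.
	log.Fatal(http.ListenAndServe("127.0.0.1:5555", nil))
}
```

Run it beside Caddy and set the on-demand ask URL to `http://127.0.0.1:5555/check`. The gate matters because without it any name whose DNS happens to resolve to the server would trigger an ACME order on first handshake, consuming the CA's rate limits and letting a stranger have certificates for their own names obtained by your server; the endpoint's allowlist is what keeps issuance bound to names you actually operate.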
Thanks! I see it in the docs for the json config format, but I can't get it working in the Caddyfile format using the example at https://caddyserver.com/v1/docs/automatic-https#on-demand
```
root@server:/tmp# cat /etc/Caddyfile
*.theblazehen.com {
    tls {
        ask http://httpstat.us/200
    }
    reverse_proxy / {host}.home:80
}
root@server:/tmp# caddy adapt --config /etc/Caddyfile --adapter caddyfile --pretty
adapt: parsing caddyfile tokens for 'tls': Caddyfile:3 - Error during parsing: unknown subdirective: ask
```
I tried using max_certs instead of ask as well, but it seems it doesn't like the tls directive. Is that supported in the Caddyfile format or should I migrate to a JSON config?
I'm struggling to understand how to move out of this issue here. I'm on 2.1.1.
As a workaround, I get my DNS at Porkbun, I haven't found a module for that, and to be honest, going about installing one is a last resort.
Even after trying to read all the question threads, I'm really confused as to what to do here. Regretfully, that seems to me like at least a UX error here.
@joallard
For starters, as a user, "acme: could not determine solvers" does not tell me information about the cause of the problem or how to solve it.
All the logs and error messages (well, most of them) like that one have been rewritten in 2.2 (currently in release candidate 1) because all the underlying ACME code has been replaced by acmez so we now have full control of the entire ACME stack.
The documentation makes explicit mention of supporting wildcard certs provided certain conditions. (I think those are the docs for v2, but I'm not 100% sure)
That's correct. The conditions are:
To get a wildcard from Let's Encrypt, you simply need to enable the DNS challenge and use a wildcard domain in your config.
(Other ACME CAs such as ZeroSSL may not require the DNS challenge.)
This issue was closed about a year ago, and is basically a duplicate. Can you please post on the forum and describe your question there instead? https://caddy.community
> All the logs and error messages (well, most of them) like that one have been rewritten in 2.2 (currently in release candidate 1) because all the underlying ACME code has been replaced by acmez so we now have full control of the entire ACME stack.
Oh, nice. I just learned that ACME requires wildcards to be DNS challenges, so that is super helpful to know.
I'm unsure whether that's the case in the rewrite, but detecting wildcard domains and pointing a link to documentation would be ideal, I think.
I'm not sure this is the right place to say it, but it would have been helpful from the documentation to know that wildcards are in fact not supported and need a bit more configuration.
> Can you please post on the forum and describe your question there instead? https://caddy.community
I'm currently unable to do that. I've spent a good hour chasing after different boilerplate things, and I'm out of energy at this point so I can't contribute more for now unfortunately.
I thought it would be helpful to add information to the same issue, sorry if that's not the right place.
In any way, thanks for your help!
> I just learned that ACME requires wildcards to be DNS challenges, so that is super helpful to know.
It doesn't -- crucially, that's why the docs say _Let's Encrypt_ requires the DNS challenge, and why I emphasized that in my reply:
> (Other ACME CAs such as ZeroSSL may not require the DNS challenge.)
Anyway, just want to make sure that's clear!
> I'm not sure this is the right place to say it, but it would have been helpful from the documentation to know that wildcards are in fact not supported and need a bit more configuration.
Wildcards _are_ supported. I'm not sure if we're reading the same documentation?
> I'm currently unable to do that. I've spent a good hour chasing after different boilerplate things, and I'm out of energy at this point so I can't contribute more for now unfortunately.
That's too bad, please come back when you have rested then!