Resurrecting this old thread as it seems like the best place to keep all the Caddy discussion together. Admittedly, I didn’t realise this thread was here when I started the Homelab Certificate Management thread a few months ago!
I spent a bit of time mucking around this afternoon with Caddy, and am really impressed. It was surprisingly easy to get running with a few basic test configurations.
I threw a few weird and wonderful scenarios into my Caddyfile, including an IDN using non-English characters I use for testing, and also implementing one of my usual test server configurations involving HTTP status 418.
(For anyone playing at home, this was the entry in my Caddyfile, domain name redacted)
    https://[xxxxxxx] {
        # straight quotes are required; curly quotes are not valid Caddyfile syntax
        respond / "I'm a teapot" 418 {
            close
        }
    }
(And the output from Brave’s Developer Tools)

Every strange permutation I threw at Caddy worked flawlessly, as one would expect.
By the looks of the documentation, wildcard certificates rely on DNS challenge by the ACME provider. This makes sense in order to prove that the Caddy administrator controls the domain and its subdomains.
The Caddy documentation states that a custom build is required for DNS validation, either downloaded as a binary or compiled by the end user. Has anyone here gone down that path or otherwise somehow got wildcard certs working? I’m keen to do that for privacy reasons as stated in the Homelab Certificate Management thread I referenced earlier, and also covered in the Caddy documentation discussing ECH/ESNI. Do I really need to use a separate binary with the specific DNS provider support built into it, or have I totally misinterpreted the documentation? This afternoon’s messing about was using the excellent deSEC service, but I’m open to looking at other providers if there’s some other way to do this within Caddy.
Edit 15/8:
The answer to that is yes. I used the copr version on Fedora 42 (as an excuse to try out Fedora), but will revisit this using a custom build either via xcaddy, using one of the custom binaries available, or a custom build in Docker, when I get a chance.
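For reference, an added example (not the poster's configuration or the Caddy project's own documentation) of what the wildcard-plus-DNS-challenge setup discussed above looks like. It assumes a Caddy binary built with the community deSEC module `github.com/caddy-dns/desec` and its `dns desec <token>` syntax; `example.com` and the `DESEC_TOKEN` environment variable are placeholders.

```caddyfile
# Added example, not the poster's config. Assumes a Caddy binary built with the
# deSEC DNS module (assumed module path), for instance:
#   xcaddy build --with github.com/caddy-dns/desec
# The API token is read from the environment so it never sits in the Caddyfile.
{
	email hostmaster@example.com   # placeholder ACME account contact
	# Make the DNS challenge the default for every site in this file, so the
	# per-site tls blocks below can stay short (assumed provider syntax).
	acme_dns desec {env.DESEC_TOKEN}
}

# One wildcard certificate covers every subdomain, so individual hostnames are
# not published in Certificate Transparency logs (the privacy point above).
# HTTP-01 and TLS-ALPN-01 cannot issue wildcards; only the DNS challenge proves
# control of the whole zone, which is why the DNS module build is required.
*.example.com {
	tls {
		dns desec {env.DESEC_TOKEN}
		# If your local resolver caches aggressively and Caddy's pre-check
		# cannot see the _acme-challenge TXT record yet, point it elsewhere:
		# resolvers 1.1.1.1 9.9.9.9
	}

	# Route by hostname inside the single wildcard site block.
	@teapot host teapot.example.com
	handle @teapot {
		respond "I'm a teapot" 418 {
			close
		}
	}

	@files host files.example.com
	handle @files {
		reverse_proxy 127.0.0.1:8080   # placeholder backend
	}

	# Any other name under the wildcard gets an explicit 404 rather than
	# silently serving the first matching backend.
	handle {
		respond 404
	}
}
```

Run `caddy validate --config Caddyfile` before reloading; it catches syntax errors but does not perform the ACME exchange, so the first real issuance still needs the DNS module present in the binary.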