Auto HTTPS changes for better wildcard cert config ergonomics #5447
Comments
How about adding an int param to
@gzzchh that would necessarily require that the above proposal is accepted as-is since that's an addition to that. But besides that, I'm not sure that makes sense. I don't think the amount of hostnames is a relevant metric. You must configure the DNS challenge to be able to use wildcard certs. At that point, what's the benefit of using individual domain certs at all for those domains? Also it means there would be side effects from adding another domain to the config if it crosses the threshold: the other domains would suddenly stop using the cert they already had issued. I don't think it's something users should need to consider the implications of; I don't think it brings any value.
I have an implementation ready for review/testing: #6146
Followup on #3200, sparked by https://caddy.community/t/feature-request-reconsider-easier-wildcard-certificates-in-caddyfile/19348. See my reply on the forum question for context.
The gist is that we want to be careful with the amount of complexity we introduce. So we need to find a simple solution that doesn't complicate Automatic HTTPS too much.
My current thought is we could add a new option to `auto_https` called (tentatively) `prefer_wildcard`. What this would do is change how Auto HTTPS collects hostnames from top-level routes, and what TLS automation policies it creates from those hostnames. Essentially, it would sort top-level hostnames according to specificity, then remove hostnames from the list if they're covered by another wildcard hostname in the list, and only make policies for the remainder.

So `*.foo.com`, `bar.foo.com` and `baz.com` would result in two policies, only `*.foo.com` and `baz.com`.

If a site uses `tls`, then it might still get its own automation policy (depending on the options used in the directive), so it would ignore using the wildcard cert.

A Caddyfile config using this pattern could look like this, which is flatter than the current recommendation from https://caddyserver.com/docs/caddyfile/patterns#wildcard-certificates:
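The hostname pruning sketched above (sort by specificity, drop any name a wildcard already in the list covers), written out as an added Go example; this is not Caddy's code nor the implementation in #6146, and `specificity`, `coveredBy` and `preferWildcard` are names chosen here. It assumes the single-label wildcard matching used for certificates, so `*.foo.com` does not cover `a.b.foo.com` or `foo.com`.

```go
package main

import (
	"sort"
	"strings"
)

// specificity ranks hostnames: more labels is more specific, and a concrete
// first label beats a leading "*" with the same number of labels.
func specificity(host string) int {
	n := 2 * strings.Count(host, ".")
	if strings.HasPrefix(host, "*.") {
		return n - 1
	}
	return n
}

// coveredBy reports whether a cert for the wildcard pattern would cover host:
// "*" matches exactly one label, so "*.foo.com" covers "bar.foo.com" but
// neither "a.b.foo.com" nor "foo.com" itself.
func coveredBy(host, pattern string) bool {
	i := strings.IndexByte(host, '.')
	if !strings.HasPrefix(pattern, "*.") || i < 0 || host[0] == '*' {
		return false
	}
	return host[i+1:] == pattern[2:]
}

// preferWildcard returns the hostnames that would still get their own
// automation policy: the list is sorted least specific first, and a name is
// dropped when it duplicates, or is covered by a wildcard among, the names
// already kept. Input is assumed to be lowercase hostnames (an assumption).
func preferWildcard(hosts []string) []string {
	sorted := append([]string(nil), hosts...)
	sort.SliceStable(sorted, func(i, j int) bool {
		return specificity(sorted[i]) < specificity(sorted[j])
	})
	var keep []string
	for _, h := range sorted {
		covered := false
		for _, w := range keep {
			covered = covered || h == w || coveredBy(h, w)
		}
		if !covered {
			keep = append(keep, h)
		}
	}
	return keep
}
```

With the issue's example input, `preferWildcard([]string{"*.foo.com", "bar.foo.com", "baz.com"})` returns `[baz.com *.foo.com]`, the two policies described above.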