Combination of ech and a site block for the ech name cannot use tls resolver config #7354

@Gunni

Issue Details

{
        acme_dns cloudflare foo
        ech example.com
}

example.com {
        tls {
                resolvers 1.1.1.1
        }
}

Result:

Error: hostname appears in more than one automation policy, making certificate management ambiguous: example.com

I didn't even have to redact the file; any hostname triggers this if it is set in both ech and a site block.

xCaddy Build script
#!/bin/bash

IFS=$'\n\t'
set -euo pipefail

# Debug logs
#set -x

# Done by dependency
#/usr/libexec/xcaddy/install_golang.sh

export PATH=/opt/golang/latest/go/bin:$PATH

go install github.com/caddyserver/xcaddy/cmd/xcaddy@latest

export PATH=$PATH:${GOPATH}/bin

xcaddy build --output xcaddy master \
        --with github.com/caddy-dns/cloudflare \
        --with github.com/aksdb/caddy-cgi/v2

cd /opt/xcaddy

tmpdir=$(mktemp -d --tmpdir=/opt/xcaddy .xcaddy-XXXX)
chmod go+rx ${tmpdir}

tmpdir_nodot="${tmpdir//./}"

# Copy built files to tmpdir
cp -r \
        /tmp/xcaddy \
        ${tmpdir}/

restorecon -RvF ${tmpdir}
mv ${tmpdir} ${tmpdir_nodot}

sync /opt/xcaddy

ln --verbose --relative --force --no-dereference --symbolic $(basename ${tmpdir_nodot}) live

# Rename old directories for cleanup by systemd-tmpfiles
find . -maxdepth 1 -type d -name 'xcaddy-*' ! -name $(basename $(realpath /opt/xcaddy/live)) -exec bash -c 'mv -v $(basename {}) .$(basename {})'  \;

Assistance Disclosure

AI not used

If AI was used, describe the extent to which it was used.

No response
