Wildcard domain throttled block valid definitions #7365

@Pyvonix

Description

Issue Details

It has been observed that as long as Caddy is unable to retrieve a certificate (in my case the wildcard, because it has reached its limit), the service cannot serve other domains that have a valid certificate.

  • /etc/caddy/Caddyfile

domain.com, *.domain.com {
    root * /var/www/html

    rewrite * /default.html
    file_server
}

import conf.d/*.caddy

  • /etc/caddy/conf.d/eg1.caddy

eg1.domain.com {
    reverse_proxy 127.0.0.1:8001
}

  • /etc/caddy/conf.d/eg2.caddy

eg2.domain.com {
    reverse_proxy 127.0.0.1:8002
}

  • Service log: journalctl -u caddy --no-pager
Nov 25 14:55:09 talos systemd[1]: Started caddy.service - Caddy.
Nov 25 14:55:09 talos caddy[167522]: {"level":"info","ts":1764078909.4350936,"logger":"tls.obtain","msg":"acquiring lock","identifier":"*.domain.com"}
Nov 25 14:55:09 talos caddy[167522]: {"level":"info","ts":1764078909.4381018,"logger":"tls.obtain","msg":"lock acquired","identifier":"*.domain.com"}
Nov 25 14:55:09 talos caddy[167522]: {"level":"info","ts":1764078909.438182,"logger":"tls.obtain","msg":"obtaining certificate","identifier":"*.domain.com"}
Nov 25 14:55:09 talos caddy[167522]: {"level":"info","ts":1764078909.4388652,"logger":"http","msg":"waiting on internal rate limiter","identifiers":["*.domain.com"],"ca":"https://acme-v02.api.letsencrypt.org/directory","account":""}
Nov 25 14:55:09 talos caddy[167522]: {"level":"info","ts":1764078909.4388914,"logger":"http","msg":"done waiting on internal rate limiter","identifiers":["*.domain.com"],"ca":"https://acme-v02.api.letsencrypt.org/directory","account":""}
Nov 25 14:55:09 talos caddy[167522]: {"level":"info","ts":1764078909.4389036,"logger":"http","msg":"using ACME account","account_id":"https://acme-v02.api.letsencrypt.org/acme/acct/0000000000","account_contact":[]}
Nov 25 14:55:10 talos caddy[167522]: {"level":"error","ts":1764078910.5658615,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"*.domain.com","issuer":"acme-v02.api.letsencrypt.org-directory","error":"[*.domain.com] solving challenges: *.domain.com: no solvers available for remaining challenges (configured=[http-01 tls-alpn-01] offered=[dns-01] remaining=[dns-01]) (order=https://acme-v02.api.letsencrypt.org/acme/order/0000000000/0000000000) (ca=https://acme-v02.api.letsencrypt.org/directory)"}
Nov 25 14:55:10 talos caddy[167522]: {"level":"error","ts":1764078910.5659215,"logger":"tls.obtain","msg":"will retry","error":"[*.domain.com] Obtain: [*.domain.com] solving challenges: *.domain.com: no solvers available for remaining challenges (configured=[http-01 tls-alpn-01] offered=[dns-01] remaining=[dns-01]) (order=https://acme-v02.api.letsencrypt.org/acme/order/0000000000/0000000000) (ca=https://acme-v02.api.letsencrypt.org/directory)","attempt":1,"retrying_in":60,"elapsed":1.127805806,"max_duration":2592000}
Nov 25 14:56:10 talos caddy[167522]: {"level":"info","ts":1764078970.5671198,"logger":"tls.obtain","msg":"obtaining certificate","identifier":"*.domain.com"}
Nov 25 14:56:10 talos caddy[167522]: {"level":"info","ts":1764078970.5683472,"logger":"http","msg":"using ACME account","account_id":"https://acme-staging-v02.api.letsencrypt.org/acme/acct/0000000000","account_contact":[]}
Nov 25 14:56:11 talos caddy[167522]: {"level":"error","ts":1764078971.6402583,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"*.domain.com","issuer":"acme-v02.api.letsencrypt.org-directory","error":"[*.domain.com] solving challenges: *.domain.com: no solvers available for remaining challenges (configured=[http-01 tls-alpn-01] offered=[dns-01] remaining=[dns-01]) (order=https://acme-staging-v02.api.letsencrypt.org/acme/order/0000000000/0000000000) (ca=https://acme-staging-v02.api.letsencrypt.org/directory)"}
Nov 25 14:56:11 talos caddy[167522]: {"level":"error","ts":1764078971.6403286,"logger":"tls.obtain","msg":"will retry","error":"[*.domain.com] Obtain: [*.domain.com] solving challenges: *.domain.com: no solvers available for remaining challenges (configured=[http-01 tls-alpn-01] offered=[dns-01] remaining=[dns-01]) (order=https://acme-staging-v02.api.letsencrypt.org/acme/order/0000000000/0000000000) (ca=https://acme-staging-v02.api.letsencrypt.org/directory)","attempt":2,"retrying_in":120,"elapsed":62.202212762,"max_duration":2592000}

If I remove the ", *.domain.com" part from the /etc/caddy/Caddyfile file and restart the service, the service works correctly.

As far as I understand, the loop for obtaining domain certificates is blocking the service from starting to serve/proxy connections. Is it possible to change this behavior?

Assistance Disclosure

AI not used

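The log above already contains the diagnostic that matters: the CA offered only the dns-01 challenge for the wildcard name, while Caddy was configured with http-01 and tls-alpn-01, so the order can never be completed and Caddy keeps retrying within a 30-day window (max_duration 2592000). The script below is an added example, not code from this issue or from Caddy itself. It parses journalctl lines in the shape shown above, extracts the JSON event, and reports every identifier whose remaining challenge types are not among the configured solvers, together with the current retry backoff. The sample log embedded in it is constructed to match the issue's format; the host name, PID, timestamps, order URLs and the "certificate obtained successfully" line for eg1.domain.com are placeholders, not values from the issue.

```python
"""Flag Caddy/certmagic certificate orders that can never be solved.

Added example: reads journalctl output for the caddy unit, finds
'could not get certificate from issuer' events whose error says the CA
only offered challenge types Caddy has no solver for, and summarises the
retry state so an operator can spot a stuck wildcard order quickly.
"""
import json
import re
import sys

# journalctl prefix: "Nov 25 14:55:09 host caddy[PID]: {json}"
JOURNAL_RE = re.compile(
    r"^(?P<stamp>\w{3} +\d+ [\d:]+) (?P<host>\S+) caddy\[\d+\]: (?P<json>\{.*\})$"
)
# certmagic embeds the three challenge sets as bracketed, space-separated lists
SOLVER_RE = re.compile(
    r"no solvers available for remaining challenges "
    r"\(configured=\[(?P<configured>[^\]]*)\] offered=\[(?P<offered>[^\]]*)\] "
    r"remaining=\[(?P<remaining>[^\]]*)\]\)"
)
# 'will retry' events carry no identifier field; it leads the error string
IDENT_PREFIX_RE = re.compile(r"^\[(?P<identifier>[^\]]+)\]")

# Constructed sample in the shape of the issue's journalctl output. Host,
# PID, timestamps and order URLs are placeholders, not real values.
SAMPLE_LOG = """\
Nov 25 14:55:09 host caddy[1]: {"level":"info","ts":1.0,"logger":"tls.obtain","msg":"obtaining certificate","identifier":"*.domain.com"}
Nov 25 14:55:10 host caddy[1]: {"level":"error","ts":2.0,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"*.domain.com","issuer":"acme-v02.api.letsencrypt.org-directory","error":"[*.domain.com] solving challenges: *.domain.com: no solvers available for remaining challenges (configured=[http-01 tls-alpn-01] offered=[dns-01] remaining=[dns-01]) (order=https://ca.example/order/1) (ca=https://ca.example/directory)"}
Nov 25 14:55:10 host caddy[1]: {"level":"error","ts":2.1,"logger":"tls.obtain","msg":"will retry","error":"[*.domain.com] Obtain: [*.domain.com] solving challenges: *.domain.com: no solvers available for remaining challenges (configured=[http-01 tls-alpn-01] offered=[dns-01] remaining=[dns-01]) (order=https://ca.example/order/1) (ca=https://ca.example/directory)","attempt":1,"retrying_in":60,"elapsed":1.1,"max_duration":2592000}
Nov 25 14:55:12 host caddy[1]: {"level":"info","ts":3.0,"logger":"tls.obtain","msg":"certificate obtained successfully","identifier":"eg1.domain.com"}
Nov 25 14:56:11 host caddy[1]: {"level":"error","ts":4.0,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"*.domain.com","issuer":"acme-v02.api.letsencrypt.org-directory","error":"[*.domain.com] solving challenges: *.domain.com: no solvers available for remaining challenges (configured=[http-01 tls-alpn-01] offered=[dns-01] remaining=[dns-01]) (order=https://ca.example/order/2) (ca=https://ca.example/directory)"}
Nov 25 14:56:11 host caddy[1]: {"level":"error","ts":4.1,"logger":"tls.obtain","msg":"will retry","error":"[*.domain.com] Obtain: [*.domain.com] solving challenges: *.domain.com: no solvers available for remaining challenges (configured=[http-01 tls-alpn-01] offered=[dns-01] remaining=[dns-01]) (order=https://ca.example/order/2) (ca=https://ca.example/directory)","attempt":2,"retrying_in":120,"elapsed":62.2,"max_duration":2592000}
"""


def parse_journal_line(line):
    """Split one journalctl line into (timestamp, Caddy JSON event); None if it is not one."""
    m = JOURNAL_RE.match(line.strip())
    if m is None:
        return None
    try:
        return m.group("stamp"), json.loads(m.group("json"))
    except json.JSONDecodeError:
        return None


def unsolvable_challenges(lines):
    """Return {identifier: finding} for orders whose remaining challenge types
    are not among the solvers Caddy has configured.

    Each 'could not get certificate from issuer' event counts as one failed
    attempt; the matching 'will retry' event only updates the backoff fields.
    """
    findings = {}
    for line in lines:
        parsed = parse_journal_line(line)
        if parsed is None:
            continue
        stamp, ev = parsed
        if ev.get("logger") != "tls.obtain":
            continue
        error = ev.get("error", "")
        if ev.get("msg") == "could not get certificate from issuer":
            sm = SOLVER_RE.search(error)
            if sm is None:
                continue
            configured = set(sm.group("configured").split())
            missing = [c for c in sm.group("remaining").split() if c not in configured]
            if not missing:
                continue
            ident = ev.get("identifier", "?")
            f = findings.setdefault(ident, {
                "first_seen": stamp, "failures": 0, "missing_solvers": missing,
                "issuer": ev.get("issuer"), "retrying_in": None,
                "max_duration": None, "hint": None,
            })
            f["failures"] += 1
            # Let's Encrypt validates wildcard names only through dns-01.
            if ident.startswith("*.") and "dns-01" in missing:
                f["hint"] = "wildcard names are only issued via dns-01; configure a DNS challenge solver"
        elif ev.get("msg") == "will retry":
            pm = IDENT_PREFIX_RE.match(error)
            if pm and pm.group("identifier") in findings:
                f = findings[pm.group("identifier")]
                f["retrying_in"] = ev.get("retrying_in")
                f["max_duration"] = ev.get("max_duration")
    return findings


def report(findings):
    """Render findings as one line per identifier, suitable for an alert body."""
    out = []
    for ident, f in sorted(findings.items()):
        line = (f"{ident}: {f['failures']} failed order(s) since {f['first_seen']}, "
                f"missing solver(s) {','.join(f['missing_solvers'])}")
        if f["retrying_in"] is not None:
            line += f"; next retry in {f['retrying_in']}s (retry window {f['max_duration']}s)"
        if f["hint"]:
            line += f" -- {f['hint']}"
        out.append(line)
    return out


if __name__ == "__main__":
    # Pipe `journalctl -u caddy --no-pager` into the script; with no pipe it
    # falls back to the constructed sample above.
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE_LOG.splitlines()
    for line in report(unsolvable_challenges(source)):
        print(line)
```

On the sample above this reports one stuck identifier, *.domain.com, with two failed orders, dns-01 as the missing solver and a 120 s backoff, and it stays silent about eg1.domain.com. Run against the real journal it separates "the CA is rate-limiting me" from "the CA is offering a challenge I cannot answer", which are the two very different reasons a wildcard order can sit in a retry loop.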
