[GH-ISSUE #26] auto_https prefer_wildcard broken in latest release #10

Closed
opened 2026-02-27 19:08:50 +03:00 by kerem · 2 comments

Originally created by @jfmercille on GitHub (Feb 24, 2026).
Original GitHub issue: https://github.com/CaddyBuilds/caddy-cloudflare/issues/26

Latest release (2.11) has the auto_https prefer_wildcard broken for some reason

Global caddyfile section:
```
{
	acme_dns cloudflare {$CLOUDFLARE_API_TOKEN}
	auto_https prefer_wildcard
}
```

Error after upgrading:

```
Error: adapting config using caddyfile: parsing caddyfile tokens for 'auto_https': auto_https must be one of 'off', 'disable_redirects', 'disable_certs', or 'ignore_loaded_certs', at /etc/caddy/Caddyfile:3
```

I pinned to the previous release (2.10) and everything works

kerem closed this issue 2026-02-27 19:08:50 +03:00

@vkartk commented on GitHub (Feb 25, 2026):

Thanks for reporting this!

Good catch. This isn’t a bug in 2.11, but due to a behavior change introduced in 2.10.

The `auto_https prefer_wildcard` option is no longer needed and has effectively been removed.

As of Caddy 2.10:

➡️ When using the DNS challenge, Caddy now automatically prefers an existing wildcard certificate before issuing individual certs for subdomains. This behavior is now the default.

That’s why 2.11 throws:

> auto_https must be one of 'off', 'disable_redirects', 'disable_certs', or 'ignore_loaded_certs'

because `prefer_wildcard` is no longer a valid option.

Related:

* https://github.com/caddyserver/caddy/issues/7522
* https://caddyserver.com/docs/caddyfile/patterns#wildcard-certificates

👉 Fix: Simply remove this line:

```
auto_https prefer_wildcard
```

and things should work as expected on 2.11.
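A pre-upgrade check for the situation described in this thread, as an added example that is not part of the original issue or the project's code: it scans the global options block of a Caddyfile and reports any `auto_https` argument outside the set listed in the 2.11 error message. The scanner is a simplified stand-in for Caddy's own parser; the function name `lint_auto_https` and the sample site block are assumptions.

```python
# Values accepted by auto_https, copied from the 2.11 error message quoted above.
ALLOWED = {"off", "disable_redirects", "disable_certs", "ignore_loaded_certs"}

# Constructed sample: the global options block from the report plus a made-up site.
SAMPLE = """\
{
	acme_dns cloudflare {$CLOUDFLARE_API_TOKEN}
	auto_https prefer_wildcard
}

*.example.com {
	respond "ok"
}
"""

def lint_auto_https(caddyfile_text):
    """Return [(line_number, value)] for auto_https arguments that are not allowed.

    Simplified scan (an assumption, not Caddy's parser): only the global options
    block is inspected, i.e. a block opened by a bare "{" as the first content line.
    """
    findings = []
    depth = 0
    for lineno, raw in enumerate(caddyfile_text.splitlines(), start=1):
        tokens = []
        for tok in raw.split():
            if tok.startswith("#"):      # rest of the line is a comment
                break
            tokens.append(tok)
        if not tokens:
            continue
        if depth == 0:
            if tokens != ["{"]:
                break                    # file starts with a site block: no global options
            depth = 1
            continue
        if tokens == ["}"]:
            depth -= 1
            if depth == 0:
                break                    # end of the global options block
            continue
        if depth == 1 and tokens[0] == "auto_https":
            findings += [(lineno, a) for a in tokens[1:] if a not in ALLOWED]
        if tokens[-1] == "{":            # nested block; "{$VAR}" is one token, not a brace
            depth += 1
    return findings

if __name__ == "__main__":
    for lineno, value in lint_auto_https(SAMPLE):
        print(f"line {lineno}: auto_https value {value!r} is not accepted; remove it")
```

Running it over a Caddyfile before moving an image tag to a newer release surfaces the rejected line without taking the server down on a failed config load.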

@jfmercille commented on GitHub (Feb 25, 2026):

@vkartk Thank you!
Removing the auto_https line worked on the latest version.
For people wanting to stick to wildcards to "hide" hostnames on certs from transparency logs, this new behavior works well.
