Feature request: Support multiple local TLS certificates (domain-based selection) #127

Open
opened 2025-12-29 09:23:29 +01:00 by adam · 0 comments
Owner

Originally created by @henryxrl on GitHub (Dec 22, 2025).

I’d like to request support for multiple local TLS certificates in GoDoxy, with domain-based matching.

Background

Right now, when using:

autocert:
  provider: local
  cert_path: /path/to/fullchain.pem
  key_path:  /path/to/privkey.pem

GoDoxy can only load a single certificate. This works fine for simple setups, but becomes limiting in more complex environments.

Use Case

I have multiple valid certificates, already issued elsewhere (e.g. via Traefik / ACME), such as:

/app/certs/example1.com/
  ├─ fullchain.pem
  └─ privkey.pem

/app/certs/example2.com/
  ├─ fullchain.pem
  └─ privkey.pem

These certificates cover different domain scopes, for example:

  • *.example1.com (public / external)
  • *.example2.com (internal / split-horizon DNS)

At the moment, I have to choose one certificate and lose correct TLS for the other domain set.

Requested capability

Support multiple local certificates, with automatic selection based on SNI / domain matching.

Conceptually something like:

autocert:
  provider: local
  certificates:
    - domains:
        - example1.com
        - "*.example1.com"
      cert_path: /app/certs/example1.com/fullchain.pem
      key_path:  /app/certs/example1.com/privkey.pem

    - domains:
        - example2.com
        - "*.example2.com"
      cert_path: /app/certs/example2.com/fullchain.pem
      key_path:  /app/certs/example2.com/privkey.pem

or alternatively:

  • directory-based auto-loading (/app/certs/<domain>/)
  • or explicit mapping, whichever fits GoDoxy’s architecture better

Why this matters

  • Enables split-horizon DNS setups
  • Allows clean internal vs external TLS
  • Avoids forcing everything into a single wildcard cert
  • Matches real-world deployments where cert issuance is delegated (Traefik, Caddy, ACME outside GoDoxy)

This would make GoDoxy much easier to adopt as a drop-in reverse proxy in existing infrastructures.
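
One way the requested SNI-based selection could work, as an added example that is not GoDoxy's code or part of the original issue. `certEntry`, `selectEntry` and `getCertificate` are hypothetical names, and failing the handshake for unmatched names instead of serving a default certificate is an assumption, chosen so that the internal certificate is never presented to a client asking for some other name.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"strings"
)

// certEntry mirrors one item of the proposed `certificates:` list (hypothetical type).
type certEntry struct {
	Domains           []string
	CertPath, KeyPath string
}

// selectEntry prefers an exact name, then a wildcard covering one leftmost label; nil = no match.
func selectEntry(entries []certEntry, sni string) *certEntry {
	name := strings.TrimSuffix(strings.ToLower(sni), ".")
	dot := strings.IndexByte(name, '.')
	if name == "" || strings.Contains(name, "*") {
		return nil
	}
	var wild *certEntry
	for i := range entries {
		for _, d := range entries[i].Domains {
			if d = strings.ToLower(d); d == name {
				return &entries[i]
			} else if wild == nil && dot > 0 && d == "*"+name[dot:] {
				wild = &entries[i]
			}
		}
	}
	return wild
}

// getCertificate adapts selectEntry to tls.Config.GetCertificate (reloads per handshake; cache in practice).
func getCertificate(entries []certEntry) func(*tls.ClientHelloInfo) (*tls.Certificate, error) {
	return func(h *tls.ClientHelloInfo) (*tls.Certificate, error) {
		e := selectEntry(entries, h.ServerName)
		if e == nil {
			return nil, fmt.Errorf("no certificate configured for SNI %q", h.ServerName)
		}
		c, err := tls.LoadX509KeyPair(e.CertPath, e.KeyPath)
		return &c, err
	}
}

func main() {
	entries := []certEntry{{[]string{"example1.com", "*.example1.com"}, "fullchain.pem", "privkey.pem"}} // constructed sample
	fmt.Println(selectEntry(entries, "app.example1.com") != nil, selectEntry(entries, "other.test") != nil)
}
```

The function returned by `getCertificate` is what would be assigned to `tls.Config.GetCertificate`; a name such as `a.b.example1.com` is deliberately not covered by `*.example1.com`, matching how wildcard certificates are validated by clients.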

Reference: starred/godoxy#127