Caddy + Cloudflare DNS: Wildcard SSL Without the Pain

via Dev.to · Aman

Wildcard certs (*.example.com) require the DNS-01 challenge; the HTTP challenge can't prove you own every subdomain. If your DNS is on Cloudflare, that means building Caddy yourself, since the default binary ships without DNS provider modules. This guide walks through the full setup: custom build, secure token storage, and a working Caddyfile.

Why a Custom Build?

Caddy's DNS provider support ships as external modules that get compiled in at build time. The official xcaddy tool exists exactly for this. It's a thin wrapper around go build that handles module injection cleanly.

1. Install Base Caddy

Follow the official install docs for your distro. Don't skip this step even though we're replacing the binary later. The package install handles systemd unit setup, user/group creation, and directory structure.

2. Install Go

Avoid your distro's package manager here; Go versions in system repos tend to lag. Get the latest from go.dev/doc/install.

3. Install xcaddy

go install github.com/caddyserver/x
