vbump to v2.7.5HEADcaddy-cgi

12 files changed, 295 insertions, 115 deletions

diff --git a/modules/caddytls/acmeissuer.go b/modules/caddytls/acmeissuer.go
index ca79981..5e79c2d 100644
--- a/modules/caddytls/acmeissuer.go
+++ b/modules/caddytls/acmeissuer.go
@@ -24,13 +24,14 @@ import (
 	"strconv"
 	"time"
 
-	"github.com/caddyserver/caddy/v2"
-	"github.com/caddyserver/caddy/v2/caddyconfig"
-	"github.com/caddyserver/caddy/v2/caddyconfig/caddyfile"
 	"github.com/caddyserver/certmagic"
 	"github.com/mholt/acmez"
 	"github.com/mholt/acmez/acme"
 	"go.uber.org/zap"
+
+	"github.com/caddyserver/caddy/v2"
+	"github.com/caddyserver/caddy/v2/caddyconfig"
+	"github.com/caddyserver/caddy/v2/caddyconfig/caddyfile"
 )
 
 func init() {
diff --git a/modules/caddytls/automation.go b/modules/caddytls/automation.go
index 7f216d5..ee25400 100644
--- a/modules/caddytls/automation.go
+++ b/modules/caddytls/automation.go
@@ -19,12 +19,14 @@ import (
 	"errors"
 	"fmt"
 	"net/http"
+	"strings"
 	"time"
 
-	"github.com/caddyserver/caddy/v2"
 	"github.com/caddyserver/certmagic"
 	"github.com/mholt/acmez"
 	"go.uber.org/zap"
+
+	"github.com/caddyserver/caddy/v2"
 )
 
 // AutomationConfig governs the automated management of TLS certificates.
@@ -84,7 +86,14 @@ type AutomationConfig struct {
 // TLS app to properly provision a new policy.
 type AutomationPolicy struct {
 	// Which subjects (hostnames or IP addresses) this policy applies to.
-	Subjects []string `json:"subjects,omitempty"`
+	//
+	// This list is a filter, not a command. In other words, it is used
+	// only to filter whether this policy should apply to a subject that
+	// needs a certificate; it does NOT command the TLS app to manage a
+	// certificate for that subject. To have Caddy automate a certificate
+	// or specific subjects, use the "automate" certificate loader module
+	// of the TLS app.
+	SubjectsRaw []string `json:"subjects,omitempty"`
 
 	// The modules that may issue certificates. Default: internal if all
 	// subjects do not qualify for public certificates; othewise acme and
@@ -94,9 +103,11 @@ type AutomationPolicy struct {
 	// Modules that can get a custom certificate to use for any
 	// given TLS handshake at handshake-time. Custom certificates
 	// can be useful if another entity is managing certificates
-	// and Caddy need only get it and serve it.
+	// and Caddy need only get it and serve it. Specifying a Manager
+	// enables on-demand TLS, i.e. it has the side-effect of setting
+	// the on_demand parameter to `true`.
 	//
-	// TODO: This is an EXPERIMENTAL feature. It is subject to change or removal.
+	// TODO: This is an EXPERIMENTAL feature. Subject to change or removal.
 	ManagersRaw []json.RawMessage `json:"get_certificate,omitempty" caddy:"namespace=tls.get_certificate inline_key=via"`
 
 	// If true, certificates will be requested with MustStaple. Not all
@@ -146,12 +157,21 @@ type AutomationPolicy struct {
 	Issuers  []certmagic.Issuer  `json:"-"`
 	Managers []certmagic.Manager `json:"-"`
 
-	magic   *certmagic.Config
-	storage certmagic.Storage
+	subjects []string
+	magic    *certmagic.Config
+	storage  certmagic.Storage
 }
 
 // Provision sets up ap and builds its underlying CertMagic config.
 func (ap *AutomationPolicy) Provision(tlsApp *TLS) error {
+	// replace placeholders in subjects to allow environment variables
+	repl := caddy.NewReplacer()
+	subjects := make([]string, len(ap.SubjectsRaw))
+	for i, sub := range ap.SubjectsRaw {
+		subjects[i] = repl.ReplaceAll(sub, "")
+	}
+	ap.subjects = subjects
+
 	// policy-specific storage implementation
 	if ap.StorageRaw != nil {
 		val, err := tlsApp.ctx.LoadModule(ap, "StorageRaw")
@@ -165,36 +185,6 @@ func (ap *AutomationPolicy) Provision(tlsApp *TLS) error {
 		ap.storage = cmStorage
 	}
 
-	// on-demand TLS
-	var ond *certmagic.OnDemandConfig
-	if ap.OnDemand {
-		ond = &certmagic.OnDemandConfig{
-			DecisionFunc: func(name string) error {
-				// if an "ask" endpoint was defined, consult it first
-				if tlsApp.Automation != nil &&
-					tlsApp.Automation.OnDemand != nil &&
-					tlsApp.Automation.OnDemand.Ask != "" {
-					if err := onDemandAskRequest(tlsApp.logger, tlsApp.Automation.OnDemand.Ask, name); err != nil {
-						// distinguish true errors from denials, because it's important to log actual errors
-						if !errors.Is(err, errAskDenied) {
-							tlsApp.logger.Error("request to 'ask' endpoint failed",
-								zap.Error(err),
-								zap.String("endpoint", tlsApp.Automation.OnDemand.Ask),
-								zap.String("domain", name))
-						}
-						return err
-					}
-				}
-				// check the rate limiter last because
-				// doing so makes a reservation
-				if !onDemandRateLimiter.Allow() {
-					return fmt.Errorf("on-demand rate limit exceeded")
-				}
-				return nil
-			},
-		}
-	}
-
 	// we don't store loaded modules directly in the certmagic config since
 	// policy provisioning may happen more than once (during auto-HTTPS) and
 	// loading a module clears its config bytes; thus, load the module and
@@ -251,6 +241,46 @@ func (ap *AutomationPolicy) Provision(tlsApp *TLS) error {
 		storage = tlsApp.ctx.Storage()
 	}
 
+	// on-demand TLS
+	var ond *certmagic.OnDemandConfig
+	if ap.OnDemand || len(ap.Managers) > 0 {
+		// ask endpoint is now required after a number of negligence cases causing abuse;
+		// but is still allowed for explicit subjects (non-wildcard, non-unbounded),
+		// for the internal issuer since it doesn't cause ACME issuer pressure
+		if ap.isWildcardOrDefault() && !ap.onlyInternalIssuer() && (tlsApp.Automation == nil || tlsApp.Automation.OnDemand == nil || tlsApp.Automation.OnDemand.Ask == "") {
+			return fmt.Errorf("on-demand TLS cannot be enabled without an 'ask' endpoint to prevent abuse; please refer to documentation for details")
+		}
+		ond = &certmagic.OnDemandConfig{
+			DecisionFunc: func(name string) error {
+				if tlsApp.Automation == nil || tlsApp.Automation.OnDemand == nil {
+					return nil
+				}
+				if err := onDemandAskRequest(tlsApp.logger, tlsApp.Automation.OnDemand.Ask, name); err != nil {
+					// distinguish true errors from denials, because it's important to elevate actual errors
+					if errors.Is(err, errAskDenied) {
+						tlsApp.logger.Debug("certificate issuance denied",
+							zap.String("ask_endpoint", tlsApp.Automation.OnDemand.Ask),
+							zap.String("domain", name),
+							zap.Error(err))
+					} else {
+						tlsApp.logger.Error("request to 'ask' endpoint failed",
+							zap.String("ask_endpoint", tlsApp.Automation.OnDemand.Ask),
+							zap.String("domain", name),
+							zap.Error(err))
+					}
+					return err
+				}
+				// check the rate limiter last because
+				// doing so makes a reservation
+				if !onDemandRateLimiter.Allow() {
+					return fmt.Errorf("on-demand rate limit exceeded")
+				}
+				return nil
+			},
+			Managers: ap.Managers,
+		}
+	}
+
 	template := certmagic.Config{
 		MustStaple:         ap.MustStaple,
 		RenewalWindowRatio: ap.RenewalWindowRatio,
@@ -261,12 +291,13 @@ func (ap *AutomationPolicy) Provision(tlsApp *TLS) error {
 			DisableStapling:    ap.DisableOCSPStapling,
 			ResponderOverrides: ap.OCSPOverrides,
 		},
-		Storage:  storage,
-		Issuers:  issuers,
-		Managers: ap.Managers,
-		Logger:   tlsApp.logger,
+		Storage: storage,
+		Issuers: issuers,
+		Logger:  tlsApp.logger,
 	}
-	ap.magic = certmagic.New(tlsApp.certCache, template)
+	certCacheMu.RLock()
+	ap.magic = certmagic.New(certCache, template)
+	certCacheMu.RUnlock()
 
 	// sometimes issuers may need the parent certmagic.Config in
 	// order to function properly (for example, ACMEIssuer needs
@@ -282,6 +313,35 @@ func (ap *AutomationPolicy) Provision(tlsApp *TLS) error {
 	return nil
 }
 
+// Subjects returns the list of subjects with all placeholders replaced.
+func (ap *AutomationPolicy) Subjects() []string {
+	return ap.subjects
+}
+
+func (ap *AutomationPolicy) onlyInternalIssuer() bool {
+	if len(ap.Issuers) != 1 {
+		return false
+	}
+	_, ok := ap.Issuers[0].(*InternalIssuer)
+	return ok
+}
+
+// isWildcardOrDefault determines if the subjects include any wildcard domains,
+// or is the "default" policy (i.e. no subjects) which is unbounded.
+func (ap *AutomationPolicy) isWildcardOrDefault() bool {
+	isWildcardOrDefault := false
+	if len(ap.subjects) == 0 {
+		isWildcardOrDefault = true
+	}
+	for _, sub := range ap.subjects {
+		if strings.HasPrefix(sub, "*") {
+			isWildcardOrDefault = true
+			break
+		}
+	}
+	return isWildcardOrDefault
+}
+
 // DefaultIssuers returns empty Issuers (not provisioned) to be used as defaults.
 // This function is experimental and has no compatibility promises.
 func DefaultIssuers() []certmagic.Issuer {
@@ -400,29 +460,32 @@ type DNSChallengeConfig struct {
 // Caddy can "ask" if it should be allowed to manage
 // certificates for a given hostname.
 type OnDemandConfig struct {
-	// An optional rate limit to throttle the
-	// issuance of certificates from handshakes.
-	RateLimit *RateLimit `json:"rate_limit,omitempty"`
-
-	// If Caddy needs to obtain or renew a certificate
-	// during a TLS handshake, it will perform a quick
-	// HTTP request to this URL to check if it should be
-	// allowed to try to get a certificate for the name
-	// in the "domain" query string parameter, like so:
-	// `?domain=example.com`. The endpoint must return a
-	// 200 OK status if a certificate is allowed;
-	// anything else will cause it to be denied.
+	// REQUIRED. If Caddy needs to load a certificate from
+	// storage or obtain/renew a certificate during a TLS
+	// handshake, it will perform a quick HTTP request to
+	// this URL to check if it should be allowed to try to
+	// get a certificate for the name in the "domain" query
+	// string parameter, like so: `?domain=example.com`.
+	// The endpoint must return a 200 OK status if a certificate
+	// is allowed; anything else will cause it to be denied.
 	// Redirects are not followed.
 	Ask string `json:"ask,omitempty"`
+
+	// DEPRECATED. An optional rate limit to throttle
+	// the checking of storage and the issuance of
+	// certificates from handshakes if not already in
+	// storage. WILL BE REMOVED IN A FUTURE RELEASE.
+	RateLimit *RateLimit `json:"rate_limit,omitempty"`
 }
 
-// RateLimit specifies an interval with optional burst size.
+// DEPRECATED. RateLimit specifies an interval with optional burst size.
 type RateLimit struct {
-	// A duration value. A certificate may be obtained 'burst'
-	// times during this interval.
+	// A duration value. Storage may be checked and a certificate may be
+	// obtained 'burst' times during this interval.
 	Interval caddy.Duration `json:"interval,omitempty"`
 
-	// How many times during an interval a certificate can be obtained.
+	// How many times during an interval storage can be checked or a
+	// certificate can be obtained.
 	Burst int `json:"burst,omitempty"`
 }
 
diff --git a/modules/caddytls/certmanagers.go b/modules/caddytls/certmanagers.go
index 1b701ab..ad26468 100644
--- a/modules/caddytls/certmanagers.go
+++ b/modules/caddytls/certmanagers.go
@@ -9,11 +9,12 @@ import (
 	"net/url"
 	"strings"
 
-	"github.com/caddyserver/caddy/v2"
-	"github.com/caddyserver/caddy/v2/caddyconfig/caddyfile"
 	"github.com/caddyserver/certmagic"
 	"github.com/tailscale/tscert"
 	"go.uber.org/zap"
+
+	"github.com/caddyserver/caddy/v2"
+	"github.com/caddyserver/caddy/v2/caddyconfig/caddyfile"
 )
 
 func init() {
@@ -23,14 +24,6 @@ func init() {
 
 // Tailscale is a module that can get certificates from the local Tailscale process.
 type Tailscale struct {
-	// If true, this module will operate in "best-effort" mode and
-	// ignore "soft" errors; i.e. try Tailscale, and if it doesn't connect
-	// or return a certificate, oh well. Failure to connect to Tailscale
-	// results in a no-op instead of an error. Intended for the use case
-	// where this module is added implicitly for convenience, even if
-	// Tailscale isn't necessarily running.
-	Optional bool `json:"optional,omitempty"`
-
 	logger *zap.Logger
 }
 
@@ -60,16 +53,11 @@ func (ts Tailscale) GetCertificate(ctx context.Context, hello *tls.ClientHelloIn
 
 // canHazCertificate returns true if Tailscale reports it can get a certificate for the given ClientHello.
 func (ts Tailscale) canHazCertificate(ctx context.Context, hello *tls.ClientHelloInfo) (bool, error) {
-	if ts.Optional && !strings.HasSuffix(strings.ToLower(hello.ServerName), tailscaleDomainAliasEnding) {
+	if !strings.HasSuffix(strings.ToLower(hello.ServerName), tailscaleDomainAliasEnding) {
 		return false, nil
 	}
 	status, err := tscert.GetStatus(ctx)
 	if err != nil {
-		if ts.Optional {
-			// ignore error if we don't expect/require it to work anyway, but log it for debugging
-			ts.logger.Debug("error getting tailscale status", zap.Error(err), zap.String("server_name", hello.ServerName))
-			return false, nil
-		}
 		return false, err
 	}
 	for _, domain := range status.CertDomains {
diff --git a/modules/caddytls/certselection.go b/modules/caddytls/certselection.go
index 0311f11..1bef890 100644
--- a/modules/caddytls/certselection.go
+++ b/modules/caddytls/certselection.go
@@ -58,7 +58,8 @@ nextChoice:
 		if len(p.SerialNumber) > 0 {
 			var found bool
 			for _, sn := range p.SerialNumber {
-				if cert.Leaf.SerialNumber.Cmp(&sn.Int) == 0 {
+				snInt := sn.Int // avoid taking address of iteration variable (gosec warning)
+				if cert.Leaf.SerialNumber.Cmp(&snInt) == 0 {
 					found = true
 					break
 				}
diff --git a/modules/caddytls/cf.go b/modules/caddytls/cf.go
new file mode 100644
index 0000000..e61a59c
--- /dev/null
+++ b/modules/caddytls/cf.go
@@ -0,0 +1,24 @@
+//go:build cfgo
+
+package caddytls
+
+// This file adds support for X25519Kyber768Draft00, a post-quantum
+// key agreement that is currently being rolled out by Chrome [1]
+// and Cloudflare [2,3]. For more context, see the PR [4].
+//
+// [1] https://blog.chromium.org/2023/08/protecting-chrome-traffic-with-hybrid.html
+// [2] https://blog.cloudflare.com/post-quantum-for-all/
+// [3] https://blog.cloudflare.com/post-quantum-to-origins/
+// [4] https://github.com/caddyserver/caddy/pull/5852
+
+import (
+	"crypto/tls"
+)
+
+func init() {
+	SupportedCurves["X25519Kyber768Draft00"] = tls.X25519Kyber768Draft00
+	defaultCurves = append(
+		[]tls.CurveID{tls.X25519Kyber768Draft00},
+		defaultCurves...,
+	)
+}
diff --git a/modules/caddytls/connpolicy.go b/modules/caddytls/connpolicy.go
index bce69bc..64fdd51 100644
--- a/modules/caddytls/connpolicy.go
+++ b/modules/caddytls/connpolicy.go
@@ -25,9 +25,10 @@ import (
 	"path/filepath"
 	"strings"
 
-	"github.com/caddyserver/caddy/v2"
 	"github.com/mholt/acmez"
 	"go.uber.org/zap"
+
+	"github.com/caddyserver/caddy/v2"
 )
 
 func init() {
@@ -54,7 +55,7 @@ func (cp ConnectionPolicies) Provision(ctx caddy.Context) error {
 		}
 
 		// enable HTTP/2 by default
-		if len(pol.ALPN) == 0 {
+		if pol.ALPN == nil {
 			pol.ALPN = append(pol.ALPN, defaultALPN...)
 		}
 
@@ -159,6 +160,18 @@ type ConnectionPolicy struct {
 	// is no policy configured for the empty SNI value.
 	DefaultSNI string `json:"default_sni,omitempty"`
 
+	// FallbackSNI becomes the ServerName in a ClientHello if
+	// the original ServerName doesn't match any certificates
+	// in the cache. The use cases for this are very niche;
+	// typically if a client is a CDN and passes through the
+	// ServerName of the downstream handshake but can accept
+	// a certificate with the origin's hostname instead, then
+	// you would set this to your origin's hostname. Note that
+	// Caddy must be managing a certificate for this name.
+	//
+	// This feature is EXPERIMENTAL and subject to change or removal.
+	FallbackSNI string `json:"fallback_sni,omitempty"`
+
 	// Also known as "SSLKEYLOGFILE", TLS secrets will be written to
 	// this file in NSS key log format which can then be parsed by
 	// Wireshark and other tools. This is INSECURE as it allows other
@@ -216,6 +229,7 @@ func (p *ConnectionPolicy) buildStandardTLSConfig(ctx caddy.Context) error {
 				cfg.CertSelection = p.CertSelection
 			}
 			cfg.DefaultServerName = p.DefaultSNI
+			cfg.FallbackServerName = p.FallbackSNI
 			return cfg.GetCertificate(hello)
 		},
 		MinVersion: tls.VersionTLS12,
@@ -270,7 +284,7 @@ func (p *ConnectionPolicy) buildStandardTLSConfig(ctx caddy.Context) error {
 			break
 		}
 	}
-	if !alpnFound {
+	if !alpnFound && (cfg.NextProtos == nil || len(cfg.NextProtos) > 0) {
 		cfg.NextProtos = append(cfg.NextProtos, acmez.ACMETLS1Protocol)
 	}
 
@@ -303,7 +317,7 @@ func (p *ConnectionPolicy) buildStandardTLSConfig(ctx caddy.Context) error {
 			return err
 		}
 		logFile, _, err := secretsLogPool.LoadOrNew(filename, func() (caddy.Destructor, error) {
-			w, err := os.OpenFile(filename, os.O_WRONLY|os.O_CREATE|os.O_APPEND, 0600)
+			w, err := os.OpenFile(filename, os.O_WRONLY|os.O_CREATE|os.O_APPEND, 0o600)
 			return destructableWriter{w}, err
 		})
 		if err != nil {
diff --git a/modules/caddytls/distributedstek/distributedstek.go b/modules/caddytls/distributedstek/distributedstek.go
index 18ed694..f6d0de0 100644
--- a/modules/caddytls/distributedstek/distributedstek.go
+++ b/modules/caddytls/distributedstek/distributedstek.go
@@ -33,9 +33,10 @@ import (
 	"runtime/debug"
 	"time"
 
+	"github.com/caddyserver/certmagic"
+
 	"github.com/caddyserver/caddy/v2"
 	"github.com/caddyserver/caddy/v2/modules/caddytls"
-	"github.com/caddyserver/certmagic"
 )
 
 func init() {
diff --git a/modules/caddytls/internalissuer.go b/modules/caddytls/internalissuer.go
index 3dd6c35..1cf2461 100644
--- a/modules/caddytls/internalissuer.go
+++ b/modules/caddytls/internalissuer.go
@@ -21,12 +21,13 @@ import (
 	"encoding/pem"
 	"time"
 
-	"github.com/caddyserver/caddy/v2"
-	"github.com/caddyserver/caddy/v2/caddyconfig/caddyfile"
-	"github.com/caddyserver/caddy/v2/modules/caddypki"
 	"github.com/caddyserver/certmagic"
 	"github.com/smallstep/certificates/authority/provisioner"
 	"go.uber.org/zap"
+
+	"github.com/caddyserver/caddy/v2"
+	"github.com/caddyserver/caddy/v2/caddyconfig/caddyfile"
+	"github.com/caddyserver/caddy/v2/modules/caddypki"
 )
 
 func init() {
diff --git a/modules/caddytls/matchers.go b/modules/caddytls/matchers.go
index f541220..af1f898 100644
--- a/modules/caddytls/matchers.go
+++ b/modules/caddytls/matchers.go
@@ -21,9 +21,10 @@ import (
 	"net/netip"
 	"strings"
 
-	"github.com/caddyserver/caddy/v2"
 	"github.com/caddyserver/certmagic"
 	"go.uber.org/zap"
+
+	"github.com/caddyserver/caddy/v2"
 )
 
 func init() {
diff --git a/modules/caddytls/storageloader.go b/modules/caddytls/storageloader.go
index ef9d51e..ddaaa51 100644
--- a/modules/caddytls/storageloader.go
+++ b/modules/caddytls/storageloader.go
@@ -18,8 +18,9 @@ import (
 	"crypto/tls"
 	"fmt"
 
-	"github.com/caddyserver/caddy/v2"
 	"github.com/caddyserver/certmagic"
+
+	"github.com/caddyserver/caddy/v2"
 )
 
 func init() {
diff --git a/modules/caddytls/tls.go b/modules/caddytls/tls.go
index 8051653..02d5aae 100644
--- a/modules/caddytls/tls.go
+++ b/modules/caddytls/tls.go
@@ -25,10 +25,11 @@ import (
 	"sync"
 	"time"
 
-	"github.com/caddyserver/caddy/v2"
-	"github.com/caddyserver/caddy/v2/modules/caddyevents"
 	"github.com/caddyserver/certmagic"
 	"go.uber.org/zap"
+
+	"github.com/caddyserver/caddy/v2"
+	"github.com/caddyserver/caddy/v2/modules/caddyevents"
 )
 
 func init() {
@@ -36,12 +37,24 @@ func init() {
 	caddy.RegisterModule(AutomateLoader{})
 }
 
+var (
+	certCache   *certmagic.Cache
+	certCacheMu sync.RWMutex
+)
+
 // TLS provides TLS facilities including certificate
 // loading and management, client auth, and more.
 type TLS struct {
-	// Caches certificates in memory for quick use during
+	// Certificates to load into memory for quick recall during
 	// TLS handshakes. Each key is the name of a certificate
-	// loader module. All loaded certificates get pooled
+	// loader module.
+	//
+	// The "automate" certificate loader module can be used to
+	// specify a list of subjects that need certificates to be
+	// managed automatically. The first matching automation
+	// policy will be applied to manage the certificate(s).
+	//
+	// All loaded certificates get pooled
 	// into the same cache and may be used to complete TLS
 	// handshakes for the relevant server names (SNI).
 	// Certificates loaded manually (anything other than
@@ -70,12 +83,15 @@ type TLS struct {
 
 	certificateLoaders []CertificateLoader
 	automateNames      []string
-	certCache          *certmagic.Cache
 	ctx                caddy.Context
 	storageCleanTicker *time.Ticker
 	storageCleanStop   chan struct{}
 	logger             *zap.Logger
 	events             *caddyevents.App
+
+	// set of subjects with managed certificates,
+	// and hashes of manually-loaded certificates
+	managing, loaded map[string]struct{}
 }
 
 // CaddyModule returns the Caddy module information.
@@ -96,6 +112,7 @@ func (t *TLS) Provision(ctx caddy.Context) error {
 	t.ctx = ctx
 	t.logger = ctx.Logger()
 	repl := caddy.NewReplacer()
+	t.managing, t.loaded = make(map[string]struct{}), make(map[string]struct{})
 
 	// set up a new certificate cache; this (re)loads all certificates
 	cacheOpts := certmagic.CacheOptions{
@@ -114,7 +131,14 @@ func (t *TLS) Provision(ctx caddy.Context) error {
 	if cacheOpts.Capacity <= 0 {
 		cacheOpts.Capacity = 10000
 	}
-	t.certCache = certmagic.NewCache(cacheOpts)
+
+	certCacheMu.Lock()
+	if certCache == nil {
+		certCache = certmagic.NewCache(cacheOpts)
+	} else {
+		certCache.SetOptions(cacheOpts)
+	}
+	certCacheMu.Unlock()
 
 	// certificate loaders
 	val, err := ctx.LoadModule(t, "CertificatesRaw")
@@ -126,7 +150,12 @@ func (t *TLS) Provision(ctx caddy.Context) error {
 			// special case; these will be loaded in later using our automation facilities,
 			// which we want to avoid doing during provisioning
 			if automateNames, ok := modIface.(*AutomateLoader); ok && automateNames != nil {
-				t.automateNames = []string(*automateNames)
+				repl := caddy.NewReplacer()
+				subjects := make([]string, len(*automateNames))
+				for i, sub := range *automateNames {
+					subjects[i] = repl.ReplaceAll(sub, "")
+				}
+				t.automateNames = subjects
 			} else {
 				return fmt.Errorf("loading certificates with 'automate' requires array of strings, got: %T", modIface)
 			}
@@ -181,8 +210,8 @@ func (t *TLS) Provision(ctx caddy.Context) error {
 		onDemandRateLimiter.SetWindow(time.Duration(t.Automation.OnDemand.RateLimit.Interval))
 	} else {
 		// remove any existing rate limiter
-		onDemandRateLimiter.SetMaxEvents(0)
 		onDemandRateLimiter.SetWindow(0)
+		onDemandRateLimiter.SetMaxEvents(0)
 	}
 
 	// run replacer on ask URL (for environment variables) -- return errors to prevent surprises (#5036)
@@ -197,7 +226,8 @@ func (t *TLS) Provision(ctx caddy.Context) error {
 	// provision so that other apps (such as http) can know which
 	// certificates have been manually loaded, and also so that
 	// commands like validate can be a better test
-	magic := certmagic.New(t.certCache, certmagic.Config{
+	certCacheMu.RLock()
+	magic := certmagic.New(certCache, certmagic.Config{
 		Storage: ctx.Storage(),
 		Logger:  t.logger,
 		OnEvent: t.onEvent,
@@ -205,16 +235,18 @@ func (t *TLS) Provision(ctx caddy.Context) error {
 			DisableStapling: t.DisableOCSPStapling,
 		},
 	})
+	certCacheMu.RUnlock()
 	for _, loader := range t.certificateLoaders {
 		certs, err := loader.LoadCertificates()
 		if err != nil {
 			return fmt.Errorf("loading certificates: %v", err)
 		}
 		for _, cert := range certs {
-			err := magic.CacheUnmanagedTLSCertificate(ctx, cert.Certificate, cert.Tags)
+			hash, err := magic.CacheUnmanagedTLSCertificate(ctx, cert.Certificate, cert.Tags)
 			if err != nil {
 				return fmt.Errorf("caching unmanaged certificate: %v", err)
 			}
+			t.loaded[hash] = struct{}{}
 		}
 	}
 
@@ -231,13 +263,13 @@ func (t *TLS) Validate() error {
 		var hasDefault bool
 		hostSet := make(map[string]int)
 		for i, ap := range t.Automation.Policies {
-			if len(ap.Subjects) == 0 {
+			if len(ap.subjects) == 0 {
 				if hasDefault {
 					return fmt.Errorf("automation policy %d is the second policy that acts as default/catch-all, but will never be used", i)
 				}
 				hasDefault = true
 			}
-			for _, h := range ap.Subjects {
+			for _, h := range ap.subjects {
 				if first, ok := hostSet[h]; ok {
 					return fmt.Errorf("automation policy %d: cannot apply more than one automation policy to host: %s (first match in policy %d)", i, h, first)
 				}
@@ -259,7 +291,7 @@ func (t *TLS) Start() error {
 	if t.Automation.OnDemand == nil ||
 		(t.Automation.OnDemand.Ask == "" && t.Automation.OnDemand.RateLimit == nil) {
 		for _, ap := range t.Automation.Policies {
-			if ap.OnDemand {
+			if ap.OnDemand && ap.isWildcardOrDefault() {
 				t.logger.Warn("YOUR SERVER MAY BE VULNERABLE TO ABUSE: on-demand TLS is enabled, but no protections are in place",
 					zap.String("docs", "https://caddyserver.com/docs/automatic-https#on-demand-tls"))
 				break
@@ -293,16 +325,44 @@ func (t *TLS) Stop() error {
 
 // Cleanup frees up resources allocated during Provision.
 func (t *TLS) Cleanup() error {
-	// stop the certificate cache
-	if t.certCache != nil {
-		t.certCache.Stop()
-	}
-
 	// stop the session ticket rotation goroutine
 	if t.SessionTickets != nil {
 		t.SessionTickets.stop()
 	}
 
+	// if a new TLS app was loaded, remove certificates from the cache that are no longer
+	// being managed or loaded by the new config; if there is no more TLS app running,
+	// then stop cert maintenance and let the cert cache be GC'ed
+	if nextTLS := caddy.ActiveContext().AppIfConfigured("tls"); nextTLS != nil {
+		nextTLSApp := nextTLS.(*TLS)
+
+		// compute which certificates were managed or loaded into the cert cache by this
+		// app instance (which is being stopped) that are not managed or loaded by the
+		// new app instance (which just started), and remove them from the cache
+		var noLongerManaged, noLongerLoaded []string
+		for subj := range t.managing {
+			if _, ok := nextTLSApp.managing[subj]; !ok {
+				noLongerManaged = append(noLongerManaged, subj)
+			}
+		}
+		for hash := range t.loaded {
+			if _, ok := nextTLSApp.loaded[hash]; !ok {
+				noLongerLoaded = append(noLongerLoaded, hash)
+			}
+		}
+
+		certCacheMu.RLock()
+		certCache.RemoveManaged(noLongerManaged)
+		certCache.Remove(noLongerLoaded)
+		certCacheMu.RUnlock()
+	} else {
+		// no more TLS app running, so delete in-memory cert cache
+		certCache.Stop()
+		certCacheMu.Lock()
+		certCache = nil
+		certCacheMu.Unlock()
+	}
+
 	return nil
 }
 
@@ -327,6 +387,9 @@ func (t *TLS) Manage(names []string) error {
 		if err != nil {
 			return fmt.Errorf("automate: manage %v: %v", names, err)
 		}
+		for _, name := range names {
+			t.managing[name] = struct{}{}
+		}
 	}
 
 	return nil
@@ -388,8 +451,8 @@ func (t *TLS) AddAutomationPolicy(ap *AutomationPolicy) error {
 		// first see if existing is superset of ap for all names
 		var otherIsSuperset bool
 	outer:
-		for _, thisSubj := range ap.Subjects {
-			for _, otherSubj := range existing.Subjects {
+		for _, thisSubj := range ap.subjects {
+			for _, otherSubj := range existing.subjects {
 				if certmagic.MatchWildcard(thisSubj, otherSubj) {
 					otherIsSuperset = true
 					break outer
@@ -398,7 +461,7 @@ func (t *TLS) AddAutomationPolicy(ap *AutomationPolicy) error {
 		}
 		// if existing AP is a superset or if it contains fewer names (i.e. is
 		// more general), then new AP is more specific, so insert before it
-		if otherIsSuperset || len(existing.Subjects) < len(ap.Subjects) {
+		if otherIsSuperset || len(existing.SubjectsRaw) < len(ap.SubjectsRaw) {
 			t.Automation.Policies = append(t.Automation.Policies[:i],
 				append([]*AutomationPolicy{ap}, t.Automation.Policies[i:]...)...)
 			return nil
@@ -420,10 +483,10 @@ func (t *TLS) getConfigForName(name string) *certmagic.Config {
 // public certificate or not.
 func (t *TLS) getAutomationPolicyForName(name string) *AutomationPolicy {
 	for _, ap := range t.Automation.Policies {
-		if len(ap.Subjects) == 0 {
+		if len(ap.subjects) == 0 {
 			return ap // no host filter is an automatic match
 		}
-		for _, h := range ap.Subjects {
+		for _, h := range ap.subjects {
 			if certmagic.MatchWildcard(name, h) {
 				return ap
 			}
@@ -437,8 +500,27 @@ func (t *TLS) getAutomationPolicyForName(name string) *AutomationPolicy {
 
 // AllMatchingCertificates returns the list of all certificates in
 // the cache which could be used to satisfy the given SAN.
-func (t *TLS) AllMatchingCertificates(san string) []certmagic.Certificate {
-	return t.certCache.AllMatchingCertificates(san)
+func AllMatchingCertificates(san string) []certmagic.Certificate {
+	return certCache.AllMatchingCertificates(san)
+}
+
+func (t *TLS) HasCertificateForSubject(subject string) bool {
+	certCacheMu.RLock()
+	allMatchingCerts := certCache.AllMatchingCertificates(subject)
+	certCacheMu.RUnlock()
+	for _, cert := range allMatchingCerts {
+		// check if the cert is manually loaded by this config
+		if _, ok := t.loaded[cert.Hash()]; ok {
+			return true
+		}
+		// check if the cert is automatically managed by this config
+		for _, name := range cert.Names {
+			if _, ok := t.managing[name]; ok {
+				return true
+			}
+		}
+	}
+	return false
 }
 
 // keepStorageClean starts a goroutine that immediately cleans up all
@@ -552,7 +634,9 @@ type Certificate struct {
 //
 // Technically, this is a no-op certificate loader module that is treated as
 // a special case: it uses this app's automation features to load certificates
-// for the list of hostnames, rather than loading certificates manually.
+// for the list of hostnames, rather than loading certificates manually. But
+// the end result is the same: certificates for these subject names will be
+// loaded into the in-memory cache and may then be used.
 type AutomateLoader []string
 
 // CaddyModule returns the Caddy module information.
diff --git a/modules/caddytls/zerosslissuer.go b/modules/caddytls/zerosslissuer.go
index 0209294..697bab0 100644
--- a/modules/caddytls/zerosslissuer.go
+++ b/modules/caddytls/zerosslissuer.go
@@ -25,11 +25,12 @@ import (
 	"strings"
 	"sync"
 
-	"github.com/caddyserver/caddy/v2"
-	"github.com/caddyserver/caddy/v2/caddyconfig/caddyfile"
 	"github.com/caddyserver/certmagic"
 	"github.com/mholt/acmez/acme"
 	"go.uber.org/zap"
+
+	"github.com/caddyserver/caddy/v2"
+	"github.com/caddyserver/caddy/v2/caddyconfig/caddyfile"
 )
 
 func init() {