I noticed a number of certificates issued in the caddy/certificates/acme-v02.api.letsencrypt.org-directory/ that I do not recognise.
Is that an indication the installation has been compromised?
How could these certificates be issued?
Just answered my own question.
The default docker-compose config for Caddy responds to any URL that hits the server. It will go through the process of issuing a certificate.
So if you have a wildcard DNS configured, any time a request to any URL under any subdomain comes through, a new certificate will get issued.
If you’re using Let’s Encrypt, that’ll very quickly hit a rate limit and block your root domain from getting any more certificates.
Not sure if it helps but maybe tighten up the default Caddy config to only serve EXTERNAL_URL specified in .env.
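
One way to audit the situation described above, as an added example that is not part of the original post or the project's own tooling: list the hostnames that have stored certificates but do not match the host in EXTERNAL_URL. It assumes Caddy's storage holds one subdirectory per hostname under the issuer directory named in the post; the function names and sample hostnames are constructed for illustration.

```python
import os
import tempfile
from urllib.parse import urlsplit

ISSUER_DIR = "acme-v02.api.letsencrypt.org-directory"  # directory name from the post


def external_host(env_text):
    """Return the hostname from an EXTERNAL_URL=... line in .env text, or None."""
    for line in env_text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key.strip() == "EXTERNAL_URL":
            value = value.strip().strip("'\"")
            # Accept both "https://host/path" and a bare "host"
            parsed = urlsplit(value if "//" in value else "//" + value)
            return parsed.hostname
    return None


def unexpected_cert_hosts(certificates_root, allowed_hosts):
    """List hostnames with stored certificates that are not in allowed_hosts."""
    issuer_path = os.path.join(certificates_root, ISSUER_DIR)
    allowed = {h.lower() for h in allowed_hosts if h}
    found = []
    for entry in sorted(os.listdir(issuer_path)):
        # Assumption: one subdirectory per certificate subject
        if os.path.isdir(os.path.join(issuer_path, entry)) and entry.lower() not in allowed:
            found.append(entry)
    return found


def build_sample_storage(root):
    """Constructed sample data: a storage tree with one expected and two stray hosts."""
    for host in ("app.example.com", "random1.example.com", "xyz.example.com"):
        host_dir = os.path.join(root, ISSUER_DIR, host)
        os.makedirs(host_dir)
        open(os.path.join(host_dir, host + ".crt"), "w").close()


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample_storage(root)
        host = external_host("EXTERNAL_URL=https://app.example.com\n")
        for stray in unexpected_cert_hosts(root, [host]):
            print("unexpected certificate for:", stray)
```

Point `unexpected_cert_hosts` at the real `caddy/certificates` directory and pass the host parsed from your own `.env` to see which names were issued for requests to other subdomains.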