--internal seems a bit ambiguous, maybe --internal-certs or something instead?

Note that Caddy uses its own ("internal") certificates by default if the hostname is like localhost or foo.local` or an IP address, so... is this flag really that useful/necessary? Why not just use localhost or .local or IP address?

While using localhost or .local might work for something running on the same machine, but for something running on another system or has expectations, that is too limiting. As an example, bitwarden_rs requires HTTPS to work, even if you're just testing it, and if you're testing it in an existing infrastructure (e.g. any cloud or kubernetes setup) then you can't use domains local to the host it's running on.

As for the flag name, anything that works is fine.

I can work on this. Since I'm still trying to find my way around the codebase, is there a Slack where I can ask questions if needed?

@divbhasin Yeah there is. Although I can probably just answer the question of where in the code base to look right here. :) This whole file is the reverse-proxy command, specifically its flags:

@mholt So I have the flag added, but I don't know how to set up the internal certificate. I see that tls internal is handled according to the following snippets:

But, the function where those snippets come from returns an array of ConfigValue. Are there any "global" config vals that contain the cert_issuer which can be modified?

@divbhasin That's the Caddyfile adapter; the command line doesn't use the Caddyfile. If you were writing a Caddyfile directive that changed the certificate issuer for a site, then yes you would use that. But in this case you just need the JSON.

What I would do is make a config (using the Caddyfile, for example) that does what you want. Then run caddy adapt to see its JSON. Then make sure your flag produces the relevant part of the JSON for what you want. Does that make sense?