Hopefully you all can help!

I’ve been to hundreds of threads over the last few days trying to puzzle this out, with no luck.

The problem:

  1. Caddy v2 with acme HTTP-1 ACME challenge (Changed from TLS-ALPN challenge)
  2. Cloudflair DNS with proxy ON
  3. All cloudflair https is off
  4. This is a .co domain

Any attempt to get certificates fails with an invalid challenge response. If I try and navigate (or curl) to the challenge directly I always get SSL validation errors as if all the requests are trying to upgrade to HTTPS.

I’m kind of at my wit’s end here and am running out of things to try.

If I turn Cloud flare proxy off and go back to TLS-ALPN challenge, everything works as expected. However I do not wish to expose myself directly and want to use the proxy.

What should I be doing?


I have now solved this by using Cloudflair DNS ACME challenge. Cloudflair SSL turned back on. Everything works as expected now, I can have external clients terminate SSL at cloudflair, cloudflair communicate with my proxy through HTTPS, and have internal clients terminate SSL at caddy.

  • Akinzekeel@lemmy.world
    link
    fedilink
    English
    arrow-up
    0
    ·
    3 months ago

    Can’t speak for OP but I was also attempting this and couldn’t get it working. My use case is that CF tunnels make multiple of my self hosted services available on the Internet via HTTPS and without directly exposing my home IP.

    It does however mean that even when I use a service on my home network, everything is being proxied through CF which makes things much slower than they need to be 90% of the time. So my idea is to use caddy in parallel to CF and have a local DNS server point to my homelab, thereby circumventing the proxy whenever I’m on my home network.

    But like I said I could not get this working just yet.

    • mik@sh.itjust.works
      link
      fedilink
      English
      arrow-up
      1
      ·
      3 months ago

      I run the setup you’re aiming for, and as the other guy said, DNS challenge is the way to go. That’s what I do, and it works beautifully. It even works with Caddy auto-https, you just need to build Caddy with the cloudflare-dns plugin.