Automatic Cloudflare certs stopped working for root of domain but still work on sub domains

1. The problem I’m having:

Hello! I set up Caddy last year and it’s been plugging along great since then, but recently (a couple weeks ago?) the certificate for my root domain stopped working. When I visit that page I’m told the connection is insecure and the certificate is expired. However, all of the subdomains still work properly. I am using Cloudflare for automatic certificates.

For what it’s worth the A record for my domain points to a Tailscale IP address so Cloudflare cannot ‘see’ the website though that hasn’t been a problem in the past. Any ideas as to what is going on? Does it have something to do with the www.queasy.cc > queasy.cc redirect?

2. Error messages and/or full log output:

Your connection is not private
net::ERR_CERT_DATE_INVALID

3. Caddy version:

2.10.2

4. How I installed and ran Caddy:

Caddy is installed via Docker on UbuntuServer

a. System environment:

UbuntuServer 22.04.5 LTS w/ Docker installed via Docker instructions (not Snap)

b. Command:

docker compose up -d

d. My complete Caddy config:

(cloudflare) {
    tls {
      dns cloudflare [KEY_REDACTED]
    }
}

queasy.cc {
    reverse_proxy 192.168.0.4:3001
    import cloudflare
}

www.queasy.cc {
    redir https://queasy.cc{uri}
    import cloudflare
}

tv.queasy.cc {
    reverse_proxy 192.168.0.4:8096
    import cloudflare
}

rss.queasy.cc {
    reverse_proxy 192.168.0.4:8082
    import cloudflare
}

music.queasy.cc {
    reverse_proxy 192.168.0.4:4533
    import cloudflare
}

audiobooks.queasy.cc {
    reverse_proxy 192.168.0.4:13378
    import cloudflare
}

ebooks.queasy.cc {
    reverse_proxy 192.168.0.4:8083
    import cloudflare
}

Thanks for the help!


Please check and share Caddy logs, not just what you see in the browser.


No problem, is there a best command to use for this? Thank you for the reply, much appreciated!

You will need to check the Docker container logs. It depends on how you’re running the Docker container.


This is a temporary subdomain which Caddy creates to prove to Let’s Encrypt the server requesting the certificate controls the domain.

This seems to be an issue with the DNS resolver on your system. Another user had a similar issue here.


The same DNS is working fine to resolve and certify all of the sub-domains so it can’t be that, right?

Per the previously reported experience, your resolver doesn’t like querying SOA records. Queries of A and AAAA records work fine, but are different. Try the workaround in the linked post and confirm it fixes your issue.

It seems like your domain is managed partially by Tailscale. The domain `_acme-challenge.queasy.cc` is CNAME-ed to a Tailscale endpoint. This likely wasn't there when you first set it up. I don't know much about the automatic HTTPS of Tailscale, so you'll need to gather this information on your own, or another forum visitor or helper can pitch in.


Woah, good catch, thanks! I just checked the DNS settings for my domain over at Cloudflare and for some reason it had an entry of CNAME * [mytailnetdomain].ts.net. I sure don’t remember adding that but I guess I must have at some point? Either way when I deleted it everything started working again.

Thanks a bunch for your help!

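The DNS behaviour behind the fix above, as an added illustration that is not part of the thread and not Caddy code. For a DNS-01 challenge the CA queries TXT at `_acme-challenge.<name>`, and the ACME client typically has to locate the zone that owns that name (SOA lookups walking up the name) and, in many clients, follow any CNAME on it before writing the TXT record. Under RFC 4592 a wildcard `*.queasy.cc` is synthesised for a query only when no existing name lies between the queried name and the apex. `_acme-challenge.queasy.cc` therefore matched the stray `CNAME *` into `ts.net`, while `_acme-challenge.tv.queasy.cc` did not, because `tv.queasy.cc` exists and has no wildcard of its own. The zone contents, addresses and tailnet name below are constructed placeholders, not the poster's real values.

```python
"""Toy authoritative lookup for one zone implementing the RFC 4592 wildcard
rule, used to show why ``CNAME * <tailnet>.ts.net`` hijacks the apex
DNS-01 challenge name but leaves the subdomains' challenge names alone.
Constructed example; not Caddy, certmagic or Cloudflare code.
"""

# Constructed zone modelled on the thread (placeholder values).
RECORDS = {
    "queasy.cc":            [("A", "100.64.0.10")],
    "www.queasy.cc":        [("A", "100.64.0.10")],
    "tv.queasy.cc":         [("A", "100.64.0.10")],
    "rss.queasy.cc":        [("A", "100.64.0.10")],
    "music.queasy.cc":      [("A", "100.64.0.10")],
    "audiobooks.queasy.cc": [("A", "100.64.0.10")],
    "ebooks.queasy.cc":     [("A", "100.64.0.10")],
    "*.queasy.cc":          [("CNAME", "mytailnet.ts.net")],  # the stray record
}


def _name_exists(records, name):
    """A name exists if it owns records or is an ancestor of a name that
    does (an "empty non-terminal" in RFC 4592 terms)."""
    return any(owner == name or owner.endswith("." + name) for owner in records)


def _rrset(records, owner, qtype):
    # A CNAME at the owner is always returned: the client has to follow it.
    return [rr for rr in records[owner] if rr[0] in (qtype, "CNAME")]


def resolve(records, qname, qtype):
    """Return (status, rrset, source).

    status is NOERROR, NODATA or NXDOMAIN; source is 'exact', 'wildcard' or
    None. CNAMEs are returned rather than chased, so the caller sees exactly
    what an ACME validator or DNS-01 solver would have to follow.
    """
    qname = qname.rstrip(".").lower()
    if qname in records:
        rrs = _rrset(records, qname, qtype)
        return ("NOERROR" if rrs else "NODATA", rrs, "exact")
    if _name_exists(records, qname):
        return ("NODATA", [], "exact")           # empty non-terminal
    labels = qname.split(".")
    for i in range(1, len(labels)):
        parent = ".".join(labels[i:])
        if not _name_exists(records, parent):
            continue                             # keep climbing
        # parent is the closest encloser: only *its* wildcard may match.
        wildcard = "*." + parent
        if wildcard in records:
            rrs = _rrset(records, wildcard, qtype)
            return ("NOERROR" if rrs else "NODATA", rrs, "wildcard")
        return ("NXDOMAIN", [], None)
    return ("NXDOMAIN", [], None)


def challenge_lookups(records):
    """For every real (non-wildcard) owner, look up the TXT record an ACME
    server would query for that name's DNS-01 challenge."""
    out = {}
    for owner in records:
        if owner.startswith("*."):
            continue
        status, rrs, source = resolve(records, "_acme-challenge." + owner, "TXT")
        out[owner] = (status, source, rrs)
    return out


def without(records, owner):
    """The zone with one owner name deleted (the fix the poster applied)."""
    return {k: v for k, v in records.items() if k != owner}


if __name__ == "__main__":
    for owner, (status, source, rrs) in challenge_lookups(RECORDS).items():
        print(f"{owner:22} _acme-challenge -> {status:8} {source or '':8} {rrs}")
    fixed = challenge_lookups(without(RECORDS, "*.queasy.cc"))
    print("after deleting the wildcard:", fixed["queasy.cc"])
```

With the wildcard present only the apex's challenge name resolves, and it resolves to a CNAME pointing into a zone the Cloudflare DNS provider cannot write to; every subdomain's challenge name is NXDOMAIN, which is exactly what a DNS-01 solver wants to see before it creates the TXT record. Deleting `*.queasy.cc` turns the apex lookup into NXDOMAIN as well. The same check can be made against the live zone with `dig +short CNAME _acme-challenge.queasy.cc` before and after editing the Cloudflare records.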

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.