Caddy 2 behind Cloudflare CDN

Can Caddy 2 renew the ssl cert if it is behind a Cloudflare CDN? Do I still need to use the API keys provided by Cloudflare?

If you are using the full SSL mode, you can use the certificate signed by the locally trusted CA with tls internal. With the full strict mode, you’ll need to use a Cloudflare issued origin certificate.

Caddy 2 can and will renew certificates behind Cloudflare’s CDN.

The ideal way to do this is DNS validation (which will require building Caddy with the Cloudflare module, and configuration with your Cloudflare API keys).

Caddy 2 is capable of renewing certificates without this, though. There are two challenge types, TLS-ALPN (this will fail behind Cloudflare) and HTTP (this will succeed). If Caddy tries TLS-ALPN first and fails it will fall back to the HTTP challenge.

Alternately, as @samjmckenzie advises, you can configure Caddy manually to use a Cloudflare-issued origin certificate. You can get very long-lived origin certificates from Cloudflare, as they are only ever trusted by Cloudflare itself.

As an optional extra you could require mutual authentication - forcing Cloudflare to produce a client certificate when connecting to your origin (they provide their client CA for this purpose). That means that not only will your origin not be trusted by third parties, Caddy will reject third parties (allowing access only through Cloudflare).

It’s a bit of a rabbit hole, you can go as deep as you like.

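The three setups discussed in this thread side by side, as an added Caddyfile example that is not from the original posts. The hostnames, the certificate/key paths under /etc/caddy/ and the CLOUDFLARE_API_TOKEN variable name are placeholders; the origin certificate, its key and Cloudflare's client (origin pull) CA are files you download from the Cloudflare dashboard, and option C needs a Caddy build that includes the Cloudflare DNS module.

```caddyfile
# Option A: Cloudflare "Full" (not strict) mode.
# Caddy serves a certificate from its own locally trusted CA; the edge
# encrypts to the origin but does not verify the chain.
a.example.com {
    tls internal
    respond "served via tls internal"
}

# Option B: Cloudflare "Full (strict)" mode with a Cloudflare-issued
# origin certificate, plus mutual TLS so that only clients presenting a
# certificate signed by Cloudflare's client CA (i.e. the Cloudflare edge)
# can complete a handshake. Anyone reaching the origin IP directly is
# rejected at the TLS layer. Paths below are placeholders.
b.example.com {
    tls /etc/caddy/origin.pem /etc/caddy/origin.key {
        client_auth {
            mode require_and_verify
            trusted_ca_cert_file /etc/caddy/cloudflare-origin-pull-ca.pem
        }
    }
    respond "served via origin certificate and mTLS"
}

# Option C: publicly trusted certificate obtained with the DNS challenge,
# which works behind the CDN because no inbound connection is needed.
# Requires the Cloudflare DNS module compiled in and an API token in the
# CLOUDFLARE_API_TOKEN environment variable (placeholder name).
c.example.com {
    tls {
        dns cloudflare {env.CLOUDFLARE_API_TOKEN}
    }
    respond "served via DNS-challenge certificate"
}
```

To confirm option B is enforced, connect to the origin's IP directly with a TLS client that presents no client certificate; the expected result is a handshake failure, not a response.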

Is there anything to configure on Cloudflare beforehand? Like using the full or flexible mode, etc.
