Caddy behind a proxy firewall

So I was doing an installation with a customer, and they wanted to use a firewall proxy in front of our application which is served by Caddy. When we tried to boot it up, Automatic TLS failed. As a workaround for now, we just disabled the proxy and had traffic point directly to the server.

I guess this is more of a question of how proxy firewalls work, I don’t have too much experience with advanced networking infrastructure. What are the possible symptoms for a proxy firewall causing the initial cert issuance to fail? What would I need to change in the Caddy config and/or my application for it to be supported?

Unfortunately, I wasn’t able to write down what the error was when I was with the customer, so I don’t really know what the error message was, but I’m pretty sure it had to do with LE trying to reach the server via the IP address of the proxy (as specified by DNS) and failing to reach it (which I guess is pretty much 90% of errors in setting up the cert :thinking:).

I hope this isn’t too vague of a question, I’m having a hard time understanding what to ask to get this sorted out :stuck_out_tongue:

Firewalls block ports, so if ports 80 or 443 are blocked, LE won’t be able to verify the site (unless it uses the DNS challenge, which doesn’t access your server at all), and Caddy won’t be able to serve sites on those ports.

The proxy part of it must also be forwarding traffic properly. How did you confirm that it’s properly forwarding all traffic on ports 80 and 443 to Caddy, without changing anything?
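One way to do the confirmation asked for above, as an added example that is not part of the original thread and not Caddy project code: probe the public host from outside the proxy, check that TCP ports 80 and 443 are open, and fetch a path under `/.well-known/acme-challenge/` over plain HTTP to see whether the answer actually comes from Caddy (Caddy responds to an unknown token with 404 but still identifies itself with a `Server: Caddy` header; a redirect, a proxy error page or a timeout means the proxy is not transparent on port 80). Port 443 matters for the TLS-ALPN-01 challenge, which needs the TLS handshake passed through to Caddy rather than terminated at the proxy. The host names, the probe token and the loopback stand-in for Caddy below are all constructed so the script runs offline.

```python
"""Diagnostic for a proxy/firewall in front of Caddy (added example, not project code).

Checks:
  1. TCP reachability of the public host on 80 and 443 (firewall rules).
  2. A plain-HTTP GET on the HTTP-01 challenge path, judged by status and the
     Server header, to see whether port 80 traffic actually lands on Caddy.
"""
import http.client
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

ACME_PATH = "/.well-known/acme-challenge/"


def tcp_reachable(host, port, timeout=5.0):
    """True when a TCP connection to host:port completes within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def http01_probe(host, port=80, token="probe-token", timeout=5.0):
    """GET the HTTP-01 challenge path over plain HTTP; return (status, server_header).

    The token is a constructed placeholder: we only care whether the request
    reaches Caddy unmodified, not whether the token is valid.
    """
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", ACME_PATH + token)
        resp = conn.getresponse()
        resp.read()
        return resp.status, resp.getheader("Server", "")
    finally:
        conn.close()


def diagnose(host, http_port=80, https_port=443):
    """Run the checks against a host and return a small report dict."""
    report = {
        "port80_open": tcp_reachable(host, http_port),
        "port443_open": tcp_reachable(host, https_port),
        "http01_reaches_caddy": False,
    }
    if report["port80_open"]:
        try:
            status, server = http01_probe(host, http_port)
            # 404 is the normal answer for an unknown token; anything else on
            # this path (301/302 to https, 403 from a proxy) is a red flag.
            report["http01_reaches_caddy"] = status in (200, 404) and server.startswith("Caddy")
        except OSError:
            report["http01_reaches_caddy"] = False
    return report


class _FakeCaddy(BaseHTTPRequestHandler):
    """Constructed loopback stand-in for Caddy used by run_local_demo()."""

    def version_string(self):
        return "Caddy"  # mimic Caddy's Server header

    def do_GET(self):
        self.send_response(404 if self.path.startswith(ACME_PATH) else 200)
        self.end_headers()

    def log_message(self, *args):
        pass  # keep the demo quiet


def run_local_demo():
    """Start the stand-in on a random loopback port and diagnose it.

    https_port is pointed at a closed port to model a firewall dropping 443,
    which is the shape of failure the thread describes.
    """
    srv = HTTPServer(("127.0.0.1", 0), _FakeCaddy)
    port = srv.server_address[1]
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        return diagnose("127.0.0.1", http_port=port, https_port=1)
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    # Against a real deployment: diagnose("app.example.invalid")  (placeholder host)
    print(run_local_demo())
```

Run it from a machine outside the customer's network against the public host name, so the request traverses the proxy the same way Let's Encrypt's validation does; the loopback demo only shows what a healthy port 80 and a blocked port 443 look like in the report.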

We didn’t really try anything to confirm if it was working, our customer just kinda took the shotgun approach and turned off the proxy to get it working. We’ll probably have to try more things with them later, but I don’t know a whole lot about how the proxy should behave, so I was just poking around hoping to learn more in preparation. According to the customer, the ports should’ve been open on the virtualization stack, but they might not have been in the proxy. :thinking:

Proxies and firewalls are a red flag whenever cert validations fail; they’re almost always misconfigured. They should be as transparent as possible (not meddling with the contents) on ports 80 and 443. I dunno what else to say at this point, but let me know how it goes! Hopefully that was helpful.