Caddy behind Cloudflare SSL

Karthik_Kamalakannan · January 23, 2023, 1:03pm

1. Caddy version:

v2.6.2 h1:wKoFIxpmOJLGl3QXoo6PNbYvGW4xLEgo32GPBEjWL8o=

2. How I installed, and run Caddy:

Package manager for Ubuntu (APT)

a. System environment:

Ubuntu 22.04.1 LTS

b. Command:

sudo systemctl reload caddy

c. Service/unit/compose file:

Not using Docker

d. My complete Caddy config:

{
    on_demand_tls {
        ask https://webhook.site/275424e6-4864-4743-b8c6-c9328aa2cfbf
    }
}

:443
tls {
    on_demand
}


.example.app {
	file_server
	reverse_proxy 127.0.0.1:3000
	tls /etc/ssl/certs/cfcertificate.pem /etc/ssl/private/cfprivate.pem
}

3. The problem I’m having:

I’m trying to run Caddy behind Cloudflare Proxy using Cloudflare SSL for SaaS. I’m unable to serve the app via Caddy with SSL via Cloudflare, since it is failing SSL Handshake. This happens when a custom domain is mapped to cname.example.app, and when I try to access that domain.

The origin domain (example.app) certificate was provisioned using Cloudflare Origin Certificate and Caddy is configured to use that.

4. Error messages and/or full log output:

5. What I already tried:

Removing the Orange Cloud icon to pass requests directly to Caddy.

6. Links to relevant resources:

victor · January 23, 2023, 2:29pm

The wildcard matcher is actually *.example.com

And caddy can be configured to issue its own certificate using Cloudflare DNS. Then the “Full (Strict)” mode proxy should work.

You should not need an origin certificate. If caddy has its own cert, and Cloudflare Edge has its own, then Full (Strict) mode works on its own for me.

Karthik_Kamalakannan · January 23, 2023, 2:55pm

Thanks for the suggestion @victor. Appreciate it. I’m going to try this now. Do you think this is the way my customers can configure custom domains as well?

victor · January 23, 2023, 3:27pm

It’s hard for me to say. I don’t have any experience with this. I know caddy can do that, but I don’t know if cloudflare can do wildcard domains.

EDIT: Wildcard DNS records · Cloudflare DNS docs

It looks like it is supported.

emilylange · January 24, 2023, 7:55am

Your Caddyfile is invalid.
Caddy shouldn’t even be able to start.
Are you sure the posted Caddyfile is the one you are running?

You can use caddy validate to check it before running systemctl reload caddy.

Also note, that Caddy won’t load your invalid config with systemctl reload caddy.
It will keep using the previous version.
Check your logs.
You can also enable debug logging with the debug global option

system · February 23, 2023, 7:56am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.