I’m trying to run Caddy behind Cloudflare Proxy using Cloudflare SSL for SaaS. I’m unable to serve the app via Caddy with SSL via Cloudflare, since it is failing SSL Handshake. This happens when a custom domain is mapped to cname.example.app, and when I try to access that domain.
The origin domain (example.app) certificate was provisioned using Cloudflare Origin Certificate and Caddy is configured to use that.
And caddy can be configured to issue its own certificate using Cloudflare DNS. Then the “Full (Strict)” mode proxy should work.
You should not need an origin certificate. If caddy has its own cert, and Cloudflare Edge has its own, then Full (Strict) mode works on its own for me.
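As an added illustration of the setup described above (example configuration, not the poster's own Caddyfile): Caddy obtains a publicly trusted certificate itself using the ACME DNS challenge against Cloudflare DNS, so no Cloudflare Origin Certificate is needed and the edge can verify the origin under Full (Strict). The DNS challenge is used because, with the orange-cloud proxy in front, the TLS-ALPN challenge never reaches Caddy. The hostnames are the ones from the thread; the upstream address, the contact e-mail and the token variable name are assumptions.

```caddyfile
# Added example, not from the original post.
# Assumes Caddy was built with the github.com/caddy-dns/cloudflare module
# (e.g. with xcaddy) and that CLOUDFLARE_API_TOKEN holds a scoped token
# with Zone:DNS:Edit on the example.app zone.
{
	# ACME account contact (assumed placeholder address)
	email admin@example.app
}

example.app, cname.example.app {
	tls {
		# DNS-01 challenge via Cloudflare; works even though the site is proxied
		dns cloudflare {env.CLOUDFLARE_API_TOKEN}
	}

	# Backend application (assumed upstream address)
	reverse_proxy localhost:8080
}
```

With this in place the Cloudflare zone's SSL mode can be set to Full (Strict): the edge validates Caddy's ACME-issued certificate, and Caddy validates nothing about the edge, so it still needs to be restricted to Cloudflare's IP ranges at the firewall if direct access to the origin is a concern.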
Thanks for the suggestion @victor. Appreciate it. I’m going to try this now. Do you think this is the way my customers can configure custom domains as well?
It’s hard for me to say. I don’t have any experience with this. I know caddy can do that, but I don’t know if cloudflare can do wildcard domains.
Your Caddyfile is invalid.
Caddy shouldn’t even be able to start.
Are you sure the posted Caddyfile is the one you are running?
You can use caddy validate to check it before running systemctl reload caddy.
Also note that Caddy won’t load your invalid config with systemctl reload caddy.
It will keep using the previous version.
Check your logs.
You can also enable debug logging with the debug global option.