Caddy behind Cloudflare Tunnel on a subdomain

1. The problem I’m having:

Hi,

I now have an ISP that doesn’t allow any port opening, so I need to use Cloudflare Tunnel to expose my self-hosted apps like Home Assistant. I first tried to redirect a Cloudflare Tunnel to Home Assistant directly (without Caddy) and it works perfectly.

Now, I am trying something more complicated: having Caddy between Cloudflared and my apps. This will allow me to integrate Authentik for authentication for my app access. I know Cloudflare can integrate something similar, but I am already an Authentik user so I prefer to do it that way.

The problem is that I am trying to make my tunnel point to a subdomain, server2.website.com, because I already have a server running without a tunnel on website.com. I then want to have services like homeassistant.website.com working on server2.website.com and not website.com.

I first set up a CNAME homeassistant.website.com redirecting to server2.website.com

I have set up my Cloudflare Tunnel so it connects to server2.website.com and redirects locally to https://caddy:443. I am running everything in Docker, so it is the DNS name on the Docker network. It seems Caddy has issues completing ACME challenges to get its certificates. I tried following Caddy with Cloudflare Tunnel, following the Internal HTTPS section, but it doesn’t seem to work. I have set server2.website.com in the Origin Server Name and HTTP Host Header settings.

What should I do so Caddy can get its certificates and work with full HTTPS?

Thanks in advance and have a great day

2. Error messages and/or full log output:

{"level":"info","ts":1703360613.707556,"logger":"http.acme_client","msg":"trying to solve challenge","identifier":"homeassistant.website.com","challenge_type":"tls-alpn-01","ca":"https://acme-v02.api.letsencrypt.org/directory"}
{"level":"error","ts":1703360614.2765284,"logger":"http.acme_client","msg":"challenge failed","identifier":"homeassistant.website.com","challenge_type":"tls-alpn-01","problem":{"type":"urn:ietf:params:acme:error:dns","title":"","detail":"no valid A records found for homeassistant.website.com; no valid AAAA records found for homeassistant.website.com","instance":"","subproblems":[]}}
{"level":"error","ts":1703360614.2766743,"logger":"http.acme_client","msg":"validating authorization","identifier":"homeassistant.website.com","problem":{"type":"urn:ietf:params:acme:error:dns","title":"","detail":"no valid A records found for homeassistant.website.com; no valid AAAA records found for homeassistant.website.com","instance":"","subproblems":[]},"order":"https://acme-v02.api.letsencrypt.org/acme/order/1480819546/231363773556","attempt":1,"max_attempts":3}
{"level":"info","ts":1703360615.7290094,"logger":"http.acme_client","msg":"trying to solve challenge","identifier":"homeassistant.website.com","challenge_type":"http-01","ca":"https://acme-v02.api.letsencrypt.org/directory"}
{"level":"error","ts":1703360616.3176894,"logger":"http.acme_client","msg":"challenge failed","identifier":"homeassistant.website.com","challenge_type":"http-01","problem":{"type":"urn:ietf:params:acme:error:dns","title":"","detail":"no valid A records found for homeassistant.website.com; no valid AAAA records found for homeassistant.website.com","instance":"","subproblems":[]}}
{"level":"error","ts":1703360616.3179293,"logger":"http.acme_client","msg":"validating authorization","identifier":"homeassistant.website.com","problem":{"type":"urn:ietf:params:acme:error:dns","title":"","detail":"no valid A records found for homeassistant.website.com; no valid AAAA records found for homeassistant.website.com","instance":"","subproblems":[]},"order":"https://acme-v02.api.letsencrypt.org/acme/order/1480819546/231363777856","attempt":2,"max_attempts":3}
{"level":"error","ts":1703360616.3181286,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"homeassistant.website.com","issuer":"acme-v02.api.letsencrypt.org-directory","error":"HTTP 400 urn:ietf:params:acme:error:dns - no valid A records found for homeassistant.website.com; no valid AAAA records found for homeassistant.website.com"}
{"level":"info","ts":1703360616.3231282,"logger":"http","msg":"waiting on internal rate limiter","identifiers":["homeassistant.website.com"],"ca":"https://acme.zerossl.com/v2/DV90","account":"caddy@zerossl.com"}
{"level":"info","ts":1703360616.3232503,"logger":"http","msg":"done waiting on internal rate limiter","identifiers":["homeassistant.website.com"],"ca":"https://acme.zerossl.com/v2/DV90","account":"caddy@zerossl.com"}
{"level":"error","ts":1703360618.4472892,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"homeassistant.website.com","issuer":"acme.zerossl.com-v2-DV90","error":"[homeassistant.website.com] solving challenges: authz https://acme.zerossl.com/v2/DV90/authz/9I5fAv1xtIe0pTnQhepOog has unexpected status; order will fail: invalid (order=https://acme.zerossl.com/v2/DV90/order/LQWPUgHIpCnOfegNStL6lA) (ca=https://acme.zerossl.com/v2/DV90)"}
{"level":"error","ts":1703360618.4474444,"logger":"tls.obtain","msg":"will retry","error":"[homeassistant.website.com] Obtain: [homeassistant.website.com] solving challenges: authz https://acme.zerossl.com/v2/DV90/authz/9I5fAv1xtIe0pTnQhepOog has unexpected status; order will fail: invalid (order=https://acme.zerossl.com/v2/DV90/order/LQWPUgHIpCnOfegNStL6lA) (ca=https://acme.zerossl.com/v2/DV90)","attempt":1,"retrying_in":60,"elapsed":6.046940209,"max_duration":2592000}
{"level":"info","ts":1703360678.4491036,"logger":"tls.obtain","msg":"obtaining certificate","identifier":"homeassistant.website.com"}
{"level":"info","ts":1703360679.6252222,"logger":"http.acme_client","msg":"trying to solve challenge","identifier":"homeassistant.website.com","challenge_type":"http-01","ca":"https://acme-staging-v02.api.letsencrypt.org/directory"}
{"level":"error","ts":1703360680.25347,"logger":"http.acme_client","msg":"challenge failed","identifier":"homeassistant.website.com","challenge_type":"http-01","problem":{"type":"urn:ietf:params:acme:error:dns","title":"","detail":"no valid A records found for homeassistant.website.com; no valid AAAA records found for homeassistant.website.com","instance":"","subproblems":[]}}
{"level":"error","ts":1703360680.2535858,"logger":"http.acme_client","msg":"validating authorization","identifier":"homeassistant.website.com","problem":{"type":"urn:ietf:params:acme:error:dns","title":"","detail":"no valid A records found for homeassistant.website.com; no valid AAAA records found for homeassistant.website.com","instance":"","subproblems":[]},"order":"https://acme-staging-v02.api.letsencrypt.org/acme/order/130006994/13166717354","attempt":1,"max_attempts":3}
{"level":"info","ts":1703360681.6588871,"logger":"http.acme_client","msg":"trying to solve challenge","identifier":"homeassistant.website.com","challenge_type":"tls-alpn-01","ca":"https://acme-staging-v02.api.letsencrypt.org/directory"}
{"level":"error","ts":1703360682.2944815,"logger":"http.acme_client","msg":"challenge failed","identifier":"homeassistant.website.com","challenge_type":"tls-alpn-01","problem":{"type":"urn:ietf:params:acme:error:dns","title":"","detail":"no valid A records found for homeassistant.website.com; no valid AAAA records found for homeassistant.website.com","instance":"","subproblems":[]}}
{"level":"error","ts":1703360682.2946312,"logger":"http.acme_client","msg":"validating authorization","identifier":"homeassistant.website.com","problem":{"type":"urn:ietf:params:acme:error:dns","title":"","detail":"no valid A records found for homeassistant.website.com; no valid AAAA records found for homeassistant.website.com","instance":"","subproblems":[]},"order":"https://acme-staging-v02.api.letsencrypt.org/acme/order/130006994/13166717624","attempt":2,"max_attempts":3}
{"level":"error","ts":1703360682.294731,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"homeassistant.website.com","issuer":"acme-v02.api.letsencrypt.org-directory","error":"HTTP 400 urn:ietf:params:acme:error:dns - no valid A records found for homeassistant.website.com; no valid AAAA records found for homeassistant.website.com"}
{"level":"error","ts":1703360684.9800153,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"homeassistant.website.com","issuer":"acme.zerossl.com-v2-DV90","error":"[homeassistant.website.com] solving challenges: authz https://acme.zerossl.com/v2/DV90/authz/9I5fAv1xtIe0pTnQhepOog has unexpected status; order will fail: invalid (order=https://acme.zerossl.com/v2/DV90/order/LQWPUgHIpCnOfegNStL6lA) (ca=https://acme.zerossl.com/v2/DV90)"}
{"level":"error","ts":1703360684.980155,"logger":"tls.obtain","msg":"will retry","error":"[homeassistant.website.com] Obtain: [homeassistant.website.com] solving challenges: authz https://acme.zerossl.com/v2/DV90/authz/9I5fAv1xtIe0pTnQhepOog has unexpected status; order will fail: invalid (order=https://acme.zerossl.com/v2/DV90/order/LQWPUgHIpCnOfegNStL6lA) (ca=https://acme.zerossl.com/v2/DV90)","attempt":2,"retrying_in":120,"elapsed":72.579650922,"max_duration":2592000}

3. Caddy version:

v2.7.6 h1:w0NymbG2m9PcvKWsrXO6EEkY9Ru4FJK8uQbYcev1p3A=

4. How I installed and ran Caddy:

version: "3.7"
services:

  cloudflared: 
    image: cloudflare/cloudflared 
    platform: "linux/arm64"
    container_name: cloudflared
    networks:
      - caddy
    environment:
      - PUID=${PUID}
      - PGID=${PGID}
      - TZ=${TZ}
      - TUNNEL_TOKEN=redacted
    restart: unless-stopped
    command: tunnel run 

  caddy:
    image: lucaslorentz/caddy-docker-proxy:ci-alpine
    platform: "linux/arm64"
    container_name: caddy
    #ports:
    #  - 80:80
    #  - 443:443
    environment:
      - CADDY_INGRESS_NETWORKS=services
      - PUID=${PUID}
      - PGID=${PGID}
      - TZ=${TZ}
    networks:
      services:
        ipv4_address: 172.18.0.100
      caddy:
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - ${CONFIG_FOLDER}/caddy:/data
    restart: unless-stopped

networks:
  caddy:
    name: caddy
    ipam:
      driver: default
      config:
        - subnet: ${CADDY_NETWORK_IP}.0/24
  services:
    name: services
    external: true

# Second compose file (Home Assistant stack)
version: "3.7"
services:

  homeassistant:
    image: lscr.io/linuxserver/homeassistant:latest
    platform: "linux/arm64"
    container_name: homeassistant
    restart: unless-stopped
    #network_mode: host
    networks:
      - services
    environment:
      - PUID=${PUID}
      - PGID=${PGID}
      - TZ=${TZ}
      - DOCKER_MODS=linuxserver/mods:homeassistant-hacs
    volumes:
      - ${CONFIG_FOLDER}/homeassistant:/config
    #ports:
    #  - 8123:8123
    #devices:
    #  - /path/to/device:/path/to/device
    labels:
      caddy: homeassistant.website.com
      caddy.reverse_proxy: homeassistant:8123
networks:
  services:
    name: services
    external: true

a. System environment:

Docker

b. Command:


c. Service/unit/compose file:


d. My complete Caddy config:

Caddy config is generated from the compose files and labels above

homeassistant.website.com {
        reverse_proxy homeassistant:8123
}

5. Links to relevant resources:

The error message says:

You say

Does server2.website.com have a valid A/AAAA record?

P.S.: Redacting domain names does not increase the security in any way. DNS is public data. It only makes our troubleshooting efforts harder.


I misconfigured the DNS at Cloudflare. I am using a tunnel, and what I needed to set is a new public hostname in the Zero Trust Network settings, and not a CNAME.

Teeeeeechnically the new public hostname in the tunnel settings merely configures the CNAME in your DNS settings.

You can go inspect it in the Cloudflare dashboard after you’ve added it in your Zero Trust dashboard! It should look like [tunnel ID].cfargotunnel.com with the orange cloud enabled.
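As an added example, not code from this thread or from Caddy: a small Python triage script for Caddy's JSON log output in the shape posted above. It groups the ACME challenge failures by hostname and maps the ACME "dns" problem type to the cause this thread settled on (no public hostname in the tunnel, hence no CNAME to the tunnel's cfargotunnel.com name). The sample log lines and the hint wording are constructed here.

```python
import json
from collections import defaultdict

# Constructed sample in the shape of the Caddy log lines posted in this
# thread: both challenge types fail with an ACME "dns" problem, then a retry.
SAMPLE_LOG = """\
{"level":"info","ts":1703360613.7,"logger":"http.acme_client","msg":"trying to solve challenge","identifier":"homeassistant.website.com","challenge_type":"tls-alpn-01","ca":"https://acme-v02.api.letsencrypt.org/directory"}
{"level":"error","ts":1703360614.2,"logger":"http.acme_client","msg":"challenge failed","identifier":"homeassistant.website.com","challenge_type":"tls-alpn-01","problem":{"type":"urn:ietf:params:acme:error:dns","detail":"no valid A records found for homeassistant.website.com; no valid AAAA records found for homeassistant.website.com"}}
{"level":"error","ts":1703360616.3,"logger":"http.acme_client","msg":"challenge failed","identifier":"homeassistant.website.com","challenge_type":"http-01","problem":{"type":"urn:ietf:params:acme:error:dns","detail":"no valid A records found for homeassistant.website.com; no valid AAAA records found for homeassistant.website.com"}}
{"level":"error","ts":1703360618.4,"logger":"tls.obtain","msg":"will retry","error":"[homeassistant.website.com] Obtain: solving challenges failed","attempt":1,"retrying_in":60,"max_duration":2592000}
docker logs sometimes interleaves plain text lines like this one
"""

# Hypothetical hint text (not Caddy's own) for the ACME problem type seen above.
HINTS = {
    "urn:ietf:params:acme:error:dns": (
        "CA found no public A/AAAA record; behind a Cloudflare Tunnel this "
        "usually means the public hostname was never added, so there is no "
        "CNAME to <tunnel-id>.cfargotunnel.com for the name"
    ),
}

def triage_acme_log(text):
    """Return {host: {"challenges": [...], "problems": {type: detail}, "retries": int, "hint": str}}."""
    report = defaultdict(lambda: {"challenges": [], "problems": {},
                                  "retries": 0, "hint": ""})
    for line in text.splitlines():
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip non-JSON lines mixed into the stream
        if ev.get("logger") == "http.acme_client" and ev.get("msg") == "challenge failed":
            entry = report[ev["identifier"]]
            entry["challenges"].append(ev.get("challenge_type", "?"))
            prob = ev.get("problem", {})
            entry["problems"][prob.get("type", "unknown")] = prob.get("detail", "")
        elif ev.get("logger") == "tls.obtain" and ev.get("msg") == "will retry":
            # the hostname only appears inside the error string as "[host] Obtain: ..."
            err = ev.get("error", "")
            if err.startswith("[") and "]" in err:
                report[err[1:err.index("]")]]["retries"] += 1
    for entry in report.values():
        for ptype in entry["problems"]:
            entry["hint"] = HINTS.get(ptype, "see the problem detail and the CA's docs")
    return dict(report)
```

Feed it `docker logs caddy` output to see which hostnames are failing and why before Caddy's retry loop (up to the 30-day `max_duration` in the log) burns through the CA's rate limits.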
