Caddy certificate

1. The problem I’m having:

I’m trying to set up a reverse proxy to go from my public IP to localhost:22023. I run it successfully, but curl -v 151.74.122.201 is failing to verify the legitimacy of the server, so it closes the connection.

Previously I issued the certificate using ZeroSSL to that IP by hosting an HTTP server using XAMPP. I got ca_bundle.crt, certificate.crt and private.key

To tell Caddy to use it, I provided the certificate and the private key using tls fullchain.pem privkey.pem, files I got by running these two commands.

copy /b certificate.crt+ca_bundle.crt fullchain.pem
rename private.key privkey.pem

The files are next to Caddyfile, that’s where I run all the caddy commands from.

2. Error messages and/or full log output:

I:\Impostor-Server_1.10.3_win-x64\ReverseProxy>caddy adapt && caddy run
2025/07/29 01:01:42.810 INFO    using adjacent Caddyfile
{"apps":{"http":{"servers":{"srv0":{"listen":[":443"],"routes":[{"match":[{"host":["151.74.122.201"]}],"handle":[{"handler":"subroute","routes":[{"handle":[{"handler":"reverse_proxy","upstreams":[{"dial":":22023"}]}]}]}],"terminal":true}],"tls_connection_policies":[{"match":{"sni":["151.74.122.201"]},"certificate_selection":{"any_tag":["cert0"]}},{}]}}},"tls":{"certificates":{"load_files":[{"certificate":"fullchain.pem","key":"privkey.pem","tags":["cert0"]}]}}}}
2025/07/29 01:01:42.893 INFO    maxprocs: Leaving GOMAXPROCS=32: CPU quota undefined
2025/07/29 01:01:42.893 INFO    GOMEMLIMIT is updated   {"package": "github.com/KimMachineGun/automemlimit/memlimit", "GOMEMLIMIT": 59584617676, "previous": 9223372036854775807}
2025/07/29 01:01:42.894 INFO    using adjacent Caddyfile
2025/07/29 01:01:42.895 INFO    adapted config to JSON  {"adapter": "caddyfile"}
2025/07/29 01:01:42.902 INFO    admin   admin endpoint started  {"address": "localhost:2019", "enforce_origin": false, "origins": ["//[::1]:2019", "//127.0.0.1:2019", "//localhost:2019"]}
2025/07/29 01:01:42.903 INFO    tls.cache.maintenance   started background certificate maintenance      {"cache": "0xc0005fc180"}
2025/07/29 01:01:42.904 INFO    http.auto_https skipping automatic certificate management because one or more matching certificates are already loaded  {"domain": "151.74.122.201", "server_name": "srv0"}
2025/07/29 01:01:42.904 INFO    http.auto_https enabling automatic HTTP->HTTPS redirects        {"server_name": "srv0"}
2025/07/29 01:01:42.904 WARN    http    HTTP/2 skipped because it requires TLS  {"network": "tcp", "addr": ":80"}
2025/07/29 01:01:42.904 WARN    http    HTTP/3 skipped because it requires TLS  {"network": "tcp", "addr": ":80"}
2025/07/29 01:01:42.905 INFO    http.log        server running  {"name": "remaining_auto_https_redirects", "protocols": ["h1", "h2", "h3"]}
2025/07/29 01:01:42.905 INFO    http    enabling HTTP/3 listener        {"addr": ":443"}
2025/07/29 01:01:42.905 INFO    http.log        server running  {"name": "srv0", "protocols": ["h1", "h2", "h3"]}
2025/07/29 01:01:42.906 INFO    autosaved config (load with --resume flag)      {"file": "C:\\Users\\Jeki\\AppData\\Roaming\\Caddy\\autosave.json"}
2025/07/29 01:01:42.906 INFO    serving initial configuration
2025/07/29 01:01:42.910 INFO    tls     storage cleaning happened too recently; skipping for now        {"storage": "FileStorage:C:\\Users\\Jeki\\AppData\\Roaming\\Caddy", "instance": "53ba76f6-863d-43e0-b181-1da8619eff11", "try_again": "2025/07/30 01:01:42.910", "try_again_in": 86400}
2025/07/29 01:01:42.911 INFO    tls     finished cleaning storage units
C:\Users\Jeki>curl -v https://151.74.122.201
*   Trying 151.74.122.201:443...
* Connected to 151.74.122.201 (151.74.122.201) port 443
* schannel: disabled automatic use of client certificate
* schannel: using IP address, SNI is not supported by OS.
* ALPN: curl offers http/1.1
* schannel: SEC_E_UNTRUSTED_ROOT (0x80090325) - The certificate chain was issued by an authority that is not trusted.
* Closing connection
* schannel: shutting down SSL/TLS connection with 151.74.122.201 port 443
curl: (60) schannel: SEC_E_UNTRUSTED_ROOT (0x80090325) - The certificate chain was issued by an authority that is not trusted.
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

3. Caddy version:

C:\Users\Jeki>caddy -v
v2.10.0 h1:fonubSaQKF1YANl8TXqGcn4IbIRUDdfAkpcsfI/vX5U=

4. How I installed and ran Caddy:

I installed it using scoop, so scoop caddy

a. System environment:

C:\Users\Jeki>systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
OS Name:                   Microsoft Windows 10 Pro
OS Version:                10.0.19045 N/A Build 19045

b. Command:

caddy run

d. My complete Caddy config:

151.74.122.201 {
	tls fullchain.pem privkey.pem

	reverse_proxy :22023
}

5. Links to relevant resources:

Per the error message, Caddy is clearly providing the certificate it was configured with, and curl doesn’t like it. Check the link for how to fix it for curl.

2 Likes

Hello Mohammed, thank you for replying!

I read the link you sent, and as I understand it you suggest that I directly tell curl what certificate to use, so I took the ca_bundle.crt I was previously issued by ZeroSSL, renamed it to curl_ca_bundle.crt, and put it next to the other related configs.

That should suffice, because the article states the following:

If you are using the curl command line tool on Windows, curl searches for a CA cert file named curl-ca-bundle.crt in these directories and in this order:
[…]
2. current working directory
[…]

However, that didn’t seem to help. I also tried providing the CA explicitly with --cacert curl_ca_bundle.crt at the end of curl command, but same result.

The output:

I:\Impostor-Server_1.10.3_win-x64\ReverseProxy>dir
 Volume in drive I is Windows Home
 Volume Serial Number is 2C38-7122

 Directory of I:\Impostor-Server_1.10.3_win-x64\ReverseProxy

07/30/2025  03:52 PM    <DIR>          .
07/30/2025  03:52 PM    <DIR>          ..
07/29/2025  02:25 AM                73 Caddyfile
07/28/2025  11:13 PM             2,431 curl_ca_bundle.crt
07/29/2025  01:54 AM             4,704 fullchain.pem
07/28/2025  11:13 PM             1,702 privkey.pem
               4 File(s)          8,910 bytes
               2 Dir(s)  549,504,294,912 bytes free

I:\Impostor-Server_1.10.3_win-x64\ReverseProxy>curl -v https://151.74.122.201 --cacert curl_ca_bundle.crt
*   Trying 151.74.122.201:443...
* Connected to 151.74.122.201 (151.74.122.201) port 443
* schannel: disabled automatic use of client certificate
* schannel: using IP address, SNI is not supported by OS.
* ALPN: curl offers http/1.1
* schannel: added 1 certificate(s) from CA file 'curl_ca_bundle.crt'
* schannel: CertGetCertificateChain trust error CERT_TRUST_IS_UNTRUSTED_ROOT
* Closing connection
* schannel: shutting down SSL/TLS connection with 151.74.122.201 port 443
curl: (60) schannel: CertGetCertificateChain trust error CERT_TRUST_IS_UNTRUSTED_ROOT
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above

The certificate is being read by curl, but it still doesn’t like it.

I think that this isn’t specifically a curl problem, as I’m unable to reach the reverse proxy by any other means, like a web browser or the game client the proxy is designed for.

Looking forward to your reply

Please run this:

curl -kv https://151.74.122.201

and share the response. I just want to see what Caddy is responding with.

Also, if you have openssl command available, run the following and share the result:

openssl s_client -connect 151.74.122.201:443 -showcerts

It connects to the router settings

I:\Impostor-Server_1.10.3_win-x64\ReverseProxy>curl -kv https://151.74.122.201
*   Trying 151.74.122.201:443...
* Connected to 151.74.122.201 (151.74.122.201) port 443
* schannel: disabled automatic use of client certificate
* schannel: using IP address, SNI is not supported by OS.
* ALPN: curl offers http/1.1
* ALPN: server did not agree on a protocol. Uses default.
* using HTTP/1.x
> GET / HTTP/1.1
> Host: 151.74.122.201
> User-Agent: curl/8.4.0
> Accept: */*
>
* schannel: failed to decrypt data, need more data
< HTTP/1.1 200 OK
< Content-Type: text/html
< Cache-Control: no-cache
< Last-Modified: Tue, 21 Apr 2020 16:47:15 GMT
< Content-Length: 1511
< Date: Wed, 30 Jul 2025 17:35:22 GMT
< X-Frame-Options: sameorigin
< Content-Security-Policy: frame-ancestors 'self'
<
<!DOCTYPE html><html><head><meta charset=utf-8><meta http-equiv=Cache-Control content=no-store><meta http-equiv=cache-control content=no-cache><meta http-equiv=cache-control content="max-age=0"><meta name=viewport content="width=device-width,initial-scale=1,minimum-scale=1,maximum-scale=1"><title>.::Home&Life Hub::.</title><link rel=stylesheet href=./static/plugins/bootstrap-4.0.0/bootstrap.min.css><link rel=stylesheet type=text/css href="//fonts.googleapis.com/css?family=Roboto"><link rel=stylesheet href="//fonts.googleapis.com/css?family=Roboto" type=text/css><link rel=stylesheet href=./static/plugins/glyphicons/glyphicons.css><link type=text/css href=./static/plugins/zyxel-icon/styles.css rel=stylesheet><link rel=stylesheet href=./static/css/layout.css><link rel=stylesheet href=./static/css/colorTheme.css><link href=/static/css/app.d42312dc1da08db03e4d4a46082b515e.css rel=stylesheet></head><body><div id=app class=yellow></div><script src=./static/plugins/jquery-3.2.1.slim.min.js></script><script src=./static/plugins/popper/popper.min.js></script><script src=./static/plugins/bootstrap-4.0.0/bootstrap.min.js></script><script src=./static/js/site.js></script><script src=./static/js/zyxel.js></script><script src=./static/js/jsencrypt.min.js></script><script src=./static/js/aes.js></script><script type=text/javascript src=/static/js/manifest.js></script><script type=text/javascript src=/static/js/vendor.js></script><script type=text/javascript src=/static/js/app.js></script></body></html>* Connection #0 to host 151.74.122.201 left intact
I:\Impostor-Server_1.10.3_win-x64\ReverseProxy>openssl s_client -connect 151.74.122.201:443 -showcerts
Connecting to 151.74.122.201
CONNECTED(00000170)
Can't use SSL_get_servername
depth=0 C=TW, ST=TWN, O=ZyXEL, OU=ZyXELcert, CN=ZyXELcert
verify error:num=66:EE certificate key too weak
verify return:1
depth=0 C=TW, ST=TWN, O=ZyXEL, OU=ZyXELcert, CN=ZyXELcert
verify error:num=66:EE certificate key too weak
verify return:1
depth=0 C=TW, ST=TWN, O=ZyXEL, OU=ZyXELcert, CN=ZyXELcert
verify error:num=10:certificate has expired
notAfter=Jan  1 12:00:00 2025 GMT
verify return:1
depth=0 C=TW, ST=TWN, O=ZyXEL, OU=ZyXELcert, CN=ZyXELcert
notAfter=Jan  1 12:00:00 2025 GMT
verify return:1
---
Certificate chain
 0 s:C=TW, ST=TWN, O=ZyXEL, OU=ZyXELcert, CN=ZyXELcert
   i:C=TW, ST=TWN, O=ZyXEL, OU=ZyXELcert, CN=ZyXELcert
   a:PKEY: RSA, 1024 (bit); sigalg: sha512WithRSAEncryption
   v:NotBefore: Jan  1 12:00:00 2015 GMT; NotAfter: Jan  1 12:00:00 2025 GMT
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
---
Server certificate
subject=C=TW, ST=TWN, O=ZyXEL, OU=ZyXELcert, CN=ZyXELcert
issuer=C=TW, ST=TWN, O=ZyXEL, OU=ZyXELcert, CN=ZyXELcert
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: rsa_pkcs1_sha256
Peer Temp Key: ECDH, prime256v1, 256 bits
---
SSL handshake has read 1158 bytes and written 1650 bytes
Verification error: certificate has expired
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Protocol: TLSv1.2
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 1C96E1CBCC3FE15AB666AF3891F69BFA61A444A13FC8BF19F7ADA9E097DA1025
    Session-ID-ctx:
    Master-Key: 38AEF45E95FE15897E97722CB3C1108AA4A95F5784FA73F0F801B6A7F05BDC5874ABF071DCD6D356C8F1855CBB506FBD
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - 39 00 0e 11 6f 25 21 63-b9 d7 6c d6 01 95 80 ef   9...o%!c..l.....
    0010 - f1 30 cd a7 ff 32 38 a4-b6 83 a5 31 e6 4e 34 e4   .0...28....1.N4.
    0020 - 4e 2c ab c5 78 60 e7 9a-ba 0d 47 6e 1e 32 ab 7d   N,..x`....Gn.2.}
    0030 - e9 e6 40 69 75 bc 6e 19-6e 88 a0 da b7 ee 4e c9   ..@iu.n.n.....N.
    0040 - c7 f4 15 19 82 16 cc fd-7b d6 fa d0 a3 78 30 a1   ........{....x0.
    0050 - f4 3a ae 94 ff 4a 33 dd-80 c4 f5 6c 84 83 b3 e9   .:...J3....l....
    0060 - 0d 29 d4 ca d2 5d 91 d0-cd 4d ad 9f e3 2a 89 f6   .)...]...M...*..
    0070 - 69 b6 40 49 18 64 62 b9-f0 a3 0d 02 73 27 48 ba   i.@I.db.....s'H.
    0080 - f8 1c c2 af 21 8a 51 7d-8b 16 16 1d d9 9a 5c 08   ....!.Q}......\.
    0090 - ea 17 3e 9e cf 66 eb b6-03 a1 d2 86 c8 f5 11 ea   ..>..f..........

    Start Time: 1753896987
    Timeout   : 7200 (sec)
    Verify return code: 10 (certificate has expired)
    Extended master secret: no
---

You seem to be talking to your Zyxel router(?) rather than to Caddy.

Update: just to clarify - what your curl sees when talking to https://151.74.122.201 is a self-signed certificate issued by Zyxel, rather than Caddy with ZeroSSL certificate. That’s why your command

curl -v https://151.74.122.201 --cacert curl_ca_bundle.crt

is failing too.

1 Like

I’m not aware of what Zyxel is. 443 should be Caddy, as XAMPP wasn’t letting me boot up the server when Caddy was running on 443

It’s a Taiwanese company that makes network devices: routers, switches, wifi access points, etc.

Can you run ipconfig /all on your Windows machine and share the result? Is it the same machine where you run Caddy?

Yes, I’m running Caddy on my local machine, which is where I’m doing everything from.

I:\Impostor-Server_1.10.3_win-x64\ReverseProxy>ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : DESKTOP-Tony
   Primary Dns Suffix  . . . . . . . :
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : home-life.hub

Ethernet adapter Radmin VPN:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Famatech Radmin VPN Ethernet Adapter
   Physical Address. . . . . . . . . : 02-50-94-8A-AD-85
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv6 Address. . . . . . . . . . . : fdfd::1ae6:3354(Preferred)
   Link-local IPv6 Address . . . . . : fe80::eb11:523c:bf6b:9d4a%4(Preferred)
   IPv4 Address. . . . . . . . . . . : 26.230.51.84(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.0.0.0
   Default Gateway . . . . . . . . . : 26.0.0.1
   DHCPv6 IAID . . . . . . . . . . . : 604131476
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-2C-60-5A-94-C8-7F-54-56-CC-AD
   DNS Servers . . . . . . . . . . . : fec0:0:0:ffff::1%1
                                       fec0:0:0:ffff::2%1
                                       fec0:0:0:ffff::3%1
   NetBIOS over Tcpip. . . . . . . . : Enabled

Ethernet adapter Ethernet:

   Connection-specific DNS Suffix  . : home-life.hub
   Description . . . . . . . . . . . : Realtek Gaming 2.5GbE Family Controller
   Physical Address. . . . . . . . . : C8-7F-54-56-CC-AD
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::577b:2b71:3ef0:1c57%9(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.1.34(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Wednesday, July 30, 2025 7:03:23 AM
   Lease Expires . . . . . . . . . . : Thursday, July 31, 2025 7:03:34 PM
   Default Gateway . . . . . . . . . : 192.168.1.1
   DHCP Server . . . . . . . . . . . : 192.168.1.1
   DHCPv6 IAID . . . . . . . . . . . : 113803092
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-2C-60-5A-94-C8-7F-54-56-CC-AD
   DNS Servers . . . . . . . . . . . : 192.168.1.1
   NetBIOS over Tcpip. . . . . . . . : Enabled

Ethernet adapter Ethernet 2:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : VirtualBox Host-Only Ethernet Adapter
   Physical Address. . . . . . . . . : 0A-00-27-00-00-0E
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::901b:d1c5:dcb4:fae1%14(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.56.1(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . :
   DHCPv6 IAID . . . . . . . . . . . : 688521255
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-2C-60-5A-94-C8-7F-54-56-CC-AD
   DNS Servers . . . . . . . . . . . : fec0:0:0:ffff::1%1
                                       fec0:0:0:ffff::2%1
                                       fec0:0:0:ffff::3%1
   NetBIOS over Tcpip. . . . . . . . : Enabled

Ethernet adapter Bluetooth Network Connection:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Bluetooth Device (Personal Area Network)
   Physical Address. . . . . . . . . : 8C-88-2B-05-A5-7D
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Teredo Tunneling Pseudo-Interface:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft Teredo Tunneling Adapter
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv6 Address. . . . . . . . . . . : 2001:0:1428:8f18:1cac:278:da99:f226(Preferred)
   Link-local IPv6 Address . . . . . : fe80::1cac:278:da99:f226%12(Preferred)
   Default Gateway . . . . . . . . . :
   DHCPv6 IAID . . . . . . . . . . . : 100663296
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-2C-60-5A-94-C8-7F-54-56-CC-AD
   NetBIOS over Tcpip. . . . . . . . : Disabled

Thank you. Can you please clarify for me what 151.74.122.201 is? Where did that IP come from in your setup?

The reason why I’m asking all this is to understand better your setup and why you are seeing a Zyxel device responding to your connections to https://151.74.122.201 instead of Caddy.

That’s my public IP

root@DESKTOP-Tony:~# wget -qO- http://ipecho.net/plain | xargs echo
151.74.122.201

OK, so your ISP - Wind TRE - appears to be using Zyxel hardware, at least for the last-mile connections. For example:

So my best guess is that it’s their Zyxel device responding at https://151.74.122.201. The self-signed certificate on 151.74.122.201:443 is issued by Zyxel.

Here’s what you can try - update your Caddyfile like this:

:443 {
    tls fullchain.pem privkey.pem
    reverse_proxy localhost:22023
}

You should now be able to connect from your Windows machine to https://localhost and https://192.168.1.34 (your local network IP). You’ll likely still see a certificate warning, depending on the details in your ZeroSSL cert. You can then try to run the following and share the result, if you like:

openssl s_client -connect 192.168.1.34:443 -showcerts

Next, log into your ISP’s router and set up port forwarding for external port 443 to 192.168.1.34:443. After that, you can test from the internet to see if it’s working.

Caddy definitely isn’t what’s listening on 151.74.122.201:443. That’s not even the IP of the machine running Caddy.

If port forwarding works and your router supports Hairpin NAT (also called NAT loopback or NAT reflection), you should now be able to connect to 151.74.122.201:443 also from within your local network and get the traffic forwarded to Caddy.

In any case, this is not Caddy’s problem but rather your network setup.

2 Likes

Thank you for your extensive answer

C:\Users\Jeki>openssl s_client -connect 192.168.1.34:443 -showcerts
Connecting to 192.168.1.34
CONNECTED(00000188)
Can't use SSL_get_servername
depth=1 C=AT, O=ZeroSSL, CN=ZeroSSL RSA Domain Secure Site CA
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN=151.74.122.201
verify return:1
---
Certificate chain
 0 s:CN=151.74.122.201
   i:C=AT, O=ZeroSSL, CN=ZeroSSL RSA Domain Secure Site CA
   a:PKEY: RSA, 2048 (bit); sigalg: sha384WithRSAEncryption
   v:NotBefore: Jul 28 00:00:00 2025 GMT; NotAfter: Oct 26 23:59:59 2025 GMT
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
 1 s:C=AT, O=ZeroSSL, CN=ZeroSSL RSA Domain Secure Site CA
   i:C=US, ST=New Jersey, L=Jersey City, O=The USERTRUST Network, CN=USERTrust RSA Certification Authority
   a:PKEY: RSA, 4096 (bit); sigalg: sha384WithRSAEncryption
   v:NotBefore: Jan 30 00:00:00 2020 GMT; NotAfter: Jan 29 23:59:59 2030 GMT
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
---
Server certificate
subject=CN=151.74.122.201
issuer=C=AT, O=ZeroSSL, CN=ZeroSSL RSA Domain Secure Site CA
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: rsa_pss_rsae_sha256
Negotiated TLS1.3 group: X25519MLKEM768
---
SSL handshake has read 5023 bytes and written 1588 bytes
Verification error: unable to get local issuer certificate
---
New, TLSv1.3, Cipher is TLS_AES_128_GCM_SHA256
Protocol: TLSv1.3
Server public key is 2048 bit
This TLS version forbids renegotiation.
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 20 (unable to get local issuer certificate)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_128_GCM_SHA256
    Session-ID: 0D9D29C4B47372406735F82D4F181994B0611F7348BF49C8B1A16E3611564730
    Session-ID-ctx:
    Resumption PSK: 1119E489414C3B2B071ABBE4183AB677476C84724C646F157DB5F4D6C95F1FC6
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 604800 (seconds)
    TLS session ticket:
    0000 - 14 2a 01 46 96 90 1c 84-4b 3d cb f5 e1 a4 7f 1f   .*.F....K=......
    0010 - 1a 0e e9 b2 5a b3 7d 81-ab 31 1f 54 78 21 42 47   ....Z.}..1.Tx!BG
    0020 - 16 ff dc 7b 79 5d 76 ad-7c 62 16 df 32 bc 1f 0b   ...{y]v.|b..2...
    0030 - 52 63 b8 29 67 16 c6 d4-3c 48 70 a0 b5 8f 16 1b   Rc.)g...<Hp.....
    0040 - a6 a5 ca 1d 72 c2 97 6d-29 ff 1a 3f f7 4f a8 86   ....r..m)..?.O..
    0050 - d4 87 f4 91 bc de 9f 1d-2a 1d 89 b7 44 5b 43 51   ........*...D[CQ
    0060 - 55 bf 33 8c ec ad c1 55-b4                        U.3....U.

    Start Time: 1753917185
    Timeout   : 7200 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK

I think I have already done that previously. I’m attaching a screenshot just in case.

Accessing https://192.168.1.34:443 works as intended when opened in a browser, but when I run curl, it fails

C:\Users\Jeki>curl -v https://192.168.1.34:443
*   Trying 192.168.1.34:443...
* Connected to 192.168.1.34 (192.168.1.34) port 443
* schannel: disabled automatic use of client certificate
* schannel: using IP address, SNI is not supported by OS.
* ALPN: curl offers http/1.1
* schannel: SNI or certificate check failed: SEC_E_WRONG_PRINCIPAL (0x80090322) - The target principal name is incorrect.
* Closing connection
* schannel: shutting down SSL/TLS connection with 192.168.1.34 port 443
curl: (60) schannel: SNI or certificate check failed: SEC_E_WRONG_PRINCIPAL (0x80090322) - The target principal name is incorrect.
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

Sadly https://151.74.122.201:443 gives me the same result

C:\Users\Jeki>curl -v https://151.74.122.201:443
*   Trying 151.74.122.201:443...
* Connected to 151.74.122.201 (151.74.122.201) port 443
* schannel: disabled automatic use of client certificate
* schannel: using IP address, SNI is not supported by OS.
* ALPN: curl offers http/1.1
* schannel: SEC_E_UNTRUSTED_ROOT (0x80090325) - The certificate chain was issued by an authority that is not trusted.
* Closing connection
* schannel: shutting down SSL/TLS connection with 151.74.122.201 port 443
curl: (60) schannel: SEC_E_UNTRUSTED_ROOT (0x80090325) - The certificate chain was issued by an authority that is not trusted.
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

What makes you think that?

This should be my router, Home&Life Hub vmg8825b50b. I tried looking for something mentioning NAT loopback or NAT reflection, but I personally couldn’t find anything.

Thank you for your patience

Alright, now you’re talking to Caddy configured with ZeroSSL :+1:

If you have, then it doesn’t seem to be working. If I try 151.74.122.201:443 from the Internet, I get no response. There are a couple of possible reasons why:

  • a Windows firewall on your Caddy computer may be enabled and blocking inbound traffic to port 443 from the network, or
  • your ISP may be doing a double NAT, so creating port-forwarding on your router has no effect, or
  • your ISP blocks inbound port 443 or a whole range of inbound ports, so creating port-forwarding on your router or port-forwarding on port 443 has no effect, or
  • something else

Obviously. That’s why I mentioned in my previous comments that “You’ll likely still see a certificate warning, depending on the details in your ZeroSSL cert.”

You are connecting to https://192.168.1.34 but the certificate used by Caddy has CN=151.74.122.201:

192.168.1.34 != 151.74.122.201; that’s why you see the certificate warning.

If you look closely, they are not the same. The error messages point to significant differences:

In the first case, when connecting to 192.168.1.34:443, you got SEC_E_WRONG_PRINCIPAL with The target principal name is incorrect, which is something I’ve already explained above - you are connecting to https://192.168.1.34 but the certificate used by Caddy has CN=151.74.122.201.

In the second case, when connecting to 151.74.122.201:443, you got SEC_E_UNTRUSTED_ROOT with The certificate chain was issued by an authority that is not trusted, which is something I also have already explained before - you’re talking to a Zyxel network device which is using a self-signed untrusted certificate:

Your ipconfig /all and this:

1 Like
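The two curl errors above are different checks failing, and a TLS client runs them in a fixed order: validity period and issuer chain first, then the name. The following is an added illustration written for this page, not code from the thread, from Caddy or from curl. It builds its own throwaway keys and certificates (a constructed root, a constructed intermediate, a leaf with IP SAN 151.74.122.201 standing in for the ZeroSSL certificate, and a self-signed, expired CN=ZyXELcert leaf standing in for the router), then classifies each connection the way the thread observed it. The IP SAN on the Caddy leaf is an assumption (the s_client output only shows the CN); the names Classify, BuildScenario and Results are the example’s own. It goes slightly beyond the two curl errors by also reproducing the two openssl outcomes in the thread (expired certificate, and a trust store missing the root).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net"
	"time"
)

// Outcome buckets, named after the client messages quoted in the thread.
const (
	OK             = "ok"
	UntrustedRoot  = "untrusted_root"  // schannel SEC_E_UNTRUSTED_ROOT / openssl "unable to get local issuer certificate"
	WrongPrincipal = "wrong_principal" // schannel SEC_E_WRONG_PRINCIPAL "target principal name is incorrect"
	Expired        = "expired"         // openssl "verify error:num=10:certificate has expired"
	Other          = "other"
)

// Classify checks the chain (validity period, then issuer path to a trusted root)
// before the name, which is the order the clients in the thread reported: curl
// stopped at the untrusted root of the router certificate and never reached the
// name check. target is the host as typed on the command line (an IP literal here).
func Classify(leaf *x509.Certificate, inters []*x509.Certificate, roots *x509.CertPool, target string, now time.Time) string {
	pool := x509.NewCertPool()
	for _, c := range inters {
		pool.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: pool, CurrentTime: now})
	var invalid x509.CertificateInvalidError
	var unknown x509.UnknownAuthorityError
	switch {
	case err == nil:
	case errors.As(err, &invalid) && invalid.Reason == x509.Expired:
		return Expired
	case errors.As(err, &unknown):
		return UntrustedRoot
	default:
		return Other
	}
	// Chain is fine; now the name check, which Go applies to SANs only (an IP literal must be in IPAddresses).
	var mismatch x509.HostnameError
	if err := leaf.VerifyHostname(target); errors.As(err, &mismatch) {
		return WrongPrincipal
	} else if err != nil {
		return Other
	}
	return OK
}

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// issue signs tmpl with parentKey; a nil parent makes the certificate self-signed.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, parentKey *ecdsa.PrivateKey) *x509.Certificate {
	if parent == nil {
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// Scenario holds constructed stand-ins for the certificates seen in the thread;
// none of these are real ZeroSSL, USERTrust or Zyxel certificates.
type Scenario struct {
	Roots      *x509.CertPool      // trust store containing only the constructed root
	Inters     []*x509.Certificate // constructed intermediate, as a server would send it
	CaddyLeaf  *x509.Certificate   // IP SAN 151.74.122.201 (assumed), chained to the root
	RouterLeaf *x509.Certificate   // self-signed CN=ZyXELcert, expired 2025-01-01 as in the thread
}

func BuildScenario(now time.Time) Scenario {
	rootKey, interKey, caddyKey, routerKey := newKey(), newKey(), newKey(), newKey()
	caTmpl := func(cn string, serial int64) *x509.Certificate {
		return &x509.Certificate{
			SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
			NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * 365 * time.Hour),
			IsCA: true, BasicConstraintsValid: true,
			KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		}
	}
	root := issue(caTmpl("constructed root CA", 1), nil, &rootKey.PublicKey, rootKey)
	inter := issue(caTmpl("constructed intermediate CA", 2), root, &interKey.PublicKey, rootKey)
	caddy := issue(&x509.Certificate{
		SerialNumber: big.NewInt(3), Subject: pkix.Name{CommonName: "151.74.122.201"},
		IPAddresses: []net.IP{net.ParseIP("151.74.122.201")},
		NotBefore:   now.Add(-time.Hour), NotAfter: now.Add(24 * 90 * time.Hour),
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, inter, &caddyKey.PublicKey, interKey)
	router := issue(&x509.Certificate{
		SerialNumber: big.NewInt(4), Subject: pkix.Name{CommonName: "ZyXELcert", Organization: []string{"ZyXEL"}},
		NotBefore: time.Date(2015, 1, 1, 12, 0, 0, 0, time.UTC), NotAfter: time.Date(2025, 1, 1, 12, 0, 0, 0, time.UTC),
	}, nil, &routerKey.PublicKey, routerKey)
	roots := x509.NewCertPool()
	roots.AddCert(root)
	return Scenario{Roots: roots, Inters: []*x509.Certificate{inter}, CaddyLeaf: caddy, RouterLeaf: router}
}

// Results reproduces the thread's observations offline (all keys and certs are constructed above).
func Results() map[string]string {
	now := time.Date(2025, 7, 30, 17, 35, 22, 0, time.UTC) // Date header from the thread's curl -kv output
	s := BuildScenario(now)
	noRoot := x509.NewCertPool() // a trust store that has the intermediate but no root
	return map[string]string{
		"router, checked before its expiry": Classify(s.RouterLeaf, nil, s.Roots, "151.74.122.201", time.Date(2024, 7, 30, 0, 0, 0, 0, time.UTC)),
		"router, checked July 2025":         Classify(s.RouterLeaf, nil, s.Roots, "151.74.122.201", now),
		"caddy via 192.168.1.34":            Classify(s.CaddyLeaf, s.Inters, s.Roots, "192.168.1.34", now),
		"caddy via 151.74.122.201":          Classify(s.CaddyLeaf, s.Inters, s.Roots, "151.74.122.201", now),
		"caddy, root missing from store":    Classify(s.CaddyLeaf, s.Inters, noRoot, "151.74.122.201", now),
	}
}

func main() {
	for name, outcome := range Results() {
		fmt.Printf("%-35s -> %s\n", name, outcome)
	}
}
```

The ordering inside Classify is the practical point: a client that fails on the chain reports nothing about the name, so SEC_E_UNTRUSTED_ROOT against 151.74.122.201 says only that whatever answered is not presenting a chain to a trusted root, and SEC_E_WRONG_PRINCIPAL against 192.168.1.34 says the chain was fine but the address typed is not in the certificate. Only the last case, name present and root trusted, yields a clean connection.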

Tried disabling the firewall on my local machine, but same result

C:\Users\Jeki>curl -v https://151.74.122.201:443
*   Trying 151.74.122.201:443...
* Connected to 151.74.122.201 (151.74.122.201) port 443
* schannel: disabled automatic use of client certificate
* schannel: using IP address, SNI is not supported by OS.
* ALPN: curl offers http/1.1
* schannel: SEC_E_UNTRUSTED_ROOT (0x80090325) - The certificate chain was issued by an authority that is not trusted.
* Closing connection
* schannel: shutting down SSL/TLS connection with 151.74.122.201 port 443
curl: (60) schannel: SEC_E_UNTRUSTED_ROOT (0x80090325) - The certificate chain was issued by an authority that is not trusted.
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

Previously I forwarded some ports to host Perforce and Unreal Engine servers, and people were able to connect to them with no problem. That makes me think that this shouldn’t be the case.

To test this, I tried to change the reverse proxy port from 443 to 7777, so the config is as follows:

:7777 {
	tls fullchain.pem privkey.pem
	reverse_proxy :22023
}

And then ran curl locally to test it

C:\Users\Jeki>curl -v https://151.74.122.201:7777
*   Trying 151.74.122.201:7777...
* Connected to 151.74.122.201 (151.74.122.201) port 7777
* schannel: disabled automatic use of client certificate
* schannel: using IP address, SNI is not supported by OS.
* ALPN: curl offers http/1.1
* ALPN: server accepted http/1.1
* using HTTP/1.1
> GET / HTTP/1.1
> Host: 151.74.122.201:7777
> User-Agent: curl/8.4.0
> Accept: */*
>
< HTTP/1.1 200 OK
< Alt-Svc: h3=":7777"; ma=2592000
< Content-Type: text/plain; charset=utf-8
< Date: Thu, 31 Jul 2025 18:11:11 GMT
< Server: Kestrel
< Via: 1.1 Caddy
< Transfer-Encoding: chunked
<
Impostor is running, please configure your Among Us to connect to a game
To generate a region file, go to https://impostor.github.io/Impostor* Connection #0 to host 151.74.122.201 left intact

Remotely it fails, though; I would assume it has something to do with it not being an HTTP/HTTPS port.

So, it does seem to be something related to 443 specifically. Do you have any idea what I could do to narrow the problem?

No idea. It could be anything on your router or your ISP. Your Caddy is working exactly the same way it works in my home network, just my home router and my ISP have no issues with port-forwarding.

You can share again your port-forwarding configuration, if you like. Also, in your port-forwarding config, click at the WAN Interface drop-down and share what other options are in there. Right now it says Default. You may want to play with that to see if it makes any changes.

At this point it is really just an issue of your network gear configuration.