Caddy + Cloudflare: TLS challenge fails

1. The problem I’m having:

Hi there,

I am trying to use Cloudflare DDoS protection on the DNS level. Now I am getting HTTP 525 as the cert is invalid.

I found this source: How to use Caddy with Cloudflare's SSL settings

So I would need to download GitHub - caddy-dns/cloudflare (Caddy module: dns.providers.cloudflare) in order to get this working?

2. Error messages and/or full log output:

The logs tell me:

Cannot negotiate ALPN protocol "acme-tls/1" for tls-alpn-01 challenge

3. Caddy version:

v2.10.0 h1:fonubSaQKF1YANl8TXqGcn4IbIRUDdfAkpcsfI/vX5U=

4. How I installed and ran Caddy:

Ubuntu repository

a. System environment:

Ubuntu 24.04 LTS

Yeah, TLS-ALPN validation requires that LetsEncrypt is able to negotiate TLS directly with Caddy. When there’s a Cloudflare proxy in the way, it can’t talk TLS to Caddy at all; it talks to Cloudflare, and Cloudflare talks to Caddy.

You either need an alternative method of validation, or you need an alternative way to get a certificate, or you need to remove the requirement for a certificate.

  1. HTTP validation will work through Cloudflare. If Caddy is given enough time it should eventually try this and succeed. That said, it would probably be prudent to tell Caddy not to bother trying ALPN validation at all so it doesn’t waste time and resources.

  2. DNS validation is another option. Install the Cloudflare DNS provider, get an API key from Cloudflare, configure acme_dns. https://caddyserver.com/docs/caddyfile/options#acme-dns

  3. Alternatively, if you’re not planning on having anyone connect directly to the server (i.e. you’re having all traffic route through Cloudflare), you don’t actually need a publicly trusted certificate. You just need a certificate that Cloudflare will trust. The link you provided details that under the heading 1. Using Cloudflare’s origin certificate. You can also combine that with Authenticated origin pull, also documented in that link, to ensure that non-Cloudflare clients aren’t connecting to your server.

  4. And finally, last and certainly the least best option, you can use self-signed or even HTTP and relax Cloudflare’s strictness to make the above workarounds unnecessary. This is obviously much, much less secure.

3 Likes
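Options 1 to 3 from the reply above, written out as one Caddyfile. This is an added example, not configuration from the thread or from the Caddy project; the three hostnames are constructed, the certificate paths are assumed, and the DNS site block assumes Caddy was built with the caddy-dns/cloudflare module and that a scoped API token is exported as CF_API_TOKEN.

```caddyfile
# Option 1: keep the ACME issuer but never attempt TLS-ALPN-01, which
# cannot succeed when Cloudflare terminates TLS in front of Caddy.
# HTTP-01 still passes through the proxy. (hostname constructed)
http01.example.com {
	tls {
		issuer acme {
			disable_tlsalpn_challenge
		}
	}
	respond "validated over HTTP-01"
}

# Option 2: DNS-01 via the Cloudflare provider. No inbound connection
# from the CA is needed, so the proxy is irrelevant. Scope the token to
# Zone:Read + DNS:Edit for this zone only. (hostname constructed)
dns01.example.com {
	tls {
		dns cloudflare {env.CF_API_TOKEN}
	}
	respond "validated over DNS-01"
}

# Option 3: Cloudflare origin certificate plus Authenticated Origin Pull.
# The origin cert is trusted only by Cloudflare, so set the zone's SSL
# mode to Full (strict). client_auth rejects any TLS client that does not
# present a cert signed by Cloudflare's origin-pull CA, so direct hits on
# the origin IP that bypass the proxy fail the handshake. (paths assumed)
origin.example.com {
	tls /etc/ssl/cloudflare/origin.pem /etc/ssl/cloudflare/origin.key {
		client_auth {
			mode require_and_verify
			trust_pool file /etc/ssl/cloudflare/origin-pull-ca.pem
		}
	}
	respond "reached only through Cloudflare"
}
```

Each site block is independent; a single real deployment would keep only the block matching the chosen option. Check the result with `caddy validate --config /etc/caddy/Caddyfile` before reloading, and confirm option 3 by connecting to the origin IP directly and verifying that the handshake is refused.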