From the log file seems like the wilcard cert is generate but when I use ha.xyz.com, browser will show error page with
# This site can’t be reached
**ha.xyz.com** ’s server IP address could not be found.
* [Try running Windows Network Diagnostics](javascript:diagnoseErrors()).
DNS_PROBE_FINISHED_NXDOMAIN
This issue is client-side, assuming your domain exists and is registered and pointed to your server. Your browser tried to locate the domain name you wanted to browse to and couldn’t resolve it. Check DNS caching, try with another browser or in incognito mode, and check your DNS servers are set correctly.
If I alter the caddy file to just point xyz.com directly to a single docker container, it works.
Appreciate this is not a caddy issue but if you have any other ideas, would be greatly appreciated.
I can only really think of three possibilities to explain this:
You’ve misspelled the domain name
There is no A / CNAME record for ha.xyz.com
Cloudflare’s resolver (1.1.1.1) is incorrectly reporting NXDOMAIN for this DNS request
What do you get from dig @8.8.8.8 ha.xyz.com?
What about if you find out your Cloudflare nameserver for the domain (it will be somename.ns.cloudflare.com) and query it directly, i.e. dig @jean.ns.cloudflare.com ha.xyz.com?
ok, thanks, just found my noob error. (I think)
Did not understand that I also need to put a cname for each subdomain in cloudflare as well as my caddy file.
Once added cname ha to cloudflare, everything worked.
Thanks!
Final question, the ssl cert being shown in the browser is cloudflare rather than the LetsEncrypt - would that be normal?
[admin@dockerhost ~]$ dig @8.8.8.8 ha.xyz.com
; <<>> DiG 9.9.4-RedHat-9.9.4-61.el7_5.1 <<>> @8.8.8.8 ha.xyz.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13358
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;ha.xyz.com. IN A
;; ANSWER SECTION:
ha.xyz.com. 299 IN A 104.31.81.115
ha.xyz.com. 299 IN A 104.31.80.115
;; Query time: 40 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Fri Nov 30 13:47:49 GMT 2018
;; MSG SIZE rcvd: 70
[admin@dockerhost ~]$ dig @john.ns.cloudflare.com ha.xyz.com
; <<>> DiG 9.9.4-RedHat-9.9.4-61.el7_5.1 <<>> @john.ns.cloudflare.com ha.xyz.com
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48285
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;ha.xyz.com. IN A
;; ANSWER SECTION:
ha.xyz.com. 300 IN A 104.31.80.115
ha.xyz.com. 300 IN A 104.31.81.115
;; Query time: 18 msec
;; SERVER: 173.245.59.185#53(173.245.59.185)
;; WHEN: Fri Nov 30 13:48:44 GMT 2018
;; MSG SIZE rcvd: 70
[admin@dockerhost ~]$
You’ll note that the response from dig - that is, 104.31.80.115 and 104.31.81.115 - doesn’t match the IP address you put in the Cloudflare dashboard.
This is because you’ve configured your DNS records as “orange-cloud” - that is, enabling a bunch of Cloudflare functionality. They provide this functionality by responding to DNS requests with their own IP instead of yours, and then when the client connects to them, they reverse proxy to your origin server. They can provide caching, DDOS protection, etc this way. They also provide SSL certificates, as you’ve noticed.