Caddy getting LE certificate through ALPN even with TLS client auth enabled

1. The problem I’m having:

I am attempting to set Caddy with TLS Client Auth, but also have it get a Letsencrypt certificate via ALPN.

I don’t really have a problem, as it just works, but isn’t TLS Client Auth supposed to make the ALPN check fail? HTTP-01 is disabled, port 80 is firewalled. Am I just ignorant about how it should work, or is there any tunable for this? I wish to know why it succeeded and how to make it fail (not that I am stupid, I just wish to know what allowed it to succeed).

TIA!

2. Error messages and/or full log output:

"challenge_type":"tls-alpn-01","ca":"https://acme-staging-v02.api.letsencrypt.org/directory"}

3. Caddy version:

2.10.0

4. How I installed and ran Caddy:

apt repo

a. System environment:

b. Command:


c. Service/unit/compose file:


d. My complete Caddy config:


This is mostly a test Caddyfile; some things may not make much sense, as I am just test-driving TLS Client Auth. I redacted the server's IP and the domain names.

{
	auto_https disable_redirects
	order abort before handle
}

https://PLAIN IP ADDRESS:443 {
	log syslog {
		output file /var/log/caddy/sys.log {
			mode 660
			roll_size 100MiB
			roll_keep 100
			roll_keep_for 30d
		}
		format console
		level info
	}
}

https://DOMAIN NAME:443 {
	tls {
		protocols tls1.3
		# every ordinary connection to this site must present a client
		# certificate chaining to the CA in pem_file
		client_auth {
			mode require_and_verify
			trust_pool file {
				pem_file /ca/cert_name.crt
			}
		}
	}

	respond / "root"

	handle /cert {
		respond "handler"
	}

	log certlog {
		output file /var/log/caddy/cert.log {
			mode 660
			roll_size 100MiB
			roll_keep 100
			roll_keep_for 30d
			#roll_local_time 23:59
		}
		format console
		level debug
	}
}

5. Links to relevant resources:

Do the Caddy logs (debug mode enabled) give any clue? What do they say?

Hello Matt and thank you for chiming in!

The logs only claim that the ALPN check was successful, and I now seem to understand why:

ALPN checking simply appears to happen before mTLS, so the LE servers only need to identify my own website, without exchanging any more information or going through the next TLS steps.

It also does not use HTTP calls at all, which is what misled me at first: I was expecting a failure to visit the .well-known path, which it simply never does, as it all happens at the TLS layer, early enough not to reach the mTLS point.

Caddy is functioning as intended (and greatly so), my knowledge about ACME challenges and TLS, not as much.

I assume this may come in handy for others who may have doubts about this, if so, I am glad I may help some users who may have my very same doubt.

Thanks!

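The layering the poster describes above, written out as an added Go example (this is not code from the thread, and it does not reproduce Caddy's or CertMagic's own implementation; the function names `isACMEChallengeHello`, `buildConfigs` and `selectConfig` are assumptions). ALPN travels in the ClientHello, so a server can decide on the first flight whether a handshake is a TLS-ALPN-01 probe (ALPN id `acme-tls/1`, RFC 8737) and hand it a config that never asks for a client certificate and never negotiates `h2`/`http/1.1`, while every other handshake is routed to the `client_auth` config. That is why the validation succeeds with `require_and_verify` in place and why no `.well-known` request is ever seen:

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
)

// acmeTLSALPNProto is the ALPN protocol identifier RFC 8737 assigns to the
// TLS-ALPN-01 challenge.
const acmeTLSALPNProto = "acme-tls/1"

// isACMEChallengeHello reports whether a ClientHello announces acme-tls/1.
// The ALPN list is part of the ClientHello, so this is decided before the
// server has sent its certificate and before any CertificateRequest could
// ask the client for one: the mTLS policy has not entered the picture yet.
func isACMEChallengeHello(hello *tls.ClientHelloInfo) bool {
	for _, proto := range hello.SupportedProtos {
		if proto == acmeTLSALPNProto {
			return true
		}
	}
	return false
}

// buildConfigs returns two server configs (assumed helper, not Caddy's):
//   - mtls enforces client_auth (require_and_verify against clientCAs) and
//     carries the normal HTTP ALPN values, so it is the one that reaches
//     the site's handlers;
//   - challenge only speaks acme-tls/1 and never requests a client cert.
//     In a real server its GetCertificate would return the short-lived
//     challenge certificate carrying the acmeIdentifier extension.
func buildConfigs(clientCAs *x509.CertPool) (mtls, challenge *tls.Config) {
	mtls = &tls.Config{
		MinVersion: tls.VersionTLS13,
		ClientAuth: tls.RequireAndVerifyClientCert,
		ClientCAs:  clientCAs,
		NextProtos: []string{"h2", "http/1.1"},
	}
	challenge = &tls.Config{
		MinVersion: tls.VersionTLS13,
		ClientAuth: tls.NoClientCert,
		NextProtos: []string{acmeTLSALPNProto},
	}
	return mtls, challenge
}

// selectConfig builds a GetConfigForClient hook: a challenge probe gets the
// challenge config, everything else gets the mTLS config. RFC 8737 requires
// the validation probe to carry SNI, so an acme-tls/1 hello without a server
// name is refused rather than silently answered.
func selectConfig(mtls, challenge *tls.Config) func(*tls.ClientHelloInfo) (*tls.Config, error) {
	return func(hello *tls.ClientHelloInfo) (*tls.Config, error) {
		if !isACMEChallengeHello(hello) {
			return mtls, nil
		}
		if hello.ServerName == "" {
			return nil, errors.New("acme-tls/1 handshake without SNI refused")
		}
		return challenge, nil
	}
}

func main() {
	mtls, challenge := buildConfigs(x509.NewCertPool())
	pick := selectConfig(mtls, challenge)

	// Constructed ClientHellos standing in for the CA's probe and a browser.
	probe := &tls.ClientHelloInfo{ServerName: "example.test", SupportedProtos: []string{acmeTLSALPNProto}}
	browser := &tls.ClientHelloInfo{ServerName: "example.test", SupportedProtos: []string{"h2", "http/1.1"}}

	for name, hello := range map[string]*tls.ClientHelloInfo{"acme probe": probe, "browser": browser} {
		cfg, err := pick(hello)
		if err != nil {
			fmt.Println(name, "->", err)
			continue
		}
		fmt.Printf("%s -> ClientAuth=%v NextProtos=%v\n", name, cfg.ClientAuth, cfg.NextProtos)
	}
}
```

Wiring `selectConfig` into a `tls.Config{GetConfigForClient: ...}` is enough to reproduce the behaviour in the thread: the probe completes a handshake with no client certificate and no HTTP ALPN, so nothing behind `client_auth` is exposed to it, while a browser without a trusted client cert is still rejected at `require_and_verify`.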

Yep, sounds about right. Thanks for following up for others who have the same question!