Caddy on OPNsense - cannot get it to work

1. The problem I’m having:

I have OPNsense running on my network running with the following:

  1. OPNsense (as proxmox VM)
  2. AdGuard Home (plugin)
  3. Unbound (plugin)
  4. Crowdsec (plugin)
  5. Kea DHCP (plugin)

I have it all running well together. Then, as I started getting annoyed with my homelab setup and trying to remember ports, etc., I set up a Caddy LXC in Proxmox. I used Unbound and set its overrides to split off some local network addresses to point to my Caddy LXC. I had the Caddy LXC running fine and everything worked as intended. But as I spin up and down LXCs/VMs quite a bit, it's a headache to set a static IP in Kea (I also keep a spreadsheet for quick and simple access to know which IP numbers are available, etc.), then set up an override hostname in Unbound. Then I have to SSH into Proxmox so I can `pct enter` the LXC. Then I have to manually edit the Caddyfile. Then wait a minute or two for it to set up HTTPS and have it accessible.

So my hope was to be able to skip a few of those steps and also have an easy-access GUI to add/change/delete reverse proxy hostnames by changing from a Caddy instance in an LXC to the OPNsense plugin.

In OPNsense, I disabled my overrides in Unbound and followed all the instructions on the website for the plugin.
Caddy Plugin:

  • is enabled with a valid ACME email address
  • (advanced) HTTP/1.1, 2 and 3 all enabled with ports 80 + 443 (the OPNsense GUI is using 8443)
  • DNS provider set to Cloudflare with a custom API token (zone.zone and zone.dns), resolvers set to 1.1.1.1
  • LAN and WAN firewall rules set for IPv4 and IPv6

2. Error messages and/or full log output:

The debug log has been trimmed, as it was too large to fit because of an unrelated error from a device trying to find a non-existent LXC.

2025-02-18T11:09:06	Debug	caddy	 "debug","ts":"2025-02-18T11:09:06Z","logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"ha.epserver.co.uk"}
2025-02-18T11:09:06	Debug	caddy	 "debug","ts":"2025-02-18T11:09:06Z","logger":"events","msg":"event","name":"tls_get_certificate","id":"c1b79d2b-55e0-420d-87a1-acf54bf017b2","origin":"tls","data":{"client_hello":{"CipherSuites":[4865,4866,4867,49195,49199,49196,49200,52393,52392,49171,49172,156,157,47,53],"ServerName":"ha.epserver.co.uk","SupportedCurves":[29,23,24],"SupportedPoints":"AA==","SignatureSchemes":[1027,2052,1025,1283,2053,1281,2054,1537,513],"SupportedProtos":["h2","http/1.1"],"SupportedVersions":[772,771],"RemoteAddr":{"IP":"10.32.0.22","Port":36368,"Zone":""},"LocalAddr":{"IP":"77.98.48.62","Port":443,"Zone":""}}}}
2025-02-18T11:09:06	Error	caddy	 "debug","ts":"2025-02-18T11:09:06Z","logger":"http.stdlib","msg":"http: TLS handshake error from 10.32.0.22:36362: no certificate available for 'ha.epserver.co.uk'"}
2025-02-18T11:09:06	Debug	caddy	 "debug","ts":"2025-02-18T11:09:06Z","logger":"tls.handshake","msg":"no certificate matching TLS ClientHello","remote_ip":"10.32.0.22","remote_port":"36362","server_name":"ha.epserver.co.uk","remote":"10.32.0.22:36362","identifier":"ha.epserver.co.uk","cipher_suites":[4865,4866,4867,49195,49199,49196,49200,52393,52392,49171,49172,156,157,47,53],"cert_cache_fill":0.0001,"load_or_obtain_if_necessary":true,"on_demand":false}
2025-02-18T11:09:06	Debug	caddy	 "debug","ts":"2025-02-18T11:09:06Z","logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"*.*.*.*"}
2025-02-18T11:09:06	Debug	caddy	 "debug","ts":"2025-02-18T11:09:06Z","logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"*.*.*.uk"}
2025-02-18T11:09:06	Debug	caddy	 "debug","ts":"2025-02-18T11:09:06Z","logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"*.*.co.uk"}
2025-02-18T11:09:06	Debug	caddy	 "debug","ts":"2025-02-18T11:09:06Z","logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"*.epserver.co.uk"}
2025-02-18T11:09:06	Debug	caddy	 "debug","ts":"2025-02-18T11:09:06Z","logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"ha.epserver.co.uk"}
2025-02-18T11:09:06	Debug	caddy	 "debug","ts":"2025-02-18T11:09:06Z","logger":"events","msg":"event","name":"tls_get_certificate","id":"7d173564-a4f2-490f-afd7-16cd70878b67","origin":"tls","data":{"client_hello":{"CipherSuites":[4865,4866,4867,49195,49199,49196,49200,52393,52392,49171,49172,156,157,47,53],"ServerName":"ha.epserver.co.uk","SupportedCurves":[29,23,24],"SupportedPoints":"AA==","SignatureSchemes":[1027,2052,1025,1283,2053,1281,2054,1537,513],"SupportedProtos":["h2","http/1.1"],"SupportedVersions":[772,771],"RemoteAddr":{"IP":"10.32.0.22","Port":36362,"Zone":""},"LocalAddr":{"IP":"77.98.48.62","Port":443,"Zone":""}}}}
2025-02-18T11:09:06	Error	caddy	 "debug","ts":"2025-02-18T11:09:06Z","logger":"http.stdlib","msg":"http: TLS handshake error from 10.32.0.22:36352: no certificate available for 'ha.epserver.co.uk'"}
2025-02-18T11:09:06	Debug	caddy	 "debug","ts":"2025-02-18T11:09:06Z","logger":"tls.handshake","msg":"no certificate matching TLS ClientHello","remote_ip":"10.32.0.22","remote_port":"36352","server_name":"ha.epserver.co.uk","remote":"10.32.0.22:36352","identifier":"ha.epserver.co.uk","cipher_suites":[4865,4866,4867,49195,49199,49196,49200,52393,52392,49171,49172,156,157,47,53],"cert_cache_fill":0.0001,"load_or_obtain_if_necessary":true,"on_demand":false}
2025-02-18T11:09:06	Debug	caddy	 "debug","ts":"2025-02-18T11:09:06Z","logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"*.*.*.*"}
2025-02-18T11:09:06	Debug	caddy	 "debug","ts":"2025-02-18T11:09:06Z","logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"*.*.*.uk"}
2025-02-18T11:09:06	Debug	caddy	 "debug","ts":"2025-02-18T11:09:06Z","logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"*.*.co.uk"}
2025-02-18T11:09:06	Debug	caddy	 "debug","ts":"2025-02-18T11:09:06Z","logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"*.epserver.co.uk"}
2025-02-18T11:09:06	Debug	caddy	 "debug","ts":"2025-02-18T11:09:06Z","logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"ha.epserver.co.uk"}
2025-02-18T11:09:06	Debug	caddy	 "debug","ts":"2025-02-18T11:09:06Z","logger":"events","msg":"event","name":"tls_get_certificate","id":"ed157eea-37af-47de-8b68-c5422c4cbb60","origin":"tls","data":{"client_hello":{"CipherSuites":[4865,4866,4867,49195,49199,49196,49200,52393,52392,49171,49172,156,157,47,53],"ServerName":"ha.epserver.co.uk","SupportedCurves":[29,23,24],"SupportedPoints":"AA==","SignatureSchemes":[1027,2052,1025,1283,2053,1281,2054,1537,513],"SupportedProtos":["h2","http/1.1"],"SupportedVersions":[772,771],"RemoteAddr":{"IP":"10.32.0.22","Port":36352,"Zone":""},"LocalAddr":{"IP":"77.98.48.62","Port":443,"Zone":""}}}}
2025-02-18T11:09:06	Error	caddy	 "debug","ts":"2025-02-18T11:09:06Z","logger":"http.stdlib","msg":"http: TLS handshake error from 10.32.0.22:36340: no certificate available for 'ha.epserver.co.uk'"}
2025-02-18T11:09:06	Debug	caddy	 "debug","ts":"2025-02-18T11:09:06Z","logger":"tls.handshake","msg":"no certificate matching TLS ClientHello","remote_ip":"10.32.0.22","remote_port":"36340","server_name":"ha.epserver.co.uk","remote":"10.32.0.22:36340","identifier":"ha.epserver.co.uk","cipher_suites":[4865,4866,4867,49195,49199,49196,49200,52393,52392,49171,49172,156,157,47,53],"cert_cache_fill":0.0001,"load_or_obtain_if_necessary":true,"on_demand":false}
2025-02-18T11:09:06	Debug	caddy	 "debug","ts":"2025-02-18T11:09:06Z","logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"*.*.*.*"}
2025-02-18T11:09:06	Debug	caddy	 "debug","ts":"2025-02-18T11:09:06Z","logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"*.*.*.uk"}
2025-02-18T11:09:06	Debug	caddy	 "debug","ts":"2025-02-18T11:09:06Z","logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"*.*.co.uk"}
2025-02-18T11:09:06	Debug	caddy	 "debug","ts":"2025-02-18T11:09:06Z","logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"*.epserver.co.uk"}
2025-02-18T11:09:06	Debug	caddy	 "debug","ts":"2025-02-18T11:09:06Z","logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"ha.epserver.co.uk"}
2025-02-18T11:09:06	Debug	caddy	 "debug","ts":"2025-02-18T11:09:06Z","logger":"events","msg":"event","name":"tls_get_certificate","id":"4551e857-ae27-4aa6-9544-dc4e4af5f362","origin":"tls","data":{"client_hello":{"CipherSuites":[4865,4866,4867,49195,49199,49196,49200,52393,52392,49171,49172,156,157,47,53],"ServerName":"ha.epserver.co.uk","SupportedCurves":[29,23,24],"SupportedPoints":"AA==","SignatureSchemes":[1027,2052,1025,1283,2053,1281,2054,1537,513],"SupportedProtos":["h2","http/1.1"],"SupportedVersions":[772,771],"RemoteAddr":{"IP":"10.32.0.22","Port":36340,"Zone":""},"LocalAddr":{"IP":"77.98.48.62","Port":443,"Zone":""}}}}
2025-02-18T11:09:06	Error	caddy	 "debug","ts":"2025-02-18T11:09:06Z","logger":"http.stdlib","msg":"http: TLS handshake error from 10.32.0.22:39904: no certificate available for 'ha.epserver.co.uk'"}
2025-02-18T11:09:06	Debug	caddy	 "debug","ts":"2025-02-18T11:09:06Z","logger":"tls.handshake","msg":"no certificate matching TLS ClientHello","remote_ip":"10.32.0.22","remote_port":"39904","server_name":"ha.epserver.co.uk","remote":"10.32.0.22:39904","identifier":"ha.epserver.co.uk","cipher_suites":[4865,4866,4867,49195,49199,49196,49200,52393,52392,49171,49172,156,157,47,53],"cert_cache_fill":0.0001,"load_or_obtain_if_necessary":true,"on_demand":false}
2025-02-18T11:09:06	Debug	caddy	 "debug","ts":"2025-02-18T11:09:06Z","logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"*.*.*.*"}
2025-02-18T11:09:06	Debug	caddy	 "debug","ts":"2025-02-18T11:09:06Z","logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"*.*.*.uk"}
2025-02-18T11:09:06	Debug	caddy	 "debug","ts":"2025-02-18T11:09:06Z","logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"*.*.co.uk"}
2025-02-18T11:09:06	Debug	caddy	 "debug","ts":"2025-02-18T11:09:06Z","logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"*.epserver.co.uk"}
2025-02-18T11:09:06	Debug	caddy	 "debug","ts":"2025-02-18T11:09:06Z","logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"ha.epserver.co.uk"}
2025-02-18T11:09:06	Debug	caddy	 "debug","ts":"2025-02-18T11:09:06Z","logger":"events","msg":"event","name":"tls_get_certificate","id":"5e3fde1f-50f6-4922-a554-ed1e06d25de4","origin":"tls","data":{"client_hello":{"CipherSuites":[4865,4866,4867,49195,49199,49196,49200,52393,52392,49171,49172,156,157,47,53],"ServerName":"ha.epserver.co.uk","SupportedCurves":[29,23,24],"SupportedPoints":"AA==","SignatureSchemes":[1027,2052,1025,1283,2053,1281,2054,1537,513],"SupportedProtos":["h2","http/1.1"],"SupportedVersions":[772,771],"RemoteAddr":{"IP":"10.32.0.22","Port":39904,"Zone":""},"LocalAddr":{"IP":"77.98.48.62","Port":443,"Zone":""}}}}
2025-02-18T11:09:03	Debug	caddy	 "debug","ts":"2025-02-18T11:09:03Z","logger":"dynamic_dns","msg":"no IP address change; no update needed"}
2025-02-18T11:09:03	Debug	caddy	 "debug","ts":"2025-02-18T11:09:03Z","logger":"dynamic_dns.ip_sources.simple_http","msg":"lookup","type":"IPv4","endpoint":"https://icanhazip.com","ip":"77.98.48.62"}
2025-02-18T11:09:03	Informational	caddy	 "info","ts":"2025-02-18T11:09:03Z","logger":"admin","msg":"stopped previous server","address":"unix//var/run/caddy/caddy.sock|0220"}
2025-02-18T11:09:03	Informational	caddy	 "info","ts":"2025-02-18T11:09:03Z","logger":"admin.api","msg":"load complete"}
2025-02-18T11:09:03	Informational	caddy	 "info","ts":"2025-02-18T11:09:03Z","msg":"autosaved config (load with --resume flag)","file":"/var/db/caddy/config/caddy/autosave.json"}
2025-02-18T11:09:03	Debug	caddy	 "debug","ts":"2025-02-18T11:09:03Z","logger":"events","msg":"event","name":"cached_managed_cert","id":"9537988c-98aa-419c-9c13-d9ed1450cc4f","origin":"tls","data":{"sans":["*.epnet.work"]}}
2025-02-18T11:09:03	Debug	caddy	 "debug","ts":"2025-02-18T11:09:03Z","logger":"tls.cache","msg":"added certificate to cache","subjects":["*.epnet.work"],"expiration":"2025-05-19T07:56:11Z","managed":true,"issuer_key":"acme-v02.api.letsencrypt.org-directory","hash":"30e1f5672e30b0252405c2a1c6a82eacf2c32e4c50269ee57ff8baf8754522e8","cache_size":1,"cache_capacity":10000}
2025-02-18T11:09:03	Informational	caddy	 "info","ts":"2025-02-18T11:09:03Z","logger":"http","msg":"enabling automatic TLS certificate management","domains":["*.epnet.work"]}
2025-02-18T11:09:03	Informational	caddy	 "info","ts":"2025-02-18T11:09:03Z","logger":"http.log","msg":"server running","name":"remaining_auto_https_redirects","protocols":["h1","h2","h3"]}
2025-02-18T11:09:03	Warning	caddy	 "warn","ts":"2025-02-18T11:09:03Z","logger":"http","msg":"HTTP/3 skipped because it requires TLS","network":"tcp","addr":":80"}
2025-02-18T11:09:03	Warning	caddy	 "warn","ts":"2025-02-18T11:09:03Z","logger":"http","msg":"HTTP/2 skipped because it requires TLS","network":"tcp","addr":":80"}
2025-02-18T11:09:03	Debug	caddy	 "debug","ts":"2025-02-18T11:09:03Z","logger":"http","msg":"starting server loop","address":"[::]:80","tls":false,"http3":false}
2025-02-18T11:09:03	Informational	caddy	 "info","ts":"2025-02-18T11:09:03Z","logger":"http.log","msg":"server running","name":"srv0","protocols":["h1","h2","h3"]}
2025-02-18T11:09:03	Informational	caddy	 "info","ts":"2025-02-18T11:09:03Z","logger":"http","msg":"enabling HTTP/3 listener","addr":":443"}
2025-02-18T11:09:03	Debug	caddy	 "debug","ts":"2025-02-18T11:09:03Z","logger":"http","msg":"starting server loop","address":"[::]:443","tls":true,"http3":false}
2025-02-18T11:09:03	Debug	caddy	 "debug","ts":"2025-02-18T11:09:03Z","logger":"dynamic_dns","msg":"beginning IP address check"}
2025-02-18T11:09:03	Debug	caddy	 "debug","ts":"2025-02-18T11:09:03Z","logger":"http.auto_https","msg":"adjusted config","tls":{"automation":{"policies":[{"subjects":["*.epnet.work"]},{}]}},"http":{"http_port":80,"https_port":443,"grace_period":10000000000,"servers":{"remaining_auto_https_redirects":{"listen":[":80"],"routes":[{},{}],"logs":{"should_log_credentials":true}},"srv0":{"listen":[":443"],"routes":[{"handle":[{"handler":"subroute","routes":[{"handle":[{"handler":"subroute","routes":[{"handle":[{"handler":"subroute","routes":[{"handle":[{"handler":"reverse_proxy","upstreams":[{"dial":"10.32.0.5:8096"}]}]}]}]}]}],"match":[{"host":["emby2"]}]}]}],"terminal":true}],"tls_connection_policies":[{}],"automatic_https":{},"logs":{"should_log_credentials":true},"protocols":["h1","h2","h3"]}}}}
2025-02-18T11:09:03	Informational	caddy	 "info","ts":"2025-02-18T11:09:03Z","logger":"http.auto_https","msg":"enabling automatic HTTP->HTTPS redirects","server_name":"srv0"}
2025-02-18T11:09:03	Informational	caddy	 "info","ts":"2025-02-18T11:09:03Z","logger":"http.auto_https","msg":"server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS","server_name":"srv0","https_port":443}
2025-02-18T11:09:03	Informational	caddy	 "info","ts":"2025-02-18T11:09:03Z","logger":"tls.cache.maintenance","msg":"started background certificate maintenance","cache":"0x870794080"}
2025-02-18T11:09:03	Informational	caddy	 "info","ts":"2025-02-18T11:09:03Z","logger":"admin","msg":"admin endpoint started","address":"unix//var/run/caddy/caddy.sock|0220","enforce_origin":false,"origins":["","//127.0.0.1","//::1"]}
2025-02-18T11:09:03	Informational	caddy	 "info","ts":"2025-02-18T11:09:03Z","logger":"admin.api","msg":"received request","method":"POST","host":"127.0.0.1","uri":"/load","remote_ip":"","remote_port":"","headers":{"Accept-Encoding":["gzip"],"Cache-Control":["must-revalidate"],"Content-Length":["1176"],"Content-Type":["application/json"],"User-Agent":["Go-http-client/1.1"]}}
2025-02-18T11:09:02	Informational	caddy	 "info","ts":"2025-02-18T11:09:02Z","logger":"tls.cache.maintenance","msg":"stopped background certificate maintenance","cache":"0x87076a600"}
2025-02-18T11:09:02	Debug	caddy	 "debug","ts":"2025-02-18T11:09:02Z","logger":"http.auto_https","msg":"adjusted config","tls":{"automation":{"policies":[{"subjects":["*.epnet.work"]},{}]}},"http":{"http_port":80,"https_port":443,"grace_period":10000000000,"servers":{"remaining_auto_https_redirects":{"listen":[":80"],"routes":[{},{}],"logs":{"should_log_credentials":true}},"srv0":{"listen":[":443"],"routes":[{"handle":[{"handler":"subroute","routes":[{"handle":[{"handler":"subroute","routes":[{"handle":[{"handler":"subroute","routes":[{"handle":[{"handler":"reverse_proxy","upstreams":[{"dial":"10.32.0.5:8096"}]}]}]}]}]}],"match":[{"host":["emby2"]}]}]}],"terminal":true}],"tls_connection_policies":[{}],"automatic_https":{},"logs":{"should_log_credentials":true},"protocols":["h1","h2","h3"]}}}}
2025-02-18T11:09:02	Informational	caddy	 "info","ts":"2025-02-18T11:09:02Z","logger":"http.auto_https","msg":"enabling automatic HTTP->HTTPS redirects","server_name":"srv0"}
2025-02-18T11:09:02	Informational	caddy	 "info","ts":"2025-02-18T11:09:02Z","logger":"http.auto_https","msg":"server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS","server_name":"srv0","https_port":443}
2025-02-18T11:09:02	Informational	caddy	 "info","ts":"2025-02-18T11:09:02Z","logger":"tls.cache.maintenance","msg":"started background certificate maintenance","cache":"0x87076a600"}
2025-02-18T11:08:58	Informational	caddy	 "info","ts":"2025-02-18T11:08:58Z","logger":"admin","msg":"stopped previous server","address":"unix//var/run/caddy/caddy.sock|0220"}
2025-02-18T11:08:58	Informational	caddy	 "info","ts":"2025-02-18T11:08:58Z","logger":"admin.api","msg":"load complete"}
2025-02-18T11:08:58	Informational	caddy	 "info","ts":"2025-02-18T11:08:58Z","msg":"autosaved config (load with --resume flag)","file":"/var/db/caddy/config/caddy/autosave.json"}
2025-02-18T11:08:58	Informational	caddy	 "info","ts":"2025-02-18T11:08:58Z","logger":"tls.cache.maintenance","msg":"stopped background certificate maintenance","cache":"0x8708d5900"}
2025-02-18T11:08:58	Informational	caddy	 "info","ts":"2025-02-18T11:08:58Z","logger":"http","msg":"servers shutting down; grace period initiated","duration":10}
2025-02-18T11:08:58	Informational	caddy	 "info","ts":"2025-02-18T11:08:58Z","logger":"admin","msg":"admin endpoint started","address":"unix//var/run/caddy/caddy.sock|0220","enforce_origin":false,"origins":["","//127.0.0.1","//::1"]}
2025-02-18T11:08:58	Informational	caddy	 "info","ts":"2025-02-18T11:08:58Z","logger":"admin.api","msg":"received request","method":"POST","host":"127.0.0.1","uri":"/load","remote_ip":"","remote_port":"","headers":{"Accept-Encoding":["gzip"],"Cache-Control":["must-revalidate"],"Content-Length":["173"],"Content-Type":["application/json"],"User-Agent":["Go-http-client/1.1"]}}

3. Caddy version:

os-caddy - 1.8.2

4. How I installed and ran Caddy:

a. System environment:

OPNsense

b. Command:

N/A

c. Service/unit/compose file:

{
  "apps": {
    "dynamic_dns": {
      "dns_provider": {
        "api_token": "<token>",
        "name": "cloudflare"
      },
      "domains": {
        "emby2": [
          "@"
        ]
      },
      "versions": {
        "ipv4": true,
        "ipv6": false
      }
    },
    "http": {
      "grace_period": 10000000000,
      "http_port": 80,
      "https_port": 443,
      "servers": {
        "srv0": {
          "listen": [
            ":443"
          ],
          "logs": {
            "should_log_credentials": true
          },
          "protocols": [
            "h1",
            "h2",
            "h3"
          ],
          "routes": [
            {
              "handle": [
                {
                  "handler": "subroute",
                  "routes": [
                    {
                      "handle": [
                        {
                          "handler": "subroute",
                          "routes": [
                            {
                              "handle": [
                                {
                                  "handler": "subroute",
                                  "routes": [
                                    {
                                      "handle": [
                                        {
                                          "handler": "reverse_proxy",
                                          "upstreams": [
                                            {
                                              "dial": "10.32.0.5:8096"
                                            }
                                          ]
                                        }
                                      ]
                                    }
                                  ]
                                }
                              ]
                            }
                          ]
                        }
                      ],
                      "match": [
                        {
                          "host": [
                            "emby2"
                          ]
                        }
                      ]
                    }
                  ]
                }
              ],
              "match": [
                {
                  "host": [
                    "*.epnet.work"
                  ]
                }
              ],
              "terminal": true
            }
          ]
        }
      }
    },
    "tls": {
      "automation": {
        "policies": [
          {
            "issuers": [
              {
                "challenges": {
                  "dns": {
                    "provider": {
                      "api_token": "<token>",
                      "name": "cloudflare"
                    },
                    "resolvers": [
                      "1.1.1.1"
                    ]
                  },
                  "http": {
                    "alternate_port": 80
                  },
                  "tls-alpn": {
                    "alternate_port": 443
                  }
                },
                "email": "<email>",
                "module": "acme"
              }
            ],
            "subjects": [
              "*.epnet.work"
            ]
          }
        ]
      }
    }
  },
  "logging": {
    "logs": {
      "default": {
        "encoder": {
          "format": "json",
          "time_format": "rfc3339"
        },
        "level": "DEBUG",
        "writer": {
          "address": "unixgram//var/run/caddy/log.sock",
          "output": "net"
        }
      }
    }
  }
}

d. My complete Caddy config:

# DO NOT EDIT THIS FILE -- OPNsense auto-generated file


# caddy_user=root

# Global Options
{
	log {
		output net unixgram//var/run/caddy/log.sock {
		}
		format json {
			time_format rfc3339
		}
		level DEBUG
	}

	http_port 80
	https_port 443

	servers {
		protocols h1 h2 h3
		log_credentials
	}

	dynamic_dns {
		provider cloudflare <token>
		domains {
			emby2
		}
		versions ipv4
	}

	email psfrwrd.ricostuart@gmail.com
	grace_period 10s
	import /usr/local/etc/caddy/caddy.d/*.global
}

# Reverse Proxy Configuration


# Reverse Proxy Domain: "3a71227a-3469-4d49-b195-e012883cfd43"
*.epnet.work {
	tls {
		issuer acme {
			dns cloudflare <token>
			resolvers 1.1.1.1
		}
	}

	@3fbe7e3e-d1a2-4ab0-8f07-8f0af3f35d62 {
		host emby2
	}
	handle @3fbe7e3e-d1a2-4ab0-8f07-8f0af3f35d62 {
		handle {
			reverse_proxy 10.32.0.5:8096 {
			}
		}
	}
}

import /usr/local/etc/caddy/caddy.d/*.conf

5. Links to relevant resources:

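An added diagnostic, not part of the original post and not code from the OPNsense Caddy plugin or the Caddy project: a small Python script that reads log lines in the shape the OPNsense log viewer shows above (timestamp, level, "caddy", then the JSON body with its leading `{"level":` cut off), collects the certificate subjects Caddy reports as cached, collects the SNI names for which it logged "no certificate matching TLS ClientHello", and reports which requested names fall outside every managed subject. Such a mismatch is exactly what the log above shows: the only managed subject is `*.epnet.work`, while clients on 10.32.0.22 keep asking for `ha.epserver.co.uk`. The sample log lines are constructed from the ones in the post and shortened; the final line with a two-label subdomain (`a.b.epnet.work`) is made up to show that a wildcard subject covers one label only. Function names are my own.

```python
import json
from typing import Optional

# Constructed sample, modelled on the OPNsense log viewer lines in the post.
# Each line is: <timestamp> TAB <level> TAB caddy TAB <JSON body whose leading
# '{"level":' the viewer has stripped>. The a.b.epnet.work line is invented.
SAMPLE_LOG = (
    '2025-02-18T11:09:03\tDebug\tcaddy\t "debug","ts":"2025-02-18T11:09:03Z",'
    '"logger":"tls.cache","msg":"added certificate to cache",'
    '"subjects":["*.epnet.work"],"managed":true}\n'
    '2025-02-18T11:09:06\tDebug\tcaddy\t "debug","ts":"2025-02-18T11:09:06Z",'
    '"logger":"tls.handshake","msg":"no certificate matching TLS ClientHello",'
    '"remote_ip":"10.32.0.22","remote_port":"36362","server_name":"ha.epserver.co.uk"}\n'
    '2025-02-18T11:09:06\tDebug\tcaddy\t "debug","ts":"2025-02-18T11:09:06Z",'
    '"logger":"tls.handshake","msg":"no certificate matching TLS ClientHello",'
    '"remote_ip":"10.32.0.22","remote_port":"36340","server_name":"ha.epserver.co.uk"}\n'
    '2025-02-18T11:09:07\tDebug\tcaddy\t "debug","ts":"2025-02-18T11:09:07Z",'
    '"logger":"tls.handshake","msg":"no certificate matching TLS ClientHello",'
    '"remote_ip":"10.32.0.9","remote_port":"50000","server_name":"a.b.epnet.work"}\n'
)


def parse_caddy_line(line: str) -> Optional[dict]:
    """Return the JSON event from one viewer line, or None if it is not parseable.

    The viewer drops the opening '{"level":' of Caddy's JSON log record; this
    heuristic (an assumption about the viewer, not a documented format) puts it
    back when the payload does not already start with '{'.
    """
    payload = line.rstrip("\n").split("\t")[-1].strip()
    if not payload:
        return None
    if not payload.startswith("{"):
        payload = '{"level":' + payload
    try:
        return json.loads(payload)
    except json.JSONDecodeError:
        return None


def wildcard_matches(subject: str, name: str) -> bool:
    """True if a certificate subject covers a host name.

    A wildcard such as *.epnet.work matches exactly one label to the left
    (emby2.epnet.work) but neither the apex (epnet.work) nor a deeper name
    (a.b.epnet.work); anything else must match exactly, case-insensitively.
    """
    subject = subject.lower().rstrip(".")
    name = name.lower().rstrip(".")
    if subject.startswith("*."):
        base = subject[2:]
        return name.endswith("." + base) and name.count(".") == base.count(".") + 1
    return subject == name


def analyse(log_text: str) -> dict:
    """Map each SNI name that failed a handshake to how often, from where,
    and which cached subjects (if any) would cover it."""
    managed = set()
    failures = {}  # server_name -> list of remote_ip values
    for line in log_text.splitlines():
        ev = parse_caddy_line(line)
        if not ev:
            continue
        if ev.get("logger") == "tls.cache" and ev.get("msg") == "added certificate to cache":
            managed.update(ev.get("subjects", []))
        elif (ev.get("logger") == "tls.handshake"
              and ev.get("msg") == "no certificate matching TLS ClientHello"
              and ev.get("server_name")):
            failures.setdefault(ev["server_name"], []).append(ev.get("remote_ip", "?"))

    report = {}
    for name, remotes in failures.items():
        report[name] = {
            "hits": len(remotes),
            "clients": sorted(set(remotes)),
            "covered_by": sorted(s for s in managed if wildcard_matches(s, name)),
        }
    return report


if __name__ == "__main__":
    for name, info in analyse(SAMPLE_LOG).items():
        status = "covered" if info["covered_by"] else "NOT covered by any managed subject"
        print(f"{name}: {info['hits']} failed handshake(s) from {info['clients']} - {status}")
```

Run against a full export of the viewer log, the report tells you whether the failing name is simply unknown to the proxy (a client pointed at the wrong host, as with ha.epserver.co.uk here, which needs its own site block or a DNS fix) or a name under a managed wildcard whose certificate has not been issued yet (look at the ACME/DNS challenge messages instead).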

Why does it search for a certificate for ha.epserver.co.uk in the logs?

In your Caddyfile you configured emby2.epnet.work.

Maybe 10.32.0.22:36340 is https:// and not http://? You could try setting it to https and enable tls_insecure_skip_verify

It seems you enabled all options in the global Caddy settings. Let's focus on protocols: you have protocol h3 enabled. This is HTTP/3, which uses QUIC instead of TCP+TLS and runs over UDP. Try disabling the h3 protocol.