Caddy seems to be serving wrong certificate when a snippet is enabled on ANOTHER host?

1. The problem I’m having:

I’m trying to use snippets so that I can use my cloudflare origin certificate for sites that will sit behind cloudflare, and use ACME certificates from my ACME server for other sites.

I have got the ACME snippet working with other sites, but when I use the import command to use the snippet I wrote for cloudflare sites with ANOTHER host, a site that doesn’t have this import statement suddenly starts using the wrong certificate, causing errors as the cloudflare origin CA isn’t trusted by my browser!

2. Error messages and/or full log output:


3. Caddy version:

v2.7.6

4. How I installed and ran Caddy:

Docker container

a. System environment:

Docker container

b. Command:


c. Service/unit/compose file:


d. My complete Caddy config:

```
{
	http_port 80
	https_port 443
}

(graylog-logging) {
	log graylog-logging {
		output net udp/graylog:12400
		format json
	}
}

(cloudflare-host) {
	## Blocking requests not originating from cloudflare IP addresses ##
	@not-cloudflare-ip not client_ip 173.245.48.0/20 103.21.244.0/22 103.22.200.0/22 103.31.4.0/22 141.101.64.0/18 108.162.192.0/18 190.93.240.0/20 188.114.96.0/20 197.234.240.0/22 198.41.128.0/17 162.158.0.0/15 104.16.0.0/13 104.24.0.0/14 172.64.0.0/13 131.0.72.0/22 2400:cb00::/32 2606:4700::/32 2803:f800::/32 2405:b500::/32 2405:8100::/32 2a06:98c0::/29 2c0f:f248::/32 192.168.5.0/24 192.168.10.0/24
	## TODO: put a good 403 page on ##
	handle @not-cloudflare-ip {
		header Content-Type text/html
		respond "<h1>403 - Access Denied</h1>" 403
	}
	## Use our custom cloudflare origin TLS cert ##
	tls /data/caddy/custom-certs/cf-origin/cf-origin.pem /data/caddy/custom-certs/cf-origin/cf-origin.key
}

(step-ca-acme-cert) {
	## Uses my internal CA to get certs via ACME! ##
	tls {
		issuer acme {
			dir https://ca.infra.lab.liamriley.me:8443/acme/acme/directory
			trusted_roots /data/caddy/custom-certs/step-ca/step-ca.pem
			disable_http_challenge
		}
	}
}

weather.liamriley.me {
	import graylog-logging
	#import cloudflare-host
	reverse_proxy * http://192.168.5.38:80
	reverse_proxy /weatherws http://192.168.5.38:7890
	@admin-request path /admin*
	handle @admin-request {
		header Content-Type text/html
		respond "<h1>403 - Access Denied</h1>" 403
	}
}

mail.liamriley.me {
	import step-ca-acme-cert
	import graylog-logging

	## Redirect the web root (/) to /SOGo, as this is the only content we are proxying! ##
	redir / /SOGo/
	reverse_proxy * http://nginx-mailcow:80
}
```

5. Links to relevant resources:

I’ve managed to solve it by just removing various parts of the config until it worked properly again. It seems like I’ve just added the exact same config back in again, and it works fine, which is odd, but no odd errors, so I’m not complaining!

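A quick check, added here and not part of the post: with SNI set to each site name, report the issuer and the DNS SANs of the leaf certificate Caddy actually serves. A certificate loaded with `tls cert key` in one site is normally only selectable for a different site name when one of its SANs (a wildcard, for instance) covers that name, so listing the SANs that cover each host shows why a host could end up with the origin certificate. The `cryptography` package and the expected-issuer substrings are assumptions, not from the post.

```python
"""Show which leaf certificate each site name actually gets when SNI is set to that name."""
import socket
import ssl
from typing import Dict, List, Tuple

def san_covers(san: str, hostname: str) -> bool:
    """RFC 6125-style DNS name match: a leading '*.' covers exactly one label."""
    san = san.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if san.startswith("*."):
        labels = hostname.split(".")
        return len(labels) > 1 and labels[1:] == san[2:].split(".")
    return san == hostname

def covering_sans(sans: List[str], hostname: str) -> List[str]:
    """SAN entries that make a certificate selectable for hostname (wildcards included)."""
    return [s for s in sans if san_covers(s, hostname)]

def fetch_served_cert(hostname: str, port: int = 443, timeout: float = 5.0) -> Tuple[str, List[str]]:
    """Connect with SNI=hostname; return (issuer, DNS SANs) of the leaf certificate.
    Verification is disabled on purpose so an untrusted origin cert is still reported.
    Assumes the 'cryptography' package is installed (imported lazily; the matcher needs nothing extra)."""
    from cryptography import x509
    from cryptography.x509.oid import ExtensionOID
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            der = tls.getpeercert(binary_form=True)
    cert = x509.load_der_x509_certificate(der)
    try:
        ext = cert.extensions.get_extension_for_oid(ExtensionOID.SUBJECT_ALTERNATIVE_NAME)
        sans = ext.value.get_values_for_type(x509.DNSName)
    except x509.ExtensionNotFound:
        sans = []
    return cert.issuer.rfc4514_string(), sans

def audit(expected: Dict[str, str]) -> Dict[str, bool]:
    """expected maps hostname -> substring that must appear in the served issuer name."""
    results = {}
    for host, want in expected.items():
        issuer, sans = fetch_served_cert(host)
        results[host] = want.lower() in issuer.lower()
        print(f"{host}: issuer={issuer!r} SANs covering it={covering_sans(sans, host)} "
              f"{'OK' if results[host] else 'MISMATCH'}")
    return results

if __name__ == "__main__":  # hostnames from the post; issuer substrings are placeholders
    audit({"mail.liamriley.me": "EXPECTED-STEP-CA-ISSUER", "weather.liamriley.me": "EXPECTED-ISSUER"})
```

Run it after each config change: a host whose covering SANs include a wildcard from the origin certificate is exactly the case where the wrong certificate can be selected.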

FYI you can simplify this by using these plugins: [GitHub - tuzzmaniandevil/caddy-dynamic-clientip](https://github.com/tuzzmaniandevil/caddy-dynamic-clientip) (`http.matchers.dynamic_client_ip` matches requests by the client IP address; the IP addresses to match against are provided by a module that implements `IPRangeSource`) and [GitHub - WeidiDeng/caddy-cloudflare-ip](https://github.com/WeidiDeng/caddy-cloudflare-ip), so you can do `@not-cloudflare not dynamic_client_ip cloudflare`

You can delete this, it’s redundant to re-state the defaults for these options.