Caddy & Tailscale & Cloudflare (Certificate issue)

Hello, new here but thanks for your help in advance

1. The problem I’m having:

I’m trying to set up Caddy as a reverse proxy via the Tailscale network, with Cloudflare CNAME redirection. But I’m having problems getting Caddy to accept my token to generate the SSL certificate.

Following the steps at https://www.youtube.com/watch?v=Vt4PDUXB_fg.

2. Error messages and/or full log output:

Redacted part of the Cloudflare token. In the video the token did not have the cfut_ prefix, but this is what Cloudflare is giving now, and the full token was validated with curl for Zones and DNS.

caddy      | {"level":"info","ts":1774076881.271653,"msg":"maxprocs: Leaving GOMAXPROCS=2: CPU quota undefined"}
caddy      | {"level":"info","ts":1774076881.271817,"msg":"GOMEMLIMIT is updated","package":"github.com/KimMachineGun/automemlimit/memlimit","GOMEMLIMIT":30076316467,"previous":9223372036854775807}
caddy      | {"level":"info","ts":1774076881.2726083,"msg":"using config from file","file":"/etc/caddy/Caddyfile"}
caddy      | {"level":"info","ts":1774076881.2738512,"msg":"adapted config to JSON","adapter":"caddyfile"}
caddy      | {"level":"warn","ts":1774076881.2739635,"msg":"Caddyfile input is not formatted; run 'caddy fmt --overwrite' to fix inconsistencies","adapter":"caddyfile","file":"/etc/caddy/Caddyfile","line":1}
caddy      | {"level":"info","ts":1774076881.2749794,"logger":"admin","msg":"admin endpoint started","address":"localhost:2019","enforce_origin":false,"origins":["//localhost:2019","//[::1]:2019","//127.0.0.1:2019"]}
caddy      | {"level":"info","ts":1774076881.2753055,"logger":"tls.cache.maintenance","msg":"started background certificate maintenance","cache":"0xc000015300"}
caddy      | {"level":"info","ts":1774076881.275449,"logger":"tls.cache.maintenance","msg":"stopped background certificate maintenance","cache":"0xc000015300"}
caddy      | {"level":"info","ts":1774076881.2755399,"logger":"http","msg":"servers shutting down with eternal grace period"}
caddy      | {"level":"info","ts":1774076881.2756388,"msg":"maxprocs: No GOMAXPROCS change to reset"}
caddy      | Error: loading initial config: loading new config: loading http app module: provision http: getting tls app: loading tls app module: provision tls: provisioning automation policy 0: loading TLS automation management module: position 0: loading module 'acme': provision tls.issuance.acme: loading DNS provider module: loading module 'cloudflare': provision dns.providers.cloudflare: API token 'cfut_1bgW...0c' appears invalid; ensure it's correctly entered and not wrapped in braces nor quotes

3. Caddy version:

Can’t get the version, as the container exits because of the invalid token message.

4. How I installed and ran Caddy:

Dockerfile:

FROM caddy:builder AS builder

RUN --mount=type=cache,target=/go/pkg/mod \
#    --mount=type=cache,target=/root/.cache/go-build \
    xcaddy build \
    --with \
    --with \
#    --with github.com/hairyhenderson/caddy-teapot-module@v0.0.3-0

FROM caddy:latest

COPY --from=builder /usr/bin/caddy /usr/bin/caddy

a. System environment:

Docker with Tailscale and Caddy

b. Command/Dockercompose:

services:
  tailscale:
    image: tailscale/tailscale:latest
    container_name: tailscale
    hostname: caddy-node
    restart: unless-stopped
    cap_add:
      - NET_ADMIN
      - SYS_MODULE
    volumes:
      - tailscale_state:/var/lib/tailscale
      - /dev/net/tun:/dev/net/tun
    environment:
      - TS_AUTHKEY=${TS_AUTHKEY}
      - TS_STATE_DIR=/var/lib/tailscale
      - TS_PERMIT_CERT_UID=0
    network_mode: host
  caddy:
    image: ghcr.io/caddy-dns/cloudflare:latest
    container_name: caddy
    cap_add:
      - NET_ADMIN
    ports:
      - 80:80
      - 443:443
    volumes:
      - /mnt/homelab/dockercompose/caddy/Caddyfile:/etc/caddy/Caddyfile
      - caddy_data:/data
      - caddy_config:/config
      - /var/run/tailscale:/var/run/tailscale:ro
    environment:
      - CF_API_TOKEN=cfut_1bgW....820c
    depends_on:
      - tailscale
    networks:
      - proxy
volumes:
  caddy_data: null
  caddy_config: null
  tailscale_state: null
networks:
  proxy:
    driver: bridge

d. My complete Caddy config:

The setup works with tls internal (commented out below), but fails for Cloudflare.


(cloudflare) {
  tls {
    dns cloudflare {env.CF_API_TOKEN}
  }
}

# immich
photos.houseofinfinity.net {
  reverse_proxy 192.168.100.40:2283
  import cloudflare
  #tls internal
}

5. Links to relevant resources:

Possibly similar issue to Caddy & Tailscale & Cloudflare, Oh my! (certificate issue)


I too am having this same issue.

Error: loading initial config: loading new config: loading http app module: provision http: getting tls app: loading tls app module: provision tls: provisioning automation policy 0: loading TLS automation management module: position 0: loading module 'acme': provision tls.issuance.acme: loading DNS provider module: loading module 'cloudflare': provision dns.providers.cloudflare: API token 'cfat_AC…6' appears invalid; ensure it's correctly entered and not wrapped in braces nor quotes



I tried CNAMEs and A records. I also tried switching to Traefik; there it showed that it was trying to set the caddy-node.tailf4b92.ts.net domain (clearly not going to work, as that was within my tailnet).

@senhorb The issue from your logs is the Cloudflare API key format. Likewise, this is my issue as well.

@nz_monkey I’m hoping it is. As I see it there are a couple of possibilities, from least likely to most likely:

  1. No-one else is using caddy/cloudflare/tailscale at the moment, and there is an open issue. Highly unlikely.
  2. The token format changed, and Caddy or the underlying library is having trouble. Unlikely, as I don’t see them creating such a breaking change. Only suspicious because even the docs have the old format, where it doesn’t start with cfut_...
  3. I’m doing something wrong when entering the token, or with the setup of the API options.

This is what I have on cloudflare domains:

And the token options:

If I test the token per CF recommendations, it seems to be valid:

arthur@pop-os:~$ curl "https://api.cloudflare.com/client/v4/user/tokens/verify" \
-H "Authorization: Bearer cfut_6redacted3"
{"result":{"id":"55redacteda","status":"active"},"success":true,"errors":[],"messages":[{"code":10000,"message":"This API Token is valid and active","type":null}]}

So I’m at a loss. Everything but the SSL works, and I like the format of the Caddyfile.

I’m picking that the token format has changed….

It was the token format change!

Created a patch at Update token regex by arthurbenemann · Pull Request #131 · caddy-dns/cloudflare · GitHub. But in the meantime it’s working with the following dockerfile:

FROM caddy:builder AS builder

RUN xcaddy build \
    --with github.com/caddy-dns/cloudflare=github.com/arthurbenemann/cloudflare@token-length

FROM caddy:latest

COPY --from=builder /usr/bin/caddy /usr/bin/caddy

and compose:

services:
  tailscale:
    image: tailscale/tailscale:latest
    container_name: tailscale
    hostname: caddy-node
    restart: unless-stopped
    cap_add:
      - NET_ADMIN
      - SYS_MODULE
    volumes:
      - tailscale_state:/var/lib/tailscale
      - /dev/net/tun:/dev/net/tun
      - /var/run/tailscale:/var/run/tailscale
    environment:
      - TS_AUTHKEY=tskey-auth-redacted
      - TS_STATE_DIR=/var/lib/tailscale
    network_mode: host

  caddy:
    build: .
    container_name: caddy
    depends_on:
      - tailscale
    restart: unless-stopped
    cap_add:
      - NET_ADMIN
    network_mode: service:tailscale   # ← joins tailscale's host network
    volumes:
      - /mnt/homelab/dockercompose/caddy/Caddyfile:/etc/caddy/Caddyfile
      - caddy_data:/data
      - caddy_config:/config
      - /var/run/tailscale/tailscaled.sock:/var/run/tailscale/tailscaled.sock:ro
    # no ports: — not compatible with network_mode
    environment:
      - CF_API_TOKEN=cfut_redacted

  whoami:
    image: traefik/whoami
    container_name: whoami
    ports:
      - 804:80

volumes:
  caddy_data:
  caddy_config:
  tailscale_state:
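The check the thread ends up doing by hand (is the token really wrapped in quotes or braces, does it have the new cfut_/cfat_ prefix, does Cloudflare itself accept it) as a small pre-flight script. This is an added example and is not code from the caddy-dns/cloudflare plugin or from any poster above. The exact pattern the plugin rejected is an assumption here: it is modelled as "40 characters of [A-Za-z0-9_-]" for the legacy shape, plus a cfut_/cfat_ prefixed shape with a minimum length of 20 characters after the prefix; the real plugin regex and real token lengths may differ. The sample tokens in the comments are constructed, not real credentials.

```shell
#!/usr/bin/env sh
# Pre-flight check for a Cloudflare API token before handing it to Caddy.
# Added example; the plugin's real regex is NOT known here and is modelled
# as an ASSUMPTION (see cf_token_shape). Sample tokens are constructed.

# Print the token with the wrappers the Caddy error warns about removed:
# surrounding whitespace, a pair of quotes, or a pair of braces.
cf_token_clean() {
  t="$1"
  t="${t#"${t%%[![:space:]]*}"}"   # strip leading whitespace
  t="${t%"${t##*[![:space:]]}"}"   # strip trailing whitespace
  case "$t" in
    \"*\") t="${t#\"}"; t="${t%\"}" ;;   # "token"
    \'*\') t="${t#\'}"; t="${t%\'}" ;;   # 'token'
  esac
  case "$t" in
    \{*\}) t="${t#\{}"; t="${t%\}}" ;;   # {token}
  esac
  printf '%s' "$t"
}

# Classify the cleaned token's shape and print one word:
#   legacy   - 40 chars of [A-Za-z0-9_-] (ASSUMED to be what older plugin
#              releases accepted)
#   prefixed - cfut_/cfat_ prefix followed by at least 20 token chars
#              (ASSUMED minimum; the newer Cloudflare format seen in the thread)
#   invalid  - anything else (also returns 1)
cf_token_shape() {
  t="$(cf_token_clean "$1")"
  if printf '%s' "$t" | grep -Eq '^[A-Za-z0-9_-]{40}$'; then
    echo legacy
  elif printf '%s' "$t" | grep -Eq '^cf[ua]t_[A-Za-z0-9_-]{20,}$'; then
    echo prefixed
  else
    echo invalid
    return 1
  fi
}

# Authoritative check: ask Cloudflare whether the token is active, exactly as
# the thread did with curl. Needs network access; returns 0 only on
# "status":"active". Not exercised offline.
cf_token_verify() {
  t="$(cf_token_clean "$1")"
  curl -fsS "https://api.cloudflare.com/client/v4/user/tokens/verify" \
       -H "Authorization: Bearer $t" | grep -q '"status":"active"'
}

# Usage: CF_API_TOKEN=... sh cf-token-check.sh
# A "prefixed" token that Cloudflare reports active but Caddy calls "invalid"
# points at the plugin's format check, not at the credential.
if [ -n "${CF_API_TOKEN:-}" ]; then
  shape="$(cf_token_shape "$CF_API_TOKEN" || true)"
  echo "token shape: $shape"
  if [ "$shape" != "invalid" ] && command -v curl >/dev/null 2>&1; then
    if cf_token_verify "$CF_API_TOKEN"; then
      echo "cloudflare: token is valid and active"
    else
      echo "cloudflare: token rejected (or no network)"
    fi
  fi
fi
```

Run it with the same CF_API_TOKEN value the compose file passes to Caddy; if the shape comes back "prefixed" and Cloudflare reports the token active while Caddy still refuses it, the fix is on the plugin side (the updated regex from the pull request above), not in the token or the Caddyfile.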

Thanks. I applied the patch and everything is working perfectly now.