Cannot use Caddy when run with Cloudflare SSL (strict)

Hi guys,

I want to use Caddy for my customer when they need to create your own website with your DNS on Cloudflare. The problem is when I enabled SL(strict) in Cloudflare, Caddy docker cannot start and prompt this error:

ERROR LOG

Activating privacy features… 2019/05/29 04:19:55 [INFO][cache:0xc000032730] Started certificate maintenance routine

Your sites will be served over HTTPS automatically using Let’s Encrypt.
By continuing, you agree to the Let’s Encrypt Subscriber Agreement at:
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf
Please enter your email address to signify agreement and to be notified
in case of issues. You can leave it blank, but we don’t recommend it.
Email address: 2019/05/29 04:19:56 [INFO] [blogdemo.haidv.online] acme: Obtaining bundled SAN certificate
2019/05/29 04:19:57 [INFO] [blogdemo.yourdomain.online] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz/aIZJm_RG6J7cR7CN5PZV8KjIT6jNZImVSogh1nfjnfQ
2019/05/29 04:19:57 [INFO] [blogdemo.yourdomain.online] acme: use tls-alpn-01 solver
2019/05/29 04:19:57 [INFO] [blogdemo.yourdomain.online] acme: Trying to solve TLS-ALPN-01
2019/05/29 04:19:58 [INFO] Unable to deactivated authorizations: https://acme-v02.api.letsencrypt.org/acme/authz/aIZJm_RG6J7cR7CN5PZV8KjIT6jNZImVSogh1nfjnfQ
2019/05/29 04:19:58 [blogdemo.yourdomain.online] failed to obtain certificate: acme: Error -> One or more domains had a problem:
[blogdemo.yourdomain.online] acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: Cannot negotiate ALPN protocol “acme-tls/1” for tls-alpn-01 challenge, url:
exit status 1

When I pause Cloudflare for my site, Caddy is ok, and it’s going to use Let’s Encrypt certificate.
I want to use Cloudflare certificate and it’s automation too. If the customers don’t use Cloudflare, they can use other provider and that why I need Caddy to automation generate SSL for all provider?

Howdy @naviat, welcome to the Caddy community.

The default TLS-ALPN challenge is not viable with Cloudflare’s “orange-cloud” MITM in the way. When Cloudflare’s in the middle, it terminates the client’s TLS before it reaches your server, and negotiates a new TLS connection on their behalf.

The HTTP challenge works fine through the Cloudflare proxy, though. You can disable TLS-ALPN challenges and fall back to HTTP with a command line flag.

https://caddyserver.com/docs/cli#disable-tls-alpn-challenge

1 Like

@Whitestrake thanks so much, you saved my day.

2 Likes

Note that I just pushed a patch for this so in the next release you won’t need to disable that challenge, it’ll try the http challenge right away as a failover.

3 Likes

Cool, Thanks Matt

I guess a whole lot of people face this problem.