Cannot use Caddy when run with Cloudflare SSL (strict)

Hi guys,

I want to use Caddy for my customers when they need to create their own website with their DNS on Cloudflare. The problem is that when I enabled SSL (strict) in Cloudflare, Caddy docker cannot start and prompts this error:


Activating privacy features… 2019/05/29 04:19:55 [INFO][cache:0xc000032730] Started certificate maintenance routine

Your sites will be served over HTTPS automatically using Let’s Encrypt.
By continuing, you agree to the Let’s Encrypt Subscriber Agreement at:
Please enter your email address to signify agreement and to be notified
in case of issues. You can leave it blank, but we don’t recommend it.
Email address: 2019/05/29 04:19:56 [INFO] [] acme: Obtaining bundled SAN certificate
2019/05/29 04:19:57 [INFO] [] AuthURL:
2019/05/29 04:19:57 [INFO] [] acme: use tls-alpn-01 solver
2019/05/29 04:19:57 [INFO] [] acme: Trying to solve TLS-ALPN-01
2019/05/29 04:19:58 [INFO] Unable to deactivated authorizations:
2019/05/29 04:19:58 [] failed to obtain certificate: acme: Error → One or more domains had a problem:
[] acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: Cannot negotiate ALPN protocol “acme-tls/1” for tls-alpn-01 challenge, url:
exit status 1

When I pause Cloudflare for my site, Caddy is ok, and it’s going to use a Let’s Encrypt certificate.
I want to use the Cloudflare certificate and it’s automation too. If the customers don’t use Cloudflare, they can use another provider and that’s why I need Caddy to automatically generate SSL for all providers?

Howdy @naviat, welcome to the Caddy community.

The default TLS-ALPN challenge is not viable with Cloudflare’s “orange-cloud” MITM in the way. When Cloudflare’s in the middle, it terminates the client’s TLS before it reaches your server, and negotiates a new TLS connection on their behalf.

The HTTP challenge works fine through the Cloudflare proxy, though. You can disable TLS-ALPN challenges and fall back to HTTP with a command line flag.

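As an added example (not code from the thread or from the Caddy project), the following triage helper scans ACME log output like the one in the question and flags the failure pattern explained above: a TLS-ALPN-01 attempt rejected because `acme-tls/1` could not be negotiated, which points to TLS being terminated before the origin. The function name `triage`, the result fields and the `example.test` domain are assumptions made for this illustration.

```python
import re

# Constructed sample modelled on the log in the question; the real log had
# its domain and URL stripped, so example.test is a placeholder.
SAMPLE_LOG = """\
2019/05/29 04:19:57 [INFO] [example.test] acme: use tls-alpn-01 solver
2019/05/29 04:19:57 [INFO] [example.test] acme: Trying to solve TLS-ALPN-01
2019/05/29 04:19:58 [example.test] failed to obtain certificate: acme: Error -> One or more domains had a problem:
[example.test] acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: Cannot negotiate ALPN protocol "acme-tls/1" for tls-alpn-01 challenge, url:
"""

# "[domain] acme: error: <status> :: urn:ietf:params:acme:error:<type> :: <detail>"
PROBLEM = re.compile(
    r"\[(?P<domain>[^\]]*)\] acme: error: (?P<status>\d{3}) :: "
    r"urn:ietf:params:acme:error:(?P<type>\w+) :: (?P<detail>.*)"
)
CHALLENGE = re.compile(r"\b(tls-alpn-01|http-01|dns-01)\b", re.I)
# Accept straight or typographic quotes: forum software often rewrites them.
ALPN_FAIL = re.compile(r"Cannot negotiate ALPN protocol\s+[\"“]acme-tls/1[\"”]")


def triage(log_text):
    """Return one finding per ACME problem line found in log_text."""
    findings = []
    for line in log_text.splitlines():
        m = PROBLEM.search(line)
        if not m:
            continue
        detail = m["detail"]
        challenge = CHALLENGE.search(detail)
        finding = {
            "domain": m["domain"],
            "status": int(m["status"]),
            "error": m["type"],
            "challenge": challenge.group(1).lower() if challenge else None,
            # True when the validator could not negotiate acme-tls/1, i.e.
            # something in front of the origin answered the TLS handshake.
            "tls_terminated_upstream": bool(ALPN_FAIL.search(detail)),
        }
        if finding["tls_terminated_upstream"]:
            finding["hint"] = ("TLS is terminated before the origin (for example "
                               "by a proxying CDN); use the HTTP challenge instead")
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f)
```
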

@Whitestrake thanks so much, you saved my day.


Note that I just pushed a patch for this so in the next release you won’t need to disable that challenge, it’ll try the http challenge right away as a failover.


Cool, Thanks Matt

I guess a whole lot of people face this problem.