1. The problem I’m having:
I can’t reach the server on my local port 3000 that I intend to make available through Caddy from the outside. I have confirmed that ports 443 and 80 are open. The error that I get from curl (SSL routines::wrong version number) seems to imply that there is something wrong with the certificate, but I don’t know what to try.
2. Error messages and/or full log output:
Response from Curl:
tikktakk@CW-1V5YXL3:~$ curl -vL https://backend.sjoburger.com
* Host backend.sjoburger.com:443 was resolved.
* IPv6: (none)
* IPv4: 94.254.111.244
* Trying 94.254.111.244:443...
* Connected to backend.sjoburger.com (94.254.111.244) port 443
* ALPN: curl offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* CAfile: /etc/ssl/certs/ca-certificates.crt
* CApath: /etc/ssl/certs
* OpenSSL/3.0.13: error:0A00010B:SSL routines::wrong version number
* Closing connection
curl: (35) OpenSSL/3.0.13: error:0A00010B:SSL routines::wrong version number
Caddy log:
Nov 11 08:05:25 pimorteno caddy[2573672]: INVOCATION_ID=d4b21cf3ec5947dc9f11638a63bb0241
Nov 11 08:05:25 pimorteno caddy[2573672]: JOURNAL_STREAM=9:33644104
Nov 11 08:05:25 pimorteno caddy[2573672]: SYSTEMD_EXEC_PID=2573672
Nov 11 08:05:25 pimorteno caddy[2573672]: {"level":"info","ts":1762844725.2088616,"msg":"using provided configuration","config_file":"/etc/caddy/Caddyfile","config_adapter":""}
Nov 11 08:05:25 pimorteno caddy[2573672]: {"level":"warn","ts":1762844725.20979,"msg":"Caddyfile input is not formatted; run the 'caddy fmt' command to fix inconsistencies","adapter":"caddyfile","file":"/etc/caddy/Caddyfile","line":1}
Nov 11 08:05:25 pimorteno caddy[2573672]: {"level":"info","ts":1762844725.2105339,"logger":"admin","msg":"admin endpoint started","address":"localhost:2019","enforce_origin":false,"origins":["//localhost:2019","//[::1]:2019","//127.0.0.1:2019"]}
Nov 11 08:05:25 pimorteno caddy[2573672]: {"level":"info","ts":1762844725.2106645,"logger":"http","msg":"server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS","server_name":"srv0","https_port":443}
Nov 11 08:05:25 pimorteno caddy[2573672]: {"level":"info","ts":1762844725.2106788,"logger":"http","msg":"enabling automatic HTTP->HTTPS redirects","server_name":"srv0"}
Nov 11 08:05:25 pimorteno caddy[2573672]: {"level":"info","ts":1762844725.210752,"logger":"tls.cache.maintenance","msg":"started background certificate maintenance","cache":"0x4000327a40"}
Nov 11 08:05:25 pimorteno caddy[2573672]: {"level":"info","ts":1762844725.2109182,"logger":"http","msg":"enabling HTTP/3 listener","addr":":443"}
Nov 11 08:05:25 pimorteno caddy[2573672]: {"level":"info","ts":1762844725.2109218,"logger":"tls","msg":"cleaning storage unit","description":"FileStorage:/var/lib/caddy/.local/share/caddy"}
Nov 11 08:05:25 pimorteno caddy[2573672]: {"level":"info","ts":1762844725.210981,"msg":"failed to sufficiently increase receive buffer size (was: 208 kiB, wanted: 2048 kiB, got: 416 kiB). See https://github.com/lucas-clemente/quic-go/wiki/UDP-Receive-Buffer-Size for details."}
Nov 11 08:05:25 pimorteno caddy[2573672]: {"level":"debug","ts":1762844725.2110379,"logger":"http","msg":"starting server loop","address":"[::]:443","tls":true,"http3":true}
Nov 11 08:05:25 pimorteno caddy[2573672]: {"level":"info","ts":1762844725.211045,"logger":"http.log","msg":"server running","name":"srv0","protocols":["h1","h2","h3"]}
Nov 11 08:05:25 pimorteno caddy[2573672]: {"level":"debug","ts":1762844725.2110724,"logger":"http","msg":"starting server loop","address":"[::]:80","tls":false,"http3":false}
Nov 11 08:05:25 pimorteno caddy[2573672]: {"level":"info","ts":1762844725.2110782,"logger":"http.log","msg":"server running","name":"remaining_auto_https_redirects","protocols":["h1","h2","h3"]}
Nov 11 08:05:25 pimorteno caddy[2573672]: {"level":"info","ts":1762844725.2110825,"logger":"http","msg":"enabling automatic TLS certificate management","domains":["backend.sjoburger.com"]}
Nov 11 08:05:25 pimorteno caddy[2573672]: {"level":"debug","ts":1762844725.2113488,"logger":"tls","msg":"loading managed certificate","domain":"backend.sjoburger.com","expiration":1769587836,"issuer_key":"acme-v02.api.letsencrypt.org-directory","storage":"FileStorage:/var/lib/caddy/.local/share/caddy"}
Nov 11 08:05:25 pimorteno caddy[2573672]: {"level":"info","ts":1762844725.2114496,"logger":"tls","msg":"finished cleaning storage units"}
Nov 11 08:05:25 pimorteno caddy[2573672]: {"level":"warn","ts":1762844725.2115984,"logger":"tls","msg":"stapling OCSP","error":"no OCSP stapling for [backend.sjoburger.com]: no OCSP server specified in certificate","identifiers":["backend.sjoburger.com"]}
Nov 11 08:05:25 pimorteno caddy[2573672]: {"level":"debug","ts":1762844725.211611,"logger":"tls.cache","msg":"added certificate to cache","subjects":["backend.sjoburger.com"],"expiration":1769587836,"managed":true,"issuer_key":"acme-v02.api.letsencrypt.org-directory","hash":"501191593d5d5b2fa1c7f1394e4a3cca013fbd35dd5c08b3a08f0f022277f096","cache_size":1,"cache_capacity":10000}
Nov 11 08:05:25 pimorteno caddy[2573672]: {"level":"debug","ts":1762844725.2116294,"logger":"events","msg":"event","name":"cached_managed_cert","id":"55050dcf-82f9-44c4-9f9e-19da59747b10","origin":"tls","data":{"sans":["backend.sjoburger.com"]}}
Nov 11 08:05:25 pimorteno caddy[2573672]: {"level":"info","ts":1762844725.21257,"msg":"autosaved config (load with --resume flag)","file":"/var/lib/caddy/.config/caddy/autosave.json"}
Nov 11 08:05:25 pimorteno caddy[2573672]: {"level":"info","ts":1762844725.212612,"msg":"serving initial configuration"}
Nov 11 08:05:25 pimorteno systemd[1]: Started caddy.service - Caddy.
3. Caddy version:
2.6.2
4. How I installed and ran Caddy:
sudo apt install -y debian-keyring debian-archive-keyring apt-transport-https
curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/gpg.key' | sudo tee /usr/share/keyrings/caddy-stable-archive-keyring.gpg >/dev/null
curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/debian.deb.txt' | sudo tee /etc/apt/sources.list.d/caddy-stable.list
sudo apt install caddy -y
a. System environment:
Debian GNU/Linux 12 / Raspberry Pi 5
b. Command:
I run Caddy as a service
systemctl start caddy
c. Service/unit/compose file:
[Unit]
Description=Caddy
Documentation=https://caddyserver.com/docs/
After=network.target network-online.target
Requires=network-online.target
[Service]
Type=notify
User=caddy
Group=caddy
ExecStart=/usr/bin/caddy run --environ --config /etc/caddy/Caddyfile
ExecReload=/usr/bin/caddy reload --config /etc/caddy/Caddyfile --force
TimeoutStopSec=5s
LimitNOFILE=1048576
LimitNPROC=512
PrivateTmp=true
ProtectSystem=full
AmbientCapabilities=CAP_NET_BIND_SERVICE
[Install]
WantedBy=multi-user.target
d. My complete Caddy config:
{
	debug
}

backend.sjoburger.com {
	reverse_proxy localhost:3000
}
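The following script is an added diagnostic example; it is not part of the post above and not Caddy's own code. OpenSSL reports "wrong version number" when the bytes that come back after its ClientHello do not begin with a TLS record header (0x16 0x03 ...), which is what happens when a TLS client talks to a plaintext listener, for instance when a router forwards external port 443 to a port that serves plain HTTP. The script reproduces curl's error offline by feeding a constructed plaintext HTTP reply to OpenSSL through memory BIOs, and it includes a raw-socket probe that sends a real ClientHello to a host:port and names what answers. The hostname backend.sjoburger.com is taken from the post; the sample replies PLAINTEXT_REPLY and TLS_REPLY are constructed here, and the probe is only run when a host is given on the command line.

```python
"""Reproduce curl's "SSL routines::wrong version number" offline and probe a live port.

OpenSSL raises SSL_R_WRONG_VERSION_NUMBER when the first bytes it receives
after sending a ClientHello are not a TLS record header.  The usual trigger
is a plaintext HTTP listener sitting behind port 443.  Added example, not
code from the original post or from Caddy.
"""
import socket
import ssl

# Constructed sample replies (not captured from the poster's server):
# what a plaintext HTTP server typically says when it receives a ClientHello,
# and the start of a genuine TLS ServerHello record (type 0x16, version 0x0303).
PLAINTEXT_REPLY = b"HTTP/1.1 400 Bad Request\r\nConnection: close\r\n\r\n"
TLS_REPLY = bytes.fromhex("160303004a02000046")


def client_hello(server_name: str) -> bytes:
    """Build a real ClientHello with OpenSSL, using memory BIOs instead of a socket."""
    ctx = ssl.create_default_context()
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=server_name)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: the ClientHello is now in `outgoing`, OpenSSL waits for a reply
    return outgoing.read()


def handshake_reason(server_name: str, reply: bytes) -> str:
    """Feed `reply` to OpenSSL as if the server had sent it and return the outcome.

    "WRONG_VERSION_NUMBER" is the mnemonic behind curl's error 0A00010B;
    "NEED_MORE_DATA" means the bytes parse as a TLS record and OpenSSL wants the rest.
    """
    ctx = ssl.create_default_context()
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=server_name)
    try:
        tls.do_handshake()  # writes the ClientHello into `outgoing`
    except ssl.SSLWantReadError:
        pass
    outgoing.read()  # discard it; nothing is on the wire in this offline run
    incoming.write(reply)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        return "NEED_MORE_DATA"
    except ssl.SSLError as exc:
        return exc.reason or "UNKNOWN"
    return "COMPLETED"


def classify_first_bytes(data: bytes) -> str:
    """Name what the far end sent back in response to a ClientHello."""
    if not data:
        return "closed without answering: firewall, or forwarded to a dead port"
    if data[0] == 0x16 and data[1:2] == b"\x03":
        return "TLS handshake record: a TLS server is answering on this port"
    if data[0] == 0x15 and data[1:2] == b"\x03":
        return "TLS alert record: a TLS server answered but rejected the hello"
    if data.startswith(b"HTTP/"):
        return "plaintext HTTP response: the port reaches a non-TLS listener"
    return "unrecognised bytes: whatever answered is not speaking TLS"


def probe(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Send a ClientHello to host:port over a raw socket and classify the first reply bytes."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(client_hello(host))
        try:
            data = sock.recv(5)
        except socket.timeout:
            return "timed out: nothing answered the ClientHello"
    return classify_first_bytes(data)


if __name__ == "__main__":
    import sys

    # Offline: show that a plaintext answer is exactly what produces curl's error.
    print("plaintext reply ->", handshake_reason("backend.sjoburger.com", PLAINTEXT_REPLY))
    print("TLS reply       ->", handshake_reason("backend.sjoburger.com", TLS_REPLY))
    # Live: python3 probe.py backend.sjoburger.com 443
    if len(sys.argv) > 1:
        port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
        print(f"{sys.argv[1]}:{port} ->", probe(sys.argv[1], port))
```

Run the probe once against the public address and once from the Raspberry Pi against 127.0.0.1:443: if the local run reports a TLS handshake record (which the Caddy log above, showing the managed certificate loaded and the listener on [::]:443, suggests it will) while the public run reports a plaintext HTTP response, the problem is in the path between the internet and Caddy (port forwarding or NAT), not in the certificate.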