CDNs providers and Caddy


Some of my clients set up their domain names behind CDN providers like Cloudflare, CloudFront, etc.
A regular customer domain works like this:

  • They have a unique domain set up under our CNAME that points right to the Caddy server.
  • Caddy gets the request and sends it to Let's Encrypt.
  • Let's Encrypt goes back to the Caddy server and can confirm the website (with HTTP validation).

CDN customers work like this:

  • CNAME record under the CDN provider.
  • They get the SSL certificate from the CDN provider.
  • Every request from the CDN provider is proxied to our Caddy server.
  • The Caddy servers don't have the SSL certificate for this domain, so they try to get one from Let's Encrypt.
  • Let's Encrypt checks the CNAME but reaches the CDN provider's server, so it can't validate the domain.

What can I do to make it work?


Tell them to not use the CDN for TLS. There’s no way for On-Demand TLS to work if the CDN is intercepting TLS handshakes. For Cloudflare, there’s a “grey cloud” setting I think, which turns this off.
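The practical consequence of the answer above is that the Caddy server should not even attempt issuance for a name whose DNS points at a CDN edge: the ACME HTTP challenge would be answered by the CDN, the order would fail, and repeated failures burn Let's Encrypt rate limits. The following is an added example, not code from the thread or from the Caddy project. It assumes Caddy's global `on_demand_tls { ask <url> }` option (a real option: Caddy issues a GET with `?domain=` and only proceeds on HTTP 200), an assumed ingress hostname `ingress.example-host.net` that customers are told to CNAME to, an illustrative list of CDN suffixes, and a constructed table of CNAME records standing in for a live resolver so it runs offline.

```python
"""Decide whether Caddy should attempt On-Demand TLS for a hostname.

A hostname whose CNAME chain ends at a CDN edge cannot pass the ACME
HTTP challenge at our Caddy server, because the CDN terminates TLS and
answers HTTP for it. Issuance is allowed only for names whose chain
ends at our own ingress hostname.
"""
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Callable, Dict, List, Optional
from urllib.parse import parse_qs, urlparse

# Hostname customers are told to CNAME to (assumed value for this example).
OUR_INGRESS = "ingress.example-host.net"

# CDN suffixes known to terminate TLS in front of origins (assumed,
# illustrative list; extend from your own observations).
CDN_SUFFIXES = (".cdn.cloudflare.net", ".cloudfront.net")

# Constructed sample DNS data standing in for a real resolver:
# name -> CNAME target, or None when the name is an A/AAAA record (chain ends).
SAMPLE_CNAMES: Dict[str, Optional[str]] = {
    "shop.customer-a.example": "ingress.example-host.net",
    "ingress.example-host.net": None,
    "www.customer-b.example": "www.customer-b.example.cdn.cloudflare.net",
    "www.customer-b.example.cdn.cloudflare.net": None,
    "app.customer-c.example": "d111111abcdef8.cloudfront.net",
    "d111111abcdef8.cloudfront.net": None,
    "loop.customer-d.example": "loop2.customer-d.example",
    "loop2.customer-d.example": "loop.customer-d.example",
}

Resolver = Callable[[str], Optional[str]]


def sample_resolver(name: str) -> Optional[str]:
    """Return the CNAME target for `name` from the constructed table."""
    return SAMPLE_CNAMES.get(name.rstrip(".").lower())


def cname_chain(name: str, resolve: Resolver, max_hops: int = 8) -> List[str]:
    """Follow CNAMEs from `name`; return the chain ending at the last name
    that has no CNAME. Stops early on a loop or after max_hops."""
    chain = [name.rstrip(".").lower()]
    seen = set(chain)
    for _ in range(max_hops):
        target = resolve(chain[-1])
        if target is None:
            break
        target = target.rstrip(".").lower()
        if target in seen:  # CNAME loop: treat as unresolvable
            break
        chain.append(target)
        seen.add(target)
    return chain


def should_issue(domain: str, resolve: Resolver = sample_resolver) -> bool:
    """True only if the CNAME chain terminates at our ingress hostname
    and not at a known CDN edge."""
    terminal = cname_chain(domain, resolve)[-1]
    if any(terminal.endswith(s) for s in CDN_SUFFIXES):
        return False  # CDN in front: the HTTP challenge would hit the CDN, not us
    return terminal == OUR_INGRESS


def ask_status(domain: str, resolve: Resolver = sample_resolver) -> int:
    """HTTP status for Caddy's `ask` contract: 200 allows issuance, else deny."""
    return 200 if domain and should_issue(domain, resolve) else 403


class AskHandler(BaseHTTPRequestHandler):
    """Serves GET /check?domain=<name> for Caddy's on_demand_tls `ask` URL."""

    def do_GET(self) -> None:
        query = parse_qs(urlparse(self.path).query)
        domain = query.get("domain", [""])[0]
        self.send_response(ask_status(domain))
        self.end_headers()

    def log_message(self, *args) -> None:  # keep the demo quiet
        pass


if __name__ == "__main__":
    # Corresponding Caddyfile global option (assumed for this example):
    #   { on_demand_tls { ask http://127.0.0.1:9000/check } }
    HTTPServer(("127.0.0.1", 9000), AskHandler).serve_forever()
```

With this in place, a CDN-fronted customer gets a 403 from the `ask` endpoint and Caddy declines the handshake instead of failing an ACME order. One caveat for production use: a Cloudflare "orange cloud" record is usually flattened so that public DNS returns Cloudflare A/AAAA addresses rather than a visible CNAME, so a real check should also compare the resolved addresses against the CDN's published IP ranges, not only the CNAME suffix.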

This topic was automatically closed after 30 days. New replies are no longer allowed.