Hmm, well you requested curl https://auth_test.example.rocks but you’re listening on port 8443. That doesn’t align.
The SSL error is correct though, because TLS verification happens when the TLS handshake is made, which is before HTTP. So any issues there won’t result in HTTP errors, but instead with a failed TLS handshake. That’s working as intended.
The verify_if_given mode does not require certs, so it will just keep going if the user never presented a cert. If you present a bad cert though (untrusted one), then it will fail.
What you can do is check the value of {http.request.tls.client.subject} with the expression matcher and return an HTTP error if it’s empty. Maybe something like this:
@nocert expression {http.request.tls.client.subject} == ''
respond @nocert "No cert provided" 403
I haven’t tested that, you’ll need to play around with it to see what works.
As an aside, why are you using a separate lego container for managing wildcard certs from cloudflare? You know you can use Caddy for this, right?
You just need to build Caddy with the cloudflare plugin. See the docs on docker hub for how to write the Dockerfile. It’s very easy.
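The suggestion above, written out as a full site block, as an added example that is not part of the original reply. It assumes the site is served on port 8443 (matching the port mentioned in the thread), that the CA bundle used to verify client certificates lives at a placeholder path, and that requests are proxied to a placeholder backend; adjust those three values for your setup. With verify_if_given, a connection with no client certificate completes the TLS handshake and then hits the @nocert matcher, while a certificate that is not signed by the trusted CA is rejected during the handshake and never reaches the HTTP layer, which is why such failures show up as a TLS error in curl rather than a 403.

```caddyfile
auth_test.example.rocks:8443 {
	tls {
		client_auth {
			# Accept connections without a client cert, but reject untrusted ones
			mode verify_if_given
			# Placeholder path to the CA that issues your client certificates
			trusted_ca_cert_file /etc/caddy/client-ca.pem
		}
	}

	# True when the TLS handshake completed without a client certificate,
	# because the subject placeholder is then empty
	@nocert expression {http.request.tls.client.subject} == ''
	respond @nocert "No cert provided" 403

	# Placeholder backend; only requests that presented a trusted cert get here
	reverse_proxy localhost:9000
}
```

To check the two paths, run the request once without a certificate (expect an HTTP 403 with the "No cert provided" body) and once with a certificate issued by the configured CA (expect the proxied response), remembering to include :8443 in the URL so the request reaches the listener in the first place.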