Cloudflare connection timed out

1. Output of caddy version:

2.5.2

2. How I run Caddy:

DOCKER COMPOSE

a. System environment:

UBUNTU SERVER/DOCKER

b. Command:

docker-compose up -d

c. Service/unit/compose file:

version: "3"

services:
        caddy:
                container_name: caddy
                image: caddy:2-alpine
                restart: unless-stopped
                ports:
                        - "80:80"
                        - "443:443"
                volumes:
                        - /docker/caddy/Caddyfile:/etc/caddy/Caddyfile
                        - /docker/caddy/data:/data
                        - /docker/caddy/srv:/srv
                        - /docker/caddy/config:/config
                networks:
                        - t2_proxy
networks:
  t2_proxy:
    external: true

d. My complete Caddy config:

{
    # Global options block. Entirely optional, https is on by default
    # Optional email key for Let's Encrypt
    email ryan.naff@gmail.com
    # Optional staging Let's Encrypt for testing. Comment out for production.
#     acme_ca https://acme-staging-v02.api.letsencrypt.org/directory
}
port.naff.casa {
    reverse_proxy 192.168.1.37:9443
}
www.naff.casa {
    reverse_proxy 192.168.1.37:1111
}
sonarr.naff.casa {
    reverse_proxy 192.168.1.37:8989
}
plex.naff.casa {
    reverse_proxy 192.168.1.37:32400
}
radarr.naff.casa {
    reverse_proxy 192.168.1.37:7878
}
ombi.naff.casa {
    reverse_proxy 192.168.1.37:3579
}
remote.naff.casa {
    reverse_proxy 192.168.1.37:6969
}
bw.naff.casa {
    reverse_proxy 192.168.1.37:8711
}
cloud.naff.casa {
    reverse_proxy 192.168.1.37:8814 {
        transport http {
                tls_insecure_skip_verify
        }
    }
    header {
        Strict-Transport-Security max-age=31536000;
    }
    redir /.well-known/webfinger /public.php?service=webfinger 301
}
cctv.naff.casa {
    reverse_proxy 192.168.1.39:8123
}
jellyfin.naff.casa {
    reverse_proxy 192.168.1.37:8096
}
naff.casa {
  root * /srv/www
  encode gzip
  file_server
}


3. The problem I’m having:

Cannot connect to static webpage – just trying to host a simple index.html for learning purposes on home lab.

4. Error messages and/or full log output:

{"level":"info","ts":1661287835.7232783,"msg":"using provided configuration","config_file":"/etc/caddy/Caddyfile","config_adapter":"caddyfile"}
{"level":"warn","ts":1661287835.7273011,"msg":"Caddyfile input is not formatted; run the 'caddy fmt' command to fix inconsistencies","adapter":"caddyfile","file":"/etc/caddy/Caddyfile","line":2}
{"level":"info","ts":1661287835.7297251,"logger":"admin","msg":"admin endpoint started","address":"tcp/localhost:2019","enforce_origin":false,"origins":["//[::1]:2019","//127.0.0.1:2019","//localhost:2019"]}
{"level":"info","ts":1661287835.732739,"logger":"http","msg":"server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS","server_name":"srv0","https_port":443}
{"level":"info","ts":1661287835.7329063,"logger":"http","msg":"enabling automatic HTTP->HTTPS redirects","server_name":"srv0"}
{"level":"info","ts":1661287835.7331548,"logger":"tls.cache.maintenance","msg":"started background certificate maintenance","cache":"0xc000868380"}
{"level":"info","ts":1661287835.7353787,"logger":"http","msg":"enabling automatic TLS certificate management","domains":["port.naff.casa","remote.naff.casa","ombi.naff.casa","bw.naff.casa","jellyfin.naff.casa","radarr.naff.casa","plex.naff.casa","cctv.naff.casa","www.naff.casa","sonarr.naff.casa","cloud.naff.casa"]}
{"level":"info","ts":1661287835.7355058,"logger":"tls","msg":"cleaning storage unit","description":"FileStorage:/data/caddy"}
{"level":"info","ts":1661287835.744143,"logger":"tls","msg":"finished cleaning storage units"}
{"level":"info","ts":1661287835.746029,"msg":"autosaved config (load with --resume flag)","file":"/config/caddy/autosave.json"}
{"level":"info","ts":1661287835.7460988,"msg":"serving initial configuration"}
{"level":"info","ts":1661287957.8709655,"msg":"shutting down apps, then terminating","signal":"SIGTERM"}
{"level":"warn","ts":1661287957.8710673,"msg":"exiting; byeee!! 👋","signal":"SIGTERM"}
{"level":"info","ts":1661287969.096957,"msg":"using provided configuration","config_file":"/etc/caddy/Caddyfile","config_adapter":"caddyfile"}
{"level":"warn","ts":1661287969.101679,"msg":"Caddyfile input is not formatted; run the 'caddy fmt' command to fix inconsistencies","adapter":"caddyfile","file":"/etc/caddy/Caddyfile","line":2}
{"level":"info","ts":1661287969.1041563,"logger":"admin","msg":"admin endpoint started","address":"tcp/localhost:2019","enforce_origin":false,"origins":["//localhost:2019","//[::1]:2019","//127.0.0.1:2019"]}
{"level":"info","ts":1661287969.1049354,"logger":"tls.cache.maintenance","msg":"started background certificate maintenance","cache":"0xc000926070"}
{"level":"info","ts":1661287969.1050003,"logger":"http","msg":"server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS","server_name":"srv0","https_port":443}
{"level":"info","ts":1661287969.1051006,"logger":"http","msg":"enabling automatic HTTP->HTTPS redirects","server_name":"srv0"}
{"level":"info","ts":1661287969.1076643,"logger":"http","msg":"enabling automatic TLS certificate management","domains":["www.naff.casa","bw.naff.casa","naff.casa","cloud.naff.casa","remote.naff.casa","plex.naff.casa","jellyfin.naff.casa","radarr.naff.casa","port.naff.casa","ombi.naff.casa","cctv.naff.casa","sonarr.naff.casa"]}
{"level":"info","ts":1661287969.108425,"logger":"tls","msg":"cleaning storage unit","description":"FileStorage:/data/caddy"}
{"level":"info","ts":1661287969.114429,"logger":"tls.obtain","msg":"acquiring lock","identifier":"naff.casa"}
{"level":"info","ts":1661287969.115026,"msg":"[INFO][FileStorage:/data/caddy] Lock for 'issue_cert_naff.casa' is stale (created: 2022-08-23 18:57:40.137677826 +0000 UTC, last update: 2022-08-23 19:48:40.450926145 +0000 UTC); removing then retrying: /data/caddy/locks/issue_cert_naff.casa.lock"}
{"level":"info","ts":1661287969.117956,"logger":"tls.obtain","msg":"lock acquired","identifier":"naff.casa"}
{"level":"info","ts":1661287969.1188917,"logger":"tls","msg":"finished cleaning storage units"}
{"level":"info","ts":1661287969.1197028,"logger":"tls.issuance.acme","msg":"waiting on internal rate limiter","identifiers":["naff.casa"],"ca":"https://acme-v02.api.letsencrypt.org/directory","account":"ryan.naff@gmail.com"}
{"level":"info","ts":1661287969.119793,"logger":"tls.issuance.acme","msg":"done waiting on internal rate limiter","identifiers":["naff.casa"],"ca":"https://acme-v02.api.letsencrypt.org/directory","account":"ryan.naff@gmail.com"}
{"level":"info","ts":1661287969.121443,"msg":"autosaved config (load with --resume flag)","file":"/config/caddy/autosave.json"}
{"level":"info","ts":1661287969.12149,"msg":"serving initial configuration"}
{"level":"info","ts":1661287969.88405,"logger":"tls.issuance.acme.acme_client","msg":"trying to solve challenge","identifier":"naff.casa","challenge_type":"tls-alpn-01","ca":"https://acme-v02.api.letsencrypt.org/directory"}
{"level":"error","ts":1661287970.2386084,"logger":"tls.issuance.acme.acme_client","msg":"challenge failed","identifier":"naff.casa","challenge_type":"tls-alpn-01","problem":{"type":"urn:ietf:params:acme:error:unauthorized","title":"","detail":"Cannot negotiate ALPN protocol \"acme-tls/1\" for tls-alpn-01 challenge","instance":"","subproblems":[]}}
{"level":"error","ts":1661287970.238734,"logger":"tls.issuance.acme.acme_client","msg":"validating authorization","identifier":"naff.casa","problem":{"type":"urn:ietf:params:acme:error:unauthorized","title":"","detail":"Cannot negotiate ALPN protocol \"acme-tls/1\" for tls-alpn-01 challenge","instance":"","subproblems":[]},"order":"https://acme-v02.api.letsencrypt.org/acme/order/127013746/118935071467","attempt":1,"max_attempts":3}
{"level":"info","ts":1661287971.385481,"logger":"tls.issuance.acme.acme_client","msg":"trying to solve challenge","identifier":"naff.casa","challenge_type":"http-01","ca":"https://acme-v02.api.letsencrypt.org/directory"}
{"level":"error","ts":1661287971.730858,"logger":"tls.issuance.acme.acme_client","msg":"challenge failed","identifier":"naff.casa","challenge_type":"http-01","problem":{"type":"urn:ietf:params:acme:error:unauthorized","title":"","detail":"2606:4700:3037::ac43:c4f7: Invalid response from http://naff.casa/.well-known/acme-challenge/XhM01SCqWc6hjHZeS0CGDVlt_Av1COpN8VIxDa4EIE4: 403","instance":"","subproblems":[]}}
{"level":"error","ts":1661287971.7310746,"logger":"tls.issuance.acme.acme_client","msg":"validating authorization","identifier":"naff.casa","problem":{"type":"urn:ietf:params:acme:error:unauthorized","title":"","detail":"2606:4700:3037::ac43:c4f7: Invalid response from http://naff.casa/.well-known/acme-challenge/XhM01SCqWc6hjHZeS0CGDVlt_Av1COpN8VIxDa4EIE4: 403","instance":"","subproblems":[]},"order":"https://acme-v02.api.letsencrypt.org/acme/order/127013746/118935074497","attempt":2,"max_attempts":3}
{"level":"error","ts":1661287971.7311814,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"naff.casa","issuer":"acme-v02.api.letsencrypt.org-directory","error":"HTTP 403 urn:ietf:params:acme:error:unauthorized - 2606:4700:3037::ac43:c4f7: Invalid response from http://naff.casa/.well-known/acme-challenge/XhM01SCqWc6hjHZeS0CGDVlt_Av1COpN8VIxDa4EIE4: 403"}
{"level":"info","ts":1661287971.7319148,"logger":"tls.issuance.acme","msg":"waiting on internal rate limiter","identifiers":["naff.casa"],"ca":"https://acme.zerossl.com/v2/DV90","account":"ryan.naff@gmail.com"}
{"level":"info","ts":1661287971.7320268,"logger":"tls.issuance.acme","msg":"done waiting on internal rate limiter","identifiers":["naff.casa"],"ca":"https://acme.zerossl.com/v2/DV90","account":"ryan.naff@gmail.com"}
{"level":"info","ts":1661287993.6329064,"logger":"tls.issuance.acme.acme_client","msg":"trying to solve challenge","identifier":"naff.casa","challenge_type":"http-01","ca":"https://acme.zerossl.com/v2/DV90"}
{"level":"error","ts":1661288186.4946084,"logger":"http.log.error","msg":"dial tcp 192.168.1.37:1111: connect: connection refused","request":{"remote_ip":"192.168.1.1","remote_port":"9040","proto":"HTTP/2.0","method":"GET","host":"www.naff.casa","uri":"/","headers":{"Sec-Ch-Ua":["\"Chromium\";v=\"104\", \" Not A;Brand\";v=\"99\", \"Google Chrome\";v=\"104\""],"Sec-Ch-Ua-Platform":["\"Windows\""],"Upgrade-Insecure-Requests":["1"],"User-Agent":["Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36"],"Accept":["text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9"],"Purpose":["prefetch"],"Sec-Fetch-Site":["none"],"Sec-Fetch-User":["?1"],"Sec-Ch-Ua-Mobile":["?0"],"Sec-Fetch-Mode":["navigate"],"Sec-Fetch-Dest":["document"],"Accept-Encoding":["gzip, deflate, br"],"Accept-Language":["en-US,en;q=0.9"]},"tls":{"resumed":false,"version":772,"cipher_suite":4867,"proto":"h2","server_name":"www.naff.casa"}},"duration":0.001010169,"status":502,"err_id":"phdgu96fz","err_trace":"reverseproxy.statusError (reverseproxy.go:1184)"}
{"level":"error","ts":1661288301.0419633,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"naff.casa","issuer":"acme.zerossl.com-v2-DV90","error":"[naff.casa] solving challenges: [naff.casa] authorization took too long (order=https://acme.zerossl.com/v2/DV90/order/P-rUVs0YSNv8gXMjGfi-zw) (ca=https://acme.zerossl.com/v2/DV90)"}
{"level":"error","ts":1661288301.0420623,"logger":"tls.obtain","msg":"will retry","error":"[naff.casa] Obtain: [naff.casa] solving challenges: [naff.casa] authorization took too long (order=https://acme.zerossl.com/v2/DV90/order/P-rUVs0YSNv8gXMjGfi-zw) (ca=https://acme.zerossl.com/v2/DV90)","attempt":1,"retrying_in":60,"elapsed":331.924072782,"max_duration":2592000}
{"level":"info","ts":1661288361.3881571,"logger":"tls.issuance.acme.acme_client","msg":"trying to solve challenge","identifier":"naff.casa","challenge_type":"http-01","ca":"https://acme-staging-v02.api.letsencrypt.org/directory"}
{"level":"error","ts":1661288361.7337716,"logger":"tls.issuance.acme.acme_client","msg":"challenge failed","identifier":"naff.casa","challenge_type":"http-01","problem":{"type":"urn:ietf:params:acme:error:unauthorized","title":"","detail":"2606:4700:3037::ac43:c4f7: Invalid response from http://naff.casa/.well-known/acme-challenge/jOaUzvigXMdQjXxg4rUlxwHb1bsxcbxc9S765mde_Gg: 403","instance":"","subproblems":[]}}
{"level":"error","ts":1661288361.7339041,"logger":"tls.issuance.acme.acme_client","msg":"validating authorization","identifier":"naff.casa","problem":{"type":"urn:ietf:params:acme:error:unauthorized","title":"","detail":"2606:4700:3037::ac43:c4f7: Invalid response from http://naff.casa/.well-known/acme-challenge/jOaUzvigXMdQjXxg4rUlxwHb1bsxcbxc9S765mde_Gg: 403","instance":"","subproblems":[]},"order":"https://acme-staging-v02.api.letsencrypt.org/acme/order/19892834/3771805784","attempt":1,"max_attempts":3}
{"level":"info","ts":1661288362.8436286,"logger":"tls.issuance.acme.acme_client","msg":"trying to solve challenge","identifier":"naff.casa","challenge_type":"tls-alpn-01","ca":"https://acme-staging-v02.api.letsencrypt.org/directory"}
{"level":"error","ts":1661288363.190342,"logger":"tls.issuance.acme.acme_client","msg":"challenge failed","identifier":"naff.casa","challenge_type":"tls-alpn-01","problem":{"type":"urn:ietf:params:acme:error:unauthorized","title":"","detail":"Cannot negotiate ALPN protocol \"acme-tls/1\" for tls-alpn-01 challenge","instance":"","subproblems":[]}}
{"level":"error","ts":1661288363.1904476,"logger":"tls.issuance.acme.acme_client","msg":"validating authorization","identifier":"naff.casa","problem":{"type":"urn:ietf:params:acme:error:unauthorized","title":"","detail":"Cannot negotiate ALPN protocol \"acme-tls/1\" for tls-alpn-01 challenge","instance":"","subproblems":[]},"order":"https://acme-staging-v02.api.letsencrypt.org/acme/order/19892834/3771805994","attempt":2,"max_attempts":3}
{"level":"error","ts":1661288363.1905048,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"naff.casa","issuer":"acme-v02.api.letsencrypt.org-directory","error":"HTTP 403 urn:ietf:params:acme:error:unauthorized - Cannot negotiate ALPN protocol \"acme-tls/1\" for tls-alpn-01 challenge"}
{"level":"info","ts":1661288374.401656,"logger":"tls.issuance.acme.acme_client","msg":"trying to solve challenge","identifier":"naff.casa","challenge_type":"http-01","ca":"https://acme.zerossl.com/v2/DV90"}
{"level":"error","ts":1661288687.6170526,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"naff.casa","issuer":"acme.zerossl.com-v2-DV90","error":"[naff.casa] solving challenges: [naff.casa] authorization took too long (order=https://acme.zerossl.com/v2/DV90/order/SU3o1lhcdQUI2RgxuUiWkQ) (ca=https://acme.zerossl.com/v2/DV90)"}
{"level":"error","ts":1661288687.6171775,"logger":"tls.obtain","msg":"will retry","error":"[naff.casa] Obtain: [naff.casa] solving challenges: [naff.casa] authorization took too long (order=https://acme.zerossl.com/v2/DV90/order/SU3o1lhcdQUI2RgxuUiWkQ) (ca=https://acme.zerossl.com/v2/DV90)","attempt":2,"retrying_in":120,"elapsed":718.499187566,"max_duration":2592000}
{"level":"info","ts":1661288808.12972,"logger":"tls.issuance.acme.acme_client","msg":"trying to solve challenge","identifier":"naff.casa","challenge_type":"http-01","ca":"https://acme-staging-v02.api.letsencrypt.org/directory"}
{"level":"error","ts":1661288808.7734842,"logger":"tls.issuance.acme.acme_client","msg":"challenge failed","identifier":"naff.casa","challenge_type":"http-01","problem":{"type":"urn:ietf:params:acme:error:unauthorized","title":"","detail":"2606:4700:3033::6815:2227: Invalid response from http://naff.casa/.well-known/acme-challenge/To9MUzw0enVT291Lok_JxJ6XSgiVXqXwto2ylas_NJw: 403","instance":"","subproblems":[]}}
{"level":"error","ts":1661288808.7736177,"logger":"tls.issuance.acme.acme_client","msg":"validating authorization","identifier":"naff.casa","problem":{"type":"urn:ietf:params:acme:error:unauthorized","title":"","detail":"2606:4700:3033::6815:2227: Invalid response from http://naff.casa/.well-known/acme-challenge/To9MUzw0enVT291Lok_JxJ6XSgiVXqXwto2ylas_NJw: 403","instance":"","subproblems":[]},"order":"https://acme-staging-v02.api.letsencrypt.org/acme/order/19892834/3771868374","attempt":1,"max_attempts":3}
{"level":"info","ts":1661288809.8901477,"logger":"tls.issuance.acme.acme_client","msg":"trying to solve challenge","identifier":"naff.casa","challenge_type":"tls-alpn-01","ca":"https://acme-staging-v02.api.letsencrypt.org/directory"}
{"level":"error","ts":1661288811.709706,"logger":"tls.issuance.acme.acme_client","msg":"challenge failed","identifier":"naff.casa","challenge_type":"tls-alpn-01","problem":{"type":"urn:ietf:params:acme:error:unauthorized","title":"","detail":"Cannot negotiate ALPN protocol \"acme-tls/1\" for tls-alpn-01 challenge","instance":"","subproblems":[]}}
{"level":"error","ts":1661288811.7098074,"logger":"tls.issuance.acme.acme_client","msg":"validating authorization","identifier":"naff.casa","problem":{"type":"urn:ietf:params:acme:error:unauthorized","title":"","detail":"Cannot negotiate ALPN protocol \"acme-tls/1\" for tls-alpn-01 challenge","instance":"","subproblems":[]},"order":"https://acme-staging-v02.api.letsencrypt.org/acme/order/19892834/3771868574","attempt":2,"max_attempts":3}
{"level":"error","ts":1661288811.7098873,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"naff.casa","issuer":"acme-v02.api.letsencrypt.org-directory","error":"HTTP 403 urn:ietf:params:acme:error:unauthorized - Cannot negotiate ALPN protocol \"acme-tls/1\" for tls-alpn-01 challenge"}
{"level":"info","ts":1661288841.2099123,"logger":"tls.issuance.acme.acme_client","msg":"trying to solve challenge","identifier":"naff.casa","challenge_type":"http-01","ca":"https://acme.zerossl.com/v2/DV90"}

5. What I already tried:

Spent most of the day trying to figure this out on my own.

I tried hosting an Apache container and pointing to it via Caddyfile (like my other containers, which work fine) but I wasn’t able to get that going either.

6. Links to relevant resources:

Looks like Caddy didn’t even see the challenge request; your domain is probably pointing to another server instead.

I have it working fine with 10 other containers and everything is running on the same box/docker network.

What do I need to change in my code to get it to connect to the correct box?

My Cloudflare is sending it to the correct IP.

Did you recently add Cloudflare to your setup? Like after setting up the rest of your domains?

Nope.

I was using Traefik 2 previously with Cloudflare and have had this working with Cloudflare with my other subdomains for over a year.

Weird that I can’t just get a simple static website working with it but really complex services work fine haha

To be clear, your Caddyfile looks fine. The problem is something with Cloudflare. Did you set up some kind of rule in Cloudflare to make ACME HTTP challenges work for your other domains? Is that rule missing for your apex domain? Try using a subdomain for your static site instead of the apex, see if that works.


Do my settings look okay?

I will get a new IP address once we figure this out so that no one can hax0r me.

Why does naff.casa have a different IP address than jellyfin?

But what I was talking about is not DNS, but rather page rules. Do you have any page rules for /.well-known/acme-challenge?

To follow on, do you have any “Always Use HTTPS” page rules?

(And definitely follow up on the different IP for the apex domain, that’s a highly plausible culprit given it’s the apex domain you’re having trouble with while your other containers - I assume which have subdomains - seem fine.)
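
The reasoning in the replies above (no sign that Caddy itself answered the challenge, and a 403 coming back from a Cloudflare address) can be run as a triage over Caddy's JSON log. This is an added example, not code from the thread or from Caddy; the sample log is constructed, and the Cloudflare prefix and the "served key authentication" message text are assumptions to check against your own setup.

```python
import ipaddress
import json
import re

# Assumption: 2606:4700::/32 is one of the IPv6 prefixes Cloudflare publishes
# for its edge. Check the current published list before relying on it.
CLOUDFLARE_V6 = ipaddress.ip_network("2606:4700::/32")

# Assumption: start of the message Caddy logs when it answers a challenge itself.
SERVED_MSG = "served key authentication"

# The CA's http-01 error detail begins with the address its validator reached.
DETAIL_RE = re.compile(r"^([0-9A-Fa-f:.]+): Invalid response from \S+: (\d{3})")

# Constructed sample modelled on the log format in the thread (placeholder
# domains and token, fields trimmed). Raw string so the JSON escapes survive.
SAMPLE_LOG = r"""
{"level":"error","logger":"tls.issuance.acme.acme_client","msg":"challenge failed","identifier":"example.test","challenge_type":"tls-alpn-01","problem":{"detail":"Cannot negotiate ALPN protocol \"acme-tls/1\" for tls-alpn-01 challenge"}}
{"level":"error","logger":"tls.issuance.acme.acme_client","msg":"challenge failed","identifier":"example.test","challenge_type":"http-01","problem":{"detail":"2606:4700:3037::ac43:c4f7: Invalid response from http://example.test/.well-known/acme-challenge/CONSTRUCTED-TOKEN: 403"}}
{"level":"error","logger":"tls.issuance.acme.acme_client","msg":"challenge failed","identifier":"old.example.test","challenge_type":"http-01","problem":{"detail":"2001:db8::10: Invalid response from http://old.example.test/.well-known/acme-challenge/CONSTRUCTED-TOKEN: 404"}}
{"level":"info","logger":"tls","msg":"served key authentication","identifier":"sub.example.test","challenge":"http-01","remote":"203.0.113.7:40000"}
this line is not JSON and is skipped
"""


def is_cloudflare(addr):
    """True if addr parses as an IPv6 address inside the assumed Cloudflare prefix."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return ip.version == 6 and ip in CLOUDFLARE_V6


def triage(log_text):
    """Summarise ACME challenge outcomes per identifier from Caddy JSON log lines."""
    report = {}
    for line in log_text.splitlines():
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # blank lines and non-JSON noise
        if not isinstance(entry, dict) or "identifier" not in entry:
            continue
        rec = report.setdefault(entry["identifier"], {
            "failed": {}, "validator_addrs": set(),
            "http_statuses": set(), "served": False,
        })
        msg = entry.get("msg", "")
        if msg.startswith(SERVED_MSG):
            rec["served"] = True
        elif msg == "challenge failed":
            ctype = entry.get("challenge_type", "unknown")
            rec["failed"][ctype] = rec["failed"].get(ctype, 0) + 1
            detail = (entry.get("problem") or {}).get("detail", "")
            m = DETAIL_RE.match(detail)
            if m:
                rec["validator_addrs"].add(m.group(1))
                rec["http_statuses"].add(int(m.group(2)))

    for rec in report.values():
        rec["validator_addrs"] = sorted(rec["validator_addrs"])
        rec["http_statuses"] = sorted(rec["http_statuses"])
        if rec["served"]:
            # Caddy handled a challenge request for this name.
            rec["verdict"] = "served"
        elif any(is_cloudflare(a) for a in rec["validator_addrs"]):
            # The CA's validator was answered by a Cloudflare edge, not by Caddy.
            rec["verdict"] = "cloudflare-edge"
        elif rec["failed"]:
            # Failures, but the answering host is neither Caddy nor Cloudflare:
            # check where the DNS record for this name points.
            rec["verdict"] = "not-reached"
        else:
            rec["verdict"] = "no-failures"
    return report


if __name__ == "__main__":
    for name, rec in triage(SAMPLE_LOG).items():
        print(name, rec["verdict"], rec["failed"], rec["validator_addrs"])
```

A "cloudflare-edge" verdict for a name points at the proxy layer (page rules, proxied record) rather than the Caddyfile; "not-reached" points at the DNS record for that name.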

I changed the DNS IP for naff.casa and now I get a handshake SSL error.

Looks like we’re making progress? hahaha

Please be more specific. We can’t really suggest anything from here unless you show us your logs and such.

naff.casa –

logs from caddy container:


{"level":"error","ts":1661288811.7098873,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"naff.casa","issuer":"acme-v02.api.letsencrypt.org-directory","error":"HTTP 403 urn:ietf:params:acme:error:unauthorized - Cannot negotiate ALPN protocol \"acme-tls/1\" for tls-alpn-01 challenge"}
{"level":"info","ts":1661288841.2099123,"logger":"tls.issuance.acme.acme_client","msg":"trying to solve challenge","identifier":"naff.casa","challenge_type":"http-01","ca":"https://acme.zerossl.com/v2/DV90"}
{"level":"error","ts":1661289158.5896466,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"naff.casa","issuer":"acme.zerossl.com-v2-DV90","error":"[naff.casa] solving challenges: [naff.casa] authorization took too long (order=https://acme.zerossl.com/v2/DV90/order/3Xf4cDgF9mbaXRhrQPz2Dg) (ca=https://acme.zerossl.com/v2/DV90)"}
{"level":"error","ts":1661289158.5897424,"logger":"tls.obtain","msg":"will retry","error":"[naff.casa] Obtain: [naff.casa] solving challenges: [naff.casa] authorization took too long (order=https://acme.zerossl.com/v2/DV90/order/3Xf4cDgF9mbaXRhrQPz2Dg) (ca=https://acme.zerossl.com/v2/DV90)","attempt":3,"retrying_in":120,"elapsed":1189.471752558,"max_duration":2592000}
{"level":"info","ts":1661289278.8983588,"logger":"tls.issuance.acme.acme_client","msg":"trying to solve challenge","identifier":"naff.casa","challenge_type":"http-01","ca":"https://acme-staging-v02.api.letsencrypt.org/directory"}
{"level":"error","ts":1661289279.5352721,"logger":"tls.issuance.acme.acme_client","msg":"challenge failed","identifier":"naff.casa","challenge_type":"http-01","problem":{"type":"urn:ietf:params:acme:error:unauthorized","title":"","detail":"2606:4700:3037::ac43:c4f7: Invalid response from http://naff.casa/.well-known/acme-challenge/d4dpRQNGXXo7sPnAB4h5tUnM2Hq_8miwYDhyK6z6TLY: 403","instance":"","subproblems":[]}}
{"level":"error","ts":1661289279.5353994,"logger":"tls.issuance.acme.acme_client","msg":"validating authorization","identifier":"naff.casa","problem":{"type":"urn:ietf:params:acme:error:unauthorized","title":"","detail":"2606:4700:3037::ac43:c4f7: Invalid response from http://naff.casa/.well-known/acme-challenge/d4dpRQNGXXo7sPnAB4h5tUnM2Hq_8miwYDhyK6z6TLY: 403","instance":"","subproblems":[]},"order":"https://acme-staging-v02.api.letsencrypt.org/acme/order/19892834/3771936934","attempt":1,"max_attempts":3}
{"level":"info","ts":1661289280.6443303,"logger":"tls.issuance.acme.acme_client","msg":"trying to solve challenge","identifier":"naff.casa","challenge_type":"tls-alpn-01","ca":"https://acme-staging-v02.api.letsencrypt.org/directory"}
{"level":"error","ts":1661289280.9891922,"logger":"tls.issuance.acme.acme_client","msg":"challenge failed","identifier":"naff.casa","challenge_type":"tls-alpn-01","problem":{"type":"urn:ietf:params:acme:error:unauthorized","title":"","detail":"Cannot negotiate ALPN protocol \"acme-tls/1\" for tls-alpn-01 challenge","instance":"","subproblems":[]}}
{"level":"error","ts":1661289280.9895017,"logger":"tls.issuance.acme.acme_client","msg":"validating authorization","identifier":"naff.casa","problem":{"type":"urn:ietf:params:acme:error:unauthorized","title":"","detail":"Cannot negotiate ALPN protocol \"acme-tls/1\" for tls-alpn-01 challenge","instance":"","subproblems":[]},"order":"https://acme-staging-v02.api.letsencrypt.org/acme/order/19892834/3771937244","attempt":2,"max_attempts":3}
{"level":"error","ts":1661289280.989598,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"naff.casa","issuer":"acme-v02.api.letsencrypt.org-directory","error":"HTTP 403 urn:ietf:params:acme:error:unauthorized - Cannot negotiate ALPN protocol \"acme-tls/1\" for tls-alpn-01 challenge"}
{"level":"info","ts":1661289299.645919,"logger":"tls.issuance.acme.acme_client","msg":"trying to solve challenge","identifier":"naff.casa","challenge_type":"http-01","ca":"https://acme.zerossl.com/v2/DV90"}
{"level":"error","ts":1661289623.6970189,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"naff.casa","issuer":"acme.zerossl.com-v2-DV90","error":"[naff.casa] solving challenges: [naff.casa] authorization took too long (order=https://acme.zerossl.com/v2/DV90/order/4NVIovy7H_I9xgVkvrGU4Q) (ca=https://acme.zerossl.com/v2/DV90)"}
{"level":"error","ts":1661289623.6971736,"logger":"tls.obtain","msg":"will retry","error":"[naff.casa] Obtain: [naff.casa] solving challenges: [naff.casa] authorization took too long (order=https://acme.zerossl.com/v2/DV90/order/4NVIovy7H_I9xgVkvrGU4Q) (ca=https://acme.zerossl.com/v2/DV90)","attempt":4,"retrying_in":300,"elapsed":1654.5791552,"max_duration":2592000}
{"level":"info","ts":1661289923.9948294,"logger":"tls.issuance.acme.acme_client","msg":"trying to solve challenge","identifier":"naff.casa","challenge_type":"http-01","ca":"https://acme-staging-v02.api.letsencrypt.org/directory"}
{"level":"error","ts":1661289924.3408463,"logger":"tls.issuance.acme.acme_client","msg":"challenge failed","identifier":"naff.casa","challenge_type":"http-01","problem":{"type":"urn:ietf:params:acme:error:unauthorized","title":"","detail":"2606:4700:3033::6815:2227: Invalid response from http://naff.casa/.well-known/acme-challenge/x6ljrXNG-FFqAl2k72_VE0gGQY00_eX0m1vaHV_07RA: 403","instance":"","subproblems":[]}}
{"level":"error","ts":1661289924.3409436,"logger":"tls.issuance.acme.acme_client","msg":"validating authorization","identifier":"naff.casa","problem":{"type":"urn:ietf:params:acme:error:unauthorized","title":"","detail":"2606:4700:3033::6815:2227: Invalid response from http://naff.casa/.well-known/acme-challenge/x6ljrXNG-FFqAl2k72_VE0gGQY00_eX0m1vaHV_07RA: 403","instance":"","subproblems":[]},"order":"https://acme-staging-v02.api.letsencrypt.org/acme/order/19892834/3772031874","attempt":1,"max_attempts":3}
{"level":"info","ts":1661289925.5009882,"logger":"tls.issuance.acme.acme_client","msg":"trying to solve challenge","identifier":"naff.casa","challenge_type":"tls-alpn-01","ca":"https://acme-staging-v02.api.letsencrypt.org/directory"}
{"level":"error","ts":1661289925.8483407,"logger":"tls.issuance.acme.acme_client","msg":"challenge failed","identifier":"naff.casa","challenge_type":"tls-alpn-01","problem":{"type":"urn:ietf:params:acme:error:unauthorized","title":"","detail":"Cannot negotiate ALPN protocol \"acme-tls/1\" for tls-alpn-01 challenge","instance":"","subproblems":[]}}
{"level":"error","ts":1661289925.848448,"logger":"tls.issuance.acme.acme_client","msg":"validating authorization","identifier":"naff.casa","problem":{"type":"urn:ietf:params:acme:error:unauthorized","title":"","detail":"Cannot negotiate ALPN protocol \"acme-tls/1\" for tls-alpn-01 challenge","instance":"","subproblems":[]},"order":"https://acme-staging-v02.api.letsencrypt.org/acme/order/19892834/3772031994","attempt":2,"max_attempts":3}
{"level":"error","ts":1661289925.8485115,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"naff.casa","issuer":"acme-v02.api.letsencrypt.org-directory","error":"HTTP 403 urn:ietf:params:acme:error:unauthorized - Cannot negotiate ALPN protocol \"acme-tls/1\" for tls-alpn-01 challenge"}
{"level":"info","ts":1661289937.6424458,"logger":"tls.issuance.acme.acme_client","msg":"trying to solve challenge","identifier":"naff.casa","challenge_type":"http-01","ca":"https://acme.zerossl.com/v2/DV90"}
{"level":"error","ts":1661290250.1180704,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"naff.casa","issuer":"acme.zerossl.com-v2-DV90","error":"[naff.casa] solving challenges: [naff.casa] authorization took too long (order=https://acme.zerossl.com/v2/DV90/order/WNo31Nlsm_ejKu_08Y5LnA) (ca=https://acme.zerossl.com/v2/DV90)"}
{"level":"error","ts":1661290250.118177,"logger":"tls.obtain","msg":"will retry","error":"[naff.casa] Obtain: [naff.casa] solving challenges: [naff.casa] authorization took too long (order=https://acme.zerossl.com/v2/DV90/order/WNo31Nlsm_ejKu_08Y5LnA) (ca=https://acme.zerossl.com/v2/DV90)","attempt":5,"retrying_in":600,"elapsed":2281.000187103,"max_duration":2592000}
{"level":"error","ts":1661290619.1261513,"logger":"http.handlers.reverse_proxy","msg":"aborting with incomplete response","error":"context canceled"}
{"level":"error","ts":1661290619.163509,"logger":"http.handlers.reverse_proxy","msg":"aborting with incomplete response","error":"context canceled"}
{"level":"info","ts":1661290851.0912,"logger":"tls.issuance.acme.acme_client","msg":"trying to solve challenge","identifier":"naff.casa","challenge_type":"http-01","ca":"https://acme-staging-v02.api.letsencrypt.org/directory"}
{"level":"error","ts":1661290851.7324445,"logger":"tls.issuance.acme.acme_client","msg":"challenge failed","identifier":"naff.casa","challenge_type":"http-01","problem":{"type":"urn:ietf:params:acme:error:unauthorized","title":"","detail":"2606:4700:3033::6815:2227: Invalid response from http://naff.casa/.well-known/acme-challenge/C3lupQSCdTkqJMz_lKeiS4RFxfxMcywdFgxajSsXe78: 403","instance":"","subproblems":[]}}
{"level":"error","ts":1661290851.7325885,"logger":"tls.issuance.acme.acme_client","msg":"validating authorization","identifier":"naff.casa","problem":{"type":"urn:ietf:params:acme:error:unauthorized","title":"","detail":"2606:4700:3033::6815:2227: Invalid response from http://naff.casa/.well-known/acme-challenge/C3lupQSCdTkqJMz_lKeiS4RFxfxMcywdFgxajSsXe78: 403","instance":"","subproblems":[]},"order":"https://acme-staging-v02.api.letsencrypt.org/acme/order/19892834/3772134624","attempt":1,"max_attempts":3}
{"level":"info","ts":1661290852.8506827,"logger":"tls.issuance.acme.acme_client","msg":"trying to solve challenge","identifier":"naff.casa","challenge_type":"tls-alpn-01","ca":"https://acme-staging-v02.api.letsencrypt.org/directory"}
{"level":"error","ts":1661290853.1946182,"logger":"tls.issuance.acme.acme_client","msg":"challenge failed","identifier":"naff.casa","challenge_type":"tls-alpn-01","problem":{"type":"urn:ietf:params:acme:error:unauthorized","title":"","detail":"Cannot negotiate ALPN protocol \"acme-tls/1\" for tls-alpn-01 challenge","instance":"","subproblems":[]}}
{"level":"error","ts":1661290853.194704,"logger":"tls.issuance.acme.acme_client","msg":"validating authorization","identifier":"naff.casa","problem":{"type":"urn:ietf:params:acme:error:unauthorized","title":"","detail":"Cannot negotiate ALPN protocol \"acme-tls/1\" for tls-alpn-01 challenge","instance":"","subproblems":[]},"order":"https://acme-staging-v02.api.letsencrypt.org/acme/order/19892834/3772134744","attempt":2,"max_attempts":3}
{"level":"error","ts":1661290853.1947522,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"naff.casa","issuer":"acme-v02.api.letsencrypt.org-directory","error":"HTTP 403 urn:ietf:params:acme:error:unauthorized - Cannot negotiate ALPN protocol \"acme-tls/1\" for tls-alpn-01 challenge"}
{"level":"info","ts":1661290864.017898,"logger":"tls.issuance.acme.acme_client","msg":"trying to solve challenge","identifier":"naff.casa","challenge_type":"http-01","ca":"https://acme.zerossl.com/v2/DV90"}
{"level":"error","ts":1661291185.1756263,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"naff.casa","issuer":"acme.zerossl.com-v2-DV90","error":"[naff.casa] solving challenges: [naff.casa] authorization took too long (order=https://acme.zerossl.com/v2/DV90/order/wUuO7QPcGKm90T7nu70mZA) (ca=https://acme.zerossl.com/v2/DV90)"}
{"level":"error","ts":1661291185.1760316,"logger":"tls.obtain","msg":"will retry","error":"[naff.casa] Obtain: [naff.casa] solving challenges: [naff.casa] authorization took too long (order=https://acme.zerossl.com/v2/DV90/order/wUuO7QPcGKm90T7nu70mZA) (ca=https://acme.zerossl.com/v2/DV90)","attempt":6,"retrying_in":1200,"elapsed":3216.058041403,"max_duration":2592000}
{"level":"info","ts":1661292385.6827345,"logger":"tls.issuance.acme.acme_client","msg":"trying to solve challenge","identifier":"naff.casa","challenge_type":"http-01","ca":"https://acme-staging-v02.api.letsencrypt.org/directory"}
{"level":"error","ts":1661292386.3226025,"logger":"tls.issuance.acme.acme_client","msg":"challenge failed","identifier":"naff.casa","challenge_type":"http-01","problem":{"type":"urn:ietf:params:acme:error:unauthorized","title":"","detail":"2606:4700:3033::6815:2227: Invalid response from http://naff.casa/.well-known/acme-challenge/FWCp-Lk6DUTsh7Y6OhLBhlu0zq-15i7NGXyvdqTg6Fc: 403","instance":"","subproblems":[]}}
{"level":"error","ts":1661292386.3227227,"logger":"tls.issuance.acme.acme_client","msg":"validating authorization","identifier":"naff.casa","problem":{"type":"urn:ietf:params:acme:error:unauthorized","title":"","detail":"2606:4700:3033::6815:2227: Invalid response from http://naff.casa/.well-known/acme-challenge/FWCp-Lk6DUTsh7Y6OhLBhlu0zq-15i7NGXyvdqTg6Fc: 403","instance":"","subproblems":[]},"order":"https://acme-staging-v02.api.letsencrypt.org/acme/order/19892834/3772339884","attempt":1,"max_attempts":3}
{"level":"info","ts":1661292387.4449754,"logger":"tls.issuance.acme.acme_client","msg":"trying to solve challenge","identifier":"naff.casa","challenge_type":"tls-alpn-01","ca":"https://acme-staging-v02.api.letsencrypt.org/directory"}
{"level":"error","ts":1661292387.79061,"logger":"tls.issuance.acme.acme_client","msg":"challenge failed","identifier":"naff.casa","challenge_type":"tls-alpn-01","problem":{"type":"urn:ietf:params:acme:error:unauthorized","title":"","detail":"Cannot negotiate ALPN protocol \"acme-tls/1\" for tls-alpn-01 challenge","instance":"","subproblems":[]}}
{"level":"error","ts":1661292387.7907436,"logger":"tls.issuance.acme.acme_client","msg":"validating authorization","identifier":"naff.casa","problem":{"type":"urn:ietf:params:acme:error:unauthorized","title":"","detail":"Cannot negotiate ALPN protocol \"acme-tls/1\" for tls-alpn-01 challenge","instance":"","subproblems":[]},"order":"https://acme-staging-v02.api.letsencrypt.org/acme/order/19892834/3772340094","attempt":2,"max_attempts":3}
{"level":"error","ts":1661292387.7908127,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"naff.casa","issuer":"acme-v02.api.letsencrypt.org-directory","error":"HTTP 403 urn:ietf:params:acme:error:unauthorized - Cannot negotiate ALPN protocol \"acme-tls/1\" for tls-alpn-01 challenge"}
{"level":"info","ts":1661292402.8712542,"logger":"tls.issuance.acme.acme_client","msg":"trying to solve challenge","identifier":"naff.casa","challenge_type":"http-01","ca":"https://acme.zerossl.com/v2/DV90"}
{"level":"error","ts":1661292720.9083295,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"naff.casa","issuer":"acme.zerossl.com-v2-DV90","error":"[naff.casa] solving challenges: [naff.casa] authorization took too long (order=https://acme.zerossl.com/v2/DV90/order/xjOeSCiV-BKBo6gtaB8Azw) (ca=https://acme.zerossl.com/v2/DV90)"}
{"level":"error","ts":1661292720.9084551,"logger":"tls.obtain","msg":"will retry","error":"[naff.casa] Obtain: [naff.casa] solving challenges: [naff.casa] authorization took too long (order=https://acme.zerossl.com/v2/DV90/order/xjOeSCiV-BKBo6gtaB8Azw) (ca=https://acme.zerossl.com/v2/DV90)","attempt":7,"retrying_in":1200,"elapsed":4751.790465059,"max_duration":2592000}
{"level":"info","ts":1661293921.4348845,"logger":"tls.issuance.acme.acme_client","msg":"trying to solve challenge","identifier":"naff.casa","challenge_type":"http-01","ca":"https://acme-staging-v02.api.letsencrypt.org/directory"}
{"level":"error","ts":1661293922.0730703,"logger":"tls.issuance.acme.acme_client","msg":"challenge failed","identifier":"naff.casa","challenge_type":"http-01","problem":{"type":"urn:ietf:params:acme:error:unauthorized","title":"","detail":"2606:4700:3037::ac43:c4f7: Invalid response from http://naff.casa/.well-known/acme-challenge/43H9uR5lvgGcRFMTSNFE40BB1NJu8Dh0utL9rU02X28: 403","instance":"","subproblems":[]}}
{"level":"error","ts":1661293922.073148,"logger":"tls.issuance.acme.acme_client","msg":"validating authorization","identifier":"naff.casa","problem":{"type":"urn:ietf:params:acme:error:unauthorized","title":"","detail":"2606:4700:3037::ac43:c4f7: Invalid response from http://naff.casa/.well-known/acme-challenge/43H9uR5lvgGcRFMTSNFE40BB1NJu8Dh0utL9rU02X28: 403","instance":"","subproblems":[]},"order":"https://acme-staging-v02.api.letsencrypt.org/acme/order/19892834/3772546844","attempt":1,"max_attempts":3}
{"level":"info","ts":1661293923.1864035,"logger":"tls.issuance.acme.acme_client","msg":"trying to solve challenge","identifier":"naff.casa","challenge_type":"tls-alpn-01","ca":"https://acme-staging-v02.api.letsencrypt.org/directory"}
{"level":"error","ts":1661293923.5317783,"logger":"tls.issuance.acme.acme_client","msg":"challenge failed","identifier":"naff.casa","challenge_type":"tls-alpn-01","problem":{"type":"urn:ietf:params:acme:error:unauthorized","title":"","detail":"Cannot negotiate ALPN protocol \"acme-tls/1\" for tls-alpn-01 challenge","instance":"","subproblems":[]}}
{"level":"error","ts":1661293923.531883,"logger":"tls.issuance.acme.acme_client","msg":"validating authorization","identifier":"naff.casa","problem":{"type":"urn:ietf:params:acme:error:unauthorized","title":"","detail":"Cannot negotiate ALPN protocol \"acme-tls/1\" for tls-alpn-01 challenge","instance":"","subproblems":[]},"order":"https://acme-staging-v02.api.letsencrypt.org/acme/order/19892834/3772547154","attempt":2,"max_attempts":3}
{"level":"error","ts":1661293923.5319302,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"naff.casa","issuer":"acme-v02.api.letsencrypt.org-directory","error":"HTTP 403 urn:ietf:params:acme:error:unauthorized - Cannot negotiate ALPN protocol \"acme-tls/1\" for tls-alpn-01 challenge"}
{"level":"info","ts":1661293937.311601,"logger":"tls.issuance.acme.acme_client","msg":"trying to solve challenge","identifier":"naff.casa","challenge_type":"http-01","ca":"https://acme.zerossl.com/v2/DV90"}
{"level":"error","ts":1661294251.061191,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"naff.casa","issuer":"acme.zerossl.com-v2-DV90","error":"[naff.casa] solving challenges: [naff.casa] authorization took too long (order=https://acme.zerossl.com/v2/DV90/order/H4UlNEL91ZlFKWRdvB9taw) (ca=https://acme.zerossl.com/v2/DV90)"}
{"level":"error","ts":1661294251.0613012,"logger":"tls.obtain","msg":"will retry","error":"[naff.casa] Obtain: [naff.casa] solving challenges: [naff.casa] authorization took too long (order=https://acme.zerossl.com/v2/DV90/order/H4UlNEL91ZlFKWRdvB9taw) (ca=https://acme.zerossl.com/v2/DV90)","attempt":8,"retrying_in":1800,"elapsed":6281.943310573,"max_duration":2592000}
{"level":"info","ts":1661296051.6783683,"logger":"tls.issuance.acme.acme_client","msg":"trying to solve challenge","identifier":"naff.casa","challenge_type":"http-01","ca":"https://acme-staging-v02.api.letsencrypt.org/directory"}
{"level":"error","ts":1661296052.3297584,"logger":"tls.issuance.acme.acme_client","msg":"challenge failed","identifier":"naff.casa","challenge_type":"http-01","problem":{"type":"urn:ietf:params:acme:error:unauthorized","title":"","detail":"2606:4700:3037::ac43:c4f7: Invalid response from http://naff.casa/.well-known/acme-challenge/HkPL0zM4iK-HjDArIwJ0d2QZ2P8TcBmOcaJU9T2ujYY: 403","instance":"","subproblems":[]}}
{"level":"error","ts":1661296052.3300285,"logger":"tls.issuance.acme.acme_client","msg":"validating authorization","identifier":"naff.casa","problem":{"type":"urn:ietf:params:acme:error:unauthorized","title":"","detail":"2606:4700:3037::ac43:c4f7: Invalid response from http://naff.casa/.well-known/acme-challenge/HkPL0zM4iK-HjDArIwJ0d2QZ2P8TcBmOcaJU9T2ujYY: 403","instance":"","subproblems":[]},"order":"https://acme-staging-v02.api.letsencrypt.org/acme/order/19892834/3772841724","attempt":1,"max_attempts":3}
{"level":"info","ts":1661296053.4523244,"logger":"tls.issuance.acme.acme_client","msg":"trying to solve challenge","identifier":"naff.casa","challenge_type":"tls-alpn-01","ca":"https://acme-staging-v02.api.letsencrypt.org/directory"}
{"level":"error","ts":1661296053.8065996,"logger":"tls.issuance.acme.acme_client","msg":"challenge failed","identifier":"naff.casa","challenge_type":"tls-alpn-01","problem":{"type":"urn:ietf:params:acme:error:unauthorized","title":"","detail":"Cannot negotiate ALPN protocol \"acme-tls/1\" for tls-alpn-01 challenge","instance":"","subproblems":[]}}
{"level":"error","ts":1661296053.8067043,"logger":"tls.issuance.acme.acme_client","msg":"validating authorization","identifier":"naff.casa","problem":{"type":"urn:ietf:params:acme:error:unauthorized","title":"","detail":"Cannot negotiate ALPN protocol \"acme-tls/1\" for tls-alpn-01 challenge","instance":"","subproblems":[]},"order":"https://acme-staging-v02.api.letsencrypt.org/acme/order/19892834/3772841894","attempt":2,"max_attempts":3}
{"level":"error","ts":1661296053.806782,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"naff.casa","issuer":"acme-v02.api.letsencrypt.org-directory","error":"HTTP 403 urn:ietf:params:acme:error:unauthorized - Cannot negotiate ALPN protocol \"acme-tls/1\" for tls-alpn-01 challenge"}
{"level":"info","ts":1661296066.954923,"logger":"tls.issuance.acme.acme_client","msg":"trying to solve challenge","identifier":"naff.casa","challenge_type":"http-01","ca":"https://acme.zerossl.com/v2/DV90"}
{"level":"error","ts":1661296378.4124656,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"naff.casa","issuer":"acme.zerossl.com-v2-DV90","error":"[naff.casa] solving challenges: [naff.casa] authorization took too long (order=https://acme.zerossl.com/v2/DV90/order/NMsPc_brYFkT1-09htWoWg) (ca=https://acme.zerossl.com/v2/DV90)"}
{"level":"error","ts":1661296378.4125915,"logger":"tls.obtain","msg":"will retry","error":"[naff.casa] Obtain: [naff.casa] solving challenges: [naff.casa] authorization took too long (order=https://acme.zerossl.com/v2/DV90/order/NMsPc_brYFkT1-09htWoWg) (ca=https://acme.zerossl.com/v2/DV90)","attempt":9,"retrying_in":1800,"elapsed":8409.294600367,"max_duration":2592000}
{"level":"info","ts":1661298179.4845698,"logger":"tls.issuance.acme.acme_client","msg":"trying to solve challenge","identifier":"naff.casa","challenge_type":"http-01","ca":"https://acme-staging-v02.api.letsencrypt.org/directory"}
{"level":"error","ts":1661298179.833795,"logger":"tls.issuance.acme.acme_client","msg":"challenge failed","identifier":"naff.casa","challenge_type":"http-01","problem":{"type":"urn:ietf:params:acme:error:unauthorized","title":"","detail":"2606:4700:3037::ac43:c4f7: Invalid response from http://naff.casa/.well-known/acme-challenge/11TZSa5cduBXtQNiDSH1oX1AGEwIu_tH7NLPq_hqL00: 403","instance":"","subproblems":[]}}
{"level":"error","ts":1661298179.8339326,"logger":"tls.issuance.acme.acme_client","msg":"validating authorization","identifier":"naff.casa","problem":{"type":"urn:ietf:params:acme:error:unauthorized","title":"","detail":"2606:4700:3037::ac43:c4f7: Invalid response from http://naff.casa/.well-known/acme-challenge/11TZSa5cduBXtQNiDSH1oX1AGEwIu_tH7NLPq_hqL00: 403","instance":"","subproblems":[]},"order":"https://acme-staging-v02.api.letsencrypt.org/acme/order/19892834/3773123124","attempt":1,"max_attempts":3}
{"level":"info","ts":1661298180.95913,"logger":"tls.issuance.acme.acme_client","msg":"trying to solve challenge","identifier":"naff.casa","challenge_type":"tls-alpn-01","ca":"https://acme-staging-v02.api.letsencrypt.org/directory"}
{"level":"error","ts":1661298181.3146272,"logger":"tls.issuance.acme.acme_client","msg":"challenge failed","identifier":"naff.casa","challenge_type":"tls-alpn-01","problem":{"type":"urn:ietf:params:acme:error:unauthorized","title":"","detail":"Cannot negotiate ALPN protocol \"acme-tls/1\" for tls-alpn-01 challenge","instance":"","subproblems":[]}}
{"level":"error","ts":1661298181.3147073,"logger":"tls.issuance.acme.acme_client","msg":"validating authorization","identifier":"naff.casa","problem":{"type":"urn:ietf:params:acme:error:unauthorized","title":"","detail":"Cannot negotiate ALPN protocol \"acme-tls/1\" for tls-alpn-01 challenge","instance":"","subproblems":[]},"order":"https://acme-staging-v02.api.letsencrypt.org/acme/order/19892834/3773123294","attempt":2,"max_attempts":3}
{"level":"error","ts":1661298181.314756,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"naff.casa","issuer":"acme-v02.api.letsencrypt.org-directory","error":"HTTP 403 urn:ietf:params:acme:error:unauthorized - Cannot negotiate ALPN protocol \"acme-tls/1\" for tls-alpn-01 challenge"}
{"level":"info","ts":1661298197.6500285,"logger":"tls.issuance.acme.acme_client","msg":"trying to solve challenge","identifier":"naff.casa","challenge_type":"http-01","ca":"https://acme.zerossl.com/v2/DV90"}
{"level":"error","ts":1661298504.7562852,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"naff.casa","issuer":"acme.zerossl.com-v2-DV90","error":"[naff.casa] solving challenges: [naff.casa] authorization took too long (order=https://acme.zerossl.com/v2/DV90/order/VXi4HCDYJiqWki2jqY4Crw) (ca=https://acme.zerossl.com/v2/DV90)"}
{"level":"error","ts":1661298504.756393,"logger":"tls.obtain","msg":"will retry","error":"[naff.casa] Obtain: [naff.casa] solving challenges: [naff.casa] authorization took too long (order=https://acme.zerossl.com/v2/DV90/order/VXi4HCDYJiqWki2jqY4Crw) (ca=https://acme.zerossl.com/v2/DV90)","attempt":10,"retrying_in":3600,"elapsed":10535.638403328,"max_duration":2592000}
{"level":"info","ts":1661302105.112193,"logger":"tls.issuance.acme.acme_client","msg":"trying to solve challenge","identifier":"naff.casa","challenge_type":"http-01","ca":"https://acme-staging-v02.api.letsencrypt.org/directory"}
{"level":"error","ts":1661302105.7567742,"logger":"tls.issuance.acme.acme_client","msg":"challenge failed","identifier":"naff.casa","challenge_type":"http-01","problem":{"type":"urn:ietf:params:acme:error:unauthorized","title":"","detail":"2606:4700:3037::ac43:c4f7: Invalid response from http://naff.casa/.well-known/acme-challenge/X3GBwEIU-93WW1RNDL737TZxpLJq0yTvZcWvUNW0oOI: 403","instance":"","subproblems":[]}}
{"level":"error","ts":1661302105.7569957,"logger":"tls.issuance.acme.acme_client","msg":"validating authorization","identifier":"naff.casa","problem":{"type":"urn:ietf:params:acme:error:unauthorized","title":"","detail":"2606:4700:3037::ac43:c4f7: Invalid response from http://naff.casa/.well-known/acme-challenge/X3GBwEIU-93WW1RNDL737TZxpLJq0yTvZcWvUNW0oOI: 403","instance":"","subproblems":[]},"order":"https://acme-staging-v02.api.letsencrypt.org/acme/order/19892834/3773776094","attempt":1,"max_attempts":3}
{"level":"info","ts":1661302106.88743,"logger":"tls.issuance.acme.acme_client","msg":"trying to solve challenge","identifier":"naff.casa","challenge_type":"tls-alpn-01","ca":"https://acme-staging-v02.api.letsencrypt.org/directory"}
{"level":"error","ts":1661302107.2345865,"logger":"tls.issuance.acme.acme_client","msg":"challenge failed","identifier":"naff.casa","challenge_type":"tls-alpn-01","problem":{"type":"urn:ietf:params:acme:error:unauthorized","title":"","detail":"Cannot negotiate ALPN protocol \"acme-tls/1\" for tls-alpn-01 challenge","instance":"","subproblems":[]}}
{"level":"error","ts":1661302107.2346897,"logger":"tls.issuance.acme.acme_client","msg":"validating authorization","identifier":"naff.casa","problem":{"type":"urn:ietf:params:acme:error:unauthorized","title":"","detail":"Cannot negotiate ALPN protocol \"acme-tls/1\" for tls-alpn-01 challenge","instance":"","subproblems":[]},"order":"https://acme-staging-v02.api.letsencrypt.org/acme/order/19892834/3773776264","attempt":2,"max_attempts":3}
{"level":"error","ts":1661302107.234759,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"naff.casa","issuer":"acme-v02.api.letsencrypt.org-directory","error":"HTTP 403 urn:ietf:params:acme:error:unauthorized - Cannot negotiate ALPN protocol \"acme-tls/1\" for tls-alpn-01 challenge"}
{"level":"error","ts":1661302107.7702823,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"naff.casa","issuer":"acme.zerossl.com-v2-DV90","error":"[naff.casa] creating new order: fetching new nonce from server: HTTP 500:  (ca=https://acme.zerossl.com/v2/DV90)"}
{"level":"error","ts":1661302107.7703602,"logger":"tls.obtain","msg":"will retry","error":"[naff.casa] Obtain: [naff.casa] creating new order: fetching new nonce from server: HTTP 500:  (ca=https://acme.zerossl.com/v2/DV90)","attempt":11,"retrying_in":10800,"elapsed":14138.652371062,"max_duration":2592000}

@naffhouse could you please:

  1. Check your Page Rules on the Cloudflare dashboard and tell us what’s configured there, and;
  2. Add the following configuration to your Caddyfile for the naff.casa site:
# ↓ Change your site labels ↓
http://naff.casa, https://naff.casa {

  # ↓ Add below ↓
  log
  tls {
    issuer acme {
      dir https://acme-staging-v02.api.letsencrypt.org/directory
      disable_tlsalpn_challenge
    }
  }
  # ↑ Add above ↑

  root * /srv/www
  encode gzip
  file_server
}

This will:

  • Configure access logging for your site
  • Explicitly configure the HTTP listener so the access log can see HTTP requests that are normally handled separately by the HTTP->S upgrade listener
  • Define our ACME endpoint as staging for the duration of our investigations, to be removed when we get a good result

The magic phrase we want to see here in our logs is some variant of "Cf-Visitor":["{\"scheme\":\"http\"}"] which will confirm that Cloudflare is behaving under its default configuration (connecting to the origin with the same scheme requested by Cloudflare’s client).

I have tested on a spare VPS with a spare subdomain to confirm that with no Page Rules, and SSL set to Full (Strict), Caddy does receive HTTP requests forwarded through Cloudflare and can solve HTTP-01 challenges:

When you set your encryption mode to Full, Cloudflare allows HTTPS connections between your visitor and Cloudflare and makes connections to the origin using the scheme requested by the visitor. If your visitor uses http, then Cloudflare connects to the origin using plaintext HTTP and vice versa.
Full - SSL/TLS encryption modes · Cloudflare SSL/TLS docs

When you set your encryption mode to Full (strict), Cloudflare does everything in Full mode but also enforces more stringent requirements for origin certificates.
Full (strict) - SSL/TLS encryption modes · Cloudflare SSL/TLS docs

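The log check described in the reply above, as an added example that is not part of the original post or of Caddy's own tooling: a Python script that reads Caddy JSON log lines, tallies ACME challenge failures by type, and reports which Cf-Visitor schemes appear in the access log. The sample lines are constructed and the function names are hypothetical.

```python
import json
import re
from collections import Counter

# Constructed sample in the JSON log format shown in this thread
# (hosts, addresses and tokens are made up for the example).
SAMPLE_LOG = r'''
{"level":"error","ts":1.0,"logger":"tls.issuance.acme.acme_client","msg":"challenge failed","identifier":"example.test","challenge_type":"tls-alpn-01","problem":{"detail":"Cannot negotiate ALPN protocol \"acme-tls/1\" for tls-alpn-01 challenge"}}
{"level":"error","ts":2.0,"logger":"tls.issuance.acme.acme_client","msg":"challenge failed","identifier":"example.test","challenge_type":"http-01","problem":{"detail":"2001:db8::1: Invalid response from http://example.test/.well-known/acme-challenge/CONSTRUCTED-TOKEN: 403"}}
{"level":"info","ts":3.0,"logger":"http.log.access","msg":"handled request","request":{"remote_ip":"192.168.1.1","method":"GET","host":"wpad.example.test","uri":"/wpad.dat","headers":{"User-Agent":["WinHttp-Autoproxy-Service/5.1"]}},"status":308}
{"level":"info","ts":4.0,"logger":"http.log.access","msg":"handled request","request":{"remote_ip":"203.0.113.7","method":"GET","host":"example.test","uri":"/","headers":{"Cf-Visitor":["{\"scheme\":\"http\"}"]}},"status":200}
{"level":"info","ts":5.0,"logger":"http.log.access","msg":"handled request","request":{"remote_ip":"203.0.113.7","method":"GET","host":"example.test","uri":"/","headers":{"Cf-Visitor":["{\"scheme\":\"https\"}"]}},"status":200}
{"level":"info","ts":6.0,"msg":"truncated line
not json: a stray line that the parser must skip
'''

# Pulls the HTTP status out of an http-01 failure detail string.
HTTP_STATUS = re.compile(r"Invalid response from \S+: (\d{3})")


def parse_entries(text):
    """Yield one dict per valid JSON log line; skip anything else."""
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("{"):
            continue
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # truncated or corrupted line
        if isinstance(entry, dict):
            yield entry


def cf_visitor_scheme(entry):
    """Return the scheme named in Cf-Visitor, or None if absent or malformed."""
    headers = entry.get("request", {}).get("headers", {})
    for name, values in headers.items():
        # Header names are compared case-insensitively.
        if name.lower() == "cf-visitor" and values:
            try:
                # The header value is itself a small JSON document.
                return json.loads(values[0]).get("scheme")
            except (json.JSONDecodeError, AttributeError, TypeError):
                return None
    return None


def classify_failure(entry):
    """Map a 'challenge failed' entry to (challenge_type, reason)."""
    detail = entry.get("problem", {}).get("detail", "")
    ctype = entry.get("challenge_type", "unknown")
    if "Cannot negotiate ALPN protocol" in detail:
        return (ctype, "alpn-not-negotiated")
    match = HTTP_STATUS.search(detail)
    if match:
        return (ctype, "http-" + match.group(1))
    return (ctype, "other")


def triage(text):
    """Summarise ACME failures and the schemes Cloudflare used to the origin."""
    failures = Counter()
    schemes = Counter()  # requests that carried a Cf-Visitor header
    direct = 0           # access-log entries without one (e.g. LAN clients)
    for entry in parse_entries(text):
        if entry.get("msg") == "challenge failed":
            failures[classify_failure(entry)] += 1
        elif entry.get("logger") == "http.log.access":
            scheme = cf_visitor_scheme(entry)
            if scheme is None:
                direct += 1
            else:
                schemes[scheme] += 1
    return {
        "failures": dict(failures),
        "cf_schemes": dict(schemes),
        "direct_requests": direct,
        # True once at least one request arrived with scheme "http".
        "http_forwarded": schemes.get("http", 0) > 0,
    }


if __name__ == "__main__":
    print(json.dumps({k: str(v) for k, v in triage(SAMPLE_LOG).items()}, indent=2))
```

Entries counted under direct_requests carry no Cf-Visitor header, so they did not come through Cloudflare and say nothing about how it connects to the origin.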

Matthew,

Thank you for your incredibly detailed response.

Is this a passion project and you’re helping out of the kindness of your heart or are you guys supporting Caddy in an effort to turn it on to enterprise?

I guess it doesn’t matter, either way, you’re being really helpful and I appreciate your guidance.

Here are my page rules from Cloudflare for my domain, let me know if this isn’t what you’re looking for.

I’m going to adjust my settings as you requested and see if that works.


I believe I’ve added what you asked correctly, I restarted Caddy and don’t seem to be experiencing any errors.

Here’s my Caddyfile:

}
http://naff.casa, https://naff.casa {
  log
  tls {
    issuer acme {
      dir https://acme-staging-v02.api.letsencrypt.org/directory
      disable_tlsalpn_challenge
    }
  }
  root * /srv/www
  encode gzip
  file_server
}

Here are my logs from Caddy since the restart:

{"level":"info","ts":1661310398.198556,"logger":"tls.obtain","msg":"releasing lock","identifier":"naff.casa"}
{"level":"info","ts":1661310398.198494,"logger":"tls.cache.maintenance","msg":"stopped background certificate maintenance","cache":"0xc000926070"}
{"level":"error","ts":1661310398.1991012,"msg":"unable to clean up lock in storage backend","signal":"SIGTERM","storage":"FileStorage:/data/caddy","lock_key":"issue_cert_naff.casa","error":"remove /data/caddy/locks/issue_cert_naff.casa.lock: no such file or directory"}
{"level":"error","ts":1661310398.1992729,"logger":"tls","msg":"job failed","error":"naff.casa: obtaining certificate: context canceled"}
{"level":"info","ts":1661310398.2005143,"logger":"admin","msg":"stopped previous server","address":"tcp/localhost:2019"}
{"level":"info","ts":1661310398.2005694,"msg":"shutdown complete","signal":"SIGTERM","exit_code":0}
{"level":"info","ts":1661310399.487557,"msg":"using provided configuration","config_file":"/etc/caddy/Caddyfile","config_adapter":"caddyfile"}
{"level":"warn","ts":1661310399.49254,"msg":"Caddyfile input is not formatted; run the 'caddy fmt' command to fix inconsistencies","adapter":"caddyfile","file":"/etc/caddy/Caddyfile","line":2}
{"level":"info","ts":1661310399.495841,"logger":"admin","msg":"admin endpoint started","address":"tcp/localhost:2019","enforce_origin":false,"origins":["//localhost:2019","//[::1]:2019","//127.0.0.1:2019"]}
{"level":"info","ts":1661310399.4967272,"logger":"tls.cache.maintenance","msg":"started background certificate maintenance","cache":"0xc000306770"}
{"level":"info","ts":1661310399.4969203,"logger":"http","msg":"server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS","server_name":"srv0","https_port":443}
{"level":"info","ts":1661310399.4971015,"logger":"http","msg":"enabling automatic HTTP->HTTPS redirects","server_name":"srv0"}
{"level":"warn","ts":1661310399.4971907,"logger":"http","msg":"server is listening only on the HTTP port, so no automatic HTTPS will be applied to this server","server_name":"srv1","http_port":80}
{"level":"info","ts":1661310399.4998946,"logger":"tls","msg":"cleaning storage unit","description":"FileStorage:/data/caddy"}
{"level":"info","ts":1661310399.5002158,"logger":"http","msg":"enabling automatic TLS certificate management","domains":["cloud.naff.casa","sonarr.naff.casa","port.naff.casa","cctv.naff.casa","www.naff.casa","jellyfin.naff.casa","radarr.naff.casa","naff.casa","remote.naff.casa","bw.naff.casa","plex.naff.casa","ombi.naff.casa"]}
{"level":"info","ts":1661310399.519256,"msg":"autosaved config (load with --resume flag)","file":"/config/caddy/autosave.json"}
{"level":"info","ts":1661310399.5194404,"msg":"serving initial configuration"}
{"level":"info","ts":1661310399.5198152,"logger":"tls.obtain","msg":"acquiring lock","identifier":"naff.casa"}
{"level":"info","ts":1661310399.5222192,"logger":"tls.obtain","msg":"lock acquired","identifier":"naff.casa"}
{"level":"info","ts":1661310399.5233858,"logger":"tls.issuance.acme","msg":"waiting on internal rate limiter","identifiers":["naff.casa"],"ca":"https://acme-staging-v02.api.letsencrypt.org/directory","account":"ryan.naff@gmail.com"}
{"level":"info","ts":1661310399.523434,"logger":"tls.issuance.acme","msg":"done waiting on internal rate limiter","identifiers":["naff.casa"],"ca":"https://acme-staging-v02.api.letsencrypt.org/directory","account":"ryan.naff@gmail.com"}
{"level":"info","ts":1661310399.5311246,"logger":"tls","msg":"finished cleaning storage units"}
{"level":"info","ts":1661310400.0327463,"logger":"tls.issuance.acme.acme_client","msg":"trying to solve challenge","identifier":"naff.casa","challenge_type":"http-01","ca":"https://acme-staging-v02.api.letsencrypt.org/directory"}
{"level":"error","ts":1661310400.6902966,"logger":"tls.issuance.acme.acme_client","msg":"challenge failed","identifier":"naff.casa","challenge_type":"http-01","problem":{"type":"urn:ietf:params:acme:error:unauthorized","title":"","detail":"2606:4700:3033::6815:2227: Invalid response from http://naff.casa/.well-known/acme-challenge/ku1MLm_lSmOoyXtn4Hb7ByT1hasW_KNJAScl2borWAA: 403","instance":"","subproblems":[]}}
{"level":"error","ts":1661310400.690408,"logger":"tls.issuance.acme.acme_client","msg":"validating authorization","identifier":"naff.casa","problem":{"type":"urn:ietf:params:acme:error:unauthorized","title":"","detail":"2606:4700:3033::6815:2227: Invalid response from http://naff.casa/.well-known/acme-challenge/ku1MLm_lSmOoyXtn4Hb7ByT1hasW_KNJAScl2borWAA: 403","instance":"","subproblems":[]},"order":"https://acme-staging-v02.api.letsencrypt.org/acme/order/19892834/3775015814","attempt":1,"max_attempts":3}
{"level":"error","ts":1661310400.6905377,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"naff.casa","issuer":"acme-staging-v02.api.letsencrypt.org-directory","error":"HTTP 403 urn:ietf:params:acme:error:unauthorized - 2606:4700:3033::6815:2227: Invalid response from http://naff.casa/.well-known/acme-challenge/ku1MLm_lSmOoyXtn4Hb7ByT1hasW_KNJAScl2borWAA: 403"}
{"level":"error","ts":1661310400.6905823,"logger":"tls.obtain","msg":"will retry","error":"[naff.casa] Obtain: [naff.casa] solving challenge: naff.casa: [naff.casa] authorization failed: HTTP 403 urn:ietf:params:acme:error:unauthorized - 2606:4700:3033::6815:2227: Invalid response from http://naff.casa/.well-known/acme-challenge/ku1MLm_lSmOoyXtn4Hb7ByT1hasW_KNJAScl2borWAA: 403 (ca=https://acme-staging-v02.api.letsencrypt.org/directory)","attempt":1,"retrying_in":60,"elapsed":1.16832076,"max_duration":2592000}
{"level":"info","ts":1661310435.0639117,"logger":"http.log.access","msg":"handled request","request":{"remote_ip":"192.168.1.1","remote_port":"11300","proto":"HTTP/1.1","method":"GET","host":"wpad","uri":"/wpad.dat","headers":{"Accept-Encoding":["gzip, deflate"],"Connection":["keep-alive"],"User-Agent":["Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36"]}},"user_id":"","duration":0.000136977,"size":0,"status":308,"resp_headers":{"Connection":["close"],"Location":["https://wpad/wpad.dat"],"Content-Type":[],"Server":["Caddy"]}}
{"level":"error","ts":1661310441.0746381,"logger":"http.handlers.reverse_proxy","msg":"aborting with incomplete response","error":"context canceled"}
{"level":"info","ts":1661310461.1436753,"logger":"tls.issuance.acme.acme_client","msg":"trying to solve challenge","identifier":"naff.casa","challenge_type":"http-01","ca":"https://acme-staging-v02.api.letsencrypt.org/directory"}
{"level":"error","ts":1661310461.5021198,"logger":"tls.issuance.acme.acme_client","msg":"challenge failed","identifier":"naff.casa","challenge_type":"http-01","problem":{"type":"urn:ietf:params:acme:error:unauthorized","title":"","detail":"2606:4700:3037::ac43:c4f7: Invalid response from http://naff.casa/.well-known/acme-challenge/EVQilILmzCJhjEVrnZAInjptIUoFqD2BWaqJbQQuIck: 403","instance":"","subproblems":[]}}
{"level":"error","ts":1661310461.5022113,"logger":"tls.issuance.acme.acme_client","msg":"validating authorization","identifier":"naff.casa","problem":{"type":"urn:ietf:params:acme:error:unauthorized","title":"","detail":"2606:4700:3037::ac43:c4f7: Invalid response from http://naff.casa/.well-known/acme-challenge/EVQilILmzCJhjEVrnZAInjptIUoFqD2BWaqJbQQuIck: 403","instance":"","subproblems":[]},"order":"https://acme-staging-v02.api.letsencrypt.org/acme/order/19892834/3775024144","attempt":1,"max_attempts":3}
{"level":"error","ts":1661310461.502274,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"naff.casa","issuer":"acme-staging-v02.api.letsencrypt.org-directory","error":"HTTP 403 urn:ietf:params:acme:error:unauthorized - 2606:4700:3037::ac43:c4f7: Invalid response from http://naff.casa/.well-known/acme-challenge/EVQilILmzCJhjEVrnZAInjptIUoFqD2BWaqJbQQuIck: 403"}
{"level":"error","ts":1661310461.5023015,"logger":"tls.obtain","msg":"will retry","error":"[naff.casa] Obtain: [naff.casa] solving challenge: naff.casa: [naff.casa] authorization failed: HTTP 403 urn:ietf:params:acme:error:unauthorized - 2606:4700:3037::ac43:c4f7: Invalid response from http://naff.casa/.well-known/acme-challenge/EVQilILmzCJhjEVrnZAInjptIUoFqD2BWaqJbQQuIck: 403 (ca=https://acme-staging-v02.api.letsencrypt.org/directory)","attempt":2,"retrying_in":120,"elapsed":61.980040067,"max_duration":2592000}
{"level":"info","ts":1661310504.4093268,"logger":"http.log.access","msg":"handled request","request":{"remote_ip":"192.168.1.1","remote_port":"31512","proto":"HTTP/1.1","method":"GET","host":"wpad.naff.casa","uri":"/wpad.dat","headers":{"Connection":["Keep-Alive"],"Accept":["*/*"],"User-Agent":["WinHttp-Autoproxy-Service/5.1"]}},"user_id":"","duration":0.000126552,"size":0,"status":308,"resp_headers":{"Server":["Caddy"],"Connection":["close"],"Location":["https://wpad.naff.casa/wpad.dat"],"Content-Type":[]}}
{"level":"info","ts":1661310581.68057,"logger":"tls.issuance.acme.acme_client","msg":"trying to solve challenge","identifier":"naff.casa","challenge_type":"http-01","ca":"https://acme-staging-v02.api.letsencrypt.org/directory"}
{"level":"error","ts":1661310582.0357273,"logger":"tls.issuance.acme.acme_client","msg":"challenge failed","identifier":"naff.casa","challenge_type":"http-01","problem":{"type":"urn:ietf:params:acme:error:unauthorized","title":"","detail":"2606:4700:3037::ac43:c4f7: Invalid response from http://naff.casa/.well-known/acme-challenge/DszY5B3Daob9gZOS1y1XNLFLcjM1uZgrIXlDPn77UTI: 403","instance":"","subproblems":[]}}
{"level":"error","ts":1661310582.035936,"logger":"tls.issuance.acme.acme_client","msg":"validating authorization","identifier":"naff.casa","problem":{"type":"urn:ietf:params:acme:error:unauthorized","title":"","detail":"2606:4700:3037::ac43:c4f7: Invalid response from http://naff.casa/.well-known/acme-challenge/DszY5B3Daob9gZOS1y1XNLFLcjM1uZgrIXlDPn77UTI: 403","instance":"","subproblems":[]},"order":"https://acme-staging-v02.api.letsencrypt.org/acme/order/19892834/3775040304","attempt":1,"max_attempts":3}
{"level":"error","ts":1661310582.0360587,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"naff.casa","issuer":"acme-staging-v02.api.letsencrypt.org-directory","error":"HTTP 403 urn:ietf:params:acme:error:unauthorized - 2606:4700:3037::ac43:c4f7: Invalid response from http://naff.casa/.well-known/acme-challenge/DszY5B3Daob9gZOS1y1XNLFLcjM1uZgrIXlDPn77UTI: 403"}
{"level":"error","ts":1661310582.0361319,"logger":"tls.obtain","msg":"will retry","error":"[naff.casa] Obtain: [naff.casa] solving challenge: naff.casa: [naff.casa] authorization failed: HTTP 403 urn:ietf:params:acme:error:unauthorized - 2606:4700:3037::ac43:c4f7: Invalid response from http://naff.casa/.well-known/acme-challenge/DszY5B3Daob9gZOS1y1XNLFLcjM1uZgrIXlDPn77UTI: 403 (ca=https://acme-staging-v02.api.letsencrypt.org/directory)","attempt":3,"retrying_in":120,"elapsed":182.513870163,"max_duration":2592000}
{"level":"info","ts":1661310582.142883,"logger":"http.log.access","msg":"handled request","request":{"remote_ip":"192.168.1.1","remote_port":"31708","proto":"HTTP/1.1","method":"GET","host":"wpad.naff.casa","uri":"/wpad.dat","headers":{"Connection":["Keep-Alive"],"Accept":["*/*"],"User-Agent":["WinHttp-Autoproxy-Service/5.1"]}},"user_id":"","duration":0.000090952,"size":0,"status":308,"resp_headers":{"Server":["Caddy"],"Connection":["close"],"Location":["https://wpad.naff.casa/wpad.dat"],"Content-Type":[]}}
{"level":"info","ts":1661310603.8287406,"logger":"http.log.access","msg":"handled request","request":{"remote_ip":"192.168.1.1","remote_port":"38099","proto":"HTTP/1.1","method":"GET","host":"wpad.naff.casa","uri":"/wpad.dat","headers":{"Connection":["Keep-Alive"],"Accept":["*/*"],"User-Agent":["WinHttp-Autoproxy-Service/5.1"]}},"user_id":"","duration":0.000094505,"size":0,"status":308,"resp_headers":{"Server":["Caddy"],"Connection":["close"],"Location":["https://wpad.naff.casa/wpad.dat"],"Content-Type":[]}}

For me, I’m just a long-time user (and way back in Caddy v1 a code contributor, although I haven’t written anything for v2 :sweat_smile:). No skin in the game, I just like to help.

Got one more place for you to check:

On the Cloudflare dashboard, on naff.casa, find SSL/TLS in the left navigation and browse to Edge Certificates.

Then, ensure that “Always Use HTTPS” on that page is disabled.


I didn’t get an email notification with your last response.

Always use HTTPS was enabled but I disabled it.

I just tried going to naff.casa and it is giving me the same error.

Should I just give up? =O

Maybe there is another way to do this?

At one point I had an Apache container working correctly behind Caddy.

With Always Use HTTPS off across your site, Cloudflare should now be sending HTTP requests through to Caddy to handle. Everything should now be fully configured on Cloudflare’s end for HTTP-01 validation.

However, I note that there is no response from port 80 at your IP address.

whitestrake in ~ at merlin
➜ curl -IL --resolve naff.casa:443:98.167.142.137 https://naff.casa
curl: (35) error:1404B438:SSL routines:ST_CONNECT:tlsv1 alert internal error

whitestrake in ~ at merlin
➜ curl -IL --resolve naff.casa:80:98.167.142.137 http://naff.casa
curl: (28) Failed to connect to naff.casa port 80 after 74999 ms: Operation timed out

Please investigate your firewall to ensure port 80 is externally accessible and that packets are properly forwarded to Caddy.

Hi Matthew,

I ran this:

rnaff@linuxbox:/docker/cloudflare$ sudo ufw status
Status: inactive

Firewall isn’t active; maybe I need to open the port in Docker?

Also, if I try https://naff.casa – it still doesn’t connect

Hey Matt,

Also, I believe Caddy automatically forwards all port 80 requests to port 443? Or maybe that was Traefik 2.

Is it a better idea to try to run Apache as a container instead of using Caddy as the static file host?