ERROR 525 cloudflare subdomain ipv6

1. Output of caddy version:

v2.6.1 h1:EDqo59TyYWhXQnfde93Mmv4FJfYe00dO60zMiEt+pzo=

2. How I run Caddy:

a. System environment:

Virtualization: lxc
Operating System: Ubuntu 20.04.5 LTS
Kernel: Linux 5.4.162-1-pve
Architecture: x86-64

b. Command:

I’ve downloaded caddy using

curl -1sLf '' | sudo gpg --dearmor -o /usr/share/keyrings/caddy-stable-archive-keyring.gpg
curl -1sLf '' | sudo tee /etc/apt/sources.list.d/caddy-stable.list
sudo apt update
sudo apt install caddy

and then added cloudflare package using
caddy add-package

I’m starting caddy by:

caddy start

keycloak docker container

docker run -d -p 2709:8080 --name keycloak-dev -e KEYCLOAK_ADMIN=example -e KEYCLOAK_ADMIN_PASSWORD=example -e KC_PROXY=edge -e PROXY_ADDRESS_FORWARDING=true start-dev

c. Service/unit/compose file:


ExecStart=/usr/bin/caddy run --environ --config /etc/caddy/Caddyfile
ExecReload=/usr/bin/caddy reload --config /etc/caddy/Caddyfile --force


d. My complete Caddy config:

(cloudflare) {
        tls {
                dns cloudflare {env.CLOUDFLARE_AUTH_TOKEN}
} {
        import cloudflare
        respond "Hello! I am finally working!"
} {
        import cloudflare
        reverse_proxy :2709

3. The problem I’m having:

I intend to run a docker keycloak container under separate subdomain, but I’m getting SSL handshake failed Error code 525 on both domains. Keycloak ran successfully on main domain ( but after sudo systemctl restart caddy it doesn’t work on both main and subdomain.
My VPS provider isn’t handing out IPv4 addresses so I have to proxy my IPv6 through cloudflare which gives me some trouble.

4. Error messages and/or full log output:

curl -kIL --resolve[IPv6] --resolve[IPv6]

HTTP/1.1 308 Permanent Redirect
Connection: close
Server: Caddy
Date: Wed, 28 Sep 2022 12:51:56 GMT

curl: (35) error:14094438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error

sudo journalctl -u caddy

wrz 28 12:52:05 j242 caddy[954]: {"level":"error","ts":1664369525.2136521,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":>
wrz 28 12:52:05 j242 caddy[954]: {"level":"error","ts":1664369525.2139134,"logger":"tls.obtain","msg":"will retry","error":"[] Obtain: [iliadri>
wrz 28 12:52:05 j242 caddy[954]: {"level":"error","ts":1664369525.7783217,"logger":"http.acme_client","msg":"cleaning up solver","identifier":"iliadril.del>
wrz 28 12:52:07 j242 caddy[954]: {"level":"error","ts":1664369527.8812165,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":>
wrz 28 12:52:07 j242 caddy[954]: {"level":"error","ts":1664369527.8817258,"logger":"tls.obtain","msg":"will retry","error":"[] Obtain:>
wrz 28 12:52:09 j242 caddy[954]: {"level":"error","ts":1664369529.0813124,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":>
wrz 28 12:52:09 j242 caddy[954]: {"level":"error","ts":1664369529.0818322,"logger":"tls.obtain","msg":"will retry","error":"[] Obtain>

5. What I already tried:

  • I tried to follow Error 525 ssl handshake failed - #14 by francislavoie
  • made sure I use correct cloudflare API token
  • tried several Caddyfiles that I’ve found on this forum
  • set SSL/TLS full (strict) on cloudflare
  • tried to disable proxy status (unchecked the cloudflare cloud)

6. Links to relevant resources:

The right way to use a custom build with plugins is by following these steps, to make sure that upgrading the apt package doesn’t clobber your custom build:

Don’t use caddy start. That should only be used for temporary/development usecases.

When you install Caddy with the apt repo, Caddy is set up to run as a systemd service. Follow this guide to understand how to use it that way:

Your logs are all truncated. Notice the > at the end of the line. So we can’t actually see the real error message. Please use the command we recommend in the docs to see your systemd logs: Keep Caddy Running — Caddy Documentation


Hi! Thank You so much for your reply and sorry for the late response.

I’ve scraped the old caddy instance and installed new one using xcaddy, after that I’ve followed the Keep Caddy Running — Caddy Documentation

It seems that on the previous install I had missed to properly define environmental variable env.CLOUDFLARE_AUTH_TOKEN inside the [Service] when using sudo systemctl edit caddy.
After setting it up and reloading the service, everything seems to be working properly :slight_smile:

1 Like

This topic was automatically closed after 30 days. New replies are no longer allowed.