FreeIPA certs for reverse proxy

1. The problem I’m having:

I am having issues getting SSL to work for Home Assistant using Caddy. I have no way of forwarding Let's Encrypt traffic and have the FreeIPA CA handling all internal certs. I have generated the cert/key. I attempt to use the same setup that works for an old APC PDU and get strange errors for the Home Assistant setup. The APC uses https://apc240... with no issues going to a non-SSL connection. The Home Assistant one works just fine if you don't use SSL. When adding SSL I either get various SSL-related errors or 403/50x errors when SSL properly loads but the site never shows.

2. Error messages and/or full log output:

$ curl -vL https://homeassistant.linux2themax.com:8023/
* Host homeassistant.linux2themax.com:8023 was resolved.
* IPv6: (none)
* IPv4: 10.1.2.42
*   Trying 10.1.2.42:8023...
* ALPN: curl offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256 / X25519MLKEM768 / RSASSA-PSS
* ALPN: server accepted h2
* Server certificate:
*  subject: O=LINUX2THEMAX.COM; CN=homeassistant.linux2themax.com
*  start date: Nov 27 18:45:56 2025 GMT
*  expire date: Nov 28 18:45:56 2027 GMT
*  subjectAltName: host "homeassistant.linux2themax.com" matched cert's "homeassistant.linux2themax.com"
*  issuer: O=LINUX2THEMAX.COM; CN=Certificate Authority
*  SSL certificate verify ok.
*   Certificate level 0: Public key type RSA (2048/112 Bits/secBits), signed using sha256WithRSAEncryption
*   Certificate level 1: Public key type RSA (3072/128 Bits/secBits), signed using sha256WithRSAEncryption
* Connected to homeassistant.linux2themax.com (10.1.2.42) port 8023
* using HTTP/2
* [HTTP/2] [1] OPENED stream for https://homeassistant.linux2themax.com:8023/
* [HTTP/2] [1] [:method: GET]
* [HTTP/2] [1] [:scheme: https]
* [HTTP/2] [1] [:authority: homeassistant.linux2themax.com:8023]
* [HTTP/2] [1] [:path: /]
* [HTTP/2] [1] [user-agent: curl/8.14.1]
* [HTTP/2] [1] [accept: */*]
> GET / HTTP/2
> Host: homeassistant.linux2themax.com:8023
> User-Agent: curl/8.14.1
> Accept: */*
> 
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* Request completely sent off
< HTTP/2 502 
< alt-svc: h3=":8023"; ma=2592000
< server: Caddy
< content-length: 0
< date: Fri, 28 Nov 2025 01:55:55 GMT
< 
* Connection #0 to host homeassistant.linux2themax.com left intact

3. Caddy version:

v2.10.2 h1:g/gTYjGMD0dec+UgMw8SnfmJ3I9+M2TdvoRL/Ovu6U8=

4. How I installed and ran Caddy:

a. System environment:

Debian 13 LXC from Proxmox helper scripts.

b. Command:

caddy start 

c. Service/unit/compose file:


d. My complete Caddy config:

apc240.linux2themax.com:8080 {
        tls /etc/caddy/apc240.crt /etc/caddy/apc240.key
        reverse_proxy http://10.1.1.240 {
        }
}

homeassistant.linux2themax.com:8023 {
        tls /etc/caddy/homeassistant.crt /etc/caddy/homeassistant.key
        reverse_proxy http://10.1.2.136:8123 {
        }
}

5. Links to relevant resources:

You could use the DNS challenge instead then; that would let you get publicly trusted certs without traffic reaching your server (as long as Caddy can connect to your DNS provider's API).

I strongly recommend not using caddy start; it doesn't provide any reliability. Use caddy run instead and run it as a systemd service (since you're on Debian).

This just means Caddy couldn’t connect to your upstream app (reverse_proxy isn’t working), not a problem with TLS at all. You had a successful TLS connection.

Are you sure this is the correct address?

If you run Caddy properly then you’d be able to see Caddy logs and see what kind of connection problem Caddy is reporting.

Yes, that is the address. I can also do it by DNS, which points to the same place. Neither works for that server. If I use HTTP I can access the site through the proxy with no issues, but that makes Caddy useless, as features on that site were programmatically disabled if SSL is not valid. The site works and can work through Caddy when using HTTP connections, but when turning on the SSL part of it things stop working. The APC PDU with the same configuration works flawlessly, so it makes no sense to me.

caddy start was just to figure out what's going on when testing issues, as it occasionally put up information on the console when the systemctl logs did not.

When you run it with caddy start it runs as a different user and therefore has different behaviour and stores certs in a different location. It’s not equivalent.

I don’t understand what you’re saying. Show what you mean. I don’t see any evidence of a problem with TLS here (btw SSL has been gone since 1999). All I see from your logs is that reverse_proxy can’t connect to your upstream app, nothing to do with Caddy serving TLS.
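The distinction made in the replies above (TLS succeeded, the 502 comes from reverse_proxy) can be checked mechanically. The following POSIX shell function is an added example, not from the thread or the Caddy project: it reads a saved `curl -v` transcript and reports which layer failed. The transcript inside the block is constructed from the thread's output; the `--cacert /etc/ipa/ca.crt` path in the comment is the usual location of the IPA CA certificate on an enrolled FreeIPA client.

```shell
# Added example, not from the thread or the Caddy project: classify a saved
# `curl -v` transcript so TLS problems are not confused with upstream problems.
# Capture one with, e.g.:
#   curl -vL --cacert /etc/ipa/ca.crt https://homeassistant.linux2themax.com:8023/ >/tmp/ha.log 2>&1
classify_curl() {
    log="$1"
    if grep -qF 'SSL certificate problem' "$log"; then
        # curl (60): the client does not trust the issuer; pass the FreeIPA CA with --cacert
        echo tls_trust
    elif grep -qF 'curl: (35)' "$log"; then
        # handshake failed before any certificate was verified (bad cert/key pair, protocol mismatch)
        echo tls_handshake
    elif grep -qF 'curl: (7)' "$log"; then
        # the TCP connection to Caddy itself never came up
        echo proxy_unreachable
    elif grep -qF 'SSL certificate verify ok' "$log" \
         && grep -Eq '^< HTTP/[0-9.]+ 50[234]' "$log" \
         && grep -qi '^< server: Caddy' "$log"; then
        # TLS is fine; the 502/503/504 is generated by Caddy because reverse_proxy
        # got no usable answer from the upstream
        echo upstream
    elif grep -qF 'SSL certificate verify ok' "$log" \
         && grep -Eq '^< HTTP/[0-9.]+ [23]' "$log"; then
        echo ok
    else
        echo unknown
    fi
}

# Constructed, abridged transcript mirroring the thread's output (not a live capture)
sample=$(mktemp)
cat >"$sample" <<'EOF'
* TLSv1.3 (IN), TLS handshake, Certificate (11):
*  issuer: O=LINUX2THEMAX.COM; CN=Certificate Authority
*  SSL certificate verify ok.
> GET / HTTP/2
< HTTP/2 502 
< server: Caddy
EOF
classify_curl "$sample"   # prints: upstream
rm -f "$sample"
```

When the result is `upstream`, the next check belongs on the Caddy host itself: plain `curl -v http://10.1.2.136:8123/` from there shows whether the upstream is reachable at all, independent of TLS.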