Having issues with reverse proxies and Cloudflare HTTPS

1. Caddy version (caddy version):

V2.0.0

2. How I run Caddy:

a. System environment:

I use Ubuntu 18.04 with systemd

b. Command:

sudo systemctl start caddy.service

c. Service/unit/compose file:

# caddy.service
# 
# For using Caddy with a config file.
#
# Make sure the ExecStart and ExecReload commands are correct
# for your installation.
#
# See https://caddyserver.com/docs/install for instructions.
#
# WARNING: This service does not use the --resume flag, so if you
# use the API to make changes, they will be overwritten by the
# Caddyfile next time the service is restarted. If you intend to
# use Caddy's API to configure it, add the --resume flag to the
# `caddy run` command or use the caddy-api.service file instead.

[Unit]
Description=Caddy
Documentation=https://caddyserver.com/docs/
After=network.target

[Service]
User=caddy
Group=caddy
ExecStart=/usr/bin/caddy run --environ --config /etc/caddy/Caddyfile
ExecReload=/usr/bin/caddy reload --config /etc/caddy/Caddyfile
TimeoutStopSec=5s
LimitNOFILE=1048576
LimitNPROC=512
PrivateTmp=true
ProtectSystem=full
AmbientCapabilities=CAP_NET_BIND_SERVICE

[Install]
WantedBy=multi-user.target

d. My complete Caddyfile or JSON config:

tarek.wtf {
        reverse_proxy 127.0.0.1:9500
}

voidbot.ai {
        reverse_proxy 127.0.0.1:33349
}

gateway.voidbot.ai {
        reverse_proxy 127.0.0.1:9003
}

api.voidbot.ai {
        reverse_proxy 127.0.0.1:5000
}

3. The problem I’m having:

I am trying to use a reverse proxy with Caddy, with Cloudflare in front. For whatever reason, only api.voidbot.ai fails; the others seem to be fine.

4. Error messages and/or full log output:

2020/05/18 15:39:09 http: TLS handshake error from 172.68.x.x:33322: no certificate available for 'api.voidbot.ai' (from syslog).

5. What I already tried:

Not much… I’ve tried to check my HTTPS settings on the Cloudflare dashboard, disabled stuff, restarted Caddy, rewritten my config file.

6. Links to relevant resources:

You must have more logs than that. It’s impossible to tell what’s going on without the full logs.

Where else can I look for logs? That’s all I can find, and it’s from syslogs.

Run journalctl -u caddy. You should have logs from when Caddy starts up, etc. I don’t believe that that’s the only log line you have in your logs.

It’d be the same place you got this log entry:

(probably)

There should be many more lines.

Hm. I found this:

caddy[15003]: 2020/05/18 16:09:48 [ERROR] attempt 1: [api.voidbot.ai] Obtain: [api.voidbot.ai] error: one or more domains had a problem:
caddy[15003]: [api.voidbot.ai] acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: Cannot negotiate ALPN protocol "acme-tls/1" for tls-alpn-01 challenge, url:
caddy[15003]:  - retrying in 1m0s (11.34547339s/720h0m0s elapsed)...

Hopefully that’s helpful

Looking at this thread from last year, this seems to be the same issue:

Unless I am misreading, this is related to Let’s Encrypt. Is it possible to disable it entirely and only rely on Cloudflare certified certificates?

Hmmm. I just added a new sub-domain under /etc/caddy/Caddyfile and restarted... And now api.voidbot.ai gets an SSL cert just fine, but the new sub-domain fails instead. :thinking:

All domains work fine now; I didn't even change anything. Interesting.


Just to answer this question in case anyone else is interested:

I hope it all does work now, because you can use only Cloudflare certs, but that involves grabbing their origin certificate and specifying it for all your sites with tls cert key, which will disable all Automatic HTTPS features. It will be much smoother without that, when Caddy manages your certificates itself.

tls (Caddyfile directive) — Caddy Documentation
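For reference, this is what the origin-certificate setup described in the reply above looks like as a Caddyfile. It is an added example, not config from this thread or from the Caddy project; the certificate and key paths are placeholders, and the snippet/import syntax is used only to avoid repeating the tls line for every site.

```caddyfile
# Added example: pin the sites from this thread to a Cloudflare origin
# certificate with `tls cert key`. This turns off Automatic HTTPS (no ACME
# issuance or renewal) for these sites, so renewing the origin cert becomes
# a manual job. Paths are placeholders.
(cf_origin) {
        tls /etc/caddy/cloudflare-origin.pem /etc/caddy/cloudflare-origin.key
}

tarek.wtf {
        import cf_origin
        reverse_proxy 127.0.0.1:9500
}

voidbot.ai {
        import cf_origin
        reverse_proxy 127.0.0.1:33349
}

gateway.voidbot.ai {
        import cf_origin
        reverse_proxy 127.0.0.1:9003
}

api.voidbot.ai {
        import cf_origin
        reverse_proxy 127.0.0.1:5000
}
```

A Cloudflare origin certificate is trusted only by Cloudflare's edge, not by browsers, so these sites must keep being proxied through Cloudflare; the default config in the thread, where Caddy obtains its own publicly trusted certificates, avoids that constraint.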
