HTTPS is not working, getting challenge failed error

1. The problem I’m having:

I had a working Caddy reverse proxy server a few days ago. No updates, no changes.

This was my setup:

Cloudflare DNS as *.blazingbane.com → public IP, which has port forwarding for 80 and 443.

  • I have tried a fresh install of Caddy; doesn't seem to work
  • Only the HTTP proxy is working, HTTPS is not working

2. Error messages and/or full log output:

Error without debug mode

PS C:\Users\Streaming\Documents\caddy> caddy start
2024/11/23 02:56:17.186 INFO    using adjacent Caddyfile
2024/11/23 02:56:17.187 INFO    adapted config to JSON  {"adapter": "caddyfile"}
2024/11/23 02:56:17.197 INFO    admin   admin endpoint started  {"address": "localhost:2019", "enforce_origin": false, "origins": ["//localhost:2019", "//[::1]:2019", "//127.0.0.1:2019"]}
2024/11/23 02:56:17.197 INFO    tls.cache.maintenance   started background certificate maintenance      {"cache": "0xc000648580"}
2024/11/23 02:56:17.197 INFO    http.auto_https server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS {"server_name": "srv0", "https_port": 443}
2024/11/23 02:56:17.197 INFO    http.auto_https enabling automatic HTTP->HTTPS redirects        {"server_name": "srv0"}
2024/11/23 02:56:17.197 WARN    http.auto_https server is listening only on the HTTP port, so no automatic HTTPS will be applied to this server {"server_name": "srv1", "http_port": 80}
2024/11/23 02:56:17.199 INFO    http    enabling HTTP/3 listener        {"addr": ":443"}
2024/11/23 02:56:17.199 INFO    http.log        server running  {"name": "srv0", "protocols": ["h1", "h2", "h3"]}
2024/11/23 02:56:17.199 INFO    http.log        server running  {"name": "srv1", "protocols": ["h1", "h2", "h3"]}
2024/11/23 02:56:17.199 INFO    http    enabling automatic TLS certificate management   {"domains": ["movies.blazingbane.com", "files.blazingbane.com", "immich.blazingbane.com", "server.blazingbane.com"]}
2024/11/23 02:56:17.214 INFO    tls     storage cleaning happened too recently; skipping for now        {"storage": "FileStorage:C:\\Users\\Streaming\\AppData\\Roaming\\Caddy", "instance": "842c23ed-9e05-4683-9c20-ca381031e91d", "try_again": "2024/11/24 02:56:17.214", "try_again_in": 86400}
2024/11/23 02:56:17.214 INFO    tls     finished cleaning storage units
2024/11/23 02:56:17.227 INFO    tls.obtain      acquiring lock  {"identifier": "files.blazingbane.com"}
2024/11/23 02:56:17.233 INFO    tls.obtain      lock acquired   {"identifier": "files.blazingbane.com"}
2024/11/23 02:56:17.233 INFO    tls.obtain      obtaining certificate   {"identifier": "files.blazingbane.com"}
2024/11/23 02:56:17.244 INFO    http    waiting on internal rate limiter        {"identifiers": ["files.blazingbane.com"], "ca": "https://acme-v02.api.letsencrypt.org/directory", "account": ""}
2024/11/23 02:56:17.244 INFO    http    done waiting on internal rate limiter   {"identifiers": ["files.blazingbane.com"], "ca": "https://acme-v02.api.letsencrypt.org/directory", "account": ""}
2024/11/23 02:56:17.244 INFO    http    using ACME account      {"account_id": "https://acme-v02.api.letsencrypt.org/acme/acct/2072581187", "account_contact": []}
2024/11/23 02:56:17.265 INFO    autosaved config (load with --resume flag)      {"file": "C:\\Users\\Streaming\\AppData\\Roaming\\Caddy\\autosave.json"}
2024/11/23 02:56:17.265 INFO    serving initial configuration
Successfully started Caddy (pid=12992) - Caddy is running in the background
PS C:\Users\Streaming\Documents\caddy> 2024/11/23 02:56:17.773  INFO    http.acme_client        trying to solve challenge       {"identifier": "files.blazingbane.com", "challenge_type": "tls-alpn-01", "ca": "https://acme-v02.api.letsencrypt.org/directory"}
2024/11/23 02:56:28.009 ERROR   http.acme_client        challenge failed        {"identifier": "files.blazingbane.com", "challenge_type": "tls-alpn-01", "problem": {"type": "urn:ietf:params:acme:error:connection", "title": "", "detail": "*.*.*.*: Timeout during connect (likely firewall problem)", "instance": "", "subproblems": []}}
2024/11/23 02:56:28.009 ERROR   http.acme_client        validating authorization        {"identifier": "files.blazingbane.com", "problem": {"type": "urn:ietf:params:acme:error:connection", "title": "", "detail": "*.*.*.*: Timeout during connect (likely firewall problem)", "instance": "", "subproblems": []}, "order": "https://acme-v02.api.letsencrypt.org/acme/order/2072581187/325864897057", "attempt": 1, "max_attempts": 3}
2024/11/23 02:56:29.287 INFO    http.acme_client        trying to solve challenge       {"identifier": "files.blazingbane.com", "challenge_type": "http-01", "ca": "https://acme-v02.api.letsencrypt.org/directory"}
2024/11/23 02:56:29.487 INFO    http    served key authentication       {"identifier": "files.blazingbane.com", "challenge": "http-01", "remote": "23.178.112.219:44187", "distributed": false}
2024/11/23 02:56:29.780 INFO    http    served key authentication       {"identifier": "files.blazingbane.com", "challenge": "http-01", "remote": "35.89.167.64:24694", "distributed": false}
2024/11/23 02:56:29.900 INFO    http    served key authentication       {"identifier": "files.blazingbane.com", "challenge": "http-01", "remote": "13.60.91.25:31496", "distributed": false}
2024/11/23 02:56:30.129 INFO    http    served key authentication       {"identifier": "files.blazingbane.com", "challenge": "http-01", "remote": "13.250.100.175:59614", "distributed": false}
2024/11/23 02:56:30.650 INFO    http.acme_client        authorization finalized {"identifier": "files.blazingbane.com", "authz_status": "valid"}
2024/11/23 02:56:30.650 INFO    http.acme_client        validations succeeded; finalizing order {"order": "https://acme-v02.api.letsencrypt.org/acme/order/2072581187/325864936307"}
2024/11/23 02:56:34.039 INFO    http.acme_client        got renewal info        {"names": ["files.blazingbane.com"], "window_start": "2025/01/21 02:17:29.000", "window_end": "2025/01/23 02:17:29.000", "selected_time": "2025/01/22 11:02:41.000", "recheck_after": "2024/11/23 08:56:34.039", "explanation_url": ""}
2024/11/23 02:56:34.187 INFO    http.acme_client        got renewal info        {"names": ["files.blazingbane.com"], "window_start": "2025/01/21 02:17:29.000", "window_end": "2025/01/23 02:17:29.000", "selected_time": "2025/01/21 06:06:13.000", "recheck_after": "2024/11/23 08:56:34.187", "explanation_url": ""}
2024/11/23 02:56:34.187 INFO    http.acme_client        successfully downloaded available certificate chains    {"count": 2, "first_url": "https://acme-v02.api.letsencrypt.org/acme/cert/044d68bd0f2c06720894c6cdbcb55f90146c"}
2024/11/23 02:56:34.189 INFO    tls.obtain      certificate obtained successfully       {"identifier": "files.blazingbane.com", "issuer": "acme-v02.api.letsencrypt.org-directory"}
2024/11/23 02:56:34.190 INFO    tls.obtain      releasing lock  {"identifier": "files.blazingbane.com"}
PS C:\Users\Streaming\Documents\caddy> caddy start
2024/11/23 03:12:33.528 INFO    using adjacent Caddyfile
2024/11/23 03:12:33.530 INFO    adapted config to JSON  {"adapter": "caddyfile"}
2024/11/23 03:12:33.539 INFO    admin   admin endpoint started  {"address": "localhost:2019", "enforce_origin": false, "origins": ["//localhost:2019", "//[::1]:2019", "//127.0.0.1:2019"]}
2024/11/23 03:12:33.540 INFO    tls.cache.maintenance   started background certificate maintenance      {"cache": "0xc000606d00"}
2024/11/23 03:12:33.540 INFO    http.auto_https server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS {"server_name": "srv0", "https_port": 443}
2024/11/23 03:12:33.540 INFO    http.auto_https enabling automatic HTTP->HTTPS redirects        {"server_name": "srv0"}
2024/11/23 03:12:33.540 WARN    http.auto_https server is listening only on the HTTP port, so no automatic HTTPS will be applied to this server {"server_name": "srv1", "http_port": 80}
2024/11/23 03:12:33.540 DEBUG   http.auto_https adjusted config {"tls": {"automation":{"policies":[{}]}}, "http": {"servers":{"srv0":{"listen":[":443"],"routes":[{"handle":[{"handler":"subroute","routes":[{"handle":[{"handler":"reverse_proxy","upstreams":[{"dial":"127.0.0.1:2283"}]}]}]}],"terminal":true},{"handle":[{"handler":"subroute","routes":[{"handle":[{"handler":"reverse_proxy","upstreams":[{"dial":"10.0.0.236:6767"}]}]}]}],"terminal":true},{"handle":[{"handler":"subroute","routes":[{"handle":[{"handler":"reverse_proxy","upstreams":[{"dial":"127.0.0.1:8096"}]}]}]}],"terminal":true},{"handle":[{"handler":"subroute","routes":[{"handle":[{"handler":"reverse_proxy","upstreams":[{"dial":"127.0.0.1:9393"}]}]}]}],"terminal":true}],"tls_connection_policies":[{}],"automatic_https":{}},"srv1":{"listen":[":80"],"routes":[{"handle":[{"handler":"subroute","routes":[{"handle":[{"handler":"reverse_proxy","upstreams":[{"dial":"127.0.0.1:2283"}]}]}]}],"terminal":true},{},{}],"automatic_https":{"disable":true}}}}}
2024/11/23 03:12:33.541 INFO    http    enabling HTTP/3 listener        {"addr": ":443"}
2024/11/23 03:12:33.541 DEBUG   http    starting server loop    {"address": "[::]:443", "tls": true, "http3": true}
2024/11/23 03:12:33.541 INFO    http.log        server running  {"name": "srv0", "protocols": ["h1", "h2", "h3"]}
2024/11/23 03:12:33.542 DEBUG   http    starting server loop    {"address": "[::]:80", "tls": false, "http3": false}
2024/11/23 03:12:33.542 INFO    http.log        server running  {"name": "srv1", "protocols": ["h1", "h2", "h3"]}
2024/11/23 03:12:33.542 INFO    http    enabling automatic TLS certificate management   {"domains": ["immich.blazingbane.com", "server.blazingbane.com", "movies.blazingbane.com", "files.blazingbane.com"]}
2024/11/23 03:12:33.542 DEBUG   tls.cache       added certificate to cache      {"subjects": ["immich.blazingbane.com"], "expiration": "2025/02/21 01:53:11.000", "managed": true, "issuer_key": "acme-v02.api.letsencrypt.org-directory", "hash": "5c4b8a0c362d4d18aa3c2f8b0f947b9b4d0c6b6903a8fc43cd26e3f9aa1c62b3", "cache_size": 1, "cache_capacity": 10000}
2024/11/23 03:12:33.543 DEBUG   events  event   {"name": "cached_managed_cert", "id": "9501a50b-9b29-43a7-9b0a-9dbcb4350322", "origin": "tls", "data": {"sans":["immich.blazingbane.com"]}}
2024/11/23 03:12:33.544 DEBUG   tls.cache       added certificate to cache      {"subjects": ["server.blazingbane.com"], "expiration": "2025/02/21 01:53:21.000", "managed": true, "issuer_key": "acme-v02.api.letsencrypt.org-directory", "hash": "a3da28cb490e1e861f23aec59942a99f0e82c4bb5d95cf950befd0b540bd8b74", "cache_size": 2, "cache_capacity": 10000}
2024/11/23 03:12:33.544 DEBUG   events  event   {"name": "cached_managed_cert", "id": "551c19d6-19ae-45e8-bc27-849b62a0a94d", "origin": "tls", "data": {"sans":["server.blazingbane.com"]}}
2024/11/23 03:12:33.544 DEBUG   tls.cache       added certificate to cache      {"subjects": ["movies.blazingbane.com"], "expiration": "2025/02/21 01:53:21.000", "managed": true, "issuer_key": "acme-v02.api.letsencrypt.org-directory", "hash": "dcd256858a14c95e36811c17d3e673317f9b722737c1f942e047f477a03089f7", "cache_size": 3, "cache_capacity": 10000}
2024/11/23 03:12:33.544 DEBUG   events  event   {"name": "cached_managed_cert", "id": "1b145c5f-8be9-4269-b4e4-17c148a09311", "origin": "tls", "data": {"sans":["movies.blazingbane.com"]}}
2024/11/23 03:12:33.545 DEBUG   tls.cache       added certificate to cache      {"subjects": ["files.blazingbane.com"], "expiration": "2025/02/21 01:57:59.000", "managed": true, "issuer_key": "acme-v02.api.letsencrypt.org-directory", "hash": "33a975800807c452fc9aeb4b407e2dbd3d3d5a39245c735528deba05b8d6620f", "cache_size": 4, "cache_capacity": 10000}
2024/11/23 03:12:33.545 DEBUG   events  event   {"name": "cached_managed_cert", "id": "708c3092-ce7a-45b1-81cc-84e69250b5eb", "origin": "tls", "data": {"sans":["files.blazingbane.com"]}}
2024/11/23 03:12:33.545 INFO    autosaved config (load with --resume flag)      {"file": "C:\\Users\\Streaming\\AppData\\Roaming\\Caddy\\autosave.json"}
2024/11/23 03:12:33.545 INFO    serving initial configuration
Successfully started Caddy (pid=6708) - Caddy is running in the background
2024/11/23 03:12:33.547 INFO    tls     storage cleaning happened too recently; skipping for now        {"storage": "FileStorage:C:\\Users\\Streaming\\AppData\\Roaming\\Caddy", "instance": "842c23ed-9e05-4683-9c20-ca381031e91d", "try_again": "2024/11/24 03:12:33.547", "try_again_in": 86400}
2024/11/23 03:12:33.547 INFO    tls     finished cleaning storage units
PS C:\Users\Streaming\Documents\caddy> 2024/11/23 03:13:01.545  DEBUG   http.handlers.reverse_proxy     selected upstream       {"dial": "127.0.0.1:2283", "total_upstreams": 1}
2024/11/23 03:13:01.549 DEBUG   http.handlers.reverse_proxy     upstream roundtrip      {"upstream": "127.0.0.1:2283", "duration": 0.0030658, "request": {"remote_ip": "*.*.*.*", "remote_port": "54534", "client_ip": "*.*.*.*", "proto": "HTTP/1.1", "method": "GET", "host": "immich.blazingbane.com", "uri": "/", "headers": {"Accept": ["*/*"], "Accept-Language": ["en-US,en;q=0.5"], "User-Agent": ["Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:132.0) Gecko/20100101 Firefox/132.0"], "X-Forwarded-For": ["*.*.*.*"], "Priority": ["u=4"], "Pragma": ["no-cache"], "Cache-Control": ["no-cache"], "X-Forwarded-Proto": ["http"], "X-Forwarded-Host": ["immich.blazingbane.com"], "Accept-Encoding": ["gzip, deflate"]}}, "headers": {"Connection": ["keep-alive"], "Keep-Alive": ["timeout=5"], "X-Powered-By": ["Express"], "Content-Type": ["text/html; charset=utf-8"], "Cache-Control": ["no-store"], "Content-Length": ["6033"], "Etag": ["\"1791-mYZsXQnlnZvRokIH6Nbx+zvQQPc\""], "Date": ["Sat, 23 Nov 2024 03:13:01 GMT"]}, "status": 200}
2024/11/23 03:13:01.573 DEBUG   http.handlers.reverse_proxy     selected upstream       {"dial": "127.0.0.1:2283", "total_upstreams": 1}
2024/11/23 03:13:01.576 DEBUG   http.handlers.reverse_proxy     upstream roundtrip      {"upstream": "127.0.0.1:2283", "duration": 0.0032053, "request": {"remote_ip": "*.*.*.*", "remote_port": "54523", "client_ip": "*.*.*.*", "proto": "HTTP/1.1", "method": "GET", "host": "immich.blazingbane.com", "uri": "/", "headers": {"X-Forwarded-Host": ["immich.blazingbane.com"], "Accept": ["text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"], "X-Forwarded-For": ["*.*.*.*"], "X-Forwarded-Proto": ["http"], "Accept-Encoding": ["gzip, deflate"], "Sec-Gpc": ["1"], "Upgrade-Insecure-Requests": ["1"], "Priority": ["u=0, i"], "User-Agent": ["Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:132.0) Gecko/20100101 Firefox/132.0"], "Accept-Language": ["en-US,en;q=0.5"]}}, "headers": {"Keep-Alive": ["timeout=5"], "X-Powered-By": ["Express"], "Content-Type": ["text/html; charset=utf-8"], "Cache-Control": ["no-store"], "Content-Length": ["6033"], "Etag": ["\"1791-mYZsXQnlnZvRokIH6Nbx+zvQQPc\""], "Date": ["Sat, 23 Nov 2024 03:13:01 GMT"], "Connection": ["keep-alive"]}, "status": 200}
2024/11/23 03:13:01.686 DEBUG   http.handlers.reverse_proxy     selected upstream       {"dial": "127.0.0.1:2283", "total_upstreams": 1}
2024/11/23 03:13:01.707 DEBUG   http.handlers.reverse_proxy     upstream roundtrip      {"upstream": "127.0.0.1:2283", "duration": 0.0212143, "request": {"remote_ip": "*.*.*.*", "remote_port": "54523", "client_ip": "*.*.*.*", "proto": "HTTP/1.1", "method": "GET", "host": "immich.blazingbane.com", "uri": "/custom.css", "headers": {"X-Forwarded-Host": ["immich.blazingbane.com"], "X-Forwarded-For": ["*.*.*.*"], "User-Agent": ["Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:132.0) Gecko/20100101 Firefox/132.0"], "Accept": ["text/css,*/*;q=0.1"], "Accept-Encoding": ["gzip, deflate"], "Sec-Gpc": ["1"], "Accept-Language": ["en-US,en;q=0.5"], "X-Forwarded-Proto": ["http"], "Priority": ["u=2"], "Referer": ["http://immich.blazingbane.com/"], "If-None-Match": ["\"0-2jmj7l5rSw0yVb/vlWAYkK/YBwk\""]}}, "headers": {"Date": ["Sat, 23 Nov 2024 03:13:01 GMT"], "Connection": ["keep-alive"], "Keep-Alive": ["timeout=5"], "X-Powered-By": ["Express"], "X-Immich-Cid": ["dd1nilae"], "Etag": ["\"0-2jmj7l5rSw0yVb/vlWAYkK/YBwk\""]}, "status": 304}
2024/11/23 03:13:01.865 DEBUG   http.handlers.reverse_proxy     selected upstream       {"dial": "127.0.0.1:2283", "total_upstreams": 1}
2024/11/23 03:13:01.873 DEBUG   http.handlers.reverse_proxy     selected upstream       {"dial": "127.0.0.1:2283", "total_upstreams": 1}
2024/11/23 03:13:01.876 DEBUG   http.handlers.reverse_proxy     upstream roundtrip      {"upstream": "127.0.0.1:2283", "duration": 0.0110407, "request": {"remote_ip": "*.*.*.*", "remote_port": "54523", "client_ip": "*.*.*.*", "proto": "HTTP/1.1", "method": "GET", "host": "immich.blazingbane.com", "uri": "/api/server/features", "headers": {"X-Forwarded-Host": ["immich.blazingbane.com"], "Priority": ["u=4"], "X-Forwarded-For": ["*.*.*.*"], "Sec-Gpc": ["1"], "Referer": ["http://immich.blazingbane.com/"], "User-Agent": ["Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:132.0) Gecko/20100101 Firefox/132.0"], "If-None-Match": ["\"104-b8bikIJ9H8jpKuznfMRBL41PGlg\""], "X-Forwarded-Proto": ["http"], "Accept": ["application/json"], "Accept-Language": ["en-US,en;q=0.5"], "Accept-Encoding": ["gzip, deflate"]}}, "headers": {"X-Powered-By": ["Express"], "X-Immich-Cid": ["uuzq1ueg"], "Etag": ["\"104-b8bikIJ9H8jpKuznfMRBL41PGlg\""], "Date": ["Sat, 23 Nov 2024 03:13:01 GMT"], "Connection": ["keep-alive"], "Keep-Alive": ["timeout=5"]}, "status": 304}
2024/11/23 03:13:01.890 DEBUG   http.handlers.reverse_proxy     upstream roundtrip      {"upstream": "127.0.0.1:2283", "duration": 0.0169631, "request": {"remote_ip": "*.*.*.*", "remote_port": "54536", "client_ip": "*.*.*.*", "proto": "HTTP/1.1", "method": "GET", "host": "immich.blazingbane.com", "uri": "/api/server/config", "headers": {"Referer": ["http://immich.blazingbane.com/"], "Sec-Gpc": ["1"], "If-None-Match": ["\"9a-4FfCLxBDS3uHTh1nsn4AepoN3vY\""], "Accept-Language": ["en-US,en;q=0.5"], "X-Forwarded-For": ["*.*.*.*"], "X-Forwarded-Host": ["immich.blazingbane.com"], "Priority": ["u=4"], "User-Agent": ["Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:132.0) Gecko/20100101 Firefox/132.0"], "Accept-Encoding": ["gzip, deflate"], "Accept": ["application/json"], "X-Forwarded-Proto": ["http"]}}, "headers": {"Date": ["Sat, 23 Nov 2024 03:13:01 GMT"], "Connection": ["keep-alive"], "Keep-Alive": ["timeout=5"], "X-Powered-By": ["Express"], "X-Immich-Cid": ["fzt00zlf"], "Etag": ["\"9a-4FfCLxBDS3uHTh1nsn4AepoN3vY\""]}, "status": 304}

3. Caddy version:

v2.8.4 h1:q3pe0wpBj1OcHFZ3n/1nl4V4bxBrYoSoab7rL9BMYNk=

4. How I installed and ran Caddy:

Using Chocolatey

a. System environment:

Windows 11, 64bit

b. Command:

caddy start

d. My complete Caddy config:


immich.blazingbane.com {
	reverse_proxy 127.0.0.1:2283
}

files.blazingbane.com {
	reverse_proxy 127.0.0.1:9393
}

server.blazingbane.com {
	reverse_proxy 10.0.0.236:6767
}

movies.blazingbane.com {
	reverse_proxy 127.0.0.1:8096
}

5. Links to relevant resources:

Hi @shivaradhan_konda,

Troubles with HTTPS, which is what TLS-ALPN-01 uses, are shown here
Hardenize Report: files.blazingbane.com
and here as well
SSL Server Test: files.blazingbane.com (Powered by Qualys SSL Labs)

Edit

I believe on Port 443 only HTTP is being served, HTTPS is failing on Port 443.

HTTP request on Port 443 gets a response.

$ curl -k -Ii http://files.blazingbane.com:443/.well-known/acme-challenge/sometestfile
HTTP/1.0 400 Bad Request

HTTPS request on Port 443 does not get a response.

$ curl -k -Ii https://files.blazingbane.com:443/.well-known/acme-challenge/sometestfile
curl: (35) error:0A000438:SSL routines::tlsv1 alert internal error

Thanks for the help. I have decided to move my Caddy to a Raspberry Pi; I haven't changed anything in the Caddyfile, but it's working.

Really? I am still seeing this:

HTTP on Port 443

$ date ; curl -k -Ii http://files.blazingbane.com:443/.well-known/acme-challenge/sometestfile
Fri Nov 29 03:59:35 AM UTC 2024
HTTP/1.0 400 Bad Request

HTTPS on Port 443

$ date ; curl -k -Ii https://files.blazingbane.com:443/.well-known/acme-challenge/sometestfile
Fri Nov 29 03:59:41 AM UTC 2024
curl: (35) error:0A000438:SSL routines::tlsv1 alert internal error
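The two curl checks in the replies above (plaintext HTTP and then HTTPS against port 443) and the validator's `Timeout during connect (likely firewall problem)` in the first log are the same diagnosis from two ends: does something on port 443 complete a TLS handshake for that name when reached from the outside? The script below is an added example for this thread, not code from Caddy, Let's Encrypt or any of the posters. It connects to a host's port 443 with SNI set to the hostname and the `acme-tls/1` ALPN value a TLS-ALPN-01 validator offers, separately sends a plaintext request to the same port, and classifies the first bytes that come back (TLS handshake, TLS alert with its description, plaintext HTTP, timeout). The hostname comes from the command line; the embedded byte strings are constructed to mirror the thread's two curl results and are not captured traffic. Two caveats worth keeping in mind when reading the output: outside a live challenge a server does not normally select `acme-tls/1`, so the informative result is whether any TLS handshake happens at all on 443; and Go's `net/http`, which Caddy is built on, answers a plaintext request on a TLS listener with `HTTP/1.0 400 Bad Request`, so that status line by itself does not show that port 443 is a plain HTTP listener.

```python
"""Probe port 443 the way an ACME TLS-ALPN-01 validator does and classify
the reply.  Added example for this thread, not Caddy's or the CA's code."""
import socket
import ssl
import sys

ACME_ALPN = "acme-tls/1"  # ALPN protocol id of the TLS-ALPN-01 challenge (RFC 8737)

# TLS alert descriptions (RFC 5246 / RFC 8446) relevant to this diagnosis.
TLS_ALERT_DESCRIPTIONS = {
    0: "close_notify", 10: "unexpected_message", 40: "handshake_failure",
    47: "illegal_parameter", 70: "protocol_version", 80: "internal_error",
    112: "unrecognized_name", 120: "no_application_protocol",
}

# Constructed samples mirroring the thread's two curl results (not captured traffic).
SAMPLE_RESPONSES = {
    "plaintext HTTP to :443": b"HTTP/1.0 400 Bad Request\r\n\r\n",
    "TLS to :443": b"\x15\x03\x03\x00\x02\x02\x50",  # alert record: fatal(2), internal_error(80)
}


def classify_first_bytes(data: bytes) -> dict:
    """Classify the first bytes a listener sends back.

    TLS records begin with a content type (0x16 handshake, 0x15 alert) and the
    0x03 major-version byte; an alert record carries level and description at
    offsets 5 and 6.  Anything starting with 'HTTP/' is plaintext HTTP.
    """
    if not data:
        return {"kind": "no_response"}
    if len(data) >= 2 and data[0] == 0x16 and data[1] == 0x03:
        return {"kind": "tls_handshake"}
    if len(data) >= 7 and data[0] == 0x15 and data[1] == 0x03:
        level, desc = data[5], data[6]
        return {"kind": "tls_alert",
                "level": "fatal" if level == 2 else "warning",
                "description": TLS_ALERT_DESCRIPTIONS.get(desc, f"unknown({desc})")}
    if data.startswith(b"HTTP/"):
        status_line = data.split(b"\r\n", 1)[0].decode("ascii", "replace")
        return {"kind": "plaintext_http", "status_line": status_line}
    return {"kind": "unknown", "prefix": data[:8].hex()}


def probe_tls_alpn(host: str, port: int = 443, timeout: float = 10.0) -> dict:
    """TLS handshake with SNI=host and ALPN acme-tls/1, as the CA's validator sends.

    Verification is disabled on purpose: during a challenge the server presents
    a self-signed certificate carrying the acmeIdentifier extension.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.set_alpn_protocols([ACME_ALPN])
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return {"kind": "tls_handshake", "version": tls.version(),
                        "alpn": tls.selected_alpn_protocol()}  # acme-tls/1 only during a live challenge
    except socket.timeout:
        return {"kind": "timeout"}  # the CA's "Timeout during connect (likely firewall problem)"
    except ssl.SSLError as exc:
        return {"kind": "tls_error", "reason": exc.reason}  # e.g. TLSV1_ALERT_INTERNAL_ERROR
    except OSError as exc:
        return {"kind": "connect_error", "errno": exc.errno}


def probe_plaintext_http(host: str, port: int = 443, timeout: float = 10.0) -> dict:
    """Plaintext HTTP to the TLS port, like 'curl http://host:443/...' in the thread."""
    request = (f"HEAD /.well-known/acme-challenge/probe HTTP/1.1\r\n"
               f"Host: {host}\r\nConnection: close\r\n\r\n").encode("ascii")
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            raw.sendall(request)
            return classify_first_bytes(raw.recv(256))
    except socket.timeout:
        return {"kind": "timeout"}
    except OSError as exc:
        return {"kind": "connect_error", "errno": exc.errno}


def diagnose(tls_result: dict, http_result: dict) -> str:
    """Reduce the two probe results to the verdict a TLS-ALPN-01 failure needs."""
    if tls_result["kind"] == "timeout":
        return "port 443 unreachable from outside: check port forwarding and firewall"
    if tls_result["kind"] == "tls_handshake":
        return f"TLS is served on 443 ({tls_result['version']}, alpn={tls_result['alpn']})"
    if tls_result["kind"] == "tls_error":
        hint = (" (a plaintext request got an HTTP reply, so a listener is there)"
                if http_result["kind"] == "plaintext_http" else "")
        return f"TLS handshake fails on 443: {tls_result['reason']}{hint}"
    return f"undetermined: tls={tls_result['kind']} http={http_result['kind']}"


if __name__ == "__main__":
    if len(sys.argv) > 1:  # python probe.py files.example.com
        t, h = probe_tls_alpn(sys.argv[1]), probe_plaintext_http(sys.argv[1])
        print(t, h, diagnose(t, h), sep="\n")
    else:  # offline: classify the constructed samples
        for label, raw in SAMPLE_RESPONSES.items():
            print(f"{label}: {classify_first_bytes(raw)}")
```

Run it from a machine outside the home network, since the CA's validators connect from the outside and a probe from the LAN says nothing about port forwarding. A `timeout` from `probe_tls_alpn` matches the validator's connection error; a `tls_error` with `TLSV1_ALERT_INTERNAL_ERROR` matches what curl reported, and means the listener is reachable and speaks TLS but aborts the handshake for that SNI.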