Main domain cert not working in Chrome/Brave, but certs otherwise work

1. The problem I’m having:

The problem: Chrome and Brave give error:

This site can’t provide a secure connection
mydomain.org sent an invalid response.
ERR_SSL_PROTOCOL_ERROR

But Firefox and Safari work. And subdomains always work in Chrome/Brave – only the main domain is broken!

Curl works! Curl output (run on LAN): curl -vL https://eddified.org - Pastebin.com

Unfortunately, it is not possible to use online SSL checker tools because my domain is proxied behind Cloudflare's DNS proxy. Cloudflare does not have an issue with my cert, so it always works when you try it on the internet – it is only broken for my internal LAN. When you request the site on the internet, you get Cloudflare's certs.

In Chrome, Secure DNS is disabled.

Chrome DNS lookup tool at: chrome://net-internals/#dns

gives:

Resolved IP addresses of "eddified.org": ["192.168.1.205"].
Alternative endpoint: {"alpns":["h3","h2","http/1.1"],"ech_config_list":"AEX+DQBBHgAgACCTPIO4A+vFRYd6tuIrfyDVjhaQ9tYpnFxO1ABnPoyHDQAEAAEAAQASY2xvdWRmbGFyZS1lY2guY29tAAA=","ip_endpoints":["192.168.1.205"]}.

Note: I have internal DNS configured to route eddified.org to 192.168.1.205, so the above looks correct.

Externally, well, you can do a dnslookup from your own machine to get the public IP. Subdomains are also using local DNS in my LAN:

$ dnslookup plex.eddified.org
dnslookup 1.11.1-11969
Server: 100.100.100.100:53

dnslookup result (elapsed 814.289µs):
;; opcode: QUERY, status: NOERROR, id: 48614
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;plex.eddified.org.	IN	 A

;; ANSWER SECTION:
plex.eddified.org.	0	IN	CNAME	eddified.org.
eddified.org.	0	IN	A	192.168.1.205

I also had this same problem using the ‘main’ Caddy Docker image (the one without special Cloudflare functionality) – at the time, I was using a different DNS challenge, but now I’m using dns-01.

I did NOT copy any cert from cloudflare, instead, I am ONLY using ACME challenge as seen in the Caddyfile.

2. Error messages and/or full log output:

The error only happens in Chrome/Brave – it does NOT happen on the command line.

Full error message displayed:

This site can’t provide a secure connection
mydomain.org sent an invalid response.
ERR_SSL_PROTOCOL_ERROR

Logs (nothing appears in the logs when trying to use Chrome to view site – and debug is on):

3. Caddy version:

$ sudo docker compose exec caddy caddy version
v2.10.2 h1:g/gTYjGMD0dec+UgMw8SnfmJ3I9+M2TdvoRL/Ovu6U8=

NOTE: this is the Cloudflare version, see compose file below

4. How I installed and ran Caddy:

a. System environment:

Ubuntu 24.04 LTS (Docker host)

$ sudo docker --version
Docker version 28.5.1, build e180ab8

b. Command:

sudo docker compose up -d

c. Service/unit/compose file:

name: caddy
services:
    caddy:
      image: ghcr.io/caddybuilds/caddy-cloudflare:latest
      restart: unless-stopped
      ports:
        - 80:80
        - 443:443
        - "443:443/udp"
      volumes:
        - ./Caddyfile:/etc/caddy/Caddyfile
        - ./certs:/certs
        - ./config:/config
        - ./data:/data
        - ./sites:/srv
      environment:
        - CLOUDFLARE_API_TOKEN=<REDACTED>
d. My complete Caddy config:

5. Links to relevant resources:

Weird. Try closing your browsers (and killing them completely so they’re not running in the background), try clearing the cache, etc.; they may have cached a bad certificate for some reason.

I don’t think it’s cache. I’ve had this problem for months. I can reproduce on any desktop machine in my network.

This suggests you may have ECH enabled? But then you’re overwriting the IP address for the domain in the local DNS?

I think there have been other threads about problems with this configuration. Can you disable ECH in Chrome and see if the problem goes away?


Thank you! This is the first I’ve heard of ECH.

I am sure you are right that my issue is related to ECH. The issue does not always occur… but when it is occurring, the Chrome DNS tool always mentions “ech_config_list”. And when the issue is not occurring, “ech_config_list” is not mentioned!

I will now learn more about ECH and figure out what the recommended solution(s) are for managing internal DNS – I must be doing something wrong.

It looks like you have that domain on Cloudflare, which is doing the ECH for you. You can turn it off there. The problem is that when you overwrite the A record locally, Chrome still sees the ECH record from Cloudflare.

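The diagnosis above can be checked directly from the chrome://net-internals/#dns line quoted earlier in the thread. The following is an added example, not code from the thread's author or from the Caddy project: it parses that line, decodes the ech_config_list value (the "ech" SvcParam of the domain's HTTPS record, carried as a base64 ECHConfigList in the draft-ietf-tls-esni wire format) and reports the public_name inside it, which is the name an ECH-capable browser places in the outer ClientHello SNI. It then flags the situation the reply describes: every resolved address is a private LAN IP while the browser still holds an ECH config published for the Cloudflare edge. The parser handles the version 0xfe0d layout and records unknown versions without decoding them; the JSON extraction assumes the line is pasted exactly as the tool prints it.

```python
"""Decode the ECH configuration Chrome reported for a locally overridden domain.

Added diagnostic (not the thread's or Caddy's code). Input is the
"Alternative endpoint" line from chrome://net-internals/#dns as quoted in
the thread; the ech_config_list inside it is an ECHConfigList
(draft-ietf-tls-esni), delivered via the "ech" SvcParam of an HTTPS record.
"""
import base64
import ipaddress
import json
import struct

# ECHConfigList copied from the thread's chrome://net-internals/#dns output.
ECH_CONFIG_LIST_B64 = (
    "AEX+DQBBHgAgACCTPIO4A+vFRYd6tuIrfyDVjhaQ9tYpnFxO1ABnPoyHDQAEAAEAAQAS"
    "Y2xvdWRmbGFyZS1lY2guY29tAAA="
)

# The full line as the tool printed it (reassembled from the thread).
CHROME_ALT_ENDPOINT = (
    'Alternative endpoint: {"alpns":["h3","h2","http/1.1"],'
    f'"ech_config_list":"{ECH_CONFIG_LIST_B64}",'
    '"ip_endpoints":["192.168.1.205"]}.'
)


def parse_ech_config_list(b64: str) -> list:
    """Parse a base64 ECHConfigList into one dict per ECHConfig.

    Wire layout for version 0xfe0d:
      u16 list_length, then per config: u16 version, u16 length,
      u8 config_id, u16 kem_id, opaque<u16> public_key,
      opaque<u16> cipher_suites (4 bytes each: kdf_id, aead_id),
      u8 maximum_name_length, opaque<u8> public_name, opaque<u16> extensions.
    Configs with an unknown version are reported by version only.
    """
    data = base64.b64decode(b64)
    (list_len,) = struct.unpack_from("!H", data, 0)
    if list_len != len(data) - 2:
        raise ValueError("ECHConfigList length field does not match payload")
    pos, end, configs = 2, 2 + list_len, []
    while pos < end:
        version, length = struct.unpack_from("!HH", data, pos)
        body = data[pos + 4 : pos + 4 + length]
        pos += 4 + length
        if version != 0xFE0D:
            configs.append({"version": version})
            continue
        p = 0
        config_id = body[p]; p += 1
        (kem_id,) = struct.unpack_from("!H", body, p); p += 2
        (pk_len,) = struct.unpack_from("!H", body, p); p += 2
        public_key = body[p : p + pk_len]; p += pk_len
        (cs_len,) = struct.unpack_from("!H", body, p); p += 2
        suites = [struct.unpack_from("!HH", body, p + i) for i in range(0, cs_len, 4)]
        p += cs_len
        max_name_len = body[p]; p += 1
        name_len = body[p]; p += 1
        public_name = body[p : p + name_len].decode("ascii"); p += name_len
        (ext_len,) = struct.unpack_from("!H", body, p); p += 2
        if p + ext_len != length:
            raise ValueError("ECHConfig body length mismatch")
        configs.append({
            "version": version,
            "config_id": config_id,
            "kem_id": kem_id,
            "public_key": public_key,
            "cipher_suites": suites,
            "maximum_name_length": max_name_len,
            "public_name": public_name,
        })
    return configs


def diagnose(alt_endpoint_line: str) -> dict:
    """Flag a private-IP override that still carries a public ECH config."""
    json_text = alt_endpoint_line[alt_endpoint_line.index("{") : alt_endpoint_line.rindex("}") + 1]
    info = json.loads(json_text)
    ips = info.get("ip_endpoints", [])
    private_ips = [ip for ip in ips if ipaddress.ip_address(ip).is_private]
    configs = parse_ech_config_list(info["ech_config_list"]) if info.get("ech_config_list") else []
    names = sorted({c["public_name"] for c in configs if "public_name" in c})
    return {
        "private_ips": private_ips,
        "ech_public_names": names,
        # True when every resolved IP is private yet an ECH config is present:
        # the browser will build its outer ClientHello for the ECH public name.
        "ech_for_private_override": bool(ips) and len(private_ips) == len(ips) and bool(names),
    }


if __name__ == "__main__":
    for cfg in parse_ech_config_list(ECH_CONFIG_LIST_B64):
        print(cfg.get("public_name", "unknown version"), hex(cfg["version"]))
    print(diagnose(CHROME_ALT_ENDPOINT))
```

The decoded public_name is cloudflare-ech.com, which is why a browser with ECH enabled behaves differently from curl on the same LAN: curl ignores the HTTPS record, while Chrome uses the Cloudflare-published ECH config against a host that has no corresponding key. Removing the ECH record at Cloudflare, as the reply suggests, or making the local resolver stop forwarding the HTTPS record for the overridden name, removes the mismatch.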

Good to know, thanks! I am learning much more about DNS now. I have asked for more info on another forum, where I have learned more about handling DNS configuration.

Thanks for the great info!

My feedback for this community site: this site makes me wait hours and hours between comments (most recently, it said I had to wait 21 hours), and it’s quite frustrating. I hope it will get better the more I post, when I’m not such a new user of this site.

Sorry you had that frustrating experience. However, we are constantly hit by Indian spammers, and this was one of the most effective controls to slow them down.