On Demand TLS with config from v2.6.4 error on v2.7.4

1. The problem I’m having:

I tried to use the on demand tls from my old config which works for Caddy 2.6.4 into Caddy 2.7.4
Docker version.

2. Error messages and/or full log output:

INFO	tls.cache.maintenance	started background certificate maintenance	{"cache": "0xc000432e00"}
INFO	http.auto_https	enabling automatic HTTP->HTTPS redirects	{"server_name": "srv0"}
WARN	pki.ca.local	installing root certificate (you might be prompted for password)	{"path": "storage:pki/authorities/local/root.crt"}
INFO	warning: "certutil" is not available, install "certutil" with "apt install libnss3-tools" or "yum install nss-tools" and try again
INFO	define JAVA_HOME environment variable to use the Java trust
INFO	certificate installed properly in linux trusts
INFO	http	enabling HTTP/3 listener	{"addr": ":8282"}
INFO	failed to sufficiently increase receive buffer size (was: 208 kiB, wanted: 2048 kiB, got: 416 kiB). See https://github.com/quic-go/quic-go/wiki/UDP-Buffer-Sizes for details.
INFO	http.log	server running	{"name": "srv0", "protocols": ["h1", "h2", "h3"]}
INFO	http.log	server running	{"name": "remaining_auto_https_redirects", "protocols": ["h1", "h2", "h3"]}
INFO	autosaved config (load with --resume flag)	{"file": "/config/caddy/autosave.json"}
INFO	serving initial configuration
INFO	tls	cleaning storage unit	{"description": "FileStorage:/data/caddy"}
INFO	tls	finished cleaning storage units

3. Caddy version:

Version 2.7.4 Docker with:

4. How I installed and ran Caddy:

Build using xcaddy builder

a. System environment:

OS: Debian 11

b. Command:

use UI Portainer to change the Docker image from old caddy 2.6.4 to 2.7.4

c. Service/unit/compose file:

PASTE OVER THIS, BETWEEN THE ``` LINES.
Please use the preview pane to ensure it looks nice.

d. My complete Caddy config:

{
    on_demand_tls {
        interval 2m
   burst    5
    }
}

https://:8282 {
@get method GET

route {
    basicauth {
        user passhere
    }
    file_server @get browse {
        root /
   }
}
tls {
        issuer internal
        on_demand
    }
}

5. Links to relevant resources:

I don’t see any errors in your logs. Are you sure there’s a problem?

Hello,

This is the error (miss-pasted):

ERROR	tls	request to 'ask' endpoint failed	{"ask_endpoint": "", "domain": "localhost", "error": "error checking  to determine if certificate for hostname 'localhost' should be allowed: Get \"?domain=localhost\": unsupported protocol scheme \"\""}

I tried to access the site using Cloudflared Tunnel.

and about the warning, should I be worried?

INFO	failed to sufficiently increase receive buffer size (was: 208 kiB, wanted: 2048 kiB, got: 416 kiB). See https://github.com/quic-go/quic-go/wiki/UDP-Buffer-Sizes for details.

You need to specify an ‘ask’ endpoint, this is required for on-demand TLS to work. (see the on-demand TLS docs – am mobile otherwise I’d link you).

And no, the buffer size thing is nothing to worry about.

ask is not required if you’re using tls internal though. But that error doesn’t make sense because you didn’t configure ask at all, so it shouldn’t be trying to use it.

Your config is messy though (inconsistent indentation) so it’s hard to read. Please run caddy fmt --overwrite to clean up your Caddyfile.

Oh… that’s true. Hmm.

Hello,

I’m afraid that is not the case.

The same configuration is being used in Caddy 2.6.4 and works up until now!
Why in the new version, the exact same configuration is giving errors.

Is there any big modification in version 2.7.4?

Here is my current scheme:
[Users] >> [Cloudflare Proxy] >> [Zero Trust Cloudflared Tunnel] >> [My Server] >> [Docker] >> [Caddy Container]