Please explain auto tls failure

1. The problem I’m having:

caddy auto tls fails
Can I do tls with a domain that points to a LAN address?

2. Error messages and/or full log output:

2023/11/02 16:16:20.875	debug	http.stdlib	http: TLS handshake error from EOF
2023/11/02 16:16:20.876	debug	tls.issuance.acme.acme_client	done waiting for solver	{"identifier": "", "challenge_type": "tls-alpn-01"}
2023/11/02 16:16:20.925	debug	tls.issuance.acme.acme_client	http request	{"method": "POST", "url": "", "headers": {"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.7.5 CertMagic acmez (windows; amd64)"]}, "response_headers": {"Boulder-Requester":["1392420186"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["801"],"Content-Type":["application/json"],"Date":["Thu, 02 Nov 2023 16:16:21 GMT"],"Link":["<>;rel=\"index\""],"Replay-Nonce":["x2pLemUfA_76BmMjZuOiSrYKCh7YFFQK1tAOki2VPI8d0P2lIiE"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]}, "status_code": 200}
2023/11/02 16:16:20.926	info	tls.issuance.acme.acme_client	trying to solve challenge	{"identifier": "", "challenge_type": "tls-alpn-01", "ca": ""}
2023/11/02 16:16:20.928	debug	tls.issuance.acme.acme_client	waiting for solver before continuing	{"identifier": "", "challenge_type": "tls-alpn-01"}
2023/11/02 16:16:20.928	debug	http.stdlib	http: TLS handshake error from EOF


2023/11/02 16:16:23.060	error	tls.issuance.acme.acme_client	challenge failed	{"identifier": "", "challenge_type": "tls-alpn-01", "problem": {"type": "urn:ietf:params:acme:error:connection", "title": "", "detail": "123:777:666:bad:dad:dead:beef:cafe: Network unreachable", "instance": "", "subproblems": []}}
2023/11/02 16:16:23.060	error	tls.issuance.acme.acme_client	validating authorization	{"identifier": "", "problem": {"type": "urn:ietf:params:acme:error:connection", "title": "", "detail": "123:456:789:12:345:dead:beef:cafe: Network unreachable", "instance": "", "subproblems": []}, "order": "", "attempt": 1, "max_attempts": 3}

github gist (full log)

3. Caddy version:

v2.7.5 h1:HoysvZkLcN2xJExEepaFHK92Qgs7xAiCFydN5x5Hs6Q=

4. How I installed and ran Caddy:

~/.go/bin/xcaddy.exe build v2.7.5 --with --with --with --with --with

Also I’m using msys2-mingw64 and have verified that %APPDATA%\caddy folder exists

a. System environment:

b. Command:

./caddy.exe run -c caddyfile -a caddyfile

c. Service/unit/compose file:


d. My complete Caddy config:

	email <$MY_EMAIL>
	log default {
		output file ./access.log {
			roll_size 8MB
			roll_keep 5
			roll_keep_for 720h
	log other {
		output stdout
	order cgi before respond
} {
	encode zstd gzip
	reverse_proxy /* {
	@gaiastatic {
		path /static /static/*
	handle @gaiastatic {
		encode zstd gzip
		file_server browse {
			root ...\\folder\\etc
} {
	encode zstd gzip
	reverse_proxy /* {

5. Links to relevant resources:


; A BIND file is a .TXT file that's used to export
; DNS records from one domain to another. BIND
; files are commonly used by lots of domain
; registrars, so they're a good choice if
; you're exporting resource records to a domain
; that's managed by a different registrar. 3600 IN A 3600 IN AAAA 123:456:789:012:345:dead:beef:cafe 3600 IN MX 10 3600 IN CNAME 3600 IN CNAME 3600 IN CNAME 3600 IN CNAME 3600 IN CNAME 3600 IN CNAME 3600 IN CNAME 3600 IN CNAME 3600 IN CNAME 3600 IN CNAME

Not with the ACME HTTP or ACME TLS-ALPN challenges – those require that ports 80 and 443 are publicly accessible from the internet.

You can use the ACME DNS challenge though. See this article:

Thankyou. I will just generate my own certs for the LAN. And I will read that information because there is probably a provider for google domains.

FYI Google Domains is shutting down (being transferred to SquareSpace). I recommend moving to a different domain registrar tbh.

Also the Google Domains API is extremely limited. We’ve archived the plugin GitHub - caddy-dns/google-domains: Support for ACME DNS challenge through Google Domains because they’re shutting down.

1 Like