Reverse Proxy and https setup

I have an internal Bind9 DNS server as well as Cloudflare for DNS challenges. I’m trying to set up Caddy as a reverse proxy to handle TLS certificates for all our internal servers.
I have the DNS entries for a few of our servers changed to the IP of our Caddy instance (10.0.0.13) and have our Caddyfile set up, but I clearly don’t have it set correctly as curl returns nothing for our subdomains. What am I missing/doing wrong?

2. Error messages and/or full log output:

curl 10.0.0.10: Welcome to nginx!
curl nginx:  
curl smx:
curl -vL smx: 
*   Trying 10.0.0.13:80...
* Connected to smx (10.0.0.13) port 80 (#0)
> GET / HTTP/1.1
> Host: smx
> User-Agent: curl/7.81.0
> Accept: */*
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 308 Permanent Redirect
< Connection: close
< Location: https://smx/
< Server: Caddy
< Date: Tue, 30 Apr 2024 20:03:05 GMT
< Content-Length: 0
< 
* Closing connection 0
* Clear auth, redirects to port from 80 to 443
* Issue another request to this URL: 'https://smx/'
*   Trying 10.0.0.13:443...
* Connected to smx (10.0.0.13) port 443 (#1)
* ALPN, offering h2
* ALPN, offering http/1.1
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.0 (OUT), TLS header, Certificate Status (22):
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS header, Unknown (21):
* TLSv1.3 (IN), TLS alert, internal error (592):
* error:0A000438:SSL routines::tlsv1 alert internal error
* Closing connection 1
curl: (35) error:0A000438:SSL routines::tlsv1 alert internal error

3. Caddy version: 2.7.6

4. How I installed and ran Caddy: systemd service from apt repository

a. System environment: Ubuntu 22.04, systemd

b. Command: systemctl start caddy

d. My complete Caddy config:

{
        debug
        acme_dns cloudflare api-token
        email ******
}
smx.ecfinternal.net {
	reverse_proxy 10.0.0.7:3443 {
	}
}
nginx.ecfinternal.net {
	reverse_proxy 10.0.0.10:80 {
	}
}

Logs:

Apr 30 19:51:43 auth systemd[1]: Started Caddy.
Apr 30 19:51:43 auth caddy[1858]: {"level":"info","ts":1714506703.7118087,"msg":"serving initial configuration"}
Apr 30 19:51:43 auth caddy[1858]: {"level":"info","ts":1714506703.7135735,"logger":"tls.obtain","msg":"acquiring lock","identifier":"nginx.ecfinternal.net"}
Apr 30 19:51:43 auth caddy[1858]: {"level":"warn","ts":1714506703.7145426,"logger":"tls","msg":"storage cleaning happened too recently; skipping for now","storage":"FileStorage:/var/lib/caddy/.local/share/caddy","instance":"531e7759-e154-46fd-a653-18750e0d82ee","try_again":1714593103.7145417,"try_again_in":86399.99999977}
Apr 30 19:51:43 auth caddy[1858]: {"level":"info","ts":1714506703.71458,"logger":"tls","msg":"finished cleaning storage units"}
Apr 30 19:51:43 auth caddy[1858]: {"level":"info","ts":1714506703.7157898,"logger":"tls.obtain","msg":"acquiring lock","identifier":"smx.ecfinternal.net"}
Apr 30 19:51:43 auth caddy[1858]: {"level":"info","ts":1714506703.7165918,"logger":"tls.obtain","msg":"lock acquired","identifier":"nginx.ecfinternal.net"}
Apr 30 19:51:43 auth caddy[1858]: {"level":"info","ts":1714506703.7167416,"logger":"tls.obtain","msg":"obtaining certificate","identifier":"nginx.ecfinternal.net"}
Apr 30 19:51:43 auth caddy[1858]: {"level":"debug","ts":1714506703.7168398,"logger":"events","msg":"event","name":"cert_obtaining","id":"38f29ce1-371a-4c47-8637-c70436825be8","origin":"tls","data":{"identifier":"nginx.ecfinternal.net"}}
Apr 30 19:51:43 auth caddy[1858]: {"level":"debug","ts":1714506703.7171643,"logger":"tls.obtain","msg":"trying issuer 1/2","issuer":"acme-v02.api.letsencrypt.org-directory"}
Apr 30 19:51:43 auth caddy[1858]: {"level":"info","ts":1714506703.7175317,"logger":"tls.issuance.acme","msg":"waiting on internal rate limiter","identifiers":["nginx.ecfinternal.net"],"ca":"https://acme-v02.api.letsencrypt.org/directory","account":"myemail@example.com"}
Apr 30 19:51:43 auth caddy[1858]: {"level":"info","ts":1714506703.7176096,"logger":"tls.issuance.acme","msg":"done waiting on internal rate limiter","identifiers":["nginx.ecfinternal.net"],"ca":"https://acme-v02.api.letsencrypt.org/directory","account":"myemail@example.com"}
Apr 30 19:51:43 auth caddy[1858]: {"level":"info","ts":1714506703.7190003,"logger":"tls.obtain","msg":"lock acquired","identifier":"smx.ecfinternal.net"}
Apr 30 19:51:43 auth caddy[1858]: {"level":"info","ts":1714506703.7191534,"logger":"tls.obtain","msg":"obtaining certificate","identifier":"smx.ecfinternal.net"}
Apr 30 19:51:43 auth caddy[1858]: {"level":"debug","ts":1714506703.719242,"logger":"events","msg":"event","name":"cert_obtaining","id":"0050e9d2-6070-4d35-ad3a-e24cf949d294","origin":"tls","data":{"identifier":"smx.ecfinternal.net"}}
Apr 30 19:51:43 auth caddy[1858]: {"level":"debug","ts":1714506703.719447,"logger":"tls.obtain","msg":"trying issuer 1/2","issuer":"acme-v02.api.letsencrypt.org-directory"}
Apr 30 19:51:43 auth caddy[1858]: {"level":"info","ts":1714506703.719613,"logger":"tls.issuance.acme","msg":"waiting on internal rate limiter","identifiers":["smx.ecfinternal.net"],"ca":"https://acme-v02.api.letsencrypt.org/directory","account":"myemail@example.com"}
Apr 30 19:51:43 auth caddy[1858]: {"level":"info","ts":1714506703.7197278,"logger":"tls.issuance.acme","msg":"done waiting on internal rate limiter","identifiers":["smx.ecfinternal.net"],"ca":"https://acme-v02.api.letsencrypt.org/directory","account":"myemail@example.com"}
Apr 30 19:51:43 auth caddy[1858]: {"level":"debug","ts":1714506703.9026036,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"GET","url":"https://acme-v02.api.letsencrypt.org/directory","headers":{"User-Agent":["Caddy/2.7.6 CertMagic acmez (linux; amd64)"]},"response_headers":{"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["747"],"Content-Type":["application/json"],"Date":["Tue, 30 Apr 2024 19:51:43 GMT"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":200}
Apr 30 19:51:43 auth caddy[1858]: {"level":"debug","ts":1714506703.9491193,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"HEAD","url":"https://acme-v02.api.letsencrypt.org/acme/new-nonce","headers":{"User-Agent":["Caddy/2.7.6 CertMagic acmez (linux; amd64)"]},"response_headers":{"Cache-Control":["public, max-age=0, no-cache"],"Date":["Tue, 30 Apr 2024 19:51:43 GMT"],"Link":["<https://acme-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["O0afatDIw8HAhqcwsdD6zsdvtNBxg67T5tlbWZ0v7-QQ9IpY3EU"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":200}
Apr 30 19:51:43 auth caddy[1858]: {"level":"debug","ts":1714506703.9499054,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"HEAD","url":"https://acme-v02.api.letsencrypt.org/acme/new-nonce","headers":{"User-Agent":["Caddy/2.7.6 CertMagic acmez (linux; amd64)"]},"response_headers":{"Cache-Control":["public, max-age=0, no-cache"],"Date":["Tue, 30 Apr 2024 19:51:43 GMT"],"Link":["<https://acme-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["Y_7AIQuU7LXlha7ggUNqlPklCno0nKn6KIkUqvE8IZ7tv50kpiE"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":200}
Apr 30 19:51:44 auth caddy[1858]: {"level":"debug","ts":1714506704.1833467,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"POST","url":"https://acme-v02.api.letsencrypt.org/acme/new-order","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.7.6 CertMagic acmez (linux; amd64)"]},"response_headers":{"Boulder-Requester":["1663302997"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["345"],"Content-Type":["application/json"],"Date":["Tue, 30 Apr 2024 19:51:44 GMT"],"Link":["<https://acme-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Location":["https://acme-v02.api.letsencrypt.org/acme/order/1663302997/265477647987"],"Replay-Nonce":["O0afatDIMLN3LPMu4KHxE3M1HVoXfVMnWsBgc-iJH4a9_pXUAJk"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":201}
Apr 30 19:51:44 auth caddy[1858]: {"level":"debug","ts":1714506704.235609,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"POST","url":"https://acme-v02.api.letsencrypt.org/acme/authz-v3/345060138147","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.7.6 CertMagic acmez (linux; amd64)"]},"response_headers":{"Boulder-Requester":["1663302997"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["803"],"Content-Type":["application/json"],"Date":["Tue, 30 Apr 2024 19:51:44 GMT"],"Link":["<https://acme-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["O0afatDI7z2a_msMg3p6tXgF8a11Q00bOnH_J2zk0sFZYf2uJQY"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":200}
Apr 30 19:51:44 auth caddy[1858]: {"level":"info","ts":1714506704.2357879,"logger":"tls.issuance.acme.acme_client","msg":"trying to solve challenge","identifier":"smx.ecfinternal.net","challenge_type":"dns-01","ca":"https://acme-v02.api.letsencrypt.org/directory"}
Apr 30 19:51:44 auth caddy[1858]: {"level":"debug","ts":1714506704.2626612,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"POST","url":"https://acme-v02.api.letsencrypt.org/acme/new-order","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.7.6 CertMagic acmez (linux; amd64)"]},"response_headers":{"Boulder-Requester":["1663302997"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["347"],"Content-Type":["application/json"],"Date":["Tue, 30 Apr 2024 19:51:44 GMT"],"Link":["<https://acme-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Location":["https://acme-v02.api.letsencrypt.org/acme/order/1663302997/265477648047"],"Replay-Nonce":["O0afatDI0kcDzfz9px5OQ924FdBuxJI9eEPDKVJ8ycoSb-uFBws"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":201}
Apr 30 19:51:44 auth caddy[1858]: {"level":"debug","ts":1714506704.3129365,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"POST","url":"https://acme-v02.api.letsencrypt.org/acme/authz-v3/345060138247","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.7.6 CertMagic acmez (linux; amd64)"]},"response_headers":{"Boulder-Requester":["1663302997"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["805"],"Content-Type":["application/json"],"Date":["Tue, 30 Apr 2024 19:51:44 GMT"],"Link":["<https://acme-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["O0afatDIjOoUBvaHrm_dnyzEJ6KMZRmz8Uoz4i5wTIEJS7jSM4U"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":200}
Apr 30 19:51:44 auth caddy[1858]: {"level":"info","ts":1714506704.312996,"logger":"tls.issuance.acme.acme_client","msg":"trying to solve challenge","identifier":"nginx.ecfinternal.net","challenge_type":"dns-01","ca":"https://acme-v02.api.letsencrypt.org/directory"}
Apr 30 19:51:44 auth caddy[1858]: {"level":"debug","ts":1714506704.7217104,"logger":"tls.issuance.acme.acme_client","msg":"waiting for solver before continuing","identifier":"smx.ecfinternal.net","challenge_type":"dns-01"}
Apr 30 19:51:44 auth caddy[1858]: {"level":"debug","ts":1714506704.84069,"logger":"tls.issuance.acme.acme_client","msg":"waiting for solver before continuing","identifier":"nginx.ecfinternal.net","challenge_type":"dns-01"}
Apr 30 19:53:44 auth caddy[1858]: {"level":"debug","ts":1714506824.9076054,"logger":"tls.issuance.acme.acme_client","msg":"done waiting for solver","identifier":"smx.ecfinternal.net","challenge_type":"dns-01"}
Apr 30 19:53:44 auth caddy[1858]: {"level":"debug","ts":1714506824.9812305,"logger":"tls.issuance.acme.acme_client","msg":"done waiting for solver","identifier":"nginx.ecfinternal.net","challenge_type":"dns-01"}
Apr 30 19:53:45 auth caddy[1858]: {"level":"debug","ts":1714506825.437513,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"POST","url":"https://acme-v02.api.letsencrypt.org/acme/authz-v3/345060138247","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.7.6 CertMagic acmez (linux; amd64)"]},"response_headers":{"Boulder-Requester":["1663302997"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["809"],"Content-Type":["application/json"],"Date":["Tue, 30 Apr 2024 19:53:45 GMT"],"Link":["<https://acme-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["O0afatDIhtne-vwY3i04s4D8geuQn1bioslSEVw6I-WZ75Dgan4"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":200}
Apr 30 19:53:45 auth caddy[1858]: {"level":"error","ts":1714506825.4376564,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"nginx.ecfinternal.net","issuer":"acme-v02.api.letsencrypt.org-directory","error":"[nginx.ecfinternal.net] solving challenges: waiting for solver certmagic.solverWrapper to be ready: timed out waiting for record to fully propagate; verify DNS provider configuration is correct - last error: <nil> (order=https://acme-v02.api.letsencrypt.org/acme/order/1663302997/265477648047) (ca=https://acme-v02.api.letsencrypt.org/directory)"}
Apr 30 19:53:45 auth caddy[1858]: {"level":"debug","ts":1714506825.4376724,"logger":"tls.obtain","msg":"trying issuer 2/2","issuer":"acme.zerossl.com-v2-DV90"}
Apr 30 19:53:45 auth caddy[1858]: {"level":"info","ts":1714506825.4378846,"logger":"tls.issuance.zerossl","msg":"waiting on internal rate limiter","identifiers":["nginx.ecfinternal.net"],"ca":"https://acme.zerossl.com/v2/DV90","account":"amendenhall@staff.gwi.net"}
Apr 30 19:53:45 auth caddy[1858]: {"level":"info","ts":1714506825.4378927,"logger":"tls.issuance.zerossl","msg":"done waiting on internal rate limiter","identifiers":["nginx.ecfinternal.net"],"ca":"https://acme.zerossl.com/v2/DV90","account":"amendenhall@staff.gwi.net"}
Apr 30 19:53:45 auth caddy[1858]: {"level":"debug","ts":1714506825.5379317,"logger":"tls.issuance.zerossl.acme_client","msg":"http request","method":"GET","url":"https://acme.zerossl.com/v2/DV90","headers":{"User-Agent":["Caddy/2.7.6 CertMagic acmez (linux; amd64)"]},"response_headers":{"Access-Control-Allow-Origin":["*"],"Content-Length":["645"],"Content-Type":["application/json"],"Date":["Tue, 30 Apr 2024 19:53:45 GMT"],"Server":["nginx"],"Strict-Transport-Security":["max-age=15724800; includeSubDomains"]},"status_code":200}
Apr 30 19:53:45 auth caddy[1858]: {"level":"debug","ts":1714506825.563805,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"POST","url":"https://acme-v02.api.letsencrypt.org/acme/authz-v3/345060138147","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.7.6 CertMagic acmez (linux; amd64)"]},"response_headers":{"Boulder-Requester":["1663302997"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["807"],"Content-Type":["application/json"],"Date":["Tue, 30 Apr 2024 19:53:45 GMT"],"Link":["<https://acme-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["O0afatDIymCFYruCCD6FWHktT4KqTO5HmPTD1rjib9BMQHS2buc"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":200}
Apr 30 19:53:45 auth caddy[1858]: {"level":"error","ts":1714506825.5638955,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"smx.ecfinternal.net","issuer":"acme-v02.api.letsencrypt.org-directory","error":"[smx.ecfinternal.net] solving challenges: waiting for solver certmagic.solverWrapper to be ready: timed out waiting for record to fully propagate; verify DNS provider configuration is correct - last error: <nil> (order=https://acme-v02.api.letsencrypt.org/acme/order/1663302997/265477647987) (ca=https://acme-v02.api.letsencrypt.org/directory)"}
Apr 30 19:53:45 auth caddy[1858]: {"level":"debug","ts":1714506825.5639098,"logger":"tls.obtain","msg":"trying issuer 2/2","issuer":"acme.zerossl.com-v2-DV90"}

You’re using the DNS challenge. As a sanity measure, Caddy checks if the TXT record is visible by doing the DNS query first before telling the CA, i.e. Let’s Encrypt and ZeroSSL, to go ahead and validate the DNS-01 challenge record. You can see the error message here says that Caddy couldn’t verify the DNS record has fully propagated.

I believe your internal DNS server is hijacking the resolution and preventing Caddy from checking. You can turn off Caddy’s sanity check by setting propagation_timeout to -1.

Ok, thank you. Seeing no valid A records in the log. Hmm. I can verify that the TXT records are being created in Cloudflare.

Added this to my Caddyfile

(prop) {
        tls {
                propagation_timeout -1
        }
}

smx.ecfinternal.net {
        reverse_proxy 10.0.0.7:3443
        import prop
}

nginx.ecfinternal.net {
        reverse_proxy 10.0.0.10:80
        import prop
}

new logs:

Apr 30 21:12:51 auth systemd[1]: Started Caddy.
Apr 30 21:12:51 auth caddy[2161]: {"level":"info","ts":1714511571.3222373,"msg":"serving initial configuration"}
Apr 30 21:12:51 auth caddy[2161]: {"level":"info","ts":1714511571.3256135,"logger":"tls.obtain","msg":"acquiring lock","identifier":"smx.ecfinternal.net"}
Apr 30 21:12:51 auth caddy[2161]: {"level":"warn","ts":1714511571.3265698,"logger":"tls","msg":"storage cleaning happened too recently; skipping for now","storage":"FileStorage:/var/lib/caddy/.local/share/caddy","instance":"531e7759-e154-46fd-a653-18750e0d82ee","try_again":1714597971.3265688,"try_again_in":86399.99999978}
Apr 30 21:12:51 auth caddy[2161]: {"level":"info","ts":1714511571.326606,"logger":"tls","msg":"finished cleaning storage units"}
Apr 30 21:12:51 auth caddy[2161]: {"level":"info","ts":1714511571.3277743,"logger":"tls.obtain","msg":"acquiring lock","identifier":"nginx.ecfinternal.net"}
Apr 30 21:12:51 auth caddy[2161]: {"level":"info","ts":1714511571.3286362,"logger":"tls.obtain","msg":"lock acquired","identifier":"smx.ecfinternal.net"}
Apr 30 21:12:51 auth caddy[2161]: {"level":"info","ts":1714511571.3287923,"logger":"tls.obtain","msg":"obtaining certificate","identifier":"smx.ecfinternal.net"}
Apr 30 21:12:51 auth caddy[2161]: {"level":"debug","ts":1714511571.3288872,"logger":"events","msg":"event","name":"cert_obtaining","id":"8d5b88f9-b025-4d89-b2b2-6f6029df074e","origin":"tls","data":{"identifier":"smx.ecfinternal.net"}}
Apr 30 21:12:51 auth caddy[2161]: {"level":"debug","ts":1714511571.329187,"logger":"tls.obtain","msg":"trying issuer 1/2","issuer":"acme-v02.api.letsencrypt.org-directory"}
Apr 30 21:12:51 auth caddy[2161]: {"level":"info","ts":1714511571.329576,"logger":"tls.issuance.acme","msg":"waiting on internal rate limiter","identifiers":["smx.ecfinternal.net"],"ca":"https://acme-v02.api.letsencrypt.org/directory","account":"example@email.com"}
Apr 30 21:12:51 auth caddy[2161]: {"level":"info","ts":1714511571.329658,"logger":"tls.issuance.acme","msg":"done waiting on internal rate limiter","identifiers":["smx.ecfinternal.net"],"ca":"https://acme-v02.api.letsencrypt.org/directory","account":"example@email.com"}
Apr 30 21:12:51 auth caddy[2161]: {"level":"info","ts":1714511571.3310215,"logger":"tls.obtain","msg":"lock acquired","identifier":"nginx.ecfinternal.net"}
Apr 30 21:12:51 auth caddy[2161]: {"level":"info","ts":1714511571.331268,"logger":"tls.obtain","msg":"obtaining certificate","identifier":"nginx.ecfinternal.net"}
Apr 30 21:12:51 auth caddy[2161]: {"level":"debug","ts":1714511571.3313763,"logger":"events","msg":"event","name":"cert_obtaining","id":"443b6ab6-a73e-4a63-9704-3be43d40d0fc","origin":"tls","data":{"identifier":"nginx.ecfinternal.net"}}
Apr 30 21:12:51 auth caddy[2161]: {"level":"debug","ts":1714511571.331607,"logger":"tls.obtain","msg":"trying issuer 1/2","issuer":"acme-v02.api.letsencrypt.org-directory"}
Apr 30 21:12:51 auth caddy[2161]: {"level":"info","ts":1714511571.331845,"logger":"tls.issuance.acme","msg":"waiting on internal rate limiter","identifiers":["nginx.ecfinternal.net"],"ca":"https://acme-v02.api.letsencrypt.org/directory","account":"example@email.com"}
Apr 30 21:12:51 auth caddy[2161]: {"level":"debug","ts":1714511571.5747275,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"HEAD","url":"https://acme-v02.api.letsencrypt.org/acme/new-nonce","headers":{"User-Agent":["Caddy/2.7.6 CertMagic acmez (linux; amd64)"]},"response_headers":{"Cache-Control":["public, max-age=0, no-cache"],"Date":["Tue, 30 Apr 2024 21:12:51 GMT"],"Link":["<https://acme-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["Y_7AIQuUz7dYU7A0hd_d9pYYMa4aGRl28xOsJDTE6LWTKok4390"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":200}
Apr 30 21:12:51 auth caddy[2161]: {"level":"debug","ts":1714511571.8175056,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"POST","url":"https://acme-v02.api.letsencrypt.org/acme/new-order","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.7.6 CertMagic acmez (linux; amd64)"]},"response_headers":{"Boulder-Requester":["1663302997"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["345"],"Content-Type":["application/json"],"Date":["Tue, 30 Apr 2024 21:12:51 GMT"],"Link":["<https://acme-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Location":["https://acme-v02.api.letsencrypt.org/acme/order/1663302997/265492884387"],"Replay-Nonce":["Y_7AIQuUtmYbmXS8jiFxYf0yHhtcKY6TNGFR2NpmFLFzrUiSOkA"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":201}
Apr 30 21:12:51 auth caddy[2161]: {"level":"debug","ts":1714511571.8680286,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"POST","url":"https://acme-v02.api.letsencrypt.org/acme/authz-v3/345082402507","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.7.6 CertMagic acmez (linux; amd64)"]},"response_headers":{"Boulder-Requester":["1663302997"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["803"],"Content-Type":["application/json"],"Date":["Tue, 30 Apr 2024 21:12:51 GMT"],"Link":["<https://acme-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["Y_7AIQuUPMGu8sEg31JLq3vP2mWoMfQ2-chPeU4ePezwPtfO0D4"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":200}
Apr 30 21:12:51 auth caddy[2161]: {"level":"info","ts":1714511571.8681455,"logger":"tls.issuance.acme.acme_client","msg":"trying to solve challenge","identifier":"smx.ecfinternal.net","challenge_type":"http-01","ca":"https://acme-v02.api.letsencrypt.org/directory"}
Apr 30 21:12:51 auth caddy[2161]: {"level":"debug","ts":1714511571.868413,"logger":"tls.issuance.acme.acme_client","msg":"waiting for solver before continuing","identifier":"smx.ecfinternal.net","challenge_type":"http-01"}
Apr 30 21:12:51 auth caddy[2161]: {"level":"debug","ts":1714511571.868488,"logger":"tls.issuance.acme.acme_client","msg":"done waiting for solver","identifier":"smx.ecfinternal.net","challenge_type":"http-01"}
Apr 30 21:12:51 auth caddy[2161]: {"level":"debug","ts":1714511571.9007714,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"POST","url":"https://acme-v02.api.letsencrypt.org/acme/new-order","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.7.6 CertMagic acmez (linux; amd64)"]},"response_headers":{"Boulder-Requester":["1663302997"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["347"],"Content-Type":["application/json"],"Date":["Tue, 30 Apr 2024 21:12:51 GMT"],"Link":["<https://acme-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Location":["https://acme-v02.api.letsencrypt.org/acme/order/1663302997/265492884437"],"Replay-Nonce":["O0afatDIxARiGsob_exgpbvoKF8h9uwRj263V9i03zCRYCEZfv0"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":201}
Apr 30 21:12:51 auth caddy[2161]: {"level":"debug","ts":1714511571.9224193,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"POST","url":"https://acme-v02.api.letsencrypt.org/acme/chall-v3/345082402507/tygJIA","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.7.6 CertMagic acmez (linux; amd64)"]},"response_headers":{"Boulder-Requester":["1663302997"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["187"],"Content-Type":["application/json"],"Date":["Tue, 30 Apr 2024 21:12:51 GMT"],"Link":["<https://acme-v02.api.letsencrypt.org/directory>;rel=\"index\"","<https://acme-v02.api.letsencrypt.org/acme/authz-v3/345082402507>;rel=\"up\""],"Location":["https://acme-v02.api.letsencrypt.org/acme/chall-v3/345082402507/tygJIA"],"Replay-Nonce":["O0afatDIGIDoEewtwNlWXy7DY1ALCqJc43BXRThFQqgMUr5EVhQ"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":200}
Apr 30 21:12:51 auth caddy[2161]: {"level":"debug","ts":1714511571.9224548,"logger":"tls.issuance.acme.acme_client","msg":"challenge accepted","identifier":"smx.ecfinternal.net","challenge_type":"http-01"}
Apr 30 21:12:51 auth caddy[2161]: {"level":"debug","ts":1714511571.9514976,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"POST","url":"https://acme-v02.api.letsencrypt.org/acme/authz-v3/345082402467","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.7.6 CertMagic acmez (linux; amd64)"]},"response_headers":{"Boulder-Requester":["1663302997"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["805"],"Content-Type":["application/json"],"Date":["Tue, 30 Apr 2024 21:12:51 GMT"],"Link":["<https://acme-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["O0afatDIeLW3bR-i2KLRPhehH6rGekEG4ztazQsyYOohrVetkyg"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":200}
Apr 30 21:12:51 auth caddy[2161]: {"level":"info","ts":1714511571.9515555,"logger":"tls.issuance.acme.acme_client","msg":"trying to solve challenge","identifier":"nginx.ecfinternal.net","challenge_type":"http-01","ca":"https://acme-v02.api.letsencrypt.org/directory"}
Apr 30 21:12:51 auth caddy[2161]: {"level":"debug","ts":1714511571.9517803,"logger":"tls.issuance.acme.acme_client","msg":"waiting for solver before continuing","identifier":"nginx.ecfinternal.net","challenge_type":"http-01"}
Apr 30 21:12:51 auth caddy[2161]: {"level":"debug","ts":1714511571.9518733,"logger":"tls.issuance.acme.acme_client","msg":"done waiting for solver","identifier":"nginx.ecfinternal.net","challenge_type":"http-01"}
Apr 30 21:12:52 auth caddy[2161]: {"level":"debug","ts":1714511572.0072584,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"POST","url":"https://acme-v02.api.letsencrypt.org/acme/chall-v3/345082402467/0Vn0eQ","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.7.6 CertMagic acmez (linux; amd64)"]},"response_headers":{"Boulder-Requester":["1663302997"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["187"],"Content-Type":["application/json"],"Date":["Tue, 30 Apr 2024 21:12:51 GMT"],"Link":["<https://acme-v02.api.letsencrypt.org/directory>;rel=\"index\"","<https://acme-v02.api.letsencrypt.org/acme/authz-v3/345082402467>;rel=\"up\""],"Location":["https://acme-v02.api.letsencrypt.org/acme/chall-v3/345082402467/0Vn0eQ"],"Replay-Nonce":["O0afatDIt92kVlW7l20mO2P1lYbGRppcikf3tPse8lEUxPbaKbs"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":200}
Apr 30 21:12:52 auth caddy[2161]: {"level":"debug","ts":1714511572.0072997,"logger":"tls.issuance.acme.acme_client","msg":"challenge accepted","identifier":"nginx.ecfinternal.net","challenge_type":"http-01"}
Apr 30 21:12:52 auth caddy[2161]: {"level":"debug","ts":1714511572.229439,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"POST","url":"https://acme-v02.api.letsencrypt.org/acme/authz-v3/345082402507","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.7.6 CertMagic acmez (linux; amd64)"]},"response_headers":{"Boulder-Requester":["1663302997"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["638"],"Content-Type":["application/json"],"Date":["Tue, 30 Apr 2024 21:12:52 GMT"],"Link":["<https://acme-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["O0afatDI7PFkFXZv25V_ghJR8XD-yMdH0aJTwq_gAiGqtQowaB4"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":200}
Apr 30 21:12:52 auth caddy[2161]: {"level":"error","ts":1714511572.2296233,"logger":"tls.issuance.acme.acme_client","msg":"challenge failed","identifier":"smx.ecfinternal.net","challenge_type":"http-01","problem":{"type":"urn:ietf:params:acme:error:dns","title":"","detail":"no valid A records found for smx.ecfinternal.net; no valid AAAA records found for smx.ecfinternal.net","instance":"","subproblems":[]}}
Apr 30 21:12:52 auth caddy[2161]: {"level":"error","ts":1714511572.229639,"logger":"tls.issuance.acme.acme_client","msg":"validating authorization","identifier":"smx.ecfinternal.net","problem":{"type":"urn:ietf:params:acme:error:dns","title":"","detail":"no valid A records found for smx.ecfinternal.net; no valid AAAA records found for smx.ecfinternal.net","instance":"","subproblems":[]},"order":"https://acme-v02.api.letsencrypt.org/acme/order/1663302997/265492884387","attempt":1,"max_attempts":3}
Apr 30 21:12:52 auth caddy[2161]: {"level":"debug","ts":1714511572.34668,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"POST","url":"https://acme-v02.api.letsencrypt.org/acme/authz-v3/345082402467","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.7.6 CertMagic acmez (linux; amd64)"]},"response_headers":{"Boulder-Requester":["1663302997"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["644"],"Content-Type":["application/json"],"Date":["Tue, 30 Apr 2024 21:12:52 GMT"],"Link":["<https://acme-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["O0afatDIsfLkVl5agXz-ZGZIEq3FYH1U0Eq6k3eiHZYBOrq5kMg"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":200}
Apr 30 21:12:52 auth caddy[2161]: {"level":"error","ts":1714511572.3468218,"logger":"tls.issuance.acme.acme_client","msg":"challenge failed","identifier":"nginx.ecfinternal.net","challenge_type":"http-01","problem":{"type":"urn:ietf:params:acme:error:dns","title":"","detail":"no valid A records found for nginx.ecfinternal.net; no valid AAAA records found for nginx.ecfinternal.net","instance":"","subproblems":[]}}
Apr 30 21:12:52 auth caddy[2161]: {"level":"error","ts":1714511572.3468342,"logger":"tls.issuance.acme.acme_client","msg":"validating authorization","identifier":"nginx.ecfinternal.net","problem":{"type":"urn:ietf:params:acme:error:dns","title":"","detail":"no valid A records found for nginx.ecfinternal.net; no valid AAAA records found for nginx.ecfinternal.net","instance":"","subproblems":[]},"order":"https://acme-v02.api.letsencrypt.org/acme/order/1663302997/265492884437","attempt":1,"max_attempts":3}

You removed the cloudflare part. Why? Your tls directive should be:

tls {
    propagation_timeout -1
    dns cloudflare <YOUR-API-TOKEN>
}
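
A triage script for the two failures seen in this thread: the dns-01 propagation timeout explained in the first reply, and the http-01 attempt that prompted the question about the missing cloudflare line. It is an added example, not part of the original posts and not Caddy's own tooling; the log lines are constructed (shortened from the shape of the journald output above), and the function names and finding codes are made up for the example.

```python
import json
from collections import defaultdict

# Constructed samples: journald lines shortened from the shape of the logs in
# this thread (ts fields, nonces, headers and order URLs dropped).
FIRST_RUN = """\
Apr 30 19:51:43 auth systemd[1]: Started Caddy.
Apr 30 19:51:44 auth caddy[1858]: {"level":"info","logger":"tls.issuance.acme.acme_client","msg":"trying to solve challenge","identifier":"smx.ecfinternal.net","challenge_type":"dns-01"}
Apr 30 19:53:45 auth caddy[1858]: {"level":"error","logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"smx.ecfinternal.net","error":"[smx.ecfinternal.net] solving challenges: waiting for solver certmagic.solverWrapper to be ready: timed out waiting for record to fully propagate; verify DNS provider configuration is correct - last error: <nil>"}
"""

# The first entry is deliberately wrapped across two lines, as one log line in
# the thread was, to show that damaged lines are skipped rather than fatal.
SECOND_RUN = """\
Apr 30 21:12:51 auth caddy[2161]: {"level":"info","logger":"tls.issuance.acme","msg":"waiting on internal rate limiter","identifiers":["nginx.ecfinternal.net"],"ca":"https://acme-v02.api.lets
encrypt.org/directory","account":"example@email.com"}
Apr 30 21:12:51 auth caddy[2161]: {"level":"info","logger":"tls.issuance.acme.acme_client","msg":"trying to solve challenge","identifier":"nginx.ecfinternal.net","challenge_type":"http-01"}
Apr 30 21:12:52 auth caddy[2161]: {"level":"error","logger":"tls.issuance.acme.acme_client","msg":"challenge failed","identifier":"nginx.ecfinternal.net","challenge_type":"http-01","problem":{"type":"urn:ietf:params:acme:error:dns","detail":"no valid A records found for nginx.ecfinternal.net; no valid AAAA records found for nginx.ecfinternal.net"}}
"""

PROPAGATION_TIMEOUT = "timed out waiting for record to fully propagate"

# Finding codes (hypothetical names) and what each one points to.
HINTS = {
    "DNS01_LOCAL_PROPAGATION_TIMEOUT":
        "Caddy's own TXT lookup never saw the record; compare what the "
        "resolver Caddy uses returns with what a public resolver returns.",
    "HTTP01_NO_PUBLIC_A_RECORD":
        "The CA looked for a public A/AAAA record and found none, which is "
        "expected for a name that only resolves internally.",
    "DNS01_NOT_ATTEMPTED":
        "Only other challenge types were tried; check that the dns provider "
        "is part of the tls settings that apply to this site.",
}


def parse_journal(text):
    """Yield the JSON object from each journald line that carries one."""
    for line in text.splitlines():
        start = line.find("{")
        if start == -1:
            continue  # plain systemd line or the tail of a wrapped entry
        try:
            entry = json.loads(line[start:])
        except json.JSONDecodeError:
            continue  # truncated or wrapped entry
        if isinstance(entry, dict):
            yield entry


def triage(text):
    """Return {hostname: sorted finding codes} for one Caddy start-up log."""
    tried = defaultdict(set)     # hostname -> challenge types attempted
    findings = defaultdict(set)  # hostname -> finding codes
    for entry in parse_journal(text):
        name = entry.get("identifier")
        if not name:
            continue
        msg = entry.get("msg", "")
        ctype = entry.get("challenge_type")
        if msg == "trying to solve challenge" and ctype:
            tried[name].add(ctype)
        elif (msg == "could not get certificate from issuer"
              and PROPAGATION_TIMEOUT in entry.get("error", "")):
            findings[name].add("DNS01_LOCAL_PROPAGATION_TIMEOUT")
        elif msg == "challenge failed" and ctype == "http-01":
            problem = entry.get("problem") or {}
            if problem.get("type") == "urn:ietf:params:acme:error:dns":
                findings[name].add("HTTP01_NO_PUBLIC_A_RECORD")
    # A site meant to use the DNS challenge should show dns-01 being tried.
    for name, types in tried.items():
        if "dns-01" not in types:
            findings[name].add("DNS01_NOT_ATTEMPTED")
    return {name: sorted(codes) for name, codes in findings.items()}


if __name__ == "__main__":
    for label, log in (("first run", FIRST_RUN), ("second run", SECOND_RUN)):
        for host, codes in triage(log).items():
            for code in codes:
                print(f"{label}: {host}: {code}: {HINTS[code]}")
```

To use it on a real host, pass the text of `journalctl -u caddy --no-pager` to `triage()` in place of the constructed samples.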

Sorry, I should have included the whole Caddyfile again. The cloudflare part was in the global config section rather than a snippet, but I moved it to the snippet just now, so my tls directive now looks like what you posted.

Can see I’m hitting the rate limit of Let’s Encrypt, as can be expected. Can confirm new TXT records were created in Cloudflare.
New Logs:

Apr 30 21:35:44 auth systemd[1]: Started Caddy.
Apr 30 21:35:44 auth caddy[2300]: {"level":"info","ts":1714512944.8949072,"msg":"serving initial configuration"}
Apr 30 21:35:44 auth caddy[2300]: {"level":"info","ts":1714512944.8992465,"logger":"tls.obtain","msg":"lock acquired","identifier":"nginx.ecfinternal.net"}
Apr 30 21:35:44 auth caddy[2300]: {"level":"info","ts":1714512944.8993795,"logger":"tls.obtain","msg":"obtaining certificate","identifier":"nginx.ecfinternal.net"}
Apr 30 21:35:44 auth caddy[2300]: {"level":"info","ts":1714512944.8999712,"logger":"tls.issuance.acme","msg":"waiting on internal rate limiter","identifiers":["nginx.ecfinternal.net"],"ca":"https://acme-v02.api.letsencrypt.org/directory","account":"example@email.com"}
Apr 30 21:35:44 auth caddy[2300]: {"level":"info","ts":1714512944.9000444,"logger":"tls.issuance.acme","msg":"done waiting on internal rate limiter","identifiers":["nginx.ecfinternal.net"],"ca":"https://acme-v02.api.letsencrypt.org/directory","account":"example@email.com"}
Apr 30 21:35:44 auth caddy[2300]: {"level":"info","ts":1714512944.9008684,"logger":"tls.obtain","msg":"acquiring lock","identifier":"smx.ecfinternal.net"}
Apr 30 21:35:44 auth caddy[2300]: {"level":"warn","ts":1714512944.9011455,"logger":"tls","msg":"storage cleaning happened too recently; skipping for now","storage":"FileStorage:/var/lib/caddy/.local/share/caddy","instance":"531e7759-e154-46fd-a653-18750e0d82ee","try_again":1714599344.9011424,"try_again_in":86399.99999877}
Apr 30 21:35:44 auth caddy[2300]: {"level":"info","ts":1714512944.901185,"logger":"tls","msg":"finished cleaning storage units"}
Apr 30 21:35:44 auth caddy[2300]: {"level":"info","ts":1714512944.9038057,"logger":"tls.obtain","msg":"lock acquired","identifier":"smx.ecfinternal.net"}
Apr 30 21:35:44 auth caddy[2300]: {"level":"info","ts":1714512944.9039843,"logger":"tls.obtain","msg":"obtaining certificate","identifier":"smx.ecfinternal.net"}
Apr 30 21:35:44 auth caddy[2300]: {"level":"info","ts":1714512944.9043274,"logger":"tls.issuance.acme","msg":"waiting on internal rate limiter","identifiers":["smx.ecfinternal.net"],"ca":"https://acme-v02.api.letsencrypt.org/directory","account":"example@email.com"}
Apr 30 21:35:44 auth caddy[2300]: {"level":"info","ts":1714512944.904434,"logger":"tls.issuance.acme","msg":"done waiting on internal rate limiter","identifiers":["smx.ecfinternal.net"],"ca":"https://acme-v02.api.letsencrypt.org/directory","account":"example@email.com"}
Apr 30 21:35:45 auth caddy[2300]: {"level":"error","ts":1714512945.193236,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"nginx.ecfinternal.net","issuer":"acme-v02.api.letsencrypt.org-directory","error":"HTTP 429 urn:ietf:params:acme:error:rateLimited - Error creating new order :: too many failed authorizations recently: see https://letsencrypt.org/docs/failed-validation-limit/"}
Apr 30 21:35:45 auth caddy[2300]: {"level":"info","ts":1714512945.1934514,"logger":"tls.issuance.zerossl","msg":"waiting on internal rate limiter","identifiers":["nginx.ecfinternal.net"],"ca":"https://acme.zerossl.com/v2/DV90","account":"example@email.com"}
Apr 30 21:35:45 auth caddy[2300]: {"level":"info","ts":1714512945.1934595,"logger":"tls.issuance.zerossl","msg":"done waiting on internal rate limiter","identifiers":["nginx.ecfinternal.net"],"ca":"https://acme.zerossl.com/v2/DV90","account":"example@email.com"}
Apr 30 21:35:45 auth caddy[2300]: {"level":"error","ts":1714512945.2084873,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"smx.ecfinternal.net","issuer":"acme-v02.api.letsencrypt.org-directory","error":"HTTP 429 urn:ietf:params:acme:error:rateLimited - Error creating new order :: too many failed authorizations recently: see https://letsencrypt.org/docs/failed-validation-limit/"}
Apr 30 21:35:45 auth caddy[2300]: {"level":"info","ts":1714512945.2086003,"logger":"tls.issuance.zerossl","msg":"waiting on internal rate limiter","identifiers":["smx.ecfinternal.net"],"ca":"https://acme.zerossl.com/v2/DV90","account":"example@email.com"}
Apr 30 21:35:45 auth caddy[2300]: {"level":"info","ts":1714512945.2086163,"logger":"tls.issuance.zerossl","msg":"done waiting on internal rate limiter","identifiers":["smx.ecfinternal.net"],"ca":"https://acme.zerossl.com/v2/DV90","account":"example@email.com"}
Apr 30 21:35:55 auth caddy[2300]: {"level":"info","ts":1714512955.7869313,"logger":"tls.issuance.zerossl.acme_client","msg":"trying to solve challenge","identifier":"smx.ecfinternal.net","challenge_type":"dns-01","ca":"https://acme.zerossl.com/v2/DV90"}
Apr 30 21:35:55 auth caddy[2300]: {"level":"info","ts":1714512955.8502111,"logger":"tls.issuance.zerossl.acme_client","msg":"trying to solve challenge","identifier":"nginx.ecfinternal.net","challenge_type":"dns-01","ca":"https://acme.zerossl.com/v2/DV90"}

What’s after these lines? You’re rate-limited by Let’s Encrypt, but here’s an attempt with ZeroSSL.

Nothing as of yet, that’s the end of the log.

I did just try temporarily turning off automatic https just to see if ignoring the DNS challenge and certificate part of this would perhaps allow curl to work, but no dice. Obviously that’s not the end goal, but seemed worth trying to eliminate variables.

nslookup 10.0.0.13
13.0.0.10.in-addr.arpa	name = auth.ecfinternal.net.
13.0.0.10.in-addr.arpa	name = nginx.ecfinternal.net.
13.0.0.10.in-addr.arpa	name = smx.ecfinternal.net.

Caddyfile:

http://smx.ecfinternal.net {
        reverse_proxy 10.0.0.7:3443
#       import prop
}

http://nginx.ecfinternal.net {
        reverse_proxy 10.0.0.10:80
#       import prop
}

Logs:

Apr 30 22:02:02 auth systemd[1]: Starting Caddy...
Apr 30 22:02:02 auth caddy[2422]: caddy.HomeDir=/var/lib/caddy
Apr 30 22:02:02 auth caddy[2422]: caddy.AppDataDir=/var/lib/caddy/.local/share/caddy
Apr 30 22:02:02 auth caddy[2422]: caddy.AppConfigDir=/var/lib/caddy/.config/caddy
Apr 30 22:02:02 auth caddy[2422]: caddy.ConfigAutosavePath=/var/lib/caddy/.config/caddy/autosave.json
Apr 30 22:02:02 auth caddy[2422]: caddy.Version=v2.7.6 h1:w0NymbG2m9PcvKWsrXO6EEkY9Ru4FJK8uQbYcev1p3A=
Apr 30 22:02:02 auth caddy[2422]: runtime.GOOS=linux
Apr 30 22:02:02 auth caddy[2422]: runtime.GOARCH=amd64
Apr 30 22:02:02 auth caddy[2422]: runtime.Compiler=gc
Apr 30 22:02:02 auth caddy[2422]: runtime.NumCPU=2
Apr 30 22:02:02 auth caddy[2422]: runtime.GOMAXPROCS=2
Apr 30 22:02:02 auth caddy[2422]: runtime.Version=go1.22.2
Apr 30 22:02:02 auth caddy[2422]: os.Getwd=/
Apr 30 22:02:02 auth caddy[2422]: LANG=en_US.UTF-8
Apr 30 22:02:02 auth caddy[2422]: PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin
Apr 30 22:02:02 auth caddy[2422]: NOTIFY_SOCKET=/run/systemd/notify
Apr 30 22:02:02 auth caddy[2422]: HOME=/var/lib/caddy
Apr 30 22:02:02 auth caddy[2422]: LOGNAME=caddy
Apr 30 22:02:02 auth caddy[2422]: USER=caddy
Apr 30 22:02:02 auth caddy[2422]: INVOCATION_ID=4c1d4af906524e26af2b7fcf3f45656a
Apr 30 22:02:02 auth caddy[2422]: JOURNAL_STREAM=8:87058
Apr 30 22:02:02 auth caddy[2422]: SYSTEMD_EXEC_PID=2422
Apr 30 22:02:02 auth caddy[2422]: {"level":"info","ts":1714514522.1224456,"msg":"using provided configuration","config_file":"/etc/caddy/Caddyfile","config_adapter":""}
Apr 30 22:02:02 auth caddy[2422]: {"level":"warn","ts":1714514522.123341,"msg":"Caddyfile input is not formatted; run 'caddy fmt --overwrite' to fix inconsistencies","adapter":"caddyfile","file":"/etc/caddy/Caddyfile","line":27}
Apr 30 22:02:02 auth caddy[2422]: {"level":"info","ts":1714514522.1242106,"logger":"admin","msg":"admin endpoint started","address":"localhost:2019","enforce_origin":false,"origins":["//127.0.0.1:2019","//localhost:2019","//[::1]:2019"]}
Apr 30 22:02:02 auth caddy[2422]: {"level":"warn","ts":1714514522.1243331,"logger":"http.auto_https","msg":"server is listening only on the HTTP port, so no automatic HTTPS will be applied to this server","server_name":"srv0","http_port":80}
Apr 30 22:02:02 auth caddy[2422]: {"level":"info","ts":1714514522.1247807,"logger":"http.log","msg":"server running","name":"srv0","protocols":["h1","h2","h3"]}
Apr 30 22:02:02 auth caddy[2422]: {"level":"info","ts":1714514522.1248722,"msg":"autosaved config (load with --resume flag)","file":"/var/lib/caddy/.config/caddy/autosave.json"}
Apr 30 22:02:02 auth caddy[2422]: {"level":"info","ts":1714514522.1249013,"msg":"serving initial configuration"}
Apr 30 22:02:02 auth systemd[1]: Started Caddy.
Apr 30 22:02:02 auth caddy[2422]: {"level":"info","ts":1714514522.1265411,"logger":"tls.cache.maintenance","msg":"started background certificate maintenance","cache":"0xc0000b9180"}
Apr 30 22:02:02 auth caddy[2422]: {"level":"warn","ts":1714514522.1300924,"logger":"tls","msg":"storage cleaning happened too recently; skipping for now","storage":"FileStorage:/var/lib/caddy/.local/share/caddy","instance":"531e7759-e154-46fd-a653-18750e0d82ee","try_again":1714600922.1300914,"try_again_in":86399.99999982}
Apr 30 22:02:02 auth caddy[2422]: {"level":"info","ts":1714514522.1301324,"logger":"tls","msg":"finished cleaning storage units"}

I tried just reverse proxying a service running on localhost. “auth.ecfinternal.net reverse_proxy localhost:666” did not work but “:80 reverse_proxy localhost:666” did. Hmm

Just to check, also tried “:80 reverse_proxy 10.0.0.7:3443” which also did not work.

Hmm, so http://auth.ecfinternal.net reverse_proxy localhost:666 does work. http://smx.auth.ecfinternal.net reverse_proxy 10.0.0.7:3443 does not.

You’ll need to say more than “does work” and “does not work”. Elaborate. That doesn’t mean anything for us. The problem space is infinite. Enable the debug global option, then show your logs, show example requests with curl -v to show what happens.

Yes, gladly.
Caddyfile:

{
        debug
}

http://auth.ecfinternal.net {
        reverse_proxy localhost:666
}

http://smx.ecfinternal.net {
        reverse_proxy https://10.0.0.7:3443
}

curl -v auth.ecfinternal.net

*   Trying 10.0.0.13:80...
* Connected to auth.ecfinternal.net (10.0.0.13) port 80 (#0)
> GET / HTTP/1.1
> Host: auth.ecfinternal.net
> User-Agent: curl/7.81.0
> Accept: */*
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 308 Permanent Redirect
< Connection: close
< Location: https://auth.ecfinternal.net/
< Server: Caddy
< Date: Tue, 07 May 2024 19:29:02 GMT
< Content-Length: 0
< 
* Closing connection 0

curl -v smx.ecfinternal.net

*   Trying 10.0.0.13:80...
* Connected to smx.ecfinternal.net (10.0.0.13) port 80 (#0)
> GET / HTTP/1.1
> Host: smx.ecfinternal.net
> User-Agent: curl/7.81.0
> Accept: */*
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 502 Bad Gateway
< Server: Caddy
< Date: Tue, 07 May 2024 19:33:02 GMT
< Content-Length: 0
< 
* Connection #0 to host smx.ecfinternal.net left intact

Logs

May 07 19:35:45 auth systemd[1]: Starting Caddy...
May 07 19:35:45 auth caddy[37810]: caddy.HomeDir=/var/lib/caddy
May 07 19:35:45 auth caddy[37810]: caddy.AppDataDir=/var/lib/caddy/.local/share/caddy
May 07 19:35:45 auth caddy[37810]: caddy.AppConfigDir=/var/lib/caddy/.config/caddy
May 07 19:35:45 auth caddy[37810]: caddy.ConfigAutosavePath=/var/lib/caddy/.config/caddy/autosave.json
May 07 19:35:45 auth caddy[37810]: caddy.Version=v2.7.6 h1:w0NymbG2m9PcvKWsrXO6EEkY9Ru4FJK8uQbYcev1p3A=
May 07 19:35:45 auth caddy[37810]: runtime.GOOS=linux
May 07 19:35:45 auth caddy[37810]: runtime.GOARCH=amd64
May 07 19:35:45 auth caddy[37810]: runtime.Compiler=gc
May 07 19:35:45 auth caddy[37810]: runtime.NumCPU=2
May 07 19:35:45 auth caddy[37810]: runtime.GOMAXPROCS=2
May 07 19:35:45 auth caddy[37810]: runtime.Version=go1.22.2
May 07 19:35:45 auth caddy[37810]: os.Getwd=/
May 07 19:35:45 auth caddy[37810]: LANG=en_US.UTF-8
May 07 19:35:45 auth caddy[37810]: PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin
May 07 19:35:45 auth caddy[37810]: NOTIFY_SOCKET=/run/systemd/notify
May 07 19:35:45 auth caddy[37810]: HOME=/var/lib/caddy
May 07 19:35:45 auth caddy[37810]: LOGNAME=caddy
May 07 19:35:45 auth caddy[37810]: USER=caddy
May 07 19:35:45 auth caddy[37810]: INVOCATION_ID=df862df3bb6b4febba8754f0fe97fc88
May 07 19:35:45 auth caddy[37810]: JOURNAL_STREAM=8:1037400
May 07 19:35:45 auth caddy[37810]: SYSTEMD_EXEC_PID=37810
May 07 19:35:45 auth caddy[37810]: {"level":"info","ts":1715110545.43578,"msg":"using provided configuration","config_file":"/etc/caddy/Caddyfile","config_adapter":""}
May 07 19:35:45 auth caddy[37810]: {"level":"warn","ts":1715110545.4366765,"msg":"Caddyfile input is not formatted; run 'caddy fmt --overwrite' to fix inconsistencies","adapter":"caddyfile","file":"/etc/caddy/Caddyfile","line":16}
May 07 19:35:45 auth caddy[37810]: {"level":"info","ts":1715110545.4379668,"logger":"admin","msg":"admin endpoint started","address":"localhost:2019","enforce_origin":false,"origins":["//localhost:2019","//[::1]:2019","//127.0.0.1:2019"]}
May 07 19:35:45 auth caddy[37810]: {"level":"warn","ts":1715110545.438124,"logger":"http.auto_https","msg":"server is listening only on the HTTP port, so no automatic HTTPS will be applied to this server","server_name":"srv0","http_port":80}
May 07 19:35:45 auth caddy[37810]: {"level":"debug","ts":1715110545.4381528,"logger":"http.auto_https","msg":"adjusted config","tls":{"automation":{"policies":[{}]}},"http":{"servers":{"srv0":{"listen":[":80"],"routes":[{"handle":[{"handler":"subroute","routes":[{"handle":[{"handler":"reverse_proxy","upstreams":[{"dial":"vcenter.ecfinternal.net:80"}]}]}]}],"terminal":true},{"handle":[{"handler":"subroute","routes":[{"handle":[{"handler":"reverse_proxy","upstreams":[{"dial":"graylog.ecfinternal.net:9000"}]}]}]}],"terminal":true},{"handle":[{"handler":"subroute","routes":[{"handle":[{"handler":"reverse_proxy","upstreams":[{"dial":"10.0.0.10:80"}]}]}]}],"terminal":true},{"handle":[{"handler":"subroute","routes":[{"handle":[{"handler":"reverse_proxy","upstreams":[{"dial":"unifi.ecfinternal.net:8443"}]}]}]}],"terminal":true},{"handle":[{"handler":"subroute","routes":[{"handle":[{"handler":"reverse_proxy","transport":{"protocol":"http","tls":{}},"upstreams":[{"dial":"10.0.0.7:3443"}]}]}]}],"terminal":true},{"handle":[{"handler":"subroute","routes":[{"handle":[{"handler":"reverse_proxy","upstreams":[{"dial":"cms.ecfinternal.net:8080"}]}]}]}],"terminal":true},{"handle":[{"handler":"subroute","routes":[{"handle":[{"handler":"reverse_proxy","upstreams":[{"dial":"zms.ecfinternal.net:8080"}]}]}]}],"terminal":true},{"handle":[{"handler":"subroute","routes":[{"handle":[{"handler":"reverse_proxy","upstreams":[{"dial":"localhost:666"}]}]}]}],"terminal":true}],"automatic_https":{"disable":true}}}}}
May 07 19:35:45 auth caddy[37810]: {"level":"info","ts":1715110545.4387035,"logger":"tls.cache.maintenance","msg":"started background certificate maintenance","cache":"0xc0000dd600"}
May 07 19:35:45 auth caddy[37810]: {"level":"debug","ts":1715110545.4390612,"logger":"http","msg":"starting server loop","address":"[::]:80","tls":false,"http3":false}
May 07 19:35:45 auth caddy[37810]: {"level":"info","ts":1715110545.4390748,"logger":"http.log","msg":"server running","name":"srv0","protocols":["h1","h2","h3"]}
May 07 19:35:45 auth caddy[37810]: {"level":"info","ts":1715110545.4392014,"msg":"autosaved config (load with --resume flag)","file":"/var/lib/caddy/.config/caddy/autosave.json"}

Updated Caddyfile


:80 {
        reverse_proxy localhost:666
}

http://smx.ecfinternal.net {
        reverse_proxy https://10.0.0.7:3443
}

curl -v auth.ecfinternal.net

*   Trying 10.0.0.13:80...
* Connected to auth.ecfinternal.net (10.0.0.13) port 80 (#0)
> GET / HTTP/1.1
> Host: auth.ecfinternal.net
> User-Agent: curl/7.81.0
> Accept: */*
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Content-Type: text/html; charset=us-ascii
< Date: Tue, 07 May 2024 19:35:51 GMT
< Server: Caddy
< Server: darkstat/3.0.719
< Vary: Accept-Encoding
< X-Robots-Tag: noindex, noarchive
< Transfer-Encoding: chunked
< 
<!DOCTYPE html>
<html>
<head>
<title>Graphs (darkstat ens33)</title>
<meta name="generator" content="darkstat 3.0.719">
<meta name="robots" content="noindex, noarchive">
<link rel="stylesheet" href="./style.css" type="text/css">
<script src="./graph.js" type="text/javascript"></script>
</head>
<body>
<div class="menu">
<ul class="menu"><li class="label">darkstat 3.0.719</li><li><a href="./">graphs</a></li><li><a href="./hosts/">hosts</a></li><li><a href="https://unix4lyfe.org/darkstat/">homepage</a></li></ul>
</div>
<div class="content">
<h2 class="pageheader">Graphs</h2>
<p>
<b>Measuring for</b> <span id="rf">4 days, 1 hr, 27 mins, 24 secs</span><b>, since</b> 2024-05-03 18:08:27 UTC+0000<b>.</b><br>
<b>Seen</b> <span id="tb">238,271,106</span> <b>bytes, in</b> <span id="tp">186,727</span> <b>packets.</b> (<span id="pc">675,738</span> <b>captured,</b> <span id="pd">61,536</span> <b>dropped)</b><br>
</p>
<div id="graphs">
Graphs require JavaScript.
<script type="text/javascript">
//<![CDATA[
var graph_width = 320;
var graph_height = 200;
var bar_gap = 1;
var graphs_uri = "graphs.xml";
var graphs = [
 { id:"g0", name:"seconds", title:"last 60 seconds", bar_secs:1 },
 { id:"g1", name:"minutes", title:"last 60 minutes", bar_secs:60 },
 { id:"g2", name:"hours", title:"last 24 hours", bar_secs:3600 },
 { id:"g3", name:"days", title:"last 31 days", bar_secs:86400 }
];
window.onload = graphs_init;
//]]>
</script>
</div>
</div>
</body>
</html>
* Connection #0 to host auth.ecfinternal.net left intact

logs

May 07 19:35:45 auth systemd[1]: Started Caddy.
May 07 19:35:45 auth caddy[37810]: {"level":"info","ts":1715110545.4399662,"msg":"serving initial configuration"}
May 07 19:35:45 auth caddy[37810]: {"level":"warn","ts":1715110545.4430864,"logger":"tls","msg":"storage cleaning happened too recently; skipping for now","storage":"FileStorage:/var/lib/caddy/.local/share/caddy","instance":"531e7759-e154-46fd-a653-18750e0d82ee","try_again":1715196945.4430828,"try_again_in":86399.99999979}
May 07 19:35:45 auth caddy[37810]: {"level":"info","ts":1715110545.4432156,"logger":"tls","msg":"finished cleaning storage units"}
May 07 19:35:51 auth caddy[37810]: {"level":"debug","ts":1715110551.9316258,"logger":"http.handlers.reverse_proxy","msg":"selected upstream","dial":"localhost:666","total_upstreams":1}
May 07 19:35:51 auth caddy[37810]: {"level":"debug","ts":1715110551.9323273,"logger":"http.handlers.reverse_proxy","msg":"upstream roundtrip","upstream":"localhost:666","duration":0.000654944,"request":{"remote_ip":"10.0.0.13","remote_port":"53536","client_ip":"10.0.0.13","proto":"HTTP/1.1","method":"GET","host":"auth.ecfinternal.net","uri":"/","headers":{"X-Forwarded-Host":["auth.ecfinternal.net"],"User-Agent":["curl/7.81.0"],"Accept":["*/*"],"X-Forwarded-For":["10.0.0.13"],"X-Forwarded-Proto":["http"]}},"headers":{"X-Robots-Tag":["noindex, noarchive"],"Date":["Tue, 07 May 2024 19:35:51 GMT"],"Server":["darkstat/3.0.719"],"Vary":["Accept-Encoding"],"Content-Type":["text/html; charset=us-ascii"]},"status":200}

That doesn’t make sense considering your Caddyfile. Caddy should not be responding with an HTTP->HTTPS redirect if you have http:// in your site address.

Are you sure you’re actually running the Caddy config you think you are? Are you sure you reloaded Caddy after changing the config?

Looking at your logs, I see references to a whole bunch of other domains that you didn’t have in the Caddyfile you posted.

This means that Caddy wasn’t able to connect to the proxy upstream. But your logs show no evidence of that.

I don’t understand the information you’re giving us, things just don’t match.

Rather sure I’m running the Caddy config I think I am and I definitely reloaded after changing. I’m confused too, but let’s try this again.
Added back in nginx so we have an external service served on port 80 and that worked! At least with https turned off.
Caddyfile

{
        debug
}

http://auth.ecfinternal.net {
        reverse_proxy localhost:666
}
http://smx.ecfinternal.net {
        reverse_proxy 10.0.0.7:3443
}
http://nginx.ecfinternal.net {
        reverse_proxy 10.0.0.10
}

systemctl restart caddy
journalctl -u caddy --no-pager

May 08 19:28:39 auth systemd[1]: Started Caddy.
May 08 19:28:39 auth caddy[39686]: {"level":"warn","ts":1715196519.439102,"logger":"tls","msg":"storage cleaning happened too recently; skipping for now","storage":"FileStorage:/var/lib/caddy/.local/share/caddy","instance":"531e7759-e154-46fd-a653-18750e0d82ee","try_again":1715282919.439101,"try_again_in":86399.99999974}
May 08 19:28:39 auth caddy[39686]: {"level":"info","ts":1715196519.4391801,"logger":"tls","msg":"finished cleaning storage units"}
May 08 19:28:57 auth caddy[39686]: {"level":"debug","ts":1715196537.468017,"logger":"http.handlers.reverse_proxy","msg":"selected upstream","dial":"localhost:666","total_upstreams":1}
May 08 19:28:57 auth caddy[39686]: {"level":"debug","ts":1715196537.468789,"logger":"http.handlers.reverse_proxy","msg":"upstream roundtrip","upstream":"localhost:666","duration":0.000732502,"request":{"remote_ip":"10.0.0.13","remote_port":"41220","client_ip":"10.0.0.13","proto":"HTTP/1.1","method":"GET","host":"auth.ecfinternal.net","uri":"/","headers":{"User-Agent":["curl/7.81.0"],"Accept":["*/*"],"X-Forwarded-For":["10.0.0.13"],"X-Forwarded-Proto":["http"],"X-Forwarded-Host":["auth.ecfinternal.net"]}},"headers":{"Date":["Wed, 08 May 2024 19:28:57 GMT"],"Server":["darkstat/3.0.719"],"Vary":["Accept-Encoding"],"Content-Type":["text/html; charset=us-ascii"],"X-Robots-Tag":["noindex, noarchive"]},"status":200}
May 08 19:29:07 auth caddy[39686]: {"level":"debug","ts":1715196547.9728422,"logger":"http.handlers.reverse_proxy","msg":"selected upstream","dial":"10.0.0.10:80","total_upstreams":1}
May 08 19:29:07 auth caddy[39686]: {"level":"debug","ts":1715196547.9770749,"logger":"http.handlers.reverse_proxy","msg":"upstream roundtrip","upstream":"10.0.0.10:80","duration":0.004202665,"request":{"remote_ip":"10.0.0.13","remote_port":"60452","client_ip":"10.0.0.13","proto":"HTTP/1.1","method":"GET","host":"nginx.ecfinternal.net","uri":"/","headers":{"Accept":["*/*"],"X-Forwarded-For":["10.0.0.13"],"X-Forwarded-Proto":["http"],"X-Forwarded-Host":["nginx.ecfinternal.net"],"User-Agent":["curl/7.81.0"]}},"headers":{"Content-Type":["text/html"],"Content-Length":["162"],"Connection":["keep-alive"],"Server":["nginx/1.18.0 (Ubuntu)"],"Date":["Wed, 08 May 2024 19:29:07 GMT"]},"status":403}
May 08 19:29:33 auth caddy[39686]: {"level":"debug","ts":1715196573.6916528,"logger":"http.handlers.reverse_proxy","msg":"selected upstream","dial":"10.0.0.7:3443","total_upstreams":1}
May 08 19:29:33 auth caddy[39686]: {"level":"debug","ts":1715196573.692787,"logger":"http.handlers.reverse_proxy","msg":"upstream roundtrip","upstream":"10.0.0.7:3443","duration":0.001060654,"request":{"remote_ip":"10.0.0.13","remote_port":"50864","client_ip":"10.0.0.13","proto":"HTTP/1.1","method":"GET","host":"smx.ecfinternal.net","uri":"/","headers":{"User-Agent":["curl/7.81.0"],"Accept":["*/*"],"X-Forwarded-For":["10.0.0.13"],"X-Forwarded-Proto":["http"],"X-Forwarded-Host":["smx.ecfinternal.net"]}},"error":"EOF"}
May 08 19:29:33 auth caddy[39686]: {"level":"error","ts":1715196573.6928701,"logger":"http.log.error","msg":"EOF","request":{"remote_ip":"10.0.0.13","remote_port":"50864","client_ip":"10.0.0.13","proto":"HTTP/1.1","method":"GET","host":"smx.ecfinternal.net","uri":"/","headers":{"User-Agent":["curl/7.81.0"],"Accept":["*/*"]}},"duration":0.001253548,"status":502,"err_id":"1cmhim88s","err_trace":"reverseproxy.statusError (reverseproxy.go:1267)"}
May 08 19:30:39 auth caddy[39686]: {"level":"debug","ts":1715196639.6684422,"logger":"http.handlers.reverse_proxy","msg":"selected upstream","dial":"localhost:666","total_upstreams":1}
May 08 19:30:39 auth caddy[39686]: {"level":"debug","ts":1715196639.6701946,"logger":"http.handlers.reverse_proxy","msg":"upstream roundtrip","upstream":"localhost:666","duration":0.001702797,"request":{"remote_ip":"10.0.0.13","remote_port":"60868","client_ip":"10.0.0.13","proto":"HTTP/1.1","method":"GET","host":"auth.ecfinternal.net","uri":"/","headers":{"X-Forwarded-For":["10.0.0.13"],"X-Forwarded-Proto":["http"],"X-Forwarded-Host":["auth.ecfinternal.net"],"User-Agent":["curl/7.81.0"],"Accept":["*/*"]}},"headers":{"Server":["darkstat/3.0.719"],"Vary":["Accept-Encoding"],"Content-Type":["text/html; charset=us-ascii"],"X-Robots-Tag":["noindex, noarchive"],"Date":["Wed, 08 May 2024 19:30:39 GMT"]},"status":200}
May 08 19:30:42 auth caddy[39686]: {"level":"debug","ts":1715196642.3727484,"logger":"http.handlers.reverse_proxy","msg":"selected upstream","dial":"10.0.0.7:3443","total_upstreams":1}
May 08 19:30:42 auth caddy[39686]: {"level":"debug","ts":1715196642.3735855,"logger":"http.handlers.reverse_proxy","msg":"upstream roundtrip","upstream":"10.0.0.7:3443","duration":0.000793951,"request":{"remote_ip":"10.0.0.13","remote_port":"60876","client_ip":"10.0.0.13","proto":"HTTP/1.1","method":"GET","host":"smx.ecfinternal.net","uri":"/","headers":{"X-Forwarded-For":["10.0.0.13"],"X-Forwarded-Proto":["http"],"X-Forwarded-Host":["smx.ecfinternal.net"],"Accept":["*/*"],"User-Agent":["curl/7.81.0"]}},"error":"EOF"}
May 08 19:30:42 auth caddy[39686]: {"level":"error","ts":1715196642.3736358,"logger":"http.log.error","msg":"EOF","request":{"remote_ip":"10.0.0.13","remote_port":"60876","client_ip":"10.0.0.13","proto":"HTTP/1.1","method":"GET","host":"smx.ecfinternal.net","uri":"/","headers":{"User-Agent":["curl/7.81.0"],"Accept":["*/*"]}},"duration":0.000921637,"status":502,"err_id":"qc5sjxq4j","err_trace":"reverseproxy.statusError (reverseproxy.go:1267)"}
May 08 19:30:48 auth caddy[39686]: {"level":"debug","ts":1715196648.6194453,"logger":"http.handlers.reverse_proxy","msg":"selected upstream","dial":"10.0.0.10:80","total_upstreams":1}
May 08 19:30:48 auth caddy[39686]: {"level":"debug","ts":1715196648.61998,"logger":"http.handlers.reverse_proxy","msg":"upstream roundtrip","upstream":"10.0.0.10:80","duration":0.000494217,"request":{"remote_ip":"10.0.0.13","remote_port":"33500","client_ip":"10.0.0.13","proto":"HTTP/1.1","method":"GET","host":"nginx.ecfinternal.net","uri":"/","headers":{"User-Agent":["curl/7.81.0"],"Accept":["*/*"],"X-Forwarded-For":["10.0.0.13"],"X-Forwarded-Proto":["http"],"X-Forwarded-Host":["nginx.ecfinternal.net"]}},"headers":{"Connection":["keep-alive"],"Server":["nginx/1.18.0 (Ubuntu)"],"Date":["Wed, 08 May 2024 19:30:48 GMT"],"Content-Type":["text/html"],"Content-Length":["162"]},"status":403}
May 08 19:31:02 auth caddy[39686]: {"level":"debug","ts":1715196662.530931,"logger":"http.handlers.reverse_proxy","msg":"selected upstream","dial":"10.0.0.10:80","total_upstreams":1}
May 08 19:31:02 auth caddy[39686]: {"level":"debug","ts":1715196662.5314226,"logger":"http.handlers.reverse_proxy","msg":"upstream roundtrip","upstream":"10.0.0.10:80","duration":0.000450419,"request":{"remote_ip":"10.0.0.13","remote_port":"49710","client_ip":"10.0.0.13","proto":"HTTP/1.1","method":"GET","host":"nginx.ecfinternal.net","uri":"/","headers":{"X-Forwarded-Proto":["http"],"X-Forwarded-Host":["nginx.ecfinternal.net"],"User-Agent":["curl/7.81.0"],"Accept":["*/*"],"X-Forwarded-For":["10.0.0.13"]}},"headers":{"Date":["Wed, 08 May 2024 19:31:02 GMT"],"Content-Type":["text/html"],"Content-Length":["162"],"Connection":["keep-alive"],"Server":["nginx/1.18.0 (Ubuntu)"]},"status":403}
May 08 19:31:24 auth caddy[39686]: {"level":"debug","ts":1715196684.698757,"logger":"http.handlers.reverse_proxy","msg":"selected upstream","dial":"10.0.0.7:3443","total_upstreams":1}
May 08 19:31:24 auth caddy[39686]: {"level":"debug","ts":1715196684.6996496,"logger":"http.handlers.reverse_proxy","msg":"upstream roundtrip","upstream":"10.0.0.7:3443","duration":0.000862089,"request":{"remote_ip":"10.0.0.13","remote_port":"39420","client_ip":"10.0.0.13","proto":"HTTP/1.1","method":"GET","host":"smx.ecfinternal.net","uri":"/","headers":{"X-Forwarded-Proto":["http"],"X-Forwarded-Host":["smx.ecfinternal.net"],"User-Agent":["curl/7.81.0"],"Accept":["*/*"],"X-Forwarded-For":["10.0.0.13"]}},"error":"EOF"}
May 08 19:31:24 auth caddy[39686]: {"level":"error","ts":1715196684.699722,"logger":"http.log.error","msg":"EOF","request":{"remote_ip":"10.0.0.13","remote_port":"39420","client_ip":"10.0.0.13","proto":"HTTP/1.1","method":"GET","host":"smx.ecfinternal.net","uri":"/","headers":{"User-Agent":["curl/7.81.0"],"Accept":["*/*"]}},"duration":0.001014045,"status":502,"err_id":"iqi3he1vv","err_trace":"reverseproxy.statusError (reverseproxy.go:1267)"}

curl -v auth.ecfinternal.net

*   Trying 10.0.0.13:80...
* Connected to auth.ecfinternal.net (10.0.0.13) port 80 (#0)
> GET / HTTP/1.1
> Host: auth.ecfinternal.net
> User-Agent: curl/7.81.0
> Accept: */*
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Content-Type: text/html; charset=us-ascii
< Date: Wed, 08 May 2024 19:37:08 GMT
< Server: Caddy
< Server: darkstat/3.0.719
< Vary: Accept-Encoding
< X-Robots-Tag: noindex, noarchive
< Transfer-Encoding: chunked
< 
<!DOCTYPE html>
<html>
<head>
<title>Graphs (darkstat ens33)</title>
<meta name="generator" content="darkstat 3.0.719">
<meta name="robots" content="noindex, noarchive">
<link rel="stylesheet" href="./style.css" type="text/css">
<script src="./graph.js" type="text/javascript"></script>
</head>
<body>
<div class="menu">
<ul class="menu"><li class="label">darkstat 3.0.719</li><li><a href="./">graphs</a></li><li><a href="./hosts/">hosts</a></li><li><a href="https://unix4lyfe.org/darkstat/">homepage</a></li></ul>
</div>
<div class="content">
<h2 class="pageheader">Graphs</h2>
<p>
<b>Measuring for</b> <span id="rf">5 days, 1 hr, 28 mins, 41 secs</span><b>, since</b> 2024-05-03 18:08:27 UTC+0000<b>.</b><br>
<b>Seen</b> <span id="tb">318,638,985</span> <b>bytes, in</b> <span id="tp">296,506</span> <b>packets.</b> (<span id="pc">975,607</span> <b>captured,</b> <span id="pd">129,388</span> <b>dropped)</b><br>
</p>
<div id="graphs">
Graphs require JavaScript.
<script type="text/javascript">
//<![CDATA[
var graph_width = 320;
var graph_height = 200;
var bar_gap = 1;
var graphs_uri = "graphs.xml";
var graphs = [
 { id:"g0", name:"seconds", title:"last 60 seconds", bar_secs:1 },
 { id:"g1", name:"minutes", title:"last 60 minutes", bar_secs:60 },
 { id:"g2", name:"hours", title:"last 24 hours", bar_secs:3600 },
 { id:"g3", name:"days", title:"last 31 days", bar_secs:86400 }
];
window.onload = graphs_init;
//]]>
</script>
</div>
</div>
</body>
</html>
* Connection #0 to host auth.ecfinternal.net left intact

curl -v smx.ecfinternal.net

*   Trying 10.0.0.13:80...
* Connected to smx.ecfinternal.net (10.0.0.13) port 80 (#0)
> GET / HTTP/1.1
> Host: smx.ecfinternal.net
> User-Agent: curl/7.81.0
> Accept: */*
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 502 Bad Gateway
< Server: Caddy
< Date: Wed, 08 May 2024 19:37:47 GMT
< Content-Length: 0
< 
* Connection #0 to host smx.ecfinternal.net left intact

curl -v nginx.ecfinternal.net

*   Trying 10.0.0.13:80...
* Connected to nginx.ecfinternal.net (10.0.0.13) port 80 (#0)
> GET / HTTP/1.1
> Host: nginx.ecfinternal.net
> User-Agent: curl/7.81.0
> Accept: */*
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Accept-Ranges: bytes
< Content-Length: 222
< Content-Type: text/html
< Date: Wed, 08 May 2024 19:57:25 GMT
< Etag: "663bd66d-de"
< Last-Modified: Wed, 08 May 2024 19:45:49 GMT
< Server: Caddy
< Server: nginx/1.18.0 (Ubuntu)
< 
<!doctype html>
<html>
<head>
    <meta charset="utf-8">
    <title>Hello, Nginx!</title>
</head>
<body>
    <h1>Hello, Nginx!</h1>
    <p>We have just configured our Nginx web server on Ubuntu Server!</p>
</body>
</html>
* Connection #0 to host nginx.ecfinternal.net left intact

This port number has 443 in it, usually implying it’s an HTTPS endpoint, not HTTP. Caddy’s proxy makes HTTP requests by default. Does that app have an HTTP port? Use that instead.
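
A triage pass over the kind of journal output posted in this thread, added here as an example (it is not code from any poster or from the Caddy project): it groups the failure signatures seen above, namely the http-01 challenge failing on an internal-only name, the CA rate limit that follows, and the proxy getting EOF from an upstream whose port suggests TLS. The function names are hypothetical and the sample lines are constructed, abbreviated to the fields the classifier reads.

```python
import json
import re

# journald prefix, e.g. "May 08 19:29:33 auth caddy[39686]: ", then Caddy's JSON entry.
LINE_RE = re.compile(r"^(\w{3} \d{2} [\d:]{8}) \S+ caddy\[\d+\]: (\{.*\})$")


def parse_line(line):
    """Return (timestamp, entry) for a Caddy JSON log line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        return m.group(1), json.loads(m.group(2))
    except json.JSONDecodeError:
        return None  # wrapped or truncated line


def classify(entry):
    """Map one log entry to (kind, subject, note), or None if it is not a failure signature."""
    msg = entry.get("msg", "")
    if msg == "challenge failed":
        problem_type = entry.get("problem", {}).get("type", "")
        if entry.get("challenge_type") == "http-01" and problem_type.endswith(":error:dns"):
            return ("acme-http01-unresolvable", entry.get("identifier"),
                    "CA found no public A/AAAA record; http-01 cannot validate this name, "
                    "check that the DNS-01 solver is configured for the site")
        return ("acme-challenge-failed", entry.get("identifier"), problem_type)
    if msg == "could not get certificate from issuer" and "rateLimited" in entry.get("error", ""):
        return ("acme-rate-limited", entry.get("identifier"),
                "CA is refusing new orders after repeated failed validations")
    if entry.get("logger") == "http.handlers.reverse_proxy" and msg == "upstream roundtrip":
        upstream = entry.get("upstream", "")
        if "error" in entry:
            note = "no HTTP response from upstream (%s)" % entry["error"]
            # Heuristic taken from the reply above: a port ending in 443 is usually HTTPS.
            if upstream.rsplit(":", 1)[-1].endswith("443"):
                note += "; port looks like a TLS listener, check whether it expects HTTPS"
            return ("proxy-upstream-error", upstream, note)
        if entry.get("status", 0) >= 400:
            return ("upstream-error-status", upstream,
                    "upstream answered with %d; the proxy hop itself worked" % entry["status"])
    return None


def triage(lines):
    """Group failure signatures by (kind, subject), keeping first timestamp and a count."""
    findings = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        stamp, entry = parsed
        result = classify(entry)
        if result is None:
            continue
        kind, subject, note = result
        key = (kind, subject)
        if key not in findings:
            findings[key] = {"kind": kind, "subject": subject, "note": note,
                             "first_seen": stamp, "count": 0}
        findings[key]["count"] += 1
    return list(findings.values())


def _line(stamp, pid, **fields):
    """Build a constructed journal line in the same shape as the ones in the thread."""
    return "%s auth caddy[%d]: %s" % (stamp, pid, json.dumps(fields))


PROXY = "http.handlers.reverse_proxy"

# Constructed sample input (not a verbatim copy of the posted logs).
SAMPLE_LOG = [
    _line("Apr 30 21:12:52", 2161, level="error", logger="tls.issuance.acme.acme_client",
          msg="challenge failed", identifier="nginx.ecfinternal.net",
          challenge_type="http-01", problem={"type": "urn:ietf:params:acme:error:dns"}),
    _line("Apr 30 21:35:45", 2300, level="error", logger="tls.obtain",
          msg="could not get certificate from issuer", identifier="nginx.ecfinternal.net",
          error="HTTP 429 urn:ietf:params:acme:error:rateLimited - too many failed authorizations"),
    "May 08 19:28:39 auth systemd[1]: Started Caddy.",
    _line("May 08 19:28:57", 39686, level="debug", logger=PROXY,
          msg="upstream roundtrip", upstream="localhost:666", status=200),
    _line("May 08 19:29:07", 39686, level="debug", logger=PROXY,
          msg="upstream roundtrip", upstream="10.0.0.10:80", status=403),
    _line("May 08 19:29:33", 39686, level="debug", logger=PROXY,
          msg="upstream roundtrip", upstream="10.0.0.7:3443", error="EOF"),
    _line("May 08 19:30:42", 39686, level="debug", logger=PROXY,
          msg="upstream roundtrip", upstream="10.0.0.7:3443", error="EOF"),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print("%(first_seen)s  x%(count)d  %(kind)s  %(subject)s: %(note)s" % f)
```

On a real host the input would come from `journalctl -u caddy --no-pager`, one line per entry.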

The real end goal is HTTPS for everything; I was trying to eliminate a variable to make sure at least the reverse proxy was working before adding certificates back in.

This is more like what I imagine the final Caddyfile to look like:

{
        debug
}

(prop) {
        tls my@email.net {
                propagation_timeout -1
                dns cloudflare api-token
        }
}

http://auth.ecfinternal.net {
        reverse_proxy localhost:666
        # import prop
}

smx.ecfinternal.net {
        reverse_proxy 10.0.0.7:3443
        import prop
}

nginx.ecfinternal.net {
        reverse_proxy 10.0.0.10
        import prop
}

And my current log with that Caddyfile:

May 08 20:27:46 auth systemd[1]: Started Caddy.
May 08 20:27:46 auth caddy[39953]: {"level":"info","ts":1715200066.4129763,"logger":"tls.obtain","msg":"acquiring lock","identifier":"nginx.ecfinternal.net"}
May 08 20:27:46 auth caddy[39953]: {"level":"warn","ts":1715200066.415817,"logger":"tls","msg":"storage cleaning happened too recently; skipping for now","storage":"FileStorage:/var/lib/caddy/.local/share/caddy","instance":"531e7759-e154-46fd-a653-18750e0d82ee","try_again":1715286466.4158163,"try_again_in":86399.99999978}
May 08 20:27:46 auth caddy[39953]: {"level":"info","ts":1715200066.4158556,"logger":"tls","msg":"finished cleaning storage units"}
May 08 20:27:46 auth caddy[39953]: {"level":"info","ts":1715200066.4160678,"logger":"tls.obtain","msg":"acquiring lock","identifier":"smx.ecfinternal.net"}
May 08 20:27:46 auth caddy[39953]: {"level":"info","ts":1715200066.417522,"logger":"tls.obtain","msg":"lock acquired","identifier":"nginx.ecfinternal.net"}
May 08 20:27:46 auth caddy[39953]: {"level":"info","ts":1715200066.4176736,"logger":"tls.obtain","msg":"obtaining certificate","identifier":"nginx.ecfinternal.net"}
May 08 20:27:46 auth caddy[39953]: {"level":"debug","ts":1715200066.417756,"logger":"events","msg":"event","name":"cert_obtaining","id":"6bfddefa-da03-43d8-b925-d94c8064a3ea","origin":"tls","data":{"identifier":"nginx.ecfinternal.net"}}
May 08 20:27:46 auth caddy[39953]: {"level":"debug","ts":1715200066.4180977,"logger":"tls.obtain","msg":"trying issuer 1/2","issuer":"acme-v02.api.letsencrypt.org-directory"}
May 08 20:27:46 auth caddy[39953]: {"level":"info","ts":1715200066.4183273,"logger":"tls.issuance.acme","msg":"waiting on internal rate limiter","identifiers":["nginx.ecfinternal.net"],"ca":"https://acme-v02.api.letsencrypt.org/directory","account":"my@email.net"}
May 08 20:27:46 auth caddy[39953]: {"level":"info","ts":1715200066.4184256,"logger":"tls.issuance.acme","msg":"done waiting on internal rate limiter","identifiers":["nginx.ecfinternal.net"],"ca":"https://acme-v02.api.letsencrypt.org/directory","account":"my@email.net"}
May 08 20:27:46 auth caddy[39953]: {"level":"info","ts":1715200066.419263,"logger":"tls.obtain","msg":"lock acquired","identifier":"smx.ecfinternal.net"}
May 08 20:27:46 auth caddy[39953]: {"level":"info","ts":1715200066.419363,"logger":"tls.obtain","msg":"obtaining certificate","identifier":"smx.ecfinternal.net"}
May 08 20:27:46 auth caddy[39953]: {"level":"debug","ts":1715200066.419374,"logger":"events","msg":"event","name":"cert_obtaining","id":"4e386454-8d3e-456b-9ec7-4d40ff2d3027","origin":"tls","data":{"identifier":"smx.ecfinternal.net"}}
May 08 20:27:46 auth caddy[39953]: {"level":"debug","ts":1715200066.4194937,"logger":"tls.obtain","msg":"trying issuer 1/2","issuer":"acme-v02.api.letsencrypt.org-directory"}
May 08 20:27:46 auth caddy[39953]: {"level":"info","ts":1715200066.419584,"logger":"tls.issuance.acme","msg":"waiting on internal rate limiter","identifiers":["smx.ecfinternal.net"],"ca":"https://acme-v02.api.letsencrypt.org/directory","account":"my@email.net"}
May 08 20:27:46 auth caddy[39953]: {"level":"info","ts":1715200066.4196022,"logger":"tls.issuance.acme","msg":"done waiting on internal rate limiter","identifiers":["smx.ecfinternal.net"],"ca":"https://acme-v02.api.letsencrypt.org/directory","account":"my@email.net"}
May 08 20:27:46 auth caddy[39953]: {"level":"debug","ts":1715200066.625714,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"GET","url":"https://acme-v02.api.letsencrypt.org/directory","headers":{"User-Agent":["Caddy/2.7.6 CertMagic acmez (linux; amd64)"]},"response_headers":{"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["747"],"Content-Type":["application/json"],"Date":["Wed, 08 May 2024 20:27:46 GMT"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":200}
May 08 20:27:46 auth caddy[39953]: {"level":"debug","ts":1715200066.683565,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"HEAD","url":"https://acme-v02.api.letsencrypt.org/acme/new-nonce","headers":{"User-Agent":["Caddy/2.7.6 CertMagic acmez (linux; amd64)"]},"response_headers":{"Cache-Control":["public, max-age=0, no-cache"],"Date":["Wed, 08 May 2024 20:27:46 GMT"],"Link":["<https://acme-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["Gy4YNW4q9_xUxQ_eqzEIS2lO4nEFWCP-5n2mQvHHCYqwz4pmetI"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":200}
May 08 20:27:46 auth caddy[39953]: {"level":"debug","ts":1715200066.6835673,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"HEAD","url":"https://acme-v02.api.letsencrypt.org/acme/new-nonce","headers":{"User-Agent":["Caddy/2.7.6 CertMagic acmez (linux; amd64)"]},"response_headers":{"Cache-Control":["public, max-age=0, no-cache"],"Date":["Wed, 08 May 2024 20:27:46 GMT"],"Link":["<https://acme-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["R8tUGx_Z5pQdi1z0x5bz-9PeCXAT3XNCf-46NRpiSC8u32yjBgU"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":200}
May 08 20:27:46 auth caddy[39953]: {"level":"debug","ts":1715200066.7636125,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"POST","url":"https://acme-v02.api.letsencrypt.org/acme/new-order","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.7.6 CertMagic acmez (linux; amd64)"]},"response_headers":{"Boulder-Requester":["1663302997"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["213"],"Content-Type":["application/problem+json"],"Date":["Wed, 08 May 2024 20:27:46 GMT"],"Link":["<https://acme-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["Gy4YNW4qRyo8DjI3_Cld4mJKoFqxa7sIGDxS3xXATxohGSzL1kk"],"Server":["nginx"]},"status_code":429}
May 08 20:27:46 auth caddy[39953]: {"level":"error","ts":1715200066.7637758,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"nginx.ecfinternal.net","issuer":"acme-v02.api.letsencrypt.org-directory","error":"HTTP 429 urn:ietf:params:acme:error:rateLimited - Error creating new order :: too many failed authorizations recently: see https://letsencrypt.org/docs/failed-validation-limit/"}
May 08 20:27:46 auth caddy[39953]: {"level":"debug","ts":1715200066.7637928,"logger":"tls.obtain","msg":"trying issuer 2/2","issuer":"acme.zerossl.com-v2-DV90"}
May 08 20:27:46 auth caddy[39953]: {"level":"info","ts":1715200066.7640364,"logger":"tls.issuance.zerossl","msg":"waiting on internal rate limiter","identifiers":["nginx.ecfinternal.net"],"ca":"https://acme.zerossl.com/v2/DV90","account":"my@email.net"}
May 08 20:27:46 auth caddy[39953]: {"level":"info","ts":1715200066.76405,"logger":"tls.issuance.zerossl","msg":"done waiting on internal rate limiter","identifiers":["nginx.ecfinternal.net"],"ca":"https://acme.zerossl.com/v2/DV90","account":"my@email.net"}
May 08 20:27:46 auth caddy[39953]: {"level":"debug","ts":1715200066.799883,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"POST","url":"https://acme-v02.api.letsencrypt.org/acme/new-order","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.7.6 CertMagic acmez (linux; amd64)"]},"response_headers":{"Boulder-Requester":["1663302997"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["345"],"Content-Type":["application/json"],"Date":["Wed, 08 May 2024 20:27:46 GMT"],"Link":["<https://acme-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Location":["https://acme-v02.api.letsencrypt.org/acme/order/1663302997/267726166447"],"Replay-Nonce":["R8tUGx_ZeYrYIlpGmWyOGihlEhd-fhDK5aA1tWMksf-1-bAzSqA"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":201}
May 08 20:27:46 auth caddy[39953]: {"level":"debug","ts":1715200066.8504543,"logger":"tls.issuance.zerossl.acme_client","msg":"http request","method":"GET","url":"https://acme.zerossl.com/v2/DV90","headers":{"User-Agent":["Caddy/2.7.6 CertMagic acmez (linux; amd64)"]},"response_headers":{"Access-Control-Allow-Origin":["*"],"Content-Length":["645"],"Content-Type":["application/json"],"Date":["Wed, 08 May 2024 20:27:46 GMT"],"Server":["nginx"],"Strict-Transport-Security":["max-age=15724800; includeSubDomains"]},"status_code":200}
May 08 20:27:46 auth caddy[39953]: {"level":"debug","ts":1715200066.860508,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"POST","url":"https://acme-v02.api.letsencrypt.org/acme/authz-v3/348332828227","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.7.6 CertMagic acmez (linux; amd64)"]},"response_headers":{"Boulder-Requester":["1663302997"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["803"],"Content-Type":["application/json"],"Date":["Wed, 08 May 2024 20:27:46 GMT"],"Link":["<https://acme-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["Gy4YNW4qpbMtGQeC0hAzentCQe6prasjAFcY69p4aCnlqNv-2hQ"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":200}
May 08 20:27:46 auth caddy[39953]: {"level":"debug","ts":1715200066.8606176,"logger":"tls.issuance.acme.acme_client","msg":"no solver configured","challenge_type":"tls-alpn-01"}
May 08 20:27:46 auth caddy[39953]: {"level":"info","ts":1715200066.8606243,"logger":"tls.issuance.acme.acme_client","msg":"trying to solve challenge","identifier":"smx.ecfinternal.net","challenge_type":"dns-01","ca":"https://acme-v02.api.letsencrypt.org/directory"}
May 08 20:27:46 auth caddy[39953]: {"level":"debug","ts":1715200066.8835783,"logger":"tls.issuance.zerossl.acme_client","msg":"http request","method":"HEAD","url":"https://acme.zerossl.com/v2/DV90/newNonce","headers":{"User-Agent":["Caddy/2.7.6 CertMagic acmez (linux; amd64)"]},"response_headers":{"Access-Control-Allow-Origin":["*"],"Cache-Control":["max-age=0, no-cache, no-store"],"Content-Type":["application/octet-stream"],"Date":["Wed, 08 May 2024 20:27:46 GMT"],"Link":["<https://acme.zerossl.com/v2/DV90>;rel=\"index\""],"Replay-Nonce":["UnUAhEoCTZBugW5PKB6xHa2_auNqinCiRhFWgay0ASw"],"Server":["nginx"],"Strict-Transport-Security":["max-age=15724800; includeSubDomains"]},"status_code":200}
May 08 20:27:46 auth caddy[39953]: {"level":"debug","ts":1715200066.952162,"logger":"tls.issuance.zerossl.acme_client","msg":"http request","method":"POST","url":"https://acme.zerossl.com/v2/DV90/newOrder","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.7.6 CertMagic acmez (linux; amd64)"]},"response_headers":{"Access-Control-Allow-Origin":["*"],"Cache-Control":["max-age=0, no-cache, no-store"],"Content-Length":["283"],"Content-Type":["application/json"],"Date":["Wed, 08 May 2024 20:27:46 GMT"],"Location":["https://acme.zerossl.com/v2/DV90/order/pdfa5fpXd5xdY-BWvJ9k6w"],"Replay-Nonce":["jJMgwRFL6n4QHXd64VMm-1wE_tSSgXnpFEnnwOhaa2Q"],"Server":["nginx"],"Strict-Transport-Security":["max-age=15724800; includeSubDomains"]},"status_code":201}
May 08 20:27:47 auth caddy[39953]: {"level":"debug","ts":1715200067.00237,"logger":"tls.issuance.zerossl.acme_client","msg":"http request","method":"POST","url":"https://acme.zerossl.com/v2/DV90/authz/T_x8d6y91NisoXr0nhxNbw","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.7.6 CertMagic acmez (linux; amd64)"]},"response_headers":{"Access-Control-Allow-Origin":["*"],"Cache-Control":["max-age=0, no-cache, no-store"],"Content-Length":["454"],"Content-Type":["application/json"],"Date":["Wed, 08 May 2024 20:27:46 GMT"],"Link":["<https://acme.zerossl.com/v2/DV90>;rel=\"index\""],"Replay-Nonce":["vvRYg0zA0qFDNiy2TDFUbN7Vc_ntobse0VgTSL7s0VU"],"Retry-After":["86400"],"Server":["nginx"],"Strict-Transport-Security":["max-age=15724800; includeSubDomains"]},"status_code":200}
May 08 20:27:47 auth caddy[39953]: {"level":"info","ts":1715200067.0024393,"logger":"tls.issuance.zerossl.acme_client","msg":"trying to solve challenge","identifier":"nginx.ecfinternal.net","challenge_type":"dns-01","ca":"https://acme.zerossl.com/v2/DV90"}
May 08 20:27:47 auth caddy[39953]: {"level":"error","ts":1715200067.8111897,"logger":"tls.issuance.zerossl.acme_client","msg":"cleaning up solver","identifier":"nginx.ecfinternal.net","challenge_type":"dns-01","error":"no memory of presenting a DNS record for \"_acme-challenge.nginx.ecfinternal.net\" (usually OK if presenting also failed)"}
May 08 20:27:47 auth caddy[39953]: {"level":"debug","ts":1715200067.8617342,"logger":"tls.issuance.zerossl.acme_client","msg":"http request","method":"POST","url":"https://acme.zerossl.com/v2/DV90/authz/T_x8d6y91NisoXr0nhxNbw","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.7.6 CertMagic acmez (linux; amd64)"]},"response_headers":{"Access-Control-Allow-Origin":["*"],"Cache-Control":["max-age=0, no-cache, no-store"],"Content-Length":["293"],"Content-Type":["application/json"],"Date":["Wed, 08 May 2024 20:27:47 GMT"],"Link":["<https://acme.zerossl.com/v2/DV90>;rel=\"index\""],"Replay-Nonce":["yc_c0iDU6rJGq8Y2YoQwt44eOfbLO2UyDTotPfLXgzY"],"Server":["nginx"],"Strict-Transport-Security":["max-age=15724800; includeSubDomains"]},"status_code":200}
May 08 20:27:47 auth caddy[39953]: {"level":"error","ts":1715200067.8618095,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"nginx.ecfinternal.net","issuer":"acme.zerossl.com-v2-DV90","error":"[nginx.ecfinternal.net] solving challenges: presenting for challenge: adding temporary record for zone \"ecfinternal.net.\": got error status: HTTP 400: [{Code:81058 Message:A record with the same settings already exists. ErrorChain:[]}] (order=https://acme.zerossl.com/v2/DV90/order/pdfa5fpXd5xdY-BWvJ9k6w) (ca=https://acme.zerossl.com/v2/DV90)"}
May 08 20:27:47 auth caddy[39953]: {"level":"debug","ts":1715200067.8618283,"logger":"events","msg":"event","name":"cert_failed","id":"aa0829d2-5a1c-4036-8e15-0eb568571eeb","origin":"tls","data":{"error":{},"identifier":"nginx.ecfinternal.net","issuers":["acme-v02.api.letsencrypt.org-directory","acme.zerossl.com-v2-DV90"],"renewal":false}}
May 08 20:27:47 auth caddy[39953]: {"level":"error","ts":1715200067.8618484,"logger":"tls.obtain","msg":"will retry","error":"[nginx.ecfinternal.net] Obtain: [nginx.ecfinternal.net] solving challenges: presenting for challenge: adding temporary record for zone \"ecfinternal.net.\": got error status: HTTP 400: [{Code:81058 Message:A record with the same settings already exists. ErrorChain:[]}] (order=https://acme.zerossl.com/v2/DV90/order/pdfa5fpXd5xdY-BWvJ9k6w) (ca=https://acme.zerossl.com/v2/DV90)","attempt":1,"retrying_in":60,"elapsed":1.444231514,"max_duration":2592000}
May 08 20:27:47 auth caddy[39953]: {"level":"debug","ts":1715200067.8719797,"logger":"tls.issuance.acme.acme_client","msg":"waiting for solver before continuing","identifier":"smx.ecfinternal.net","challenge_type":"dns-01"}
May 08 20:27:47 auth caddy[39953]: {"level":"debug","ts":1715200067.8719926,"logger":"tls.issuance.acme.acme_client","msg":"done waiting for solver","identifier":"smx.ecfinternal.net","challenge_type":"dns-01"}
May 08 20:27:47 auth caddy[39953]: {"level":"debug","ts":1715200067.93291,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"POST","url":"https://acme-v02.api.letsencrypt.org/acme/chall-v3/348332828227/6aA1Sg","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.7.6 CertMagic acmez (linux; amd64)"]},"response_headers":{"Boulder-Requester":["1663302997"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["186"],"Content-Type":["application/json"],"Date":["Wed, 08 May 2024 20:27:47 GMT"],"Link":["<https://acme-v02.api.letsencrypt.org/directory>;rel=\"index\"","<https://acme-v02.api.letsencrypt.org/acme/authz-v3/348332828227>;rel=\"up\""],"Location":["https://acme-v02.api.letsencrypt.org/acme/chall-v3/348332828227/6aA1Sg"],"Replay-Nonce":["R8tUGx_ZM6gobIXEQYSsFfT7kd7WPuJc-I8ntSABX9Wc2CPyffY"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":200}
May 08 20:27:47 auth caddy[39953]: {"level":"debug","ts":1715200067.932952,"logger":"tls.issuance.acme.acme_client","msg":"challenge accepted","identifier":"smx.ecfinternal.net","challenge_type":"dns-01"}
May 08 20:27:48 auth caddy[39953]: {"level":"debug","ts":1715200068.242957,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"POST","url":"https://acme-v02.api.letsencrypt.org/acme/authz-v3/348332828227","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.7.6 CertMagic acmez (linux; amd64)"]},"response_headers":{"Boulder-Requester":["1663302997"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["671"],"Content-Type":["application/json"],"Date":["Wed, 08 May 2024 20:27:48 GMT"],"Link":["<https://acme-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["R8tUGx_ZXThh72_fQDZmnI-I_ZLcLiCkkcVfvezU7L5_Lp47YP8"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":200}
May 08 20:27:48 auth caddy[39953]: {"level":"error","ts":1715200068.4468367,"logger":"tls.issuance.acme.acme_client","msg":"challenge failed","identifier":"smx.ecfinternal.net","challenge_type":"dns-01","problem":{"type":"urn:ietf:params:acme:error:unauthorized","title":"","detail":"Incorrect TXT record \"cNy0mfcARv7zwExegV9ZffJSC5U2wluCDKVvJ_Jlf-o\" (and 1 more) found at _acme-challenge.smx.ecfinternal.net","instance":"","subproblems":[]}}
May 08 20:27:48 auth caddy[39953]: {"level":"error","ts":1715200068.4468844,"logger":"tls.issuance.acme.acme_client","msg":"validating authorization","identifier":"smx.ecfinternal.net","problem":{"type":"urn:ietf:params:acme:error:unauthorized","title":"","detail":"Incorrect TXT record \"cNy0mfcARv7zwExegV9ZffJSC5U2wluCDKVvJ_Jlf-o\" (and 1 more) found at _acme-challenge.smx.ecfinternal.net","instance":"","subproblems":[]},"order":"https://acme-v02.api.letsencrypt.org/acme/order/1663302997/267726166447","attempt":1,"max_attempts":3}
May 08 20:27:48 auth caddy[39953]: {"level":"error","ts":1715200068.4469187,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"smx.ecfinternal.net","issuer":"acme-v02.api.letsencrypt.org-directory","error":"HTTP 403 urn:ietf:params:acme:error:unauthorized - Incorrect TXT record \"cNy0mfcARv7zwExegV9ZffJSC5U2wluCDKVvJ_Jlf-o\" (and 1 more) found at _acme-challenge.smx.ecfinternal.net"}
May 08 20:27:48 auth caddy[39953]: {"level":"debug","ts":1715200068.4469304,"logger":"tls.obtain","msg":"trying issuer 2/2","issuer":"acme.zerossl.com-v2-DV90"}
May 08 20:27:48 auth caddy[39953]: {"level":"info","ts":1715200068.4471343,"logger":"tls.issuance.zerossl","msg":"waiting on internal rate limiter","identifiers":["smx.ecfinternal.net"],"ca":"https://acme.zerossl.com/v2/DV90","account":"my@email.net"}
May 08 20:27:48 auth caddy[39953]: {"level":"info","ts":1715200068.4471498,"logger":"tls.issuance.zerossl","msg":"done waiting on internal rate limiter","identifiers":["smx.ecfinternal.net"],"ca":"https://acme.zerossl.com/v2/DV90","account":"my@email.net"}
May 08 20:27:48 auth caddy[39953]: {"level":"debug","ts":1715200068.4962642,"logger":"tls.issuance.zerossl.acme_client","msg":"http request","method":"HEAD","url":"https://acme.zerossl.com/v2/DV90/newNonce","headers":{"User-Agent":["Caddy/2.7.6 CertMagic acmez (linux; amd64)"]},"response_headers":{"Access-Control-Allow-Origin":["*"],"Cache-Control":["max-age=0, no-cache, no-store"],"Content-Type":["application/octet-stream"],"Date":["Wed, 08 May 2024 20:27:48 GMT"],"Link":["<https://acme.zerossl.com/v2/DV90>;rel=\"index\""],"Replay-Nonce":["b_PY8q9KMO0nnu5imLwdVdF5U76AmrhsaTD7btdF8cY"],"Server":["nginx"],"Strict-Transport-Security":["max-age=15724800; includeSubDomains"]},"status_code":200}
May 08 20:27:48 auth caddy[39953]: {"level":"debug","ts":1715200068.5562818,"logger":"tls.issuance.zerossl.acme_client","msg":"http request","method":"POST","url":"https://acme.zerossl.com/v2/DV90/newOrder","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.7.6 CertMagic acmez (linux; amd64)"]},"response_headers":{"Access-Control-Allow-Origin":["*"],"Cache-Control":["max-age=0, no-cache, no-store"],"Content-Length":["281"],"Content-Type":["application/json"],"Date":["Wed, 08 May 2024 20:27:48 GMT"],"Location":["https://acme.zerossl.com/v2/DV90/order/tlrxt6gmKEJBHW_NJ-yZgA"],"Replay-Nonce":["-mVvDQBq_BW6jcctwmxxvxG75wT8c_XHgPO15gR-Doc"],"Server":["nginx"],"Strict-Transport-Security":["max-age=15724800; includeSubDomains"]},"status_code":201}
May 08 20:27:48 auth caddy[39953]: {"level":"debug","ts":1715200068.601902,"logger":"tls.issuance.zerossl.acme_client","msg":"http request","method":"POST","url":"https://acme.zerossl.com/v2/DV90/authz/1GVT23BbxyEn1pIY40e9tA","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.7.6 CertMagic acmez (linux; amd64)"]},"response_headers":{"Access-Control-Allow-Origin":["*"],"Cache-Control":["max-age=0, no-cache, no-store"],"Content-Length":["452"],"Content-Type":["application/json"],"Date":["Wed, 08 May 2024 20:27:48 GMT"],"Link":["<https://acme.zerossl.com/v2/DV90>;rel=\"index\""],"Replay-Nonce":["0MY8WAL4TNVrKRX5U48T5cb1LQahL304Js79MGR0-SY"],"Retry-After":["86400"],"Server":["nginx"],"Strict-Transport-Security":["max-age=15724800; includeSubDomains"]},"status_code":200}
May 08 20:27:48 auth caddy[39953]: {"level":"debug","ts":1715200068.6019547,"logger":"tls.issuance.zerossl.acme_client","msg":"no solver configured","challenge_type":"http-01"}
May 08 20:27:48 auth caddy[39953]: {"level":"info","ts":1715200068.6019595,"logger":"tls.issuance.zerossl.acme_client","msg":"trying to solve challenge","identifier":"smx.ecfinternal.net","challenge_type":"dns-01","ca":"https://acme.zerossl.com/v2/DV90"}
May 08 20:27:48 auth caddy[39953]: {"level":"error","ts":1715200068.7846665,"logger":"tls.issuance.zerossl.acme_client","msg":"cleaning up solver","identifier":"smx.ecfinternal.net","challenge_type":"dns-01","error":"no memory of presenting a DNS record for \"_acme-challenge.smx.ecfinternal.net\" (usually OK if presenting also failed)"}
May 08 20:27:48 auth caddy[39953]: {"level":"debug","ts":1715200068.8421283,"logger":"tls.issuance.zerossl.acme_client","msg":"http request","method":"POST","url":"https://acme.zerossl.com/v2/DV90/authz/1GVT23BbxyEn1pIY40e9tA","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.7.6 CertMagic acmez (linux; amd64)"]},"response_headers":{"Access-Control-Allow-Origin":["*"],"Cache-Control":["max-age=0, no-cache, no-store"],"Content-Length":["291"],"Content-Type":["application/json"],"Date":["Wed, 08 May 2024 20:27:48 GMT"],"Link":["<https://acme.zerossl.com/v2/DV90>;rel=\"index\""],"Replay-Nonce":["qynX27JOqklkw6L317_meAhzGtMDUxTYRcAX4vxkxWw"],"Server":["nginx"],"Strict-Transport-Security":["max-age=15724800; includeSubDomains"]},"status_code":200}
May 08 20:27:48 auth caddy[39953]: {"level":"error","ts":1715200068.8422081,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"smx.ecfinternal.net","issuer":"acme.zerossl.com-v2-DV90","error":"[smx.ecfinternal.net] solving challenges: presenting for challenge: adding temporary record for zone \"ecfinternal.net.\": got error status: HTTP 400: [{Code:81058 Message:A record with the same settings already exists. ErrorChain:[]}] (order=https://acme.zerossl.com/v2/DV90/order/tlrxt6gmKEJBHW_NJ-yZgA) (ca=https://acme.zerossl.com/v2/DV90)"}
May 08 20:27:48 auth caddy[39953]: {"level":"debug","ts":1715200068.8422272,"logger":"events","msg":"event","name":"cert_failed","id":"3874746e-dc3e-4294-80cf-0b99c2fb0701","origin":"tls","data":{"error":{},"identifier":"smx.ecfinternal.net","issuers":["acme-v02.api.letsencrypt.org-directory","acme.zerossl.com-v2-DV90"],"renewal":false}}
May 08 20:27:48 auth caddy[39953]: {"level":"error","ts":1715200068.8422444,"logger":"tls.obtain","msg":"will retry","error":"[smx.ecfinternal.net] Obtain: [smx.ecfinternal.net] solving challenges: presenting for challenge: adding temporary record for zone \"ecfinternal.net.\": got error status: HTTP 400: [{Code:81058 Message:A record with the same settings already exists. ErrorChain:[]}] (order=https://acme.zerossl.com/v2/DV90/order/tlrxt6gmKEJBHW_NJ-yZgA) (ca=https://acme.zerossl.com/v2/DV90)","attempt":1,"retrying_in":60,"elapsed":2.422970809,"max_duration":2592000}

curl -v auth.ecfinternal.net (don’t care about certificates here)

* Connected to auth.ecfinternal.net (10.0.0.13) port 80 (#0)
> GET / HTTP/1.1
> Host: auth.ecfinternal.net
> User-Agent: curl/7.81.0
> Accept: */*
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Content-Type: text/html; charset=us-ascii
< Date: Wed, 08 May 2024 20:24:23 GMT
< Server: Caddy
< Server: darkstat/3.0.719
< Vary: Accept-Encoding
< X-Robots-Tag: noindex, noarchive
< Transfer-Encoding: chunked
< 
<!DOCTYPE html>
<html>
<head>
<title>Graphs (darkstat ens33)</title>
<meta name="generator" content="darkstat 3.0.719">
<meta name="robots" content="noindex, noarchive">
<link rel="stylesheet" href="./style.css" type="text/css">
<script src="./graph.js" type="text/javascript"></script>
</head>
<body>
<div class="menu">
<ul class="menu"><li class="label">darkstat 3.0.719</li><li><a href="./">graphs</a></li><li><a href="./hosts/">hosts</a></li><li><a href="https://unix4lyfe.org/darkstat/">homepage</a></li></ul>
</div>
<div class="content">
<h2 class="pageheader">Graphs</h2>
<p>
<b>Measuring for</b> <span id="rf">5 days, 2 hrs, 15 mins, 55 secs</span><b>, since</b> 2024-05-03 18:08:27 UTC+0000<b>.</b><br>
<b>Seen</b> <span id="tb">340,606,857</span> <b>bytes, in</b> <span id="tp">343,998</span> <b>packets.</b> (<span id="pc">1,034,119</span> <b>captured,</b> <span id="pd">134,494</span> <b>dropped)</b><br>
</p>
<div id="graphs">
Graphs require JavaScript.
<script type="text/javascript">
//<![CDATA[
var graph_width = 320;
var graph_height = 200;
var bar_gap = 1;
var graphs_uri = "graphs.xml";
var graphs = [
 { id:"g0", name:"seconds", title:"last 60 seconds", bar_secs:1 },
 { id:"g1", name:"minutes", title:"last 60 minutes", bar_secs:60 },
 { id:"g2", name:"hours", title:"last 24 hours", bar_secs:3600 },
 { id:"g3", name:"days", title:"last 31 days", bar_secs:86400 }
];
window.onload = graphs_init;
//]]>
</script>
</div>
</div>
</body>
</html>
* Connection #0 to host auth.ecfinternal.net left intact

curl -v nginx.ecfinternal.net

*   Trying 10.0.0.13:80...
* Connected to nginx.ecfinternal.net (10.0.0.13) port 80 (#0)
> GET / HTTP/1.1
> Host: nginx.ecfinternal.net
> User-Agent: curl/7.81.0
> Accept: */*
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 308 Permanent Redirect
< Connection: close
< Location: https://nginx.ecfinternal.net/
< Server: Caddy
< Date: Wed, 08 May 2024 20:25:46 GMT
< Content-Length: 0
< 
* Closing connection 0

curl -v smx.ecfinternal.net

   Trying 10.0.0.13:80...
* Connected to smx.ecfinternal.net (10.0.0.13) port 80 (#0)
> GET / HTTP/1.1
> Host: smx.ecfinternal.net
> User-Agent: curl/7.81.0
> Accept: */*
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 308 Permanent Redirect
< Connection: close
< Location: https://smx.ecfinternal.net/
< Server: Caddy
< Date: Wed, 08 May 2024 20:26:06 GMT
< Content-Length: 0
< 
* Closing connection 0
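
Added example, not part of the original posts and not Caddy's own tooling: a small Python triage that reads journald-wrapped Caddy JSON lines like the ones above and reports, per hostname and issuer, why issuance failed and which `_acme-challenge` TXT names to review. The sample lines are constructed (abridged from the output above, with a placeholder TXT value); the function names, categories and hints are assumptions of this example.

```python
import json
import re

# Constructed sample: journald lines abridged from the Caddy output in the post
# above. The TXT value is a placeholder and the last line is cut off on purpose.
SAMPLE_LOG = r'''
May 08 20:27:46 auth systemd[1]: Started Caddy.
May 08 20:27:46 auth caddy[39953]: {"level":"info","ts":1715200066.4176736,"logger":"tls.obtain","msg":"obtaining certificate","identifier":"nginx.ecfinternal.net"}
May 08 20:27:46 auth caddy[39953]: {"level":"error","ts":1715200066.7637758,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"nginx.ecfinternal.net","issuer":"acme-v02.api.letsencrypt.org-directory","error":"HTTP 429 urn:ietf:params:acme:error:rateLimited - Error creating new order :: too many failed authorizations recently: see https://letsencrypt.org/docs/failed-validation-limit/"}
May 08 20:27:47 auth caddy[39953]: {"level":"error","ts":1715200067.8618095,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"nginx.ecfinternal.net","issuer":"acme.zerossl.com-v2-DV90","error":"[nginx.ecfinternal.net] solving challenges: presenting for challenge: adding temporary record for zone \"ecfinternal.net.\": got error status: HTTP 400: [{Code:81058 Message:A record with the same settings already exists. ErrorChain:[]}]"}
May 08 20:27:48 auth caddy[39953]: {"level":"error","ts":1715200068.4469187,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"smx.ecfinternal.net","issuer":"acme-v02.api.letsencrypt.org-directory","error":"HTTP 403 urn:ietf:params:acme:error:unauthorized - Incorrect TXT record \"PLACEHOLDER-TXT-VALUE\" (and 1 more) found at _acme-challenge.smx.ecfinternal.net"}
May 08 20:27:48 auth caddy[39953]: {"level":"error","ts":1715200068.8422081,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"smx.ecfinternal.net","issuer":"acme.zerossl.com-v2-DV90","error":"[smx.ecfinternal.net] solving challenges: presenting for challenge: adding temporary record for zone \"ecfinternal.net.\": got error status: HTTP 400: [{Code:81058 Message:A record with the same settings already exists. ErrorChain:[]}]"}
May 08 20:27:48 auth caddy[39953]: {"level":"error","ts":1715200068.8422444,"logger":"tls.obtain","msg":"will re
'''

# (category, pattern searched in the "error" field, what to check). The hints
# are this example's reading of the messages, not text produced by Caddy.
RULES = [
    ("rate_limited", re.compile(r"acme:error:rateLimited"),
     "CA is refusing new orders for now; stop retrying until the cause is fixed"),
    ("dns_record_exists", re.compile(r"Code:81058"),
     "DNS provider reports an identical record; look for a leftover challenge TXT"),
    ("wrong_txt_value", re.compile(r"Incorrect TXT record"),
     "CA read a TXT value that is not this order's; look for a leftover challenge TXT"),
]
STALE_DNS = {"dns_record_exists", "wrong_txt_value"}


def parse_line(line):
    """Return the JSON object embedded in a journald line, or None."""
    start = line.find("{")
    if start < 0:
        return None  # e.g. the systemd "Started Caddy." line
    try:
        entry = json.loads(line[start:])
    except json.JSONDecodeError:
        return None  # truncated or non-JSON payload
    return entry if isinstance(entry, dict) else None


def classify(error_text):
    """Map an issuer error string to one of the categories in RULES."""
    for category, pattern, _hint in RULES:
        if pattern.search(error_text):
            return category
    return "unclassified"


def triage(log_text):
    """List (identifier, issuer, category) for each per-issuer failure, in log order."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if not entry or entry.get("level") != "error":
            continue
        if entry.get("msg") != "could not get certificate from issuer":
            continue
        findings.append((entry.get("identifier", "?"), entry.get("issuer", "?"),
                         classify(entry.get("error", ""))))
    return findings


def txt_records_to_inspect(findings):
    """DNS-01 record names whose existing TXT values should be reviewed."""
    names = {ident for ident, _issuer, cat in findings if cat in STALE_DNS}
    return sorted("_acme-challenge." + name for name in names)


if __name__ == "__main__":
    hints = {cat: hint for cat, _pattern, hint in RULES}
    results = triage(SAMPLE_LOG)
    for ident, issuer, cat in results:
        print(f"{ident:24} {issuer:42} {cat}: {hints.get(cat, 'read the raw error')}")
    print("inspect:", ", ".join(txt_records_to_inspect(results)))
```

On a live host the same functions can be fed the output of `journalctl -u caddy --no-pager` instead of `SAMPLE_LOG`.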

Again, you’re making HTTP requests to Caddy when you do this; make sure to specify https://. Notice how you get a 308 status and the Location header; that’s a redirect.

Sure, but you only need HTTPS from the outside world into your server (i.e. incoming connections to Caddy). There’s no need to have HTTPS between your webserver and your apps (i.e. the proxy), because the traffic is happening within your private network. It only adds complication and overhead.


Ah, good point, thank you, updated. This is entirely internal, and an alternative to making a private certificate authority and having to touch ~80 servers and computers. In theory at least this is less complication and overhead. Would really like our users to stop having to click through certificate warnings.
Certificate-wise, I did get this working with Certbot before switching to Caddy, so the API key should be correct at least, and I can verify TXT records are being created on our Cloudflare DNS.

Caddyfile (simplified with just smx)

{
        debug
}

(prop) {
        tls example@email.net {
                propagation_timeout -1
                dns cloudflare api-token
        }
}

smx.ecfinternal.net {
        reverse_proxy https://10.0.0.7:3443
        import prop
}

logs

May 08 20:49:51 auth systemd[1]: Started Caddy.
May 08 20:49:51 auth caddy[40034]: {"level":"warn","ts":1715201391.9421513,"logger":"tls","msg":"storage cleaning happened too recently; skipping for now","storage":"FileStorage:/var/lib/caddy/.local/share/caddy","instance":"531e7759-e154-46fd-a653-18750e0d82ee","try_again":1715287791.9421504,"try_again_in":86399.999999749}
May 08 20:49:51 auth caddy[40034]: {"level":"info","ts":1715201391.9421885,"logger":"tls","msg":"finished cleaning storage units"}
May 08 20:49:51 auth caddy[40034]: {"level":"info","ts":1715201391.9422836,"logger":"tls.obtain","msg":"lock acquired","identifier":"smx.ecfinternal.net"}
May 08 20:49:51 auth caddy[40034]: {"level":"info","ts":1715201391.9423416,"logger":"tls.obtain","msg":"obtaining certificate","identifier":"smx.ecfinternal.net"}
May 08 20:49:51 auth caddy[40034]: {"level":"debug","ts":1715201391.9423506,"logger":"events","msg":"event","name":"cert_obtaining","id":"bfa6b8ed-9022-4a80-8168-082139e0d058","origin":"tls","data":{"identifier":"smx.ecfinternal.net"}}
May 08 20:49:51 auth caddy[40034]: {"level":"debug","ts":1715201391.9425988,"logger":"tls.obtain","msg":"trying issuer 1/2","issuer":"acme-v02.api.letsencrypt.org-directory"}
May 08 20:49:51 auth caddy[40034]: {"level":"info","ts":1715201391.94272,"logger":"tls.issuance.acme","msg":"waiting on internal rate limiter","identifiers":["smx.ecfinternal.net"],"ca":"https://acme-v02.api.letsencrypt.org/directory","account":"amendenhall@staff.gwi.net"}
May 08 20:49:51 auth caddy[40034]: {"level":"info","ts":1715201391.9427302,"logger":"tls.issuance.acme","msg":"done waiting on internal rate limiter","identifiers":["smx.ecfinternal.net"],"ca":"https://acme-v02.api.letsencrypt.org/directory","account":"amendenhall@staff.gwi.net"}
May 08 20:49:52 auth caddy[40034]: {"level":"debug","ts":1715201392.1109767,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"GET","url":"https://acme-v02.api.letsencrypt.org/directory","headers":{"User-Agent":["Caddy/2.7.6 CertMagic acmez (linux; amd64)"]},"response_headers":{"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["747"],"Content-Type":["application/json"],"Date":["Wed, 08 May 2024 20:49:52 GMT"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":200}
May 08 20:49:52 auth caddy[40034]: {"level":"debug","ts":1715201392.1571786,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"HEAD","url":"https://acme-v02.api.letsencrypt.org/acme/new-nonce","headers":{"User-Agent":["Caddy/2.7.6 CertMagic acmez (linux; amd64)"]},"response_headers":{"Cache-Control":["public, max-age=0, no-cache"],"Date":["Wed, 08 May 2024 20:49:52 GMT"],"Link":["<https://acme-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["RHbEAk-J5oWNSJCNSplR-RzgB3crXqI2wA52oSKx5PFtv9mTqxk"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":200}
May 08 20:49:52 auth caddy[40034]: {"level":"debug","ts":1715201392.568499,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"POST","url":"https://acme-v02.api.letsencrypt.org/acme/new-order","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.7.6 CertMagic acmez (linux; amd64)"]},"response_headers":{"Boulder-Requester":["1663302997"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["345"],"Content-Type":["application/json"],"Date":["Wed, 08 May 2024 20:49:52 GMT"],"Link":["<https://acme-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Location":["https://acme-v02.api.letsencrypt.org/acme/order/1663302997/267730003717"],"Replay-Nonce":["KBbvukTe9AdUjVub4VNAcknTOTX2ps2EICN_r6bQjSM6vtTkVcs"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":201}
May 08 20:49:52 auth caddy[40034]: {"level":"debug","ts":1715201392.632738,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"POST","url":"https://acme-v02.api.letsencrypt.org/acme/authz-v3/348338392877","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.7.6 CertMagic acmez (linux; amd64)"]},"response_headers":{"Boulder-Requester":["1663302997"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["803"],"Content-Type":["application/json"],"Date":["Wed, 08 May 2024 20:49:52 GMT"],"Link":["<https://acme-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["KBbvukTe9LuzGjDNWc3N_MlmWy_8_8kIZNBbYPjuQ2VxIU0BkVE"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":200}
May 08 20:49:52 auth caddy[40034]: {"level":"info","ts":1715201392.632863,"logger":"tls.issuance.acme.acme_client","msg":"trying to solve challenge","identifier":"smx.ecfinternal.net","challenge_type":"dns-01","ca":"https://acme-v02.api.letsencrypt.org/directory"}
May 08 20:49:53 auth caddy[40034]: {"level":"debug","ts":1715201393.2939944,"logger":"tls.issuance.acme.acme_client","msg":"waiting for solver before continuing","identifier":"smx.ecfinternal.net","challenge_type":"dns-01"}
May 08 20:49:53 auth caddy[40034]: {"level":"debug","ts":1715201393.2940235,"logger":"tls.issuance.acme.acme_client","msg":"done waiting for solver","identifier":"smx.ecfinternal.net","challenge_type":"dns-01"}
May 08 20:49:53 auth caddy[40034]: {"level":"debug","ts":1715201393.3601255,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"POST","url":"https://acme-v02.api.letsencrypt.org/acme/chall-v3/348338392877/VKlNcg","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.7.6 CertMagic acmez (linux; amd64)"]},"response_headers":{"Boulder-Requester":["1663302997"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["186"],"Content-Type":["application/json"],"Date":["Wed, 08 May 2024 20:49:53 GMT"],"Link":["<https://acme-v02.api.letsencrypt.org/directory>;rel=\"index\"","<https://acme-v02.api.letsencrypt.org/acme/authz-v3/348338392877>;rel=\"up\""],"Location":["https://acme-v02.api.letsencrypt.org/acme/chall-v3/348338392877/VKlNcg"],"Replay-Nonce":["RHbEAk-JC5Plbf0-IUGxeBWOVoSBs3svLjAXPA0qlIXOe1gHZMw"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":200}
May 08 20:49:53 auth caddy[40034]: {"level":"debug","ts":1715201393.3601782,"logger":"tls.issuance.acme.acme_client","msg":"challenge accepted","identifier":"smx.ecfinternal.net","challenge_type":"dns-01"}
May 08 20:49:53 auth caddy[40034]: {"level":"debug","ts":1715201393.6973805,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"POST","url":"https://acme-v02.api.letsencrypt.org/acme/authz-v3/348338392877","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.7.6 CertMagic acmez (linux; amd64)"]},"response_headers":{"Boulder-Requester":["1663302997"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["671"],"Content-Type":["application/json"],"Date":["Wed, 08 May 2024 20:49:53 GMT"],"Link":["<https://acme-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["RHbEAk-JyDm3j3Nj5OA7ffnYG5cYbK-8O3razTnYgIJ9dIm52Xs"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":200}
May 08 20:49:53 auth caddy[40034]: {"level":"error","ts":1715201393.9231532,"logger":"tls.issuance.acme.acme_client","msg":"challenge failed","identifier":"smx.ecfinternal.net","challenge_type":"dns-01","problem":{"type":"urn:ietf:params:acme:error:unauthorized","title":"","detail":"Incorrect TXT record \"4O-pHsJjrjDtVFLwMpJtQPb81m_-QLXOryRKiNc70gI\" (and 3 more) found at _acme-challenge.smx.ecfinternal.net","instance":"","subproblems":[]}}
May 08 20:49:53 auth caddy[40034]: {"level":"error","ts":1715201393.9231963,"logger":"tls.issuance.acme.acme_client","msg":"validating authorization","identifier":"smx.ecfinternal.net","problem":{"type":"urn:ietf:params:acme:error:unauthorized","title":"","detail":"Incorrect TXT record \"4O-pHsJjrjDtVFLwMpJtQPb81m_-QLXOryRKiNc70gI\" (and 3 more) found at _acme-challenge.smx.ecfinternal.net","instance":"","subproblems":[]},"order":"https://acme-v02.api.letsencrypt.org/acme/order/1663302997/267730003717","attempt":1,"max_attempts":3}
May 08 20:49:53 auth caddy[40034]: {"level":"error","ts":1715201393.923225,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"smx.ecfinternal.net","issuer":"acme-v02.api.letsencrypt.org-directory","error":"HTTP 403 urn:ietf:params:acme:error:unauthorized - Incorrect TXT record \"4O-pHsJjrjDtVFLwMpJtQPb81m_-QLXOryRKiNc70gI\" (and 3 more) found at _acme-challenge.smx.ecfinternal.net"}
May 08 20:49:53 auth caddy[40034]: {"level":"debug","ts":1715201393.923239,"logger":"tls.obtain","msg":"trying issuer 2/2","issuer":"acme.zerossl.com-v2-DV90"}
May 08 20:49:53 auth caddy[40034]: {"level":"info","ts":1715201393.9234574,"logger":"tls.issuance.zerossl","msg":"waiting on internal rate limiter","identifiers":["smx.ecfinternal.net"],"ca":"https://acme.zerossl.com/v2/DV90","account":"amendenhall@staff.gwi.net"}
May 08 20:49:53 auth caddy[40034]: {"level":"info","ts":1715201393.9234657,"logger":"tls.issuance.zerossl","msg":"done waiting on internal rate limiter","identifiers":["smx.ecfinternal.net"],"ca":"https://acme.zerossl.com/v2/DV90","account":"amendenhall@staff.gwi.net"}
May 08 20:49:54 auth caddy[40034]: {"level":"debug","ts":1715201394.0113692,"logger":"tls.issuance.zerossl.acme_client","msg":"http request","method":"GET","url":"https://acme.zerossl.com/v2/DV90","headers":{"User-Agent":["Caddy/2.7.6 CertMagic acmez (linux; amd64)"]},"response_headers":{"Access-Control-Allow-Origin":["*"],"Content-Length":["645"],"Content-Type":["application/json"],"Date":["Wed, 08 May 2024 20:49:54 GMT"],"Server":["nginx"],"Strict-Transport-Security":["max-age=15724800; includeSubDomains"]},"status_code":200}
May 08 20:49:54 auth caddy[40034]: {"level":"debug","ts":1715201394.0677705,"logger":"tls.issuance.zerossl.acme_client","msg":"http request","method":"HEAD","url":"https://acme.zerossl.com/v2/DV90/newNonce","headers":{"User-Agent":["Caddy/2.7.6 CertMagic acmez (linux; amd64)"]},"response_headers":{"Access-Control-Allow-Origin":["*"],"Cache-Control":["max-age=0, no-cache, no-store"],"Content-Type":["application/octet-stream"],"Date":["Wed, 08 May 2024 20:49:54 GMT"],"Link":["<https://acme.zerossl.com/v2/DV90>;rel=\"index\""],"Replay-Nonce":["3mVrFiWRpQHKutHEKq2IZzQBjmjRg3EN57HaBluOe2w"],"Server":["nginx"],"Strict-Transport-Security":["max-age=15724800; includeSubDomains"]},"status_code":200}
May 08 20:49:54 auth caddy[40034]: {"level":"debug","ts":1715201394.2113144,"logger":"tls.issuance.zerossl.acme_client","msg":"http request","method":"POST","url":"https://acme.zerossl.com/v2/DV90/newOrder","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.7.6 CertMagic acmez (linux; amd64)"]},"response_headers":{"Access-Control-Allow-Origin":["*"],"Cache-Control":["max-age=0, no-cache, no-store"],"Content-Length":["281"],"Content-Type":["application/json"],"Date":["Wed, 08 May 2024 20:49:54 GMT"],"Location":["https://acme.zerossl.com/v2/DV90/order/g1d25cWL45hOKzd7u03zTQ"],"Replay-Nonce":["6h2SOM0byAPCqf3zCmgI-DXhOrWB3ERehROY3Boj61U"],"Server":["nginx"],"Strict-Transport-Security":["max-age=15724800; includeSubDomains"]},"status_code":201}
May 08 20:49:54 auth caddy[40034]: {"level":"debug","ts":1715201394.3261604,"logger":"tls.issuance.zerossl.acme_client","msg":"http request","method":"POST","url":"https://acme.zerossl.com/v2/DV90/authz/BqdWNIVd1ChlTcEj5FK5NA","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.7.6 CertMagic acmez (linux; amd64)"]},"response_headers":{"Access-Control-Allow-Origin":["*"],"Cache-Control":["max-age=0, no-cache, no-store"],"Content-Length":["452"],"Content-Type":["application/json"],"Date":["Wed, 08 May 2024 20:49:54 GMT"],"Link":["<https://acme.zerossl.com/v2/DV90>;rel=\"index\""],"Replay-Nonce":["bxH4QoH2ejl0m39chZs4oQJ56MJW9JBdGgS-GLXi6ng"],"Retry-After":["86400"],"Server":["nginx"],"Strict-Transport-Security":["max-age=15724800; includeSubDomains"]},"status_code":200}
May 08 20:49:54 auth caddy[40034]: {"level":"debug","ts":1715201394.3262196,"logger":"tls.issuance.zerossl.acme_client","msg":"no solver configured","challenge_type":"http-01"}
May 08 20:49:54 auth caddy[40034]: {"level":"info","ts":1715201394.3262246,"logger":"tls.issuance.zerossl.acme_client","msg":"trying to solve challenge","identifier":"smx.ecfinternal.net","challenge_type":"dns-01","ca":"https://acme.zerossl.com/v2/DV90"}
May 08 20:49:54 auth caddy[40034]: {"level":"error","ts":1715201394.7109911,"logger":"tls.issuance.zerossl.acme_client","msg":"cleaning up solver","identifier":"smx.ecfinternal.net","challenge_type":"dns-01","error":"no memory of presenting a DNS record for \"_acme-challenge.smx.ecfinternal.net\" (usually OK if presenting also failed)"}
May 08 20:49:54 auth caddy[40034]: {"level":"debug","ts":1715201394.833718,"logger":"tls.issuance.zerossl.acme_client","msg":"http request","method":"POST","url":"https://acme.zerossl.com/v2/DV90/authz/BqdWNIVd1ChlTcEj5FK5NA","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.7.6 CertMagic acmez (linux; amd64)"]},"response_headers":{"Access-Control-Allow-Origin":["*"],"Cache-Control":["max-age=0, no-cache, no-store"],"Content-Length":["291"],"Content-Type":["application/json"],"Date":["Wed, 08 May 2024 20:49:54 GMT"],"Link":["<https://acme.zerossl.com/v2/DV90>;rel=\"index\""],"Replay-Nonce":["GQF9xJYn30bf25U3dZXktkvPTyrvRXhzg4Ei4tVAtAU"],"Server":["nginx"],"Strict-Transport-Security":["max-age=15724800; includeSubDomains"]},"status_code":200}
May 08 20:49:54 auth caddy[40034]: {"level":"error","ts":1715201394.8339927,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"smx.ecfinternal.net","issuer":"acme.zerossl.com-v2-DV90","error":"[smx.ecfinternal.net] solving challenges: presenting for challenge: adding temporary record for zone \"ecfinternal.net.\": got error status: HTTP 400: [{Code:81058 Message:A record with the same settings already exists. ErrorChain:[]}] (order=https://acme.zerossl.com/v2/DV90/order/g1d25cWL45hOKzd7u03zTQ) (ca=https://acme.zerossl.com/v2/DV90)"}
May 08 20:49:54 auth caddy[40034]: {"level":"debug","ts":1715201394.8340228,"logger":"events","msg":"event","name":"cert_failed","id":"e29e6429-a5ad-41d6-a66a-268f1735fc35","origin":"tls","data":{"error":{},"identifier":"smx.ecfinternal.net","issuers":["acme-v02.api.letsencrypt.org-directory","acme.zerossl.com-v2-DV90"],"renewal":false}}
May 08 20:49:54 auth caddy[40034]: {"level":"error","ts":1715201394.834046,"logger":"tls.obtain","msg":"will retry","error":"[smx.ecfinternal.net] Obtain: [smx.ecfinternal.net] solving challenges: presenting for challenge: adding temporary record for zone \"ecfinternal.net.\": got error status: HTTP 400: [{Code:81058 Message:A record with the same settings already exists. ErrorChain:[]}] (order=https://acme.zerossl.com/v2/DV90/order/g1d25cWL45hOKzd7u03zTQ) (ca=https://acme.zerossl.com/v2/DV90)","attempt":1,"retrying_in":60,"elapsed":2.891755401,"max_duration":2592000}

curl -v smx.ecfinternal.net

*   Trying 10.0.0.13:80...
* Connected to smx.ecfinternal.net (10.0.0.13) port 80 (#0)
> GET / HTTP/1.1
> Host: smx.ecfinternal.net
> User-Agent: curl/7.81.0
> Accept: */*
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 308 Permanent Redirect
< Connection: close
< Location: https://smx.ecfinternal.net/
< Server: Caddy
< Date: Wed, 08 May 2024 20:50:43 GMT
< Content-Length: 0
< 

Once again, you’re only making an HTTP request here. That doesn’t show anything useful. Add https:// in front of your domain in this command.

Something’s messed up with your DNS. Try to clear out the TXT records on your domain from your Cloudflare dashboard, then wipe out Caddy’s storage (at /var/lib/caddy/.local/share/caddy) then restart Caddy.

Please mind your post’s formatting. Make sure to use code blocks when posting config/logs. Use triple backticks ``` on their own lines, before and after the content. Or click the </> button above the text box.
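The dns-01 failures in a journal like the one above repeat across several log entries per attempt, so it helps to group them by cause before cleaning anything up. The script below is an added example, not part of the thread or of Caddy: it parses journald-prefixed Caddy JSON lines and classifies the failure text. Its sample lines are constructed (trimmed to the fields used, with `TOKEN-A` as a placeholder), the cause names and hints are this example's own, and it also recognises the "No TXT record found" variant.

```python
"""Group dns-01 failure causes found in a Caddy journal (added example)."""
import json
import re

# journald prefix ("May 08 20:49:53 host caddy[pid]: ") followed by one JSON object
LINE_RE = re.compile(r"^\w{3} +\d+ [\d:]{8} \S+ caddy\[\d+\]: (\{.*\})\s*$")

# (cause name, pattern on the failure text, hint). Names and hints are this example's own.
CAUSES = [
    ("stale_txt_records", re.compile(r"Incorrect TXT record .*? found at "),
     "leftover _acme-challenge TXT records answered the CA; delete them at the DNS provider"),
    ("duplicate_record_rejected", re.compile(r"Code:81058|same settings already exists"),
     "the provider refused to add the challenge record because an identical one exists"),
    ("txt_not_visible", re.compile(r"No TXT record found at "),
     "the CA saw no TXT record; check the record reached the public zone before validation"),
]

# Constructed sample, shaped like the entries in this thread.
SAMPLE_JOURNAL = r'''
May 08 20:49:40 auth systemd[1]: Started Caddy.
May 08 20:49:52 auth caddy[40034]: {"level":"debug","logger":"tls.obtain","msg":"trying issuer 1/2","issuer":"acme-v02.api.letsencrypt.org-directory"}
May 08 20:49:53 auth caddy[40034]: {"level":"error","logger":"tls.issuance.acme.acme_client","msg":"challenge failed","identifier":"smx.ecfinternal.net","challenge_type":"dns-01","problem":{"type":"urn:ietf:params:acme:error:unauthorized","detail":"Incorrect TXT record \"TOKEN-A\" (and 3 more) found at _acme-challenge.smx.ecfinternal.net"}}
May 08 20:49:53 auth caddy[40034]: {"level":"error","logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"smx.ecfinternal.net","issuer":"acme-v02.api.letsencrypt.org-directory","error":"HTTP 403 urn:ietf:params:acme:error:unauthorized - Incorrect TXT record \"TOKEN-A\" (and 3 more) found at _acme-challenge.smx.ecfinternal.net"}
May 08 20:49:54 auth caddy[40034]: {"level":"error","logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"smx.ecfinternal.net","issuer":"acme.zerossl.com-v2-DV90","error":"[smx.ecfinternal.net] solving challenges: presenting for challenge: adding temporary record for zone \"ecfinternal.net.\": got error status: HTTP 400: [{Code:81058 Message:A record with the same settings already exists. ErrorChain:[]}]"}
May 08 20:49:55 auth caddy[40034]: {"level":"error","logger":"tls.obtain","msg":"trunc
May 09 13:26:28 auth caddy[54269]: {"level":"error","logger":"tls.issuance.acme.acme_client","msg":"challenge failed","identifier":"smx.ecfinternal.net","challenge_type":"dns-01","problem":{"type":"urn:ietf:params:acme:error:unauthorized","detail":"No TXT record found at _acme-challenge.smx.ecfinternal.net"}}
'''


def parse_journal(text):
    """Yield decoded Caddy JSON entries; skip non-Caddy, truncated or malformed lines."""
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            continue
        try:
            entry = json.loads(match.group(1))
        except json.JSONDecodeError:
            continue
        if isinstance(entry, dict):
            yield entry


def failure_text(entry):
    """Return the ACME problem detail if present, otherwise the plain error string."""
    problem = entry.get("problem")
    if isinstance(problem, dict) and problem.get("detail"):
        return problem["detail"]
    error = entry.get("error")
    return error if isinstance(error, str) else ""


def classify(text):
    """Map a failure message to (cause, hint), or None if it matches no known cause."""
    for cause, pattern, hint in CAUSES:
        if pattern.search(text):
            return cause, hint
    return None


def summarise(text):
    """Collapse repeated error entries into one finding per (identifier, cause)."""
    findings = {}
    for entry in parse_journal(text):
        logger = str(entry.get("logger", ""))
        if entry.get("level") != "error" or not logger.startswith("tls."):
            continue
        hit = classify(failure_text(entry))
        if hit is None:
            continue
        cause, hint = hit
        identifier = entry.get("identifier", "unknown")
        item = findings.setdefault(
            (identifier, cause),
            {"identifier": identifier, "cause": cause, "hint": hint, "hits": 0},
        )
        item["hits"] += 1
    return sorted(findings.values(), key=lambda f: (f["identifier"], f["cause"]))


if __name__ == "__main__":
    for finding in summarise(SAMPLE_JOURNAL):
        print("{identifier}: {cause} x{hits} -> {hint}".format(**finding))
```

To run it on a real host, feed it the output of `journalctl -u caddy --no-pager -o short` instead of the sample.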

Ah ok I get you now. And sorry, I missed a set of backticks, fixed. Yes, Cloudflare-wise the old TXT records are not getting deleted. Manually deleted them and cleared the storage as you suggested.

curl -v https://smx.ecfinternal.net

*   Trying 10.0.0.13:443...
* Connected to smx.ecfinternal.net (10.0.0.13) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.0 (OUT), TLS header, Certificate Status (22):
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS header, Unknown (21):
* TLSv1.3 (IN), TLS alert, internal error (592):
* error:0A000438:SSL routines::tlsv1 alert internal error
* Closing connection 0
curl: (35) error:0A000438:SSL routines::tlsv1 alert internal error

May 09 13:26:27 auth systemd[1]: Started Caddy.
May 09 13:26:27 auth caddy[54269]: {"level":"info","ts":1715261187.3834622,"logger":"tls.obtain","msg":"acquiring lock","identifier":"smx.ecfinternal.net"}
May 09 13:26:27 auth caddy[54269]: {"level":"info","ts":1715261187.388557,"logger":"tls.obtain","msg":"lock acquired","identifier":"smx.ecfinternal.net"}
May 09 13:26:27 auth caddy[54269]: {"level":"info","ts":1715261187.3885663,"logger":"tls","msg":"cleaning storage unit","storage":"FileStorage:/var/lib/caddy/.local/share/caddy"}
May 09 13:26:27 auth caddy[54269]: {"level":"info","ts":1715261187.3888333,"logger":"tls","msg":"finished cleaning storage units"}
May 09 13:26:27 auth caddy[54269]: {"level":"info","ts":1715261187.3889484,"logger":"tls.obtain","msg":"obtaining certificate","identifier":"smx.ecfinternal.net"}
May 09 13:26:27 auth caddy[54269]: {"level":"debug","ts":1715261187.3890374,"logger":"events","msg":"event","name":"cert_obtaining","id":"861171d9-aa65-414d-a568-12f421acab4f","origin":"tls","data":{"identifier":"smx.ecfinternal.net"}}
May 09 13:26:27 auth caddy[54269]: {"level":"debug","ts":1715261187.3894036,"logger":"tls.obtain","msg":"trying issuer 1/2","issuer":"acme-v02.api.letsencrypt.org-directory"}
May 09 13:26:27 auth caddy[54269]: {"level":"debug","ts":1715261187.5930696,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"GET","url":"https://acme-v02.api.letsencrypt.org/directory","headers":{"User-Agent":["Caddy/2.7.6 CertMagic acmez (linux; amd64)"]},"response_headers":{"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["747"],"Content-Type":["application/json"],"Date":["Thu, 09 May 2024 13:26:27 GMT"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":200}
May 09 13:26:27 auth caddy[54269]: {"level":"debug","ts":1715261187.6492743,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"HEAD","url":"https://acme-v02.api.letsencrypt.org/acme/new-nonce","headers":{"User-Agent":["Caddy/2.7.6 CertMagic acmez (linux; amd64)"]},"response_headers":{"Cache-Control":["public, max-age=0, no-cache"],"Date":["Thu, 09 May 2024 13:26:27 GMT"],"Link":["<https://acme-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["R8tUGx_Z7FKeAtt3Dyh2XbGEUUpmVn1Wh2aorYWmTkGoOlMukRk"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":200}
May 09 13:26:27 auth caddy[54269]: {"level":"debug","ts":1715261187.715349,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"POST","url":"https://acme-v02.api.letsencrypt.org/acme/new-acct","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.7.6 CertMagic acmez (linux; amd64)"]},"response_headers":{"Boulder-Requester":["1717460097"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["326"],"Content-Type":["application/json"],"Date":["Thu, 09 May 2024 13:26:27 GMT"],"Link":["<https://acme-v02.api.letsencrypt.org/directory>;rel=\"index\"","<https://letsencrypt.org/documents/LE-SA-v1.4-April-3-2024.pdf>;rel=\"terms-of-service\""],"Location":["https://acme-v02.api.letsencrypt.org/acme/acct/1717460097"],"Replay-Nonce":["Gy4YNW4qTtKb6x4JkR0naGK05OsqdK0ylAu3PkyYE9s_pLkpHZE"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":201}
May 09 13:26:27 auth caddy[54269]: {"level":"info","ts":1715261187.7157667,"logger":"tls.issuance.acme","msg":"waiting on internal rate limiter","identifiers":["smx.ecfinternal.net"],"ca":"https://acme-v02.api.letsencrypt.org/directory","account":"my@email.net"}
May 09 13:26:27 auth caddy[54269]: {"level":"info","ts":1715261187.7157803,"logger":"tls.issuance.acme","msg":"done waiting on internal rate limiter","identifiers":["smx.ecfinternal.net"],"ca":"https://acme-v02.api.letsencrypt.org/directory","account":"my@email.net"}
May 09 13:26:27 auth caddy[54269]: {"level":"debug","ts":1715261187.7992387,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"POST","url":"https://acme-v02.api.letsencrypt.org/acme/new-order","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.7.6 CertMagic acmez (linux; amd64)"]},"response_headers":{"Boulder-Requester":["1717460097"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["345"],"Content-Type":["application/json"],"Date":["Thu, 09 May 2024 13:26:27 GMT"],"Link":["<https://acme-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Location":["https://acme-v02.api.letsencrypt.org/acme/order/1717460097/267927401727"],"Replay-Nonce":["R8tUGx_ZZydNZIEpL8796YPjsXmL1bjGuZ3eaNkByBwbbF0Scbk"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":201}
May 09 13:26:27 auth caddy[54269]: {"level":"debug","ts":1715261187.8593888,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"POST","url":"https://acme-v02.api.letsencrypt.org/acme/authz-v3/348624014157","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.7.6 CertMagic acmez (linux; amd64)"]},"response_headers":{"Boulder-Requester":["1717460097"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["803"],"Content-Type":["application/json"],"Date":["Thu, 09 May 2024 13:26:27 GMT"],"Link":["<https://acme-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["Gy4YNW4qHspA_QnW7q_xt8MzI0gAT8vzQTGF0uDFaUAClyr0z5s"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":200}
May 09 13:26:27 auth caddy[54269]: {"level":"info","ts":1715261187.8595624,"logger":"tls.issuance.acme.acme_client","msg":"trying to solve challenge","identifier":"smx.ecfinternal.net","challenge_type":"dns-01","ca":"https://acme-v02.api.letsencrypt.org/directory"}
May 09 13:26:28 auth caddy[54269]: {"level":"debug","ts":1715261188.423631,"logger":"tls.issuance.acme.acme_client","msg":"waiting for solver before continuing","identifier":"smx.ecfinternal.net","challenge_type":"dns-01"}
May 09 13:26:28 auth caddy[54269]: {"level":"debug","ts":1715261188.423657,"logger":"tls.issuance.acme.acme_client","msg":"done waiting for solver","identifier":"smx.ecfinternal.net","challenge_type":"dns-01"}
May 09 13:26:28 auth caddy[54269]: {"level":"debug","ts":1715261188.483849,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"POST","url":"https://acme-v02.api.letsencrypt.org/acme/chall-v3/348624014157/AnLBaw","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.7.6 CertMagic acmez (linux; amd64)"]},"response_headers":{"Boulder-Requester":["1717460097"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["186"],"Content-Type":["application/json"],"Date":["Thu, 09 May 2024 13:26:28 GMT"],"Link":["<https://acme-v02.api.letsencrypt.org/directory>;rel=\"index\"","<https://acme-v02.api.letsencrypt.org/acme/authz-v3/348624014157>;rel=\"up\""],"Location":["https://acme-v02.api.letsencrypt.org/acme/chall-v3/348624014157/AnLBaw"],"Replay-Nonce":["Gy4YNW4qquu2yRFtKSWzVDgCTrfejgRD0hCqWQ1UCPJuWfsz_sU"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":200}
May 09 13:26:28 auth caddy[54269]: {"level":"debug","ts":1715261188.4838946,"logger":"tls.issuance.acme.acme_client","msg":"challenge accepted","identifier":"smx.ecfinternal.net","challenge_type":"dns-01"}
May 09 13:26:28 auth caddy[54269]: {"level":"debug","ts":1715261188.7920723,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"POST","url":"https://acme-v02.api.letsencrypt.org/acme/authz-v3/348624014157","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.7.6 CertMagic acmez (linux; amd64)"]},"response_headers":{"Boulder-Requester":["1717460097"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["603"],"Content-Type":["application/json"],"Date":["Thu, 09 May 2024 13:26:28 GMT"],"Link":["<https://acme-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["Gy4YNW4qNQn1ud9XNoVdZG72_u8VpT1kkSEheKNVCflKkTcm9vA"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":200}
May 09 13:26:28 auth caddy[54269]: {"level":"error","ts":1715261188.9730093,"logger":"tls.issuance.acme.acme_client","msg":"challenge failed","identifier":"smx.ecfinternal.net","challenge_type":"dns-01","problem":{"type":"urn:ietf:params:acme:error:unauthorized","title":"","detail":"No TXT record found at _acme-challenge.smx.ecfinternal.net","instance":"","subproblems":[]}}
May 09 13:26:28 auth caddy[54269]: {"level":"error","ts":1715261188.9730399,"logger":"tls.issuance.acme.acme_client","msg":"validating authorization","identifier":"smx.ecfinternal.net","problem":{"type":"urn:ietf:params:acme:error:unauthorized","title":"","detail":"No TXT record found at _acme-challenge.smx.ecfinternal.net","instance":"","subproblems":[]},"order":"https://acme-v02.api.letsencrypt.org/acme/order/1717460097/267927401727","attempt":1,"max_attempts":3}
May 09 13:26:28 auth caddy[54269]: {"level":"error","ts":1715261188.9730625,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"smx.ecfinternal.net","issuer":"acme-v02.api.letsencrypt.org-directory","error":"HTTP 403 urn:ietf:params:acme:error:unauthorized - No TXT record found at _acme-challenge.smx.ecfinternal.net"}
May 09 13:26:28 auth caddy[54269]: {"level":"debug","ts":1715261188.9730742,"logger":"tls.obtain","msg":"trying issuer 2/2","issuer":"acme.zerossl.com-v2-DV90"}
May 09 13:26:29 auth caddy[54269]: {"level":"info","ts":1715261189.3702962,"logger":"tls.issuance.zerossl","msg":"generated EAB credentials","key_id":"KviBkElROhQJlrK9zEE58Q"}
May 09 13:26:29 auth caddy[54269]: {"level":"debug","ts":1715261189.464716,"logger":"tls.issuance.zerossl.acme_client","msg":"http request","method":"GET","url":"https://acme.zerossl.com/v2/DV90","headers":{"User-Agent":["Caddy/2.7.6 CertMagic acmez (linux; amd64)"]},"response_headers":{"Access-Control-Allow-Origin":["*"],"Content-Length":["645"],"Content-Type":["application/json"],"Date":["Thu, 09 May 2024 13:26:29 GMT"],"Server":["nginx"],"Strict-Transport-Security":["max-age=15724800; includeSubDomains"]},"status_code":200}
May 09 13:26:29 auth caddy[54269]: {"level":"debug","ts":1715261189.5532274,"logger":"tls.issuance.zerossl.acme_client","msg":"http request","method":"HEAD","url":"https://acme.zerossl.com/v2/DV90/newNonce","headers":{"User-Agent":["Caddy/2.7.6 CertMagic acmez (linux; amd64)"]},"response_headers":{"Access-Control-Allow-Origin":["*"],"Cache-Control":["max-age=0, no-cache, no-store"],"Content-Type":["application/octet-stream"],"Date":["Thu, 09 May 2024 13:26:29 GMT"],"Link":["<https://acme.zerossl.com/v2/DV90>;rel=\"index\""],"Replay-Nonce":["INZ_9Su4jZbzLIeo2kf68i61PkkbpMyQcdSp7MfCYJU"],"Server":["nginx"],"Strict-Transport-Security":["max-age=15724800; includeSubDomains"]},"status_code":200}
May 09 13:26:29 auth caddy[54269]: {"level":"debug","ts":1715261189.7208185,"logger":"tls.issuance.zerossl.acme_client","msg":"http request","method":"POST","url":"https://acme.zerossl.com/v2/DV90/newAccount","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.7.6 CertMagic acmez (linux; amd64)"]},"response_headers":{"Access-Control-Allow-Origin":["*"],"Cache-Control":["max-age=0, no-cache, no-store"],"Content-Length":["587"],"Content-Type":["application/json"],"Date":["Thu, 09 May 2024 13:26:29 GMT"],"Link":["<https://acme.zerossl.com/v2/DV90>;rel=\"index\""],"Location":["https://acme.zerossl.com/v2/DV90/account/KviBkElROhQJlrK9zEE58Q"],"Replay-Nonce":["OgyLsOSvTo0bAl0ez8B_3nFiF2VcF3hnUAusbpmtSPo"],"Server":["nginx"],"Strict-Transport-Security":["max-age=15724800; includeSubDomains"]},"status_code":201}
May 09 13:26:29 auth caddy[54269]: {"level":"info","ts":1715261189.7211876,"logger":"tls.issuance.zerossl","msg":"waiting on internal rate limiter","identifiers":["smx.ecfinternal.net"],"ca":"https://acme.zerossl.com/v2/DV90","account":"my@email.net"}
May 09 13:26:29 auth caddy[54269]: {"level":"info","ts":1715261189.7212014,"logger":"tls.issuance.zerossl","msg":"done waiting on internal rate limiter","identifiers":["smx.ecfinternal.net"],"ca":"https://acme.zerossl.com/v2/DV90","account":"my@email.net"}
May 09 13:26:30 auth caddy[54269]: {"level":"debug","ts":1715261190.1731105,"logger":"tls.issuance.zerossl.acme_client","msg":"http request","method":"POST","url":"https://acme.zerossl.com/v2/DV90/newOrder","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.7.6 CertMagic acmez (linux; amd64)"]},"response_headers":{"Access-Control-Allow-Origin":["*"],"Cache-Control":["max-age=0, no-cache, no-store"],"Content-Length":["281"],"Content-Type":["application/json"],"Date":["Thu, 09 May 2024 13:26:30 GMT"],"Location":["https://acme.zerossl.com/v2/DV90/order/vGJcoVw6LAF1v9kcMIwp9A"],"Replay-Nonce":["0EcFRIk9kA4oYC0nggVPOwDmHxdwuAdrpXB7f7VL7kA"],"Server":["nginx"],"Strict-Transport-Security":["max-age=15724800; includeSubDomains"]},"status_code":201}
May 09 13:26:30 auth caddy[54269]: {"level":"debug","ts":1715261190.3727267,"logger":"tls.issuance.zerossl.acme_client","msg":"http request","method":"POST","url":"https://acme.zerossl.com/v2/DV90/authz/OLvq24yrecdon1NtACPoKA","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.7.6 CertMagic acmez (linux; amd64)"]},"response_headers":{"Access-Control-Allow-Origin":["*"],"Cache-Control":["max-age=0, no-cache, no-store"],"Content-Length":["449"],"Content-Type":["application/json"],"Date":["Thu, 09 May 2024 13:26:30 GMT"],"Link":["<https://acme.zerossl.com/v2/DV90>;rel=\"index\""],"Replay-Nonce":["3yNv3e6rvqGfHOdRvkXaA3UOvozl4ny0iZ13QMuc6rI"],"Retry-After":["5"],"Server":["nginx"],"Strict-Transport-Security":["max-age=15724800; includeSubDomains"]},"status_code":200}
May 09 13:26:30 auth caddy[54269]: {"level":"debug","ts":1715261190.372829,"logger":"tls.issuance.zerossl.acme_client","msg":"no solver configured","challenge_type":"http-01"}
May 09 13:26:30 auth caddy[54269]: {"level":"info","ts":1715261190.3728344,"logger":"tls.issuance.zerossl.acme_client","msg":"trying to solve challenge","identifier":"smx.ecfinternal.net","challenge_type":"dns-01","ca":"https://acme.zerossl.com/v2/DV90"}
May 09 13:26:30 auth caddy[54269]: {"level":"debug","ts":1715261190.7717764,"logger":"tls.issuance.zerossl.acme_client","msg":"waiting for solver before continuing","identifier":"smx.ecfinternal.net","challenge_type":"dns-01"}
May 09 13:26:30 auth caddy[54269]: {"level":"debug","ts":1715261190.7718048,"logger":"tls.issuance.zerossl.acme_client","msg":"done waiting for solver","identifier":"smx.ecfinternal.net","challenge_type":"dns-01"}
May 09 13:26:30 auth caddy[54269]: {"level":"debug","ts":1715261190.9434862,"logger":"tls.issuance.zerossl.acme_client","msg":"http request","method":"POST","url":"https://acme.zerossl.com/v2/DV90/chall/KryMtP4xZJXlsmlfHoThSg","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.7.6 CertMagic acmez (linux; amd64)"]},"response_headers":{"Access-Control-Allow-Origin":["*"],"Cache-Control":["max-age=0, no-cache, no-store"],"Content-Length":["163"],"Content-Type":["application/json"],"Date":["Thu, 09 May 2024 13:26:30 GMT"],"Link":["<https://acme.zerossl.com/v2/DV90/authz/OLvq24yrecdon1NtACPoKA>;rel=\"up\""],"Replay-Nonce":["_O9qDrLuY016n9GJb9RtEyQW9Jm8rsUe82mILiKKGTY"],"Retry-After":["10"],"Server":["nginx"],"Strict-Transport-Security":["max-age=15724800; includeSubDomains"]},"status_code":200}
May 09 13:26:30 auth caddy[54269]: {"level":"debug","ts":1715261190.9435554,"logger":"tls.issuance.zerossl.acme_client","msg":"challenge accepted","identifier":"smx.ecfinternal.net","challenge_type":"dns-01"}
May 09 13:26:31 auth caddy[54269]: {"level":"debug","ts":1715261191.5080657,"logger":"tls.issuance.zerossl.acme_client","msg":"http request","method":"POST","url":"https://acme.zerossl.com/v2/DV90/authz/OLvq24yrecdon1NtACPoKA","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.7.6 CertMagic acmez (linux; amd64)"]},"response_headers":{"Access-Control-Allow-Origin":["*"],"Cache-Control":["max-age=0, no-cache, no-store"],"Content-Length":["452"],"Content-Type":["application/json"],"Date":["Thu, 09 May 2024 13:26:31 GMT"],"Link":["<https://acme.zerossl.com/v2/DV90>;rel=\"index\""],"Replay-Nonce":["5_lTbg02kp-2Gy6SQq9VZHLkdI1ZMbZqgFrJa_20blQ"],"Retry-After":["5"],"Server":["nginx"],"Strict-Transport-Security":["max-age=15724800; includeSubDomains"]},"status_code":200}
May 09 13:26:36 auth caddy[54269]: {"level":"debug","ts":1715261196.7837248,"logger":"tls.issuance.zerossl.acme_client","msg":"http request","method":"POST","url":"https://acme.zerossl.com/v2/DV90/authz/OLvq24yrecdon1NtACPoKA","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.7.6 CertMagic acmez (linux; amd64)"]},"response_headers":{"Access-Control-Allow-Origin":["*"],"Cache-Control":["max-age=0, no-cache, no-store"],"Content-Length":["452"],"Content-Type":["application/json"],"Date":["Thu, 09 May 2024 13:26:36 GMT"],"Link":["<https://acme.zerossl.com/v2/DV90>;rel=\"index\""],"Replay-Nonce":["q7wIwVzw5jLLLiXTIMI7PnVo7EfB2zYnJEKroezvm34"],"Retry-After":["5"],"Server":["nginx"],"Strict-Transport-Security":["max-age=15724800; includeSubDomains"]},"status_code":200}
May 09 13:26:41 auth caddy[54269]: {"level":"debug","ts":1715261201.9103491,"logger":"tls.issuance.zerossl.acme_client","msg":"http request","method":"POST","url":"https://acme.zerossl.com/v2/DV90/authz/OLvq24yrecdon1NtACPoKA","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.7.6 CertMagic acmez (linux; amd64)"]},"response_headers":{"Access-Control-Allow-Origin":["*"],"Cache-Control":["max-age=0, no-cache, no-store"],"Content-Length":["452"],"Content-Type":["application/json"],"Date":["Thu, 09 May 2024 13:26:41 GMT"],"Link":["<https://acme.zerossl.com/v2/DV90>;rel=\"index\""],"Replay-Nonce":["bXJApb2TrMls1ry8WbE99c115TgPYvULg8sji6cdJKA"],"Retry-After":["5"],"Server":["nginx"],"Strict-Transport-Security":["max-age=15724800; includeSubDomains"]},"status_code":200}
May 09 13:26:47 auth caddy[54269]: {"level":"debug","ts":1715261207.0094209,"logger":"tls.issuance.zerossl.acme_client","msg":"http request","method":"POST","url":"https://acme.zerossl.com/v2/DV90/authz/OLvq24yrecdon1NtACPoKA","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.7.6 CertMagic acmez (linux; amd64)"]},"response_headers":{"Access-Control-Allow-Origin":["*"],"Cache-Control":["max-age=0, no-cache, no-store"],"Content-Length":["452"],"Content-Type":["application/json"],"Date":["Thu, 09 May 2024 13:26:47 GMT"],"Link":["<https://acme.zerossl.com/v2/DV90>;rel=\"index\""],"Replay-Nonce":["gKSLzja7JUfUQjfSilWskHDNTu9PjCRJVpX4CQazLtY"],"Retry-After":["5"],"Server":["nginx"],"Strict-Transport-Security":["max-age=15724800; includeSubDomains"]},"status_code":200}
May 09 13:26:52 auth caddy[54269]: {"level":"debug","ts":1715261212.239409,"logger":"tls.issuance.zerossl.acme_client","msg":"http request","method":"POST","url":"https://acme.zerossl.com/v2/DV90/authz/OLvq24yrecdon1NtACPoKA","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.7.6 CertMagic acmez (linux; amd64)"]},"response_headers":{"Access-Control-Allow-Origin":["*"],"Cache-Control":["max-age=0, no-cache, no-store"],"Content-Length":["452"],"Content-Type":["application/json"],"Date":["Thu, 09 May 2024 13:26:52 GMT"],"Link":["<https://acme.zerossl.com/v2/DV90>;rel=\"index\""],"Replay-Nonce":["oIExL9HxCazuDg0IzZGnvXjwI5G4-jxKWZAO8GDs8VM"],"Retry-After":["5"],"Server":["nginx"],"Strict-Transport-Security":["max-age=15724800; includeSubDomains"]},"status_code":200}
May 09 13:26:53 auth caddy[54269]: {"level":"debug","ts":1715261213.8810697,"logger":"events","msg":"event","name":"tls_get_certificate","id":"56ca131d-2332-4cbc-bf67-c999163f00e2","origin":"tls","data":{"client_hello":{"CipherSuites":[4866,4867,4865,49196,49200,159,52393,52392,52394,49195,49199,158,49188,49192,107,49187,49191,103,49162,49172,57,49161,49171,51,157,156,61,60,53,47,255],"ServerName":"smx.ecfinternal.net","SupportedCurves":[29,23,30,25,24,256,257,258,259,260],"SupportedPoints":"AAEC","SignatureSchemes":[1027,1283,1539,2055,2056,2057,2058,2059,2052,2053,2054,1025,1281,1537,771,769,770,1026,1282,1538],"SupportedProtos":["h2","http/1.1"],"SupportedVersions":[772,771],"RemoteAddr":{"IP":"10.0.0.13","Port":33024,"Zone":""},"LocalAddr":{"IP":"10.0.0.13","Port":443,"Zone":""}}}}
May 09 13:26:53 auth caddy[54269]: {"level":"debug","ts":1715261213.8812277,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"smx.ecfinternal.net"}
May 09 13:26:53 auth caddy[54269]: {"level":"debug","ts":1715261213.8812335,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"*.ecfinternal.net"}
May 09 13:26:53 auth caddy[54269]: {"level":"debug","ts":1715261213.8812375,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"*.*.net"}
May 09 13:26:53 auth caddy[54269]: {"level":"debug","ts":1715261213.8812404,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"*.*.*"}
May 09 13:26:53 auth caddy[54269]: {"level":"debug","ts":1715261213.881247,"logger":"tls.handshake","msg":"no certificate matching TLS ClientHello","remote_ip":"10.0.0.13","remote_port":"33024","server_name":"smx.ecfinternal.net","remote":"10.0.0.13:33024","identifier":"smx.ecfinternal.net","cipher_suites":[4866,4867,4865,49196,49200,159,52393,52392,52394,49195,49199,158,49188,49192,107,49187,49191,103,49162,49172,57,49161,49171,51,157,156,61,60,53,47,255],"cert_cache_fill":0,"load_or_obtain_if_necessary":true,"on_demand":false}
May 09 13:26:53 auth caddy[54269]: {"level":"debug","ts":1715261213.8812902,"logger":"http.stdlib","msg":"http: TLS handshake error from 10.0.0.13:33024: no certificate available for 'smx.ecfinternal.net'"}
May 09 13:26:57 auth caddy[54269]: {"level":"debug","ts":1715261217.3113687,"logger":"tls.issuance.zerossl.acme_client","msg":"http request","method":"POST","url":"https://acme.zerossl.com/v2/DV90/authz/OLvq24yrecdon1NtACPoKA","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.7.6 CertMagic acmez (linux; amd64)"]},"response_headers":{"Access-Control-Allow-Origin":["*"],"Cache-Control":["max-age=0, no-cache, no-store"],"Content-Length":["452"],"Content-Type":["application/json"],"Date":["Thu, 09 May 2024 13:26:57 GMT"],"Link":["<https://acme.zerossl.com/v2/DV90>;rel=\"index\""],"Replay-Nonce":["Ulc7-_emwJi5FsjxFhBtxcsFzjIq4cfYeGzbYxX2wuw"],"Retry-After":["5"],"Server":["nginx"],"Strict-Transport-Security":["max-age=15724800; includeSubDomains"]},"status_code":200}
May 09 13:27:02 auth caddy[54269]: {"level":"debug","ts":1715261222.4093711,"logger":"tls.issuance.zerossl.acme_client","msg":"http request","method":"POST","url":"https://acme.zerossl.com/v2/DV90/authz/OLvq24yrecdon1NtACPoKA","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.7.6 CertMagic acmez (linux; amd64)"]},"response_headers":{"Access-Control-Allow-Origin":["*"],"Cache-Control":["max-age=0, no-cache, no-store"],"Content-Length":["452"],"Content-Type":["application/json"],"Date":["Thu, 09 May 2024 13:27:02 GMT"],"Link":["<https://acme.zerossl.com/v2/DV90>;rel=\"index\""],"Replay-Nonce":["pLgVDdM4eSOeFCDd0NwLuL_2WApYpn5mzE83ldtT6sc"],"Retry-After":["5"],"Server":["nginx"],"Strict-Transport-Security":["max-age=15724800; includeSubDomains"]},"status_code":200}
May 09 13:27:07 auth caddy[54269]: {"level":"debug","ts":1715261227.5716114,"logger":"tls.issuance.zerossl.acme_client","msg":"http request","method":"POST","url":"https://acme.zerossl.com/v2/DV90/authz/OLvq24yrecdon1NtACPoKA","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.7.6 CertMagic acmez (linux; amd64)"]},"response_headers":{"Access-Control-Allow-Origin":["*"],"Cache-Control":["max-age=0, no-cache, no-store"],"Content-Length":["452"],"Content-Type":["application/json"],"Date":["Thu, 09 May 2024 13:27:07 GMT"],"Link":["<https://acme.zerossl.com/v2/DV90>;rel=\"index\""],"Replay-Nonce":["Hd2yH_0YXmYeEdbx0Vlx8z04v3mKUr1O3PDvVSeTZfw"],"Retry-After":["5"],"Server":["nginx"],"Strict-Transport-Security":["max-age=15724800; includeSubDomains"]},"status_code":200}
May 09 13:27:12 auth caddy[54269]: {"level":"debug","ts":1715261232.6678216,"logger":"tls.issuance.zerossl.acme_client","msg":"http request","method":"POST","url":"https://acme.zerossl.com/v2/DV90/authz/OLvq24yrecdon1NtACPoKA","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.7.6 CertMagic acmez (linux; amd64)"]},"response_headers":{"Access-Control-Allow-Origin":["*"],"Cache-Control":["max-age=0, no-cache, no-store"],"Content-Length":["452"],"Content-Type":["application/json"],"Date":["Thu, 09 May 2024 13:27:12 GMT"],"Link":["<https://acme.zerossl.com/v2/DV90>;rel=\"index\""],"Replay-Nonce":["VJOeRUWl1s0BqSG2pIWBR-hvSHwZfmklg9Geoqo-hMc"],"Retry-After":["5"],"Server":["nginx"],"Strict-Transport-Security":["max-age=15724800; includeSubDomains"]},"status_code":200}
May 09 13:27:17 auth caddy[54269]: {"level":"debug","ts":1715261237.787088,"logger":"tls.issuance.zerossl.acme_client","msg":"http request","method":"POST","url":"https://acme.zerossl.com/v2/DV90/authz/OLvq24yrecdon1NtACPoKA","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.7.6 CertMagic acmez (linux; amd64)"]},"response_headers":{"Access-Control-Allow-Origin":["*"],"Cache-Control":["max-age=0, no-cache, no-store"],"Content-Length":["452"],"Content-Type":["application/json"],"Date":["Thu, 09 May 2024 13:27:17 GMT"],"Link":["<https://acme.zerossl.com/v2/DV90>;rel=\"index\""],"Replay-Nonce":["kLRlys8_C7wc_-KV33FPdxxINW_CmrNNRwqSmalZQVs"],"Retry-After":["5"],"Server":["nginx"],"Strict-Transport-Security":["max-age=15724800; includeSubDomains"]},"status_code":200}
May 09 13:27:22 auth caddy[54269]: {"level":"debug","ts":1715261242.892794,"logger":"tls.issuance.zerossl.acme_client","msg":"http request","method":"POST","url":"https://acme.zerossl.com/v2/DV90/authz/OLvq24yrecdon1NtACPoKA","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.7.6 CertMagic acmez (linux; amd64)"]},"response_headers":{"Access-Control-Allow-Origin":["*"],"Cache-Control":["max-age=0, no-cache, no-store"],"Content-Length":["452"],"Content-Type":["application/json"],"Date":["Thu, 09 May 2024 13:27:22 GMT"],"Link":["<https://acme.zerossl.com/v2/DV90>;rel=\"index\""],"Replay-Nonce":["IC70vf68junYirj4jSWreHRPoZp0vUjTfBGELx3RAVk"],"Retry-After":["5"],"Server":["nginx"],"Strict-Transport-Security":["max-age=15724800; includeSubDomains"]},"status_code":200}
May 09 13:27:27 auth caddy[54269]: {"level":"debug","ts":1715261247.9495504,"logger":"tls.issuance.zerossl.acme_client","msg":"http request","method":"POST","url":"https://acme.zerossl.com/v2/DV90/authz/OLvq24yrecdon1NtACPoKA","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.7.6 CertMagic acmez (linux; amd64)"]},"response_headers":{"Access-Control-Allow-Origin":["*"],"Cache-Control":["max-age=0, no-cache, no-store"],"Content-Length":["452"],"Content-Type":["application/json"],"Date":["Thu, 09 May 2024 13:27:27 GMT"],"Link":["<https://acme.zerossl.com/v2/DV90>;rel=\"index\""],"Replay-Nonce":["ZsCO9U2Cekb1BkBIiS0jWflNGN4Ile1qx507yW90tRw"],"Retry-After":["5"],"Server":["nginx"],"Strict-Transport-Security":["max-age=15724800; includeSubDomains"]},"status_code":200}
May 09 13:27:33 auth caddy[54269]: {"level":"debug","ts":1715261253.066284,"logger":"tls.issuance.zerossl.acme_client","msg":"http request","method":"POST","url":"https://acme.zerossl.com/v2/DV90/authz/OLvq24yrecdon1NtACPoKA","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.7.6 CertMagic acmez (linux; amd64)"]},"response_headers":{"Access-Control-Allow-Origin":["*"],"Cache-Control":["max-age=0, no-cache, no-store"],"Content-Length":["452"],"Content-Type":["application/json"],"Date":["Thu, 09 May 2024 13:27:33 GMT"],"Link":["<https://acme.zerossl.com/v2/DV90>;rel=\"index\""],"Replay-Nonce":["U_Y5sc2Xjq1uKquZEcQc-9Rm2kEb4c3skHThlBuFHCE"],"Retry-After":["5"],"Server":["nginx"],"Strict-Transport-Security":["max-age=15724800; includeSubDomains"]},"status_code":200}

Hmm, looking at the name of my TXT record, it’s _acme-challenge.smx rather than .smx.ecfinternal.net, which may well hint at the issue. “No TXT record found at _acme-challenge.smx.ecfinternal.net”
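One way to triage a debug log like the one above, as an added example that is not part of the original post or of Caddy's own tooling: it counts ACME authorization polls, lists the SNI names whose handshakes were refused for lack of a certificate, and prints the fully qualified TXT name that DNS-01 validation looks up for each. The function names `events` and `triage` are hypothetical, and the sample lines are constructed (shortened, with a placeholder authz id).

```python
import json
from collections import Counter

# Constructed sample in the journald + JSON shape of the log above; shortened,
# and the authz id is a placeholder rather than a value from the post.
AUTHZ = "https://acme.zerossl.com/v2/DV90/authz/EXAMPLE-AUTHZ-ID"
POLL = ('May 09 13:26:%02d auth caddy[54269]: {"level":"debug",'
        '"logger":"tls.issuance.zerossl.acme_client","msg":"http request",'
        '"method":"POST","url":"' + AUTHZ + '","status_code":200}')
SAMPLE = "\n".join([
    "Apr 30 19:51:43 auth systemd[1]: Started Caddy.",
    POLL % 41, POLL % 47, POLL % 52,
    'May 09 13:26:53 auth caddy[54269]: {"level":"debug","logger":"tls.handshake",'
    '"msg":"no matching certificates and no custom selection logic",'
    '"identifier":"*.ecfinternal.net"}',
    'May 09 13:26:53 auth caddy[54269]: {"level":"debug","logger":"tls.handshake",'
    '"msg":"no certificate matching TLS ClientHello",'
    '"server_name":"smx.ecfinternal.net","on_demand":false}',
])

def events(text):
    """Yield the JSON payload of each journald line, skipping lines without one."""
    for line in text.splitlines():
        start = line.find("{")
        if start < 0:
            continue
        try:
            yield json.loads(line[start:])
        except json.JSONDecodeError:
            continue  # truncated or non-JSON line

def triage(text):
    polls, refused = Counter(), Counter()
    for ev in events(text):
        logger = ev.get("logger", "")
        if logger.endswith(".acme_client") and "/authz/" in ev.get("url", ""):
            polls[ev["url"]] += 1  # client asked the CA for the authorization status
        elif logger == "tls.handshake" and ev.get("msg") == "no certificate matching TLS ClientHello":
            refused[ev.get("server_name", "?")] += 1  # no cert for this SNI name
    return {
        "authz_polls": dict(polls),
        "names_without_cert": dict(refused),
        # DNS-01 validation reads a TXT record at this fully qualified name
        "expected_txt": {n: "_acme-challenge." + n for n in refused},
    }

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE), indent=2))
```

Feeding it `journalctl -u caddy --no-pager` output in place of `SAMPLE` gives the same summary for a real log.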