Reverse Proxy and https setup

Can you try building from Caddy v2.8.0-beta.2 (using xcaddy build v2.8.0-beta.2 and add any --with for any plugins you need)?

We’ve made fixes to propagation checks, so you should be able to remove propagation_timeout -1 with that version.

$ dig TXT @1.1.1.1 _acme-challenge.smx.ecfinternal.net

; <<>> DiG 9.18.18-0ubuntu0.22.04.2-Ubuntu <<>> TXT @1.1.1.1 _acme-challenge.smx.ecfinternal.net
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55992
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;_acme-challenge.smx.ecfinternal.net. IN	TXT

;; ANSWER SECTION:
_acme-challenge.smx.ecfinternal.net. 300 IN TXT	"1_hb3X58uwDK8RvLuDKFboAWRTxpRe5X8Pr2f4_PyPM"
_acme-challenge.smx.ecfinternal.net. 300 IN TXT	"UecsoT3lIgb0oCQWURF_lAqNR3cMrduYlnZGeCsZ5xU"

;; Query time: 64 msec
;; SERVER: 1.1.1.1#53(1.1.1.1) (UDP)
;; WHEN: Fri May 10 01:20:16 EDT 2024
;; MSG SIZE  rcvd: 176

Making a DNS query, it seems like Caddy did write the ACME challenges correctly, I’m not sure why Let’s Encrypt rejected it. You might need to clear these out again, delete Caddy’s storage, and restart Caddy to trigger it one more time, once you’ve updated Caddy.

Sure, sounds good. caddy version: v2.8.0-beta.2 h1:VG+mnhxn5G2bCjYMU4Q2lbCMHxz7BSyh89l7M68ET20=

New Caddyfile:

{
        debug
        acme_dns cloudflare api-token
        email my@email.net
}
smx.ecfinternal.net {
        reverse_proxy https://10.0.0.7:3443
}

curl -v https://smx.ecfinternal.net

*   Trying 10.0.0.13:443...
* Connected to smx.ecfinternal.net (10.0.0.13) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.0 (OUT), TLS header, Certificate Status (22):
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS header, Unknown (21):
* TLSv1.3 (IN), TLS alert, internal error (592):
* error:0A000438:SSL routines::tlsv1 alert internal error
* Closing connection 0
curl: (35) error:0A000438:SSL routines::tlsv1 alert internal error

Logs:

May 10 14:15:00 auth systemd[1]: Started Caddy.
May 10 14:15:00 auth caddy[59928]: {"level":"info","ts":1715350500.322566,"logger":"tls.obtain","msg":"acquiring lock","identifier":"smx.ecfinternal.net"}
May 10 14:15:00 auth caddy[59928]: {"level":"info","ts":1715350500.3264523,"logger":"tls","msg":"cleaning storage unit","storage":"FileStorage:/var/lib/caddy/.local/share/caddy"}
May 10 14:15:00 auth caddy[59928]: {"level":"info","ts":1715350500.326611,"logger":"tls","msg":"finished cleaning storage units"}
May 10 14:15:00 auth caddy[59928]: {"level":"info","ts":1715350500.3267984,"logger":"tls.obtain","msg":"lock acquired","identifier":"smx.ecfinternal.net"}
May 10 14:15:00 auth caddy[59928]: {"level":"info","ts":1715350500.3269436,"logger":"tls.obtain","msg":"obtaining certificate","identifier":"smx.ecfinternal.net"}
May 10 14:15:00 auth caddy[59928]: {"level":"debug","ts":1715350500.3270643,"logger":"events","msg":"event","name":"cert_obtaining","id":"34468108-521d-4c56-a9e3-6faffa4af06b","origin":"tls","data":{"identifier":"smx.ecfinternal.net"}}
May 10 14:15:00 auth caddy[59928]: {"level":"debug","ts":1715350500.3272955,"logger":"tls.obtain","msg":"trying issuer 1/2","issuer":"acme-v02.api.letsencrypt.org-directory"}
May 10 14:15:00 auth caddy[59928]: {"level":"debug","ts":1715350500.507498,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"GET","url":"https://acme-v02.api.letsencrypt.org/directory","headers":{"User-Agent":["Caddy/2.8.0-beta.2 CertMagic acmez (linux; amd64)"]},"response_headers":{"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["747"],"Content-Type":["application/json"],"Date":["Fri, 10 May 2024 14:15:00 GMT"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":200}
May 10 14:15:00 auth caddy[59928]: {"level":"debug","ts":1715350500.5558653,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"HEAD","url":"https://acme-v02.api.letsencrypt.org/acme/new-nonce","headers":{"User-Agent":["Caddy/2.8.0-beta.2 CertMagic acmez (linux; amd64)"]},"response_headers":{"Cache-Control":["public, max-age=0, no-cache"],"Date":["Fri, 10 May 2024 14:15:00 GMT"],"Link":["<https://acme-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["9tl4X0FTAem374OxrV_EcysuB_gOXx39FZuK9xGduNhO57d_w4U"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":200}
May 10 14:15:00 auth caddy[59928]: {"level":"debug","ts":1715350500.6536548,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"POST","url":"https://acme-v02.api.letsencrypt.org/acme/new-acct","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.8.0-beta.2 CertMagic acmez (linux; amd64)"]},"response_headers":{"Boulder-Requester":["1719302167"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["326"],"Content-Type":["application/json"],"Date":["Fri, 10 May 2024 14:15:00 GMT"],"Link":["<https://acme-v02.api.letsencrypt.org/directory>;rel=\"index\"","<https://letsencrypt.org/documents/LE-SA-v1.4-April-3-2024.pdf>;rel=\"terms-of-service\""],"Location":["https://acme-v02.api.letsencrypt.org/acme/acct/1719302167"],"Replay-Nonce":["9tl4X0FT1Vr_-CMSq7WlRSgjE-iL93obMZt0KhG-Ex-TabggHx0"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":201}
May 10 14:15:00 auth caddy[59928]: {"level":"info","ts":1715350500.6540508,"logger":"tls.issuance.acme","msg":"waiting on internal rate limiter","identifiers":["smx.ecfinternal.net"],"ca":"https://acme-v02.api.letsencrypt.org/directory","account":"my@email.net"}
May 10 14:15:00 auth caddy[59928]: {"level":"info","ts":1715350500.6540613,"logger":"tls.issuance.acme","msg":"done waiting on internal rate limiter","identifiers":["smx.ecfinternal.net"],"ca":"https://acme-v02.api.letsencrypt.org/directory","account":"my@email.net"}
May 10 14:15:00 auth caddy[59928]: {"level":"info","ts":1715350500.6540823,"logger":"tls.issuance.acme","msg":"using ACME account","account_id":"https://acme-v02.api.letsencrypt.org/acme/acct/1719302167","account_contact":["mailto:my@email.net"]}
May 10 14:15:00 auth caddy[59928]: {"level":"debug","ts":1715350500.6540902,"logger":"tls.issuance.acme.acme_client","msg":"creating order","account":"https://acme-v02.api.letsencrypt.org/acme/acct/1719302167","identifiers":["smx.ecfinternal.net"]}
May 10 14:15:00 auth caddy[59928]: {"level":"debug","ts":1715350500.9143672,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"POST","url":"https://acme-v02.api.letsencrypt.org/acme/new-order","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.8.0-beta.2 CertMagic acmez (linux; amd64)"]},"response_headers":{"Boulder-Requester":["1719302167"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["345"],"Content-Type":["application/json"],"Date":["Fri, 10 May 2024 14:15:00 GMT"],"Link":["<https://acme-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Location":["https://acme-v02.api.letsencrypt.org/acme/order/1719302167/268217901837"],"Replay-Nonce":["9tl4X0FTDrNW0FsYCmyhAc8YdC9gQMQZcPg-IoyJwMA7Fs_-bes"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":201}
May 10 14:15:00 auth caddy[59928]: {"level":"debug","ts":1715350500.9841583,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"POST","url":"https://acme-v02.api.letsencrypt.org/acme/authz-v3/349043644557","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.8.0-beta.2 CertMagic acmez (linux; amd64)"]},"response_headers":{"Boulder-Requester":["1719302167"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["803"],"Content-Type":["application/json"],"Date":["Fri, 10 May 2024 14:15:00 GMT"],"Link":["<https://acme-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["-fkSYaIhpfh9eGG7gWwx-YfPla3TrlG9wJ8ajiAWOfvo0B0QrA8"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":200}
May 10 14:15:00 auth caddy[59928]: {"level":"info","ts":1715350500.9843857,"logger":"tls.issuance.acme.acme_client","msg":"trying to solve challenge","identifier":"smx.ecfinternal.net","challenge_type":"dns-01","ca":"https://acme-v02.api.letsencrypt.org/directory"}
May 10 14:15:03 auth caddy[59928]: {"level":"debug","ts":1715350503.740883,"logger":"tls.issuance.acme.acme_client","msg":"waiting for solver before continuing","identifier":"smx.ecfinternal.net","challenge_type":"dns-01"}
May 10 14:16:46 auth caddy[59928]: {"level":"debug","ts":1715350606.7749665,"logger":"events","msg":"event","name":"tls_get_certificate","id":"0a612509-348e-4627-bce2-7f3d67d2a36e","origin":"tls","data":{"client_hello":{"CipherSuites":[4866,4867,4865,49196,49200,159,52393,52392,52394,49195,49199,158,49188,49192,107,49187,49191,103,49162,49172,57,49161,49171,51,157,156,61,60,53,47,255],"ServerName":"smx.ecfinternal.net","SupportedCurves":[29,23,30,25,24,256,257,258,259,260],"SupportedPoints":"AAEC","SignatureSchemes":[1027,1283,1539,2055,2056,2057,2058,2059,2052,2053,2054,1025,1281,1537,771,769,770,1026,1282,1538],"SupportedProtos":["h2","http/1.1"],"SupportedVersions":[772,771],"RemoteAddr":{"IP":"10.0.0.13","Port":46544,"Zone":""},"LocalAddr":{"IP":"10.0.0.13","Port":443,"Zone":""}}}}
May 10 14:16:46 auth caddy[59928]: {"level":"debug","ts":1715350606.7750015,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"smx.ecfinternal.net"}
May 10 14:16:46 auth caddy[59928]: {"level":"debug","ts":1715350606.7750082,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"*.ecfinternal.net"}
May 10 14:16:46 auth caddy[59928]: {"level":"debug","ts":1715350606.775011,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"*.*.net"}
May 10 14:16:46 auth caddy[59928]: {"level":"debug","ts":1715350606.7750134,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"*.*.*"}
May 10 14:16:46 auth caddy[59928]: {"level":"debug","ts":1715350606.775021,"logger":"tls.handshake","msg":"no certificate matching TLS ClientHello","remote_ip":"10.0.0.13","remote_port":"46544","server_name":"smx.ecfinternal.net","remote":"10.0.0.13:46544","identifier":"smx.ecfinternal.net","cipher_suites":[4866,4867,4865,49196,49200,159,52393,52392,52394,49195,49199,158,49188,49192,107,49187,49191,103,49162,49172,57,49161,49171,51,157,156,61,60,53,47,255],"cert_cache_fill":0,"load_or_obtain_if_necessary":true,"on_demand":false}
May 10 14:16:46 auth caddy[59928]: {"level":"debug","ts":1715350606.7759643,"logger":"http.stdlib","msg":"http: TLS handshake error from 10.0.0.13:46544: no certificate available for 'smx.ecfinternal.net'"}
May 10 14:17:03 auth caddy[59928]: {"level":"debug","ts":1715350623.876996,"logger":"tls.issuance.acme.acme_client","msg":"done waiting for solver","identifier":"smx.ecfinternal.net","challenge_type":"dns-01"}
May 10 14:17:04 auth caddy[59928]: {"level":"debug","ts":1715350624.341747,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"POST","url":"https://acme-v02.api.letsencrypt.org/acme/authz-v3/349043644557","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.8.0-beta.2 CertMagic acmez (linux; amd64)"]},"response_headers":{"Boulder-Requester":["1719302167"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["807"],"Content-Type":["application/json"],"Date":["Fri, 10 May 2024 14:17:04 GMT"],"Link":["<https://acme-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["-fkSYaIhN8RDS1Fv98grpHH9xmy0XJaAbQF0KR5GqzCKXYxuUMk"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":200}
May 10 14:17:04 auth caddy[59928]: {"level":"error","ts":1715350624.342018,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"smx.ecfinternal.net","issuer":"acme-v02.api.letsencrypt.org-directory","error":"[smx.ecfinternal.net] solving challenges: waiting for solver certmagic.solverWrapper to be ready: timed out waiting for record to fully propagate; verify DNS provider configuration is correct - last error: <nil> (order=https://acme-v02.api.letsencrypt.org/acme/order/1719302167/268217901837) (ca=https://acme-v02.api.letsencrypt.org/directory)"}
May 10 14:17:04 auth caddy[59928]: {"level":"debug","ts":1715350624.3420331,"logger":"tls.obtain","msg":"trying issuer 2/2","issuer":"acme.zerossl.com-v2-DV90"}
May 10 14:17:04 auth caddy[59928]: {"level":"info","ts":1715350624.6813183,"logger":"http","msg":"generated EAB credentials","key_id":"z3lWNY4_DytqaxBWSB9wWw"}
May 10 14:17:04 auth caddy[59928]: {"level":"debug","ts":1715350624.761635,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"GET","url":"https://acme.zerossl.com/v2/DV90","headers":{"User-Agent":["Caddy/2.8.0-beta.2 CertMagic acmez (linux; amd64)"]},"response_headers":{"Access-Control-Allow-Origin":["*"],"Content-Length":["645"],"Content-Type":["application/json"],"Date":["Fri, 10 May 2024 14:17:04 GMT"],"Server":["nginx"],"Strict-Transport-Security":["max-age=15724800; includeSubDomains"]},"status_code":200}
May 10 14:17:04 auth caddy[59928]: {"level":"debug","ts":1715350624.8651564,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"HEAD","url":"https://acme.zerossl.com/v2/DV90/newNonce","headers":{"User-Agent":["Caddy/2.8.0-beta.2 CertMagic acmez (linux; amd64)"]},"response_headers":{"Access-Control-Allow-Origin":["*"],"Cache-Control":["max-age=0, no-cache, no-store"],"Content-Type":["application/octet-stream"],"Date":["Fri, 10 May 2024 14:17:04 GMT"],"Link":["<https://acme.zerossl.com/v2/DV90>;rel=\"index\""],"Replay-Nonce":["sd5PlSsKWzYpNn8BzSI_nlAgETbraLjqH-Nw0W7x4fw"],"Server":["nginx"],"Strict-Transport-Security":["max-age=15724800; includeSubDomains"]},"status_code":200}
May 10 14:17:05 auth caddy[59928]: {"level":"debug","ts":1715350625.077118,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"POST","url":"https://acme.zerossl.com/v2/DV90/newAccount","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.8.0-beta.2 CertMagic acmez (linux; amd64)"]},"response_headers":{"Access-Control-Allow-Origin":["*"],"Cache-Control":["max-age=0, no-cache, no-store"],"Content-Length":["587"],"Content-Type":["application/json"],"Date":["Fri, 10 May 2024 14:17:05 GMT"],"Link":["<https://acme.zerossl.com/v2/DV90>;rel=\"index\""],"Location":["https://acme.zerossl.com/v2/DV90/account/z3lWNY4_DytqaxBWSB9wWw"],"Replay-Nonce":["PzzQuFzWeWfrmgMlsY-ifEpDv-FvGRDqBrL1wcy6gZ0"],"Server":["nginx"],"Strict-Transport-Security":["max-age=15724800; includeSubDomains"]},"status_code":201}
May 10 14:17:05 auth caddy[59928]: {"level":"info","ts":1715350625.0774443,"logger":"tls.issuance.acme","msg":"waiting on internal rate limiter","identifiers":["smx.ecfinternal.net"],"ca":"https://acme.zerossl.com/v2/DV90","account":"my@email.net"}
May 10 14:17:05 auth caddy[59928]: {"level":"info","ts":1715350625.0775352,"logger":"tls.issuance.acme","msg":"done waiting on internal rate limiter","identifiers":["smx.ecfinternal.net"],"ca":"https://acme.zerossl.com/v2/DV90","account":"my@email.net"}
May 10 14:17:05 auth caddy[59928]: {"level":"info","ts":1715350625.0775542,"logger":"tls.issuance.acme","msg":"using ACME account","account_id":"https://acme.zerossl.com/v2/DV90/account/z3lWNY4_DytqaxBWSB9wWw","account_contact":["mailto:my@email.net"]}
May 10 14:17:05 auth caddy[59928]: {"level":"debug","ts":1715350625.077561,"logger":"tls.issuance.acme.acme_client","msg":"creating order","account":"https://acme.zerossl.com/v2/DV90/account/z3lWNY4_DytqaxBWSB9wWw","identifiers":["smx.ecfinternal.net"]}
May 10 14:17:05 auth caddy[59928]: {"level":"debug","ts":1715350625.3693469,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"POST","url":"https://acme.zerossl.com/v2/DV90/newOrder","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.8.0-beta.2 CertMagic acmez (linux; amd64)"]},"response_headers":{"Access-Control-Allow-Origin":["*"],"Cache-Control":["max-age=0, no-cache, no-store"],"Content-Length":["281"],"Content-Type":["application/json"],"Date":["Fri, 10 May 2024 14:17:05 GMT"],"Location":["https://acme.zerossl.com/v2/DV90/order/ydKhEimmmMJDy8L949B9yw"],"Replay-Nonce":["ySkuVcCsU04hvmB0ExFNtCEo4tbO7IM24VoU40l2gNM"],"Server":["nginx"],"Strict-Transport-Security":["max-age=15724800; includeSubDomains"]},"status_code":201}
May 10 14:17:05 auth caddy[59928]: {"level":"debug","ts":1715350625.4207695,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"POST","url":"https://acme.zerossl.com/v2/DV90/authz/X1hBsn-mFWS3UnRW5kL5BQ","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.8.0-beta.2 CertMagic acmez (linux; amd64)"]},"response_headers":{"Access-Control-Allow-Origin":["*"],"Cache-Control":["max-age=0, no-cache, no-store"],"Content-Length":["449"],"Content-Type":["application/json"],"Date":["Fri, 10 May 2024 14:17:05 GMT"],"Link":["<https://acme.zerossl.com/v2/DV90>;rel=\"index\""],"Replay-Nonce":["nPZO6_xE8kH5J6hzYX99hWywhywC7PeNjYax6izL7G4"],"Retry-After":["5"],"Server":["nginx"],"Strict-Transport-Security":["max-age=15724800; includeSubDomains"]},"status_code":200}
May 10 14:17:05 auth caddy[59928]: {"level":"info","ts":1715350625.4208717,"logger":"tls.issuance.acme.acme_client","msg":"trying to solve challenge","identifier":"smx.ecfinternal.net","challenge_type":"dns-01","ca":"https://acme.zerossl.com/v2/DV90"}
May 10 14:17:05 auth caddy[59928]: {"level":"debug","ts":1715350625.8044975,"logger":"tls.issuance.acme.acme_client","msg":"waiting for solver before continuing","identifier":"smx.ecfinternal.net","challenge_type":"dns-01"}

TXT record:

TXT _acme-challenge.smx TD_9V163mAdW9ddz_u3Bnyxhz9s9wt_noppOqhBfxdU
DNS only

dig TXT @1.1.1.1 _acme-challenge.smx.ecfinternal.net

; <<>> DiG 9.18.18-0ubuntu0.22.04.2-Ubuntu <<>> TXT @1.1.1.1 _acme-challenge.smx.ecfinternal.net
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35564
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;_acme-challenge.smx.ecfinternal.net. IN	TXT

;; ANSWER SECTION:
_acme-challenge.smx.ecfinternal.net. 300 IN TXT	"TD_9V163mAdW9ddz_u3Bnyxhz9s9wt_noppOqhBfxdU"

;; Query time: 56 msec
;; SERVER: 1.1.1.1#53(1.1.1.1) (UDP)
;; WHEN: Fri May 10 10:22:11 EDT 2024
;; MSG SIZE  rcvd: 120

Gah. I guess your system’s resolvers aren’t configured such that it can reach public DNS servers to check. You’ll probably want resolvers 1.1.1.1 in your config as well. For that, you’ll need to use the tls directive instead of the acme_dns global option.

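The check described in the reply above, as an added example that is not part of this thread or of Caddy/CertMagic: a stdlib-only Python script that asks a chosen resolver for the `_acme-challenge` TXT record and reports whether the expected token is visible there, so the host's own resolver can be compared with 1.1.1.1 the way the thread does with dig. Function names, the resolver list in the main block and the constructed reply packet used for offline testing are assumptions, not anything taken from Caddy.

```python
from __future__ import annotations
import random
import socket
import struct

TYPE_TXT, CLASS_IN = 16, 1


def encode_name(name: str) -> bytes:
    """Encode a dotted name as length-prefixed labels ending in a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"

def build_txt_query(name: str, txid: int) -> bytes:
    """12-byte header (RD set, one question) followed by the TXT/IN question."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack(">HH", TYPE_TXT, CLASS_IN)

def skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, terminates the name
            return off + 2
        off += 1 + length

def parse_txt_answers(msg: bytes, txid: int) -> list[str]:
    """TXT strings from a reply; raises on id mismatch, non-response, truncation or error rcode."""
    rid, flags, qdcount, ancount, _, _ = struct.unpack(">HHHHHH", msg[:12])
    if rid != txid or not flags & 0x8000:
        raise ValueError("not a response to our query")
    if flags & 0x0200:
        raise ValueError("truncated reply; retry over TCP")
    if flags & 0x000F:
        raise ValueError(f"rcode {flags & 0x000F}")
    off = 12
    for _ in range(qdcount):
        off = skip_name(msg, off) + 4  # skip QTYPE + QCLASS
    texts = []
    for _ in range(ancount):
        off = skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype == TYPE_TXT:
            # RDATA is a sequence of <character-string>s (1-byte length + bytes); join them
            pos, chunks = 0, []
            while pos < len(rdata):
                n = rdata[pos]
                chunks.append(rdata[pos + 1:pos + 1 + n])
                pos += 1 + n
            texts.append(b"".join(chunks).decode("utf-8", "replace"))
    return texts

def query_txt(resolver: str, name: str, timeout: float = 3.0) -> list[str]:
    """One UDP query to resolver:53; returns the TXT strings it answers with."""
    txid = random.randrange(0, 0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_txt_query(name, txid), (resolver, 53))
        data, _ = sock.recvfrom(4096)
    return parse_txt_answers(data, txid)

def check_propagation(name: str, expected: str, resolvers: list[str]) -> dict[str, bool]:
    """True per resolver iff the expected token is among its TXT answers (errors count as False)."""
    seen = {}
    for resolver in resolvers:
        try:
            seen[resolver] = expected in query_txt(resolver, name)
        except (OSError, ValueError):
            seen[resolver] = False
    return seen

def diagnose(seen: dict[str, bool], public: str) -> str:
    """Classify the per-resolver result the way the thread reasons about it."""
    if seen and all(seen.values()):
        return "propagated"
    if not any(seen.values()):
        return "not_published"  # record not written yet, or wrong zone / provider token
    if seen.get(public):
        return "split_horizon"  # public resolver sees it but an internal resolver does not
    return "partial"

def build_txt_response(name: str, txid: int, texts: list[str], rcode: int = 0) -> bytes:
    """Constructed sample reply for offline tests: echoes the question, answers with TXT RRs."""
    header = struct.pack(">HHHHHH", txid, 0x8180 | rcode, 1, len(texts), 0, 0)
    question = encode_name(name) + struct.pack(">HH", TYPE_TXT, CLASS_IN)
    answers = b""
    for text in texts:
        raw = text.encode("ascii")
        rdata = bytes([len(raw)]) + raw
        answers += b"\xc0\x0c" + struct.pack(">HHIH", TYPE_TXT, CLASS_IN, 300, len(rdata)) + rdata
    return header + question + answers

if __name__ == "__main__":
    # Name and token are from the thread; the resolver list is an assumption (local stub vs. 1.1.1.1)
    name, token = "_acme-challenge.smx.ecfinternal.net", "TD_9V163mAdW9ddz_u3Bnyxhz9s9wt_noppOqhBfxdU"
    seen = check_propagation(name, token, ["127.0.0.53", "1.1.1.1"])
    print(seen, "->", diagnose(seen, "1.1.1.1"))
```

A `split_horizon` result is the situation in this thread: the public resolver returns the token while the host's own resolver does not, so the ACME client's propagation check has to be pointed at a public resolver.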

Oh bother, oh well, easy fix. Just adding 1.1.1.1 as a forwarder in my Bind9 config didn’t seem to really change anything, but adding the resolvers seems to have made a difference.
Caddyfile:

{
                debug
}

(prop) {
        tls my@email.net {
                resolvers 1.1.1.1
                dns cloudflare api-token
        }
}

smx.ecfinternal.net {
        reverse_proxy https://10.0.0.7:3443
        import prop
}

curl -v https://smx.ecfinternal.net

* Connected to smx.ecfinternal.net (10.0.0.13) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.0 (OUT), TLS header, Certificate Status (22):
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS header, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS header, Finished (20):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.2 (OUT), TLS header, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=smx.ecfinternal.net
*  start date: May 10 15:20:05 2024 GMT
*  expire date: Aug  8 15:20:04 2024 GMT
*  subjectAltName: host "smx.ecfinternal.net" matched cert's "smx.ecfinternal.net"
*  issuer: C=US; O=Let's Encrypt; CN=R3
*  SSL certificate verify ok.
* Using HTTP2, server supports multiplexing
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* Using Stream ID: 1 (easy handle 0x55e462767eb0)
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
> GET / HTTP/2
> Host: smx.ecfinternal.net
> user-agent: curl/7.81.0
> accept: */*
> 
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* Connection state changed (MAX_CONCURRENT_STREAMS == 250)!
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
< HTTP/2 502 
< alt-svc: h3=":443"; ma=2592000
< server: Caddy
< content-length: 0
< date: Fri, 10 May 2024 16:22:45 GMT
< 
* Connection #0 to host smx.ecfinternal.net left intact

Logs:

May 10 12:19:49 auth systemd[1]: Started Caddy.
May 10 12:19:49 auth caddy[60234]: {"level":"info","ts":1715357989.4549055,"msg":"serving initial configuration"}
May 10 12:19:49 auth caddy[60234]: {"level":"info","ts":1715357989.4551482,"logger":"tls.obtain","msg":"acquiring lock","identifier":"smx.ecfinternal.net"}
May 10 12:19:49 auth caddy[60234]: {"level":"info","ts":1715357989.458124,"logger":"tls","msg":"cleaning storage unit","storage":"FileStorage:/var/lib/caddy/.local/share/caddy"}
May 10 12:19:49 auth caddy[60234]: {"level":"info","ts":1715357989.4591122,"logger":"tls","msg":"finished cleaning storage units"}
May 10 12:19:49 auth caddy[60234]: {"level":"info","ts":1715357989.4600208,"logger":"tls.obtain","msg":"lock acquired","identifier":"smx.ecfinternal.net"}
May 10 12:19:49 auth caddy[60234]: {"level":"info","ts":1715357989.4601762,"logger":"tls.obtain","msg":"obtaining certificate","identifier":"smx.ecfinternal.net"}
May 10 12:19:49 auth caddy[60234]: {"level":"debug","ts":1715357989.460329,"logger":"events","msg":"event","name":"cert_obtaining","id":"722decab-b27d-4f04-8d64-9741323199d1","origin":"tls","data":{"identifier":"smx.ecfinternal.net"}}
May 10 12:19:49 auth caddy[60234]: {"level":"debug","ts":1715357989.460586,"logger":"tls.obtain","msg":"trying issuer 1/2","issuer":"acme-v02.api.letsencrypt.org-directory"}
May 10 12:19:49 auth caddy[60234]: {"level":"debug","ts":1715357989.6445978,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"GET","url":"https://acme-v02.api.letsencrypt.org/directory","headers":{"User-Agent":["Caddy/2.8.0-beta.2 CertMagic acmez (linux; amd64)"]},"response_headers":{"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["747"],"Content-Type":["application/json"],"Date":["Fri, 10 May 2024 16:19:49 GMT"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":200}
May 10 12:19:49 auth caddy[60234]: {"level":"debug","ts":1715357989.7024877,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"HEAD","url":"https://acme-v02.api.letsencrypt.org/acme/new-nonce","headers":{"User-Agent":["Caddy/2.8.0-beta.2 CertMagic acmez (linux; amd64)"]},"response_headers":{"Cache-Control":["public, max-age=0, no-cache"],"Date":["Fri, 10 May 2024 16:19:49 GMT"],"Link":["<https://acme-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["6Jd4kJYipivjaBesyRi3M-x-0Jc1rvptbzWXj0Ce4j0i8bH-efo"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":200}
May 10 12:19:49 auth caddy[60234]: {"level":"debug","ts":1715357989.7714572,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"POST","url":"https://acme-v02.api.letsencrypt.org/acme/new-acct","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.8.0-beta.2 CertMagic acmez (linux; amd64)"]},"response_headers":{"Boulder-Requester":["1719474267"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["326"],"Content-Type":["application/json"],"Date":["Fri, 10 May 2024 16:19:49 GMT"],"Link":["<https://acme-v02.api.letsencrypt.org/directory>;rel=\"index\"","<https://letsencrypt.org/documents/LE-SA-v1.4-April-3-2024.pdf>;rel=\"terms-of-service\""],"Location":["https://acme-v02.api.letsencrypt.org/acme/acct/1719474267"],"Replay-Nonce":["7n34iCGf_cSyFZiAjJdpJ2NST3hUR2nG4xq9vpocUJPMTZ37wRY"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":201}
May 10 12:19:49 auth caddy[60234]: {"level":"info","ts":1715357989.771839,"logger":"tls.issuance.acme","msg":"waiting on internal rate limiter","identifiers":["smx.ecfinternal.net"],"ca":"https://acme-v02.api.letsencrypt.org/directory","account":"my@email.net"}
May 10 12:19:49 auth caddy[60234]: {"level":"info","ts":1715357989.771852,"logger":"tls.issuance.acme","msg":"done waiting on internal rate limiter","identifiers":["smx.ecfinternal.net"],"ca":"https://acme-v02.api.letsencrypt.org/directory","account":"my@email.net"}
May 10 12:19:49 auth caddy[60234]: {"level":"info","ts":1715357989.7718716,"logger":"tls.issuance.acme","msg":"using ACME account","account_id":"https://acme-v02.api.letsencrypt.org/acme/acct/1719474267","account_contact":["mailto:my@email.net"]}
May 10 12:19:49 auth caddy[60234]: {"level":"debug","ts":1715357989.7718768,"logger":"tls.issuance.acme.acme_client","msg":"creating order","account":"https://acme-v02.api.letsencrypt.org/acme/acct/1719474267","identifiers":["smx.ecfinternal.net"]}
May 10 12:19:49 auth caddy[60234]: {"level":"debug","ts":1715357989.8565054,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"POST","url":"https://acme-v02.api.letsencrypt.org/acme/new-order","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.8.0-beta.2 CertMagic acmez (linux; amd64)"]},"response_headers":{"Boulder-Requester":["1719474267"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["345"],"Content-Type":["application/json"],"Date":["Fri, 10 May 2024 16:19:49 GMT"],"Link":["<https://acme-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Location":["https://acme-v02.api.letsencrypt.org/acme/order/1719474267/268242330127"],"Replay-Nonce":["6Jd4kJYiTT1kErfPw6ZV4J6-kCi5KSIBbFJ6LnM7OIMhgAjNMj4"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":201}
May 10 12:19:49 auth caddy[60234]: {"level":"debug","ts":1715357989.9188807,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"POST","url":"https://acme-v02.api.letsencrypt.org/acme/authz-v3/349078965197","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.8.0-beta.2 CertMagic acmez (linux; amd64)"]},"response_headers":{"Boulder-Requester":["1719474267"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["803"],"Content-Type":["application/json"],"Date":["Fri, 10 May 2024 16:19:49 GMT"],"Link":["<https://acme-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["6Jd4kJYiZdKIDoJJdy4uhmFGStSotyyznZXfwLi3zSUC6FYz6ps"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":200}
May 10 12:19:49 auth caddy[60234]: {"level":"info","ts":1715357989.9189768,"logger":"tls.issuance.acme.acme_client","msg":"trying to solve challenge","identifier":"smx.ecfinternal.net","challenge_type":"dns-01","ca":"https://acme-v02.api.letsencrypt.org/directory"}
May 10 12:19:50 auth caddy[60234]: {"level":"debug","ts":1715357990.7676342,"logger":"tls.issuance.acme.acme_client","msg":"waiting for solver before continuing","identifier":"smx.ecfinternal.net","challenge_type":"dns-01"}
May 10 12:20:03 auth caddy[60234]: {"level":"debug","ts":1715358003.173214,"logger":"tls.issuance.acme.acme_client","msg":"done waiting for solver","identifier":"smx.ecfinternal.net","challenge_type":"dns-01"}
May 10 12:20:03 auth caddy[60234]: {"level":"debug","ts":1715358003.2361262,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"POST","url":"https://acme-v02.api.letsencrypt.org/acme/chall-v3/349078965197/Lu-8XQ","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.8.0-beta.2 CertMagic acmez (linux; amd64)"]},"response_headers":{"Boulder-Requester":["1719474267"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["186"],"Content-Type":["application/json"],"Date":["Fri, 10 May 2024 16:20:03 GMT"],"Link":["<https://acme-v02.api.letsencrypt.org/directory>;rel=\"index\"","<https://acme-v02.api.letsencrypt.org/acme/authz-v3/349078965197>;rel=\"up\""],"Location":["https://acme-v02.api.letsencrypt.org/acme/chall-v3/349078965197/Lu-8XQ"],"Replay-Nonce":["6Jd4kJYidxwBYHXTb3rUFVaaJ3-8X60eZlY6VvjY59kFazQZePk"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":200}
May 10 12:20:03 auth caddy[60234]: {"level":"debug","ts":1715358003.2361805,"logger":"tls.issuance.acme.acme_client","msg":"challenge accepted","identifier":"smx.ecfinternal.net","challenge_type":"dns-01"}
May 10 12:20:03 auth caddy[60234]: {"level":"debug","ts":1715358003.5473006,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"POST","url":"https://acme-v02.api.letsencrypt.org/acme/authz-v3/349078965197","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.8.0-beta.2 CertMagic acmez (linux; amd64)"]},"response_headers":{"Boulder-Requester":["1719474267"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["513"],"Content-Type":["application/json"],"Date":["Fri, 10 May 2024 16:20:03 GMT"],"Link":["<https://acme-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["6Jd4kJYi1spCGMG8ySuWbBGiS56NoESM36jXInNGJJxVpuHaZBA"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":200}
May 10 12:20:04 auth caddy[60234]: {"level":"info","ts":1715358004.9590812,"logger":"tls.issuance.acme.acme_client","msg":"authorization finalized","identifier":"smx.ecfinternal.net","authz_status":"valid"}
May 10 12:20:04 auth caddy[60234]: {"level":"info","ts":1715358004.9591327,"logger":"tls.issuance.acme.acme_client","msg":"validations succeeded; finalizing order","order":"https://acme-v02.api.letsencrypt.org/acme/order/1719474267/268242330127"}
May 10 12:20:05 auth caddy[60234]: {"level":"debug","ts":1715358005.7923877,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"POST","url":"https://acme-v02.api.letsencrypt.org/acme/finalize/1719474267/268242330127","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.8.0-beta.2 CertMagic acmez (linux; amd64)"]},"response_headers":{"Boulder-Requester":["1719474267"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["447"],"Content-Type":["application/json"],"Date":["Fri, 10 May 2024 16:20:05 GMT"],"Link":["<https://acme-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Location":["https://acme-v02.api.letsencrypt.org/acme/order/1719474267/268242330127"],"Replay-Nonce":["7n34iCGfqEj5LF7hLp_Y-rf8xpO_ohZI6srH5IPC8T6NpyNojRA"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":200}
May 10 12:20:05 auth caddy[60234]: {"level":"debug","ts":1715358005.8546913,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"POST","url":"https://acme-v02.api.letsencrypt.org/acme/cert/03aa1485a8799b8c2c837f70572004047cda","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.8.0-beta.2 CertMagic acmez (linux; amd64)"]},"response_headers":{"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["3332"],"Content-Type":["application/pem-certificate-chain"],"Date":["Fri, 10 May 2024 16:20:05 GMT"],"Link":["<https://acme-v02.api.letsencrypt.org/directory>;rel=\"index\"","<https://acme-v02.api.letsencrypt.org/acme/cert/03aa1485a8799b8c2c837f70572004047cda/1>;rel=\"alternate\""],"Replay-Nonce":["7n34iCGf_1Z0HsKilreIQ-50NKJtF7MtqYvln_QPBUb33-K8u00"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":200}
May 10 12:20:05 auth caddy[60234]: {"level":"debug","ts":1715358005.8547878,"logger":"tls.issuance.acme.acme_client","msg":"getting renewal info","names":["smx.ecfinternal.net"]}
May 10 12:20:05 auth caddy[60234]: {"level":"debug","ts":1715358005.9769819,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"GET","url":"https://acme-v02.api.letsencrypt.org/draft-ietf-acme-ari-02/renewalInfo//FC6zF7dYVsuuUAlA5h-vnYsUwsY.A6oUhah5m4wsg39wVyAEBHza","headers":{"User-Agent":["Caddy/2.8.0-beta.2 CertMagic acmez (linux; amd64)"]},"response_headers":{"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["101"],"Content-Type":["application/json"],"Date":["Fri, 10 May 2024 16:20:05 GMT"],"Link":["<https://acme-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Retry-After":["21600"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":200}
May 10 12:20:05 auth caddy[60234]: {"level":"info","ts":1715358005.9770653,"logger":"tls.issuance.acme.acme_client","msg":"got renewal info","names":["smx.ecfinternal.net"],"window_start":1720453204,"window_end":1720626004,"selected_time":1720484247,"recheck_after":1715379605.9770608,"explanation_url":""}
May 10 12:20:06 auth caddy[60234]: {"level":"debug","ts":1715358006.0387075,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"POST","url":"https://acme-v02.api.letsencrypt.org/acme/cert/03aa1485a8799b8c2c837f70572004047cda/1","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.8.0-beta.2 CertMagic acmez (linux; amd64)"]},"response_headers":{"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["5256"],"Content-Type":["application/pem-certificate-chain"],"Date":["Fri, 10 May 2024 16:20:06 GMT"],"Link":["<https://acme-v02.api.letsencrypt.org/directory>;rel=\"index\"","<https://acme-v02.api.letsencrypt.org/acme/cert/03aa1485a8799b8c2c837f70572004047cda/0>;rel=\"alternate\""],"Replay-Nonce":["7n34iCGf9sDyA1xPNI0L_G-LFGwYcv_B4uHEHIN8H1To3BJihFU"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":200}
May 10 12:20:06 auth caddy[60234]: {"level":"debug","ts":1715358006.038788,"logger":"tls.issuance.acme.acme_client","msg":"getting renewal info","names":["smx.ecfinternal.net"]}
May 10 12:20:06 auth caddy[60234]: {"level":"debug","ts":1715358006.1607723,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"GET","url":"https://acme-v02.api.letsencrypt.org/draft-ietf-acme-ari-02/renewalInfo//FC6zF7dYVsuuUAlA5h-vnYsUwsY.A6oUhah5m4wsg39wVyAEBHza","headers":{"User-Agent":["Caddy/2.8.0-beta.2 CertMagic acmez (linux; amd64)"]},"response_headers":{"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["101"],"Content-Type":["application/json"],"Date":["Fri, 10 May 2024 16:20:06 GMT"],"Link":["<https://acme-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Retry-After":["21600"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":200}
May 10 12:20:06 auth caddy[60234]: {"level":"info","ts":1715358006.1608286,"logger":"tls.issuance.acme.acme_client","msg":"got renewal info","names":["smx.ecfinternal.net"],"window_start":1720453204,"window_end":1720626004,"selected_time":1720504140,"recheck_after":1715379606.1608255,"explanation_url":""}
May 10 12:20:06 auth caddy[60234]: {"level":"info","ts":1715358006.1608448,"logger":"tls.issuance.acme.acme_client","msg":"successfully downloaded available certificate chains","count":2,"first_url":"https://acme-v02.api.letsencrypt.org/acme/cert/03aa1485a8799b8c2c837f70572004047cda"}
May 10 12:20:06 auth caddy[60234]: {"level":"debug","ts":1715358006.1608493,"logger":"tls.issuance.acme","msg":"selected certificate chain","url":"https://acme-v02.api.letsencrypt.org/acme/cert/03aa1485a8799b8c2c837f70572004047cda"}
May 10 12:20:06 auth caddy[60234]: {"level":"info","ts":1715358006.1611915,"logger":"tls.obtain","msg":"certificate obtained successfully","identifier":"smx.ecfinternal.net","issuer":"acme-v02.api.letsencrypt.org-directory"}
May 10 12:20:06 auth caddy[60234]: {"level":"debug","ts":1715358006.1612663,"logger":"events","msg":"event","name":"cert_obtained","id":"97587806-757d-47df-acd4-44da1b81913f","origin":"tls","data":{"certificate_path":"certificates/acme-v02.api.letsencrypt.org-directory/smx.ecfinternal.net/smx.ecfinternal.net.crt","csr_pem":"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","identifier":"smx.ecfinternal.net","issuer":"acme-v02.api.letsencrypt.org-directory","metadata_path":"certificates/acme-v02.api.letsencrypt.org-directory/smx.ecfinternal.net/smx.ecfinternal.net.json","private_key_path":"certificates/acme-v02.api.letsencrypt.org-directory/smx.ecfinternal.net/smx.ecfinternal.net.key","renewal":false,"storage_path":"certificates/acme-v02.api.letsencrypt.org-directory/smx.ecfinternal.net"}}
May 10 12:20:06 auth caddy[60234]: {"level":"info","ts":1715358006.1613748,"logger":"tls.obtain","msg":"releasing lock","identifier":"smx.ecfinternal.net"}
May 10 12:20:06 auth caddy[60234]: {"level":"debug","ts":1715358006.1616058,"logger":"tls","msg":"loading managed certificate","domain":"smx.ecfinternal.net","expiration":1723130405,"issuer_key":"acme-v02.api.letsencrypt.org-directory","storage":"FileStorage:/var/lib/caddy/.local/share/caddy"}
May 10 12:20:06 auth caddy[60234]: {"level":"debug","ts":1715358006.326834,"logger":"tls.cache","msg":"added certificate to cache","subjects":["smx.ecfinternal.net"],"expiration":1723130405,"managed":true,"issuer_key":"acme-v02.api.letsencrypt.org-directory","hash":"4213fb41b0ff4968c1fa5ceeca03f28086fa3436aefc34b83437f3f247337a1e","cache_size":1,"cache_capacity":10000}
May 10 12:20:06 auth caddy[60234]: {"level":"debug","ts":1715358006.3268735,"logger":"events","msg":"event","name":"cached_managed_cert","id":"735a8e23-627f-428b-9904-64bb2778601b","origin":"tls","data":{"sans":["smx.ecfinternal.net"]}}
May 10 12:22:45 auth caddy[60234]: {"level":"debug","ts":1715358165.3133073,"logger":"events","msg":"event","name":"tls_get_certificate","id":"7b9dab9b-92df-4b67-a2fc-2782b807bc09","origin":"tls","data":{"client_hello":{"CipherSuites":[4866,4867,4865,49196,49200,159,52393,52392,52394,49195,49199,158,49188,49192,107,49187,49191,103,49162,49172,57,49161,49171,51,157,156,61,60,53,47,255],"ServerName":"smx.ecfinternal.net","SupportedCurves":[29,23,30,25,24,256,257,258,259,260],"SupportedPoints":"AAEC","SignatureSchemes":[1027,1283,1539,2055,2056,2057,2058,2059,2052,2053,2054,1025,1281,1537,771,769,770,1026,1282,1538],"SupportedProtos":["h2","http/1.1"],"SupportedVersions":[772,771],"RemoteAddr":{"IP":"10.0.0.13","Port":39490,"Zone":""},"LocalAddr":{"IP":"10.0.0.13","Port":443,"Zone":""}}}}
May 10 12:22:45 auth caddy[60234]: {"level":"debug","ts":1715358165.3133512,"logger":"tls.handshake","msg":"choosing certificate","identifier":"smx.ecfinternal.net","num_choices":1}
May 10 12:22:45 auth caddy[60234]: {"level":"debug","ts":1715358165.3133786,"logger":"tls.handshake","msg":"default certificate selection results","identifier":"smx.ecfinternal.net","subjects":["smx.ecfinternal.net"],"managed":true,"issuer_key":"acme-v02.api.letsencrypt.org-directory","hash":"4213fb41b0ff4968c1fa5ceeca03f28086fa3436aefc34b83437f3f247337a1e"}
May 10 12:22:45 auth caddy[60234]: {"level":"debug","ts":1715358165.313389,"logger":"tls.handshake","msg":"matched certificate in cache","remote_ip":"10.0.0.13","remote_port":"39490","subjects":["smx.ecfinternal.net"],"managed":true,"expiration":1723130405,"hash":"4213fb41b0ff4968c1fa5ceeca03f28086fa3436aefc34b83437f3f247337a1e"}
May 10 12:22:45 auth caddy[60234]: {"level":"debug","ts":1715358165.3158677,"logger":"http.handlers.reverse_proxy","msg":"selected upstream","dial":"10.0.0.7:3443","total_upstreams":1}
May 10 12:22:45 auth caddy[60234]: {"level":"debug","ts":1715358165.3172507,"logger":"http.handlers.reverse_proxy","msg":"upstream roundtrip","upstream":"10.0.0.7:3443","duration":0.001341967,"request":{"remote_ip":"10.0.0.13","remote_port":"39490","client_ip":"10.0.0.13","proto":"HTTP/2.0","method":"GET","host":"smx.ecfinternal.net","uri":"/","headers":{"User-Agent":["curl/7.81.0"],"Accept":["*/*"],"X-Forwarded-For":["10.0.0.13"],"X-Forwarded-Proto":["https"],"X-Forwarded-Host":["smx.ecfinternal.net"]},"tls":{"resumed":false,"version":772,"cipher_suite":4865,"proto":"h2","server_name":"smx.ecfinternal.net"}},"error":"tls: failed to verify certificate: x509: cannot validate certificate for 10.0.0.7 because it doesn't contain any IP SANs"}
May 10 12:22:45 auth caddy[60234]: {"level":"error","ts":1715358165.3173223,"logger":"http.log.error","msg":"tls: failed to verify certificate: x509: cannot validate certificate for 10.0.0.7 because it doesn't contain any IP SANs","request":{"remote_ip":"10.0.0.13","remote_port":"39490","client_ip":"10.0.0.13","proto":"HTTP/2.0","method":"GET","host":"smx.ecfinternal.net","uri":"/","headers":{"Accept":["*/*"],"User-Agent":["curl/7.81.0"]},"tls":{"resumed":false,"version":772,"cipher_suite":4865,"proto":"h2","server_name":"smx.ecfinternal.net"}},"duration":0.001513142,"status":502,"err_id":"b9yj9ihnz","err_trace":"reverseproxy.statusError (reverseproxy.go:1269)"}
May 10 12:24:41 auth caddy[60234]: {"level":"debug","ts":1715358281.6908927,"logger":"events","msg":"event","name":"tls_get_certificate","id":"8df90b23-1d12-47be-b11d-17c858d90774","origin":"tls","data":{"client_hello":{"CipherSuites":[10794,4865,4866,4867,49195,49199,49196,49200,52393,52392,49171,49172,156,157,47,53],"ServerName":"smx.ecfinternal.net","SupportedCurves":[10794,25497,29,23,24],"SupportedPoints":"AA==","SignatureSchemes":[1027,2052,1025,1283,2053,1281,2054,1537],"SupportedProtos":["h2","http/1.1"],"SupportedVersions":[39578,772,771],"RemoteAddr":{"IP":"10.212.134.205","Port":50578,"Zone":""},"LocalAddr":{"IP":"10.0.0.13","Port":443,"Zone":""}}}}
May 10 12:24:41 auth caddy[60234]: {"level":"debug","ts":1715358281.6909337,"logger":"tls.handshake","msg":"choosing certificate","identifier":"smx.ecfinternal.net","num_choices":1}
May 10 12:24:41 auth caddy[60234]: {"level":"debug","ts":1715358281.690981,"logger":"tls.handshake","msg":"default certificate selection results","identifier":"smx.ecfinternal.net","subjects":["smx.ecfinternal.net"],"managed":true,"issuer_key":"acme-v02.api.letsencrypt.org-directory","hash":"4213fb41b0ff4968c1fa5ceeca03f28086fa3436aefc34b83437f3f247337a1e"}
May 10 12:24:41 auth caddy[60234]: {"level":"debug","ts":1715358281.6909864,"logger":"tls.handshake","msg":"matched certificate in cache","remote_ip":"10.212.134.205","remote_port":"50578","subjects":["smx.ecfinternal.net"],"managed":true,"expiration":1723130405,"hash":"4213fb41b0ff4968c1fa5ceeca03f28086fa3436aefc34b83437f3f247337a1e"}
May 10 12:24:41 auth caddy[60234]: {"level":"debug","ts":1715358281.6965096,"logger":"http.handlers.reverse_proxy","msg":"selected upstream","dial":"10.0.0.7:3443","total_upstreams":1}
May 10 12:24:41 auth caddy[60234]: {"level":"debug","ts":1715358281.6976063,"logger":"http.handlers.reverse_proxy","msg":"upstream roundtrip","upstream":"10.0.0.7:3443","duration":0.001054794,"request":{"remote_ip":"10.212.134.205","remote_port":"50578","client_ip":"10.212.134.205","proto":"HTTP/2.0","method":"GET","host":"smx.ecfinternal.net","uri":"/","headers":{"Sec-Ch-Ua":["\"Chromium\";v=\"124\", \"Google Chrome\";v=\"124\", \"Not-A.Brand\";v=\"99\""],"X-Forwarded-For":["10.212.134.205"],"Accept-Encoding":["gzip, deflate, br"],"Priority":["u=0, i"],"Sec-Fetch-User":["?1"],"User-Agent":["Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36"],"Accept":["text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7"],"Sec-Fetch-Mode":["navigate"],"Sec-Fetch-Site":["none"],"Sec-Ch-Ua-Mobile":["?0"],"X-Forwarded-Proto":["https"],"Sec-Fetch-Dest":["document"],"Accept-Language":["en-US,en;q=0.9"],"X-Forwarded-Host":["smx.ecfinternal.net"],"Sec-Ch-Ua-Platform":["\"Linux\""],"Upgrade-Insecure-Requests":["1"]},"tls":{"resumed":false,"version":772,"cipher_suite":4865,"proto":"h2","server_name":"smx.ecfinternal.net"}},"error":"tls: failed to verify certificate: x509: cannot validate certificate for 10.0.0.7 because it doesn't contain any IP SANs"}
May 10 12:24:41 auth caddy[60234]: {"level":"error","ts":1715358281.6976728,"logger":"http.log.error","msg":"tls: failed to verify certificate: x509: cannot validate certificate for 10.0.0.7 because it doesn't contain any IP SANs","request":{"remote_ip":"10.212.134.205","remote_port":"50578","client_ip":"10.212.134.205","proto":"HTTP/2.0","method":"GET","host":"smx.ecfinternal.net","uri":"/","headers":{"Accept-Encoding":["gzip, deflate, br"],"Accept-Language":["en-US,en;q=0.9"],"Priority":["u=0, i"],"Sec-Ch-Ua-Platform":["\"Linux\""],"Sec-Fetch-Site":["none"],"Sec-Fetch-User":["?1"],"Sec-Fetch-Dest":["document"],"Accept":["text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7"],"Sec-Fetch-Mode":["navigate"],"Sec-Ch-Ua":["\"Chromium\";v=\"124\", \"Google Chrome\";v=\"124\", \"Not-A.Brand\";v=\"99\""],"Sec-Ch-Ua-Mobile":["?0"],"Upgrade-Insecure-Requests":["1"],"User-Agent":["Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36"]},"tls":{"resumed":false,"version":772,"cipher_suite":4865,"proto":"h2","server_name":"smx.ecfinternal.net"}},"duration":0.00119966,"status":502,"err_id":"phxcj4jw4","err_trace":"reverseproxy.statusError (reverseproxy.go:1269)"}
May 10 12:24:48 auth caddy[60234]: {"level":"debug","ts":1715358288.5667534,"logger":"events","msg":"event","name":"tls_get_certificate","id":"f891ddb7-82f7-4a59-b3c1-e834f9a4ffbf","origin":"tls","data":{"client_hello":{"CipherSuites":[19018,4865,4866,4867,49195,49199,49196,49200,52393,52392,49171,49172,156,157,47,53],"ServerName":"smx","SupportedCurves":[64250,25497,29,23,24],"SupportedPoints":"AA==","SignatureSchemes":[1027,2052,1025,1283,2053,1281,2054,1537],"SupportedProtos":["h2","http/1.1"],"SupportedVersions":[6682,772,771],"RemoteAddr":{"IP":"10.212.134.205","Port":50584,"Zone":""},"LocalAddr":{"IP":"10.0.0.13","Port":443,"Zone":""}}}}
May 10 12:24:48 auth caddy[60234]: {"level":"debug","ts":1715358288.566787,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"smx"}
May 10 12:24:48 auth caddy[60234]: {"level":"debug","ts":1715358288.566793,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"*"}
May 10 12:24:48 auth caddy[60234]: {"level":"debug","ts":1715358288.5668101,"logger":"tls.handshake","msg":"no certificate matching TLS ClientHello","remote_ip":"10.212.134.205","remote_port":"50584","server_name":"smx","remote":"10.212.134.205:50584","identifier":"smx","cipher_suites":[19018,4865,4866,4867,49195,49199,49196,49200,52393,52392,49171,49172,156,157,47,53],"cert_cache_fill":0.0001,"load_or_obtain_if_necessary":true,"on_demand":false}
May 10 12:24:48 auth caddy[60234]: {"level":"debug","ts":1715358288.5668664,"logger":"http.stdlib","msg":"http: TLS handshake error from 10.212.134.205:50584: no certificate available for 'smx'"}
May 10 12:24:48 auth caddy[60234]: {"level":"debug","ts":1715358288.5716465,"logger":"events","msg":"event","name":"tls_get_certificate","id":"735775d0-2613-4a53-8ed7-af01ef329a69","origin":"tls","data":{"client_hello":{"CipherSuites":[31354,4865,4866,4867,49195,49199,49196,49200,52393,52392,49171,49172,156,157,47,53],"ServerName":"smx","SupportedCurves":[51914,25497,29,23,24],"SupportedPoints":"AA==","SignatureSchemes":[1027,2052,1025,1283,2053,1281,2054,1537],"SupportedProtos":["h2","http/1.1"],"SupportedVersions":[14906,772,771],"RemoteAddr":{"IP":"10.212.134.205","Port":50594,"Zone":""},"LocalAddr":{"IP":"10.0.0.13","Port":443,"Zone":""}}}}
May 10 12:24:48 auth caddy[60234]: {"level":"debug","ts":1715358288.571663,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"smx"}
May 10 12:24:48 auth caddy[60234]: {"level":"debug","ts":1715358288.5716693,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"*"}
May 10 12:24:48 auth caddy[60234]: {"level":"debug","ts":1715358288.571701,"logger":"tls.handshake","msg":"no certificate matching TLS ClientHello","remote_ip":"10.212.134.205","remote_port":"50594","server_name":"smx","remote":"10.212.134.205:50594","identifier":"smx","cipher_suites":[31354,4865,4866,4867,49195,49199,49196,49200,52393,52392,49171,49172,156,157,47,53],"cert_cache_fill":0.0001,"load_or_obtain_if_necessary":true,"on_demand":false}
May 10 12:24:48 auth caddy[60234]: {"level":"debug","ts":1715358288.5717356,"logger":"http.stdlib","msg":"http: TLS handshake error from 10.212.134.205:50594: no certificate available for 'smx'"}
May 10 12:24:57 auth caddy[60234]: {"level":"debug","ts":1715358297.9667902,"logger":"http.handlers.reverse_proxy","msg":"selected upstream","dial":"10.0.0.7:3443","total_upstreams":1}
May 10 12:24:57 auth caddy[60234]: {"level":"debug","ts":1715358297.9672012,"logger":"events","msg":"event","name":"tls_get_certificate","id":"a896d7f8-8fd3-4dea-bb2b-a41c0d806abc","origin":"tls","data":{"client_hello":{"CipherSuites":[4865,4866,4867],"ServerName":"smx.ecfinternal.net","SupportedCurves":[25497,29,23,24],"SupportedPoints":null,"SignatureSchemes":[1027,2052,1025,1283,2053,1281,2054,1537,513],"SupportedProtos":["h3"],"SupportedVersions":[772],"RemoteAddr":{"IP":"10.212.134.205","Port":34808,"Zone":""},"LocalAddr":{"IP":"10.0.0.13","Port":443,"Zone":""}}}}
May 10 12:24:57 auth caddy[60234]: {"level":"debug","ts":1715358297.967305,"logger":"tls.handshake","msg":"choosing certificate","identifier":"smx.ecfinternal.net","num_choices":1}
May 10 12:24:57 auth caddy[60234]: {"level":"debug","ts":1715358297.9673162,"logger":"tls.handshake","msg":"default certificate selection results","identifier":"smx.ecfinternal.net","subjects":["smx.ecfinternal.net"],"managed":true,"issuer_key":"acme-v02.api.letsencrypt.org-directory","hash":"4213fb41b0ff4968c1fa5ceeca03f28086fa3436aefc34b83437f3f247337a1e"}
May 10 12:24:57 auth caddy[60234]: {"level":"debug","ts":1715358297.9673212,"logger":"tls.handshake","msg":"matched certificate in cache","remote_ip":"10.212.134.205","remote_port":"34808","subjects":["smx.ecfinternal.net"],"managed":true,"expiration":1723130405,"hash":"4213fb41b0ff4968c1fa5ceeca03f28086fa3436aefc34b83437f3f247337a1e"}
May 10 12:24:57 auth caddy[60234]: {"level":"debug","ts":1715358297.968536,"logger":"http.handlers.reverse_proxy","msg":"upstream roundtrip","upstream":"10.0.0.7:3443","duration":0.001274288,"request":{"remote_ip":"10.212.134.205","remote_port":"50578","client_ip":"10.212.134.205","proto":"HTTP/2.0","method":"GET","host":"smx.ecfinternal.net","uri":"/","headers":{"User-Agent":["Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36"],"Sec-Fetch-Site":["none"],"X-Forwarded-Proto":["https"],"Sec-Fetch-Dest":["document"],"Accept":["text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7"],"Sec-Ch-Ua-Mobile":["?0"],"Priority":["u=0, i"],"Sec-Ch-Ua-Platform":["\"Linux\""],"Sec-Fetch-Mode":["navigate"],"Accept-Language":["en-US,en;q=0.9"],"X-Forwarded-For":["10.212.134.205"],"X-Forwarded-Host":["smx.ecfinternal.net"],"Sec-Ch-Ua":["\"Chromium\";v=\"124\", \"Google Chrome\";v=\"124\", \"Not-A.Brand\";v=\"99\""],"Sec-Fetch-User":["?1"],"Upgrade-Insecure-Requests":["1"],"Accept-Encoding":["gzip, deflate, br"]},"tls":{"resumed":false,"version":772,"cipher_suite":4865,"proto":"h2","server_name":"smx.ecfinternal.net"}},"error":"tls: failed to verify certificate: x509: cannot validate certificate for 10.0.0.7 because it doesn't contain any IP SANs"}
May 10 12:24:57 auth caddy[60234]: {"level":"error","ts":1715358297.9685853,"logger":"http.log.error","msg":"tls: failed to verify certificate: x509: cannot validate certificate for 10.0.0.7 because it doesn't contain any IP SANs","request":{"remote_ip":"10.212.134.205","remote_port":"50578","client_ip":"10.212.134.205","proto":"HTTP/2.0","method":"GET","host":"smx.ecfinternal.net","uri":"/","headers":{"Sec-Fetch-Mode":["navigate"],"Sec-Fetch-User":["?1"],"Sec-Fetch-Dest":["document"],"Sec-Ch-Ua":["\"Chromium\";v=\"124\", \"Google Chrome\";v=\"124\", \"Not-A.Brand\";v=\"99\""],"Sec-Ch-Ua-Platform":["\"Linux\""],"Accept":["text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7"],"Sec-Fetch-Site":["none"],"Accept-Encoding":["gzip, deflate, br"],"Accept-Language":["en-US,en;q=0.9"],"Priority":["u=0, i"],"Sec-Ch-Ua-Mobile":["?0"],"Upgrade-Insecure-Requests":["1"],"User-Agent":["Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36"]},"tls":{"resumed":false,"version":772,"cipher_suite":4865,"proto":"h2","server_name":"smx.ecfinternal.net"}},"duration":0.001839034,"status":502,"err_id":"sazi9w73t","err_trace":"reverseproxy.statusError (reverseproxy.go:1269)"}

Changing the IP address in the Caddyfile from https://10.0.0.7:3443 to 10.0.0.7:3443 seems to have resolved this error: “x509: cannot validate certificate for 10.0.0.7 because it doesn’t contain any IP SANs”.

Updated logs with that change:

May 10 12:36:22 auth systemd[1]: Started Caddy.
May 10 12:36:22 auth caddy[60311]: {"level":"info","ts":1715358982.5107865,"logger":"tls.obtain","msg":"acquiring lock","identifier":"smx.ecfinternal.net"}
May 10 12:36:22 auth caddy[60311]: {"level":"info","ts":1715358982.5138905,"logger":"tls","msg":"cleaning storage unit","storage":"FileStorage:/var/lib/caddy/.local/share/caddy"}
May 10 12:36:22 auth caddy[60311]: {"level":"info","ts":1715358982.5147436,"logger":"tls","msg":"finished cleaning storage units"}
May 10 12:36:22 auth caddy[60311]: {"level":"info","ts":1715358982.5156076,"logger":"tls.obtain","msg":"lock acquired","identifier":"smx.ecfinternal.net"}
May 10 12:36:22 auth caddy[60311]: {"level":"info","ts":1715358982.5158136,"logger":"tls.obtain","msg":"obtaining certificate","identifier":"smx.ecfinternal.net"}
May 10 12:36:22 auth caddy[60311]: {"level":"debug","ts":1715358982.5159392,"logger":"events","msg":"event","name":"cert_obtaining","id":"a79219cb-7beb-4fc8-9a00-419de11f3b72","origin":"tls","data":{"identifier":"smx.ecfinternal.net"}}
May 10 12:36:22 auth caddy[60311]: {"level":"debug","ts":1715358982.516185,"logger":"tls.obtain","msg":"trying issuer 1/2","issuer":"acme-v02.api.letsencrypt.org-directory"}
May 10 12:36:22 auth caddy[60311]: {"level":"debug","ts":1715358982.7122438,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"GET","url":"https://acme-v02.api.letsencrypt.org/directory","headers":{"User-Agent":["Caddy/2.8.0-beta.2 CertMagic acmez (linux; amd64)"]},"response_headers":{"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["747"],"Content-Type":["application/json"],"Date":["Fri, 10 May 2024 16:36:22 GMT"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":200}
May 10 12:36:22 auth caddy[60311]: {"level":"debug","ts":1715358982.769612,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"HEAD","url":"https://acme-v02.api.letsencrypt.org/acme/new-nonce","headers":{"User-Agent":["Caddy/2.8.0-beta.2 CertMagic acmez (linux; amd64)"]},"response_headers":{"Cache-Control":["public, max-age=0, no-cache"],"Date":["Fri, 10 May 2024 16:36:22 GMT"],"Link":["<https://acme-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["6Jd4kJYiyBBbRF68iMljagb09W9wPqas8ZbXeuKOPoGylh0H7ck"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":200}
May 10 12:36:22 auth caddy[60311]: {"level":"debug","ts":1715358982.8374035,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"POST","url":"https://acme-v02.api.letsencrypt.org/acme/new-acct","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.8.0-beta.2 CertMagic acmez (linux; amd64)"]},"response_headers":{"Boulder-Requester":["1719494907"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["326"],"Content-Type":["application/json"],"Date":["Fri, 10 May 2024 16:36:22 GMT"],"Link":["<https://acme-v02.api.letsencrypt.org/directory>;rel=\"index\"","<https://letsencrypt.org/documents/LE-SA-v1.4-April-3-2024.pdf>;rel=\"terms-of-service\""],"Location":["https://acme-v02.api.letsencrypt.org/acme/acct/1719494907"],"Replay-Nonce":["6Jd4kJYib1LZWspdyazU5JWkQl0pBv4cFWuhTU9svNudxUJfQLc"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":201}
May 10 12:36:22 auth caddy[60311]: {"level":"info","ts":1715358982.83774,"logger":"tls.issuance.acme","msg":"waiting on internal rate limiter","identifiers":["smx.ecfinternal.net"],"ca":"https://acme-v02.api.letsencrypt.org/directory","account":"my@email.net"}
May 10 12:36:22 auth caddy[60311]: {"level":"info","ts":1715358982.8377526,"logger":"tls.issuance.acme","msg":"done waiting on internal rate limiter","identifiers":["smx.ecfinternal.net"],"ca":"https://acme-v02.api.letsencrypt.org/directory","account":"my@email.net"}
May 10 12:36:22 auth caddy[60311]: {"level":"info","ts":1715358982.8377883,"logger":"tls.issuance.acme","msg":"using ACME account","account_id":"https://acme-v02.api.letsencrypt.org/acme/acct/1719494907","account_contact":["mailto:my@email.net"]}
May 10 12:36:22 auth caddy[60311]: {"level":"debug","ts":1715358982.8377948,"logger":"tls.issuance.acme.acme_client","msg":"creating order","account":"https://acme-v02.api.letsencrypt.org/acme/acct/1719494907","identifiers":["smx.ecfinternal.net"]}
May 10 12:36:22 auth caddy[60311]: {"level":"debug","ts":1715358982.9327738,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"POST","url":"https://acme-v02.api.letsencrypt.org/acme/new-order","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.8.0-beta.2 CertMagic acmez (linux; amd64)"]},"response_headers":{"Boulder-Requester":["1719494907"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["345"],"Content-Type":["application/json"],"Date":["Fri, 10 May 2024 16:36:22 GMT"],"Link":["<https://acme-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Location":["https://acme-v02.api.letsencrypt.org/acme/order/1719494907/268245839177"],"Replay-Nonce":["6Jd4kJYiYMgipDZ8s-JvE-OiWcPUNirTDcZn0G7lAxrsxHYthnM"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":201}
May 10 12:36:22 auth caddy[60311]: {"level":"debug","ts":1715358982.9941964,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"POST","url":"https://acme-v02.api.letsencrypt.org/acme/authz-v3/349084162957","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.8.0-beta.2 CertMagic acmez (linux; amd64)"]},"response_headers":{"Boulder-Requester":["1719494907"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["803"],"Content-Type":["application/json"],"Date":["Fri, 10 May 2024 16:36:22 GMT"],"Link":["<https://acme-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["7n34iCGfUyD04oLg7JJ4c7Pi0dQ4Zy979Wv_kfdfr4cjIYuoUOI"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":200}
May 10 12:36:22 auth caddy[60311]: {"level":"debug","ts":1715358982.994358,"logger":"tls.issuance.acme.acme_client","msg":"no solver configured","challenge_type":"http-01"}
May 10 12:36:22 auth caddy[60311]: {"level":"debug","ts":1715358982.9943664,"logger":"tls.issuance.acme.acme_client","msg":"no solver configured","challenge_type":"tls-alpn-01"}
May 10 12:36:22 auth caddy[60311]: {"level":"info","ts":1715358982.9943707,"logger":"tls.issuance.acme.acme_client","msg":"trying to solve challenge","identifier":"smx.ecfinternal.net","challenge_type":"dns-01","ca":"https://acme-v02.api.letsencrypt.org/directory"}
May 10 12:36:23 auth caddy[60311]: {"level":"debug","ts":1715358983.5701804,"logger":"tls.issuance.acme.acme_client","msg":"waiting for solver before continuing","identifier":"smx.ecfinternal.net","challenge_type":"dns-01"}
May 10 12:36:30 auth caddy[60311]: {"level":"debug","ts":1715358990.089698,"logger":"events","msg":"event","name":"tls_get_certificate","id":"3f541184-2d65-4ac4-98c5-31a21f7fc666","origin":"tls","data":{"client_hello":{"CipherSuites":[4866,4867,4865,49196,49200,159,52393,52392,52394,49195,49199,158,49188,49192,107,49187,49191,103,49162,49172,57,49161,49171,51,157,156,61,60,53,47,255],"ServerName":"smx.ecfinternal.net","SupportedCurves":[29,23,30,25,24,256,257,258,259,260],"SupportedPoints":"AAEC","SignatureSchemes":[1027,1283,1539,2055,2056,2057,2058,2059,2052,2053,2054,1025,1281,1537,771,769,770,1026,1282,1538],"SupportedProtos":["h2","http/1.1"],"SupportedVersions":[772,771],"RemoteAddr":{"IP":"10.0.0.13","Port":60838,"Zone":""},"LocalAddr":{"IP":"10.0.0.13","Port":443,"Zone":""}}}}
May 10 12:36:30 auth caddy[60311]: {"level":"debug","ts":1715358990.0897295,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"smx.ecfinternal.net"}
May 10 12:36:30 auth caddy[60311]: {"level":"debug","ts":1715358990.089735,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"*.ecfinternal.net"}
May 10 12:36:30 auth caddy[60311]: {"level":"debug","ts":1715358990.0897374,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"*.*.net"}
May 10 12:36:30 auth caddy[60311]: {"level":"debug","ts":1715358990.0897408,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"*.*.*"}
May 10 12:36:30 auth caddy[60311]: {"level":"debug","ts":1715358990.089754,"logger":"tls.handshake","msg":"no certificate matching TLS ClientHello","remote_ip":"10.0.0.13","remote_port":"60838","server_name":"smx.ecfinternal.net","remote":"10.0.0.13:60838","identifier":"smx.ecfinternal.net","cipher_suites":[4866,4867,4865,49196,49200,159,52393,52392,52394,49195,49199,158,49188,49192,107,49187,49191,103,49162,49172,57,49161,49171,51,157,156,61,60,53,47,255],"cert_cache_fill":0,"load_or_obtain_if_necessary":true,"on_demand":false}
May 10 12:36:30 auth caddy[60311]: {"level":"debug","ts":1715358990.0909655,"logger":"http.stdlib","msg":"http: TLS handshake error from 10.0.0.13:60838: no certificate available for 'smx.ecfinternal.net'"}
May 10 12:36:37 auth caddy[60311]: {"level":"debug","ts":1715358997.9496508,"logger":"tls.issuance.acme.acme_client","msg":"done waiting for solver","identifier":"smx.ecfinternal.net","challenge_type":"dns-01"}
May 10 12:36:38 auth caddy[60311]: {"level":"debug","ts":1715358998.0122943,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"POST","url":"https://acme-v02.api.letsencrypt.org/acme/chall-v3/349084162957/zmRofw","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.8.0-beta.2 CertMagic acmez (linux; amd64)"]},"response_headers":{"Boulder-Requester":["1719494907"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["186"],"Content-Type":["application/json"],"Date":["Fri, 10 May 2024 16:36:37 GMT"],"Link":["<https://acme-v02.api.letsencrypt.org/directory>;rel=\"index\"","<https://acme-v02.api.letsencrypt.org/acme/authz-v3/349084162957>;rel=\"up\""],"Location":["https://acme-v02.api.letsencrypt.org/acme/chall-v3/349084162957/zmRofw"],"Replay-Nonce":["7n34iCGfBrzisJWbB7IkM0bGnkEriw0Vo05WDnejr5qqBcRaEws"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":200}
May 10 12:36:38 auth caddy[60311]: {"level":"debug","ts":1715358998.0123484,"logger":"tls.issuance.acme.acme_client","msg":"challenge accepted","identifier":"smx.ecfinternal.net","challenge_type":"dns-01"}
May 10 12:36:38 auth caddy[60311]: {"level":"debug","ts":1715358998.3232245,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"POST","url":"https://acme-v02.api.letsencrypt.org/acme/authz-v3/349084162957","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.8.0-beta.2 CertMagic acmez (linux; amd64)"]},"response_headers":{"Boulder-Requester":["1719494907"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["513"],"Content-Type":["application/json"],"Date":["Fri, 10 May 2024 16:36:38 GMT"],"Link":["<https://acme-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["7n34iCGfMSmrRAVjJeE5KSo0FlvHcJ4ubAyaxagzaJMFIxtSPUQ"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":200}
May 10 12:36:39 auth caddy[60311]: {"level":"info","ts":1715358999.705626,"logger":"tls.issuance.acme.acme_client","msg":"authorization finalized","identifier":"smx.ecfinternal.net","authz_status":"valid"}
May 10 12:36:39 auth caddy[60311]: {"level":"info","ts":1715358999.705653,"logger":"tls.issuance.acme.acme_client","msg":"validations succeeded; finalizing order","order":"https://acme-v02.api.letsencrypt.org/acme/order/1719494907/268245839177"}
May 10 12:36:40 auth caddy[60311]: {"level":"debug","ts":1715359000.0214741,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"POST","url":"https://acme-v02.api.letsencrypt.org/acme/finalize/1719494907/268245839177","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.8.0-beta.2 CertMagic acmez (linux; amd64)"]},"response_headers":{"Boulder-Requester":["1719494907"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["447"],"Content-Type":["application/json"],"Date":["Fri, 10 May 2024 16:36:39 GMT"],"Link":["<https://acme-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Location":["https://acme-v02.api.letsencrypt.org/acme/order/1719494907/268245839177"],"Replay-Nonce":["6Jd4kJYi5vLi197JJYHFqwfVCldlVpoCsUX2n1z3qRYko0OPlNU"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":200}
May 10 12:36:40 auth caddy[60311]: {"level":"debug","ts":1715359000.0817506,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"POST","url":"https://acme-v02.api.letsencrypt.org/acme/cert/03a8d230315f5098b71d2d8b2a27e5a72ce4","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.8.0-beta.2 CertMagic acmez (linux; amd64)"]},"response_headers":{"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["3328"],"Content-Type":["application/pem-certificate-chain"],"Date":["Fri, 10 May 2024 16:36:40 GMT"],"Link":["<https://acme-v02.api.letsencrypt.org/directory>;rel=\"index\"","<https://acme-v02.api.letsencrypt.org/acme/cert/03a8d230315f5098b71d2d8b2a27e5a72ce4/1>;rel=\"alternate\""],"Replay-Nonce":["6Jd4kJYimZZvYLkJ5i8K1sXwoZOAi0UAq9tJPsytnAHLXYbAEBc"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":200}
May 10 12:36:40 auth caddy[60311]: {"level":"debug","ts":1715359000.0818446,"logger":"tls.issuance.acme.acme_client","msg":"getting renewal info","names":["smx.ecfinternal.net"]}
May 10 12:36:40 auth caddy[60311]: {"level":"debug","ts":1715359000.2042205,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"GET","url":"https://acme-v02.api.letsencrypt.org/draft-ietf-acme-ari-02/renewalInfo//FC6zF7dYVsuuUAlA5h-vnYsUwsY.A6jSMDFfUJi3HS2LKiflpyzk","headers":{"User-Agent":["Caddy/2.8.0-beta.2 CertMagic acmez (linux; amd64)"]},"response_headers":{"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["101"],"Content-Type":["application/json"],"Date":["Fri, 10 May 2024 16:36:40 GMT"],"Link":["<https://acme-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Retry-After":["21600"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":200}
May 10 12:36:40 auth caddy[60311]: {"level":"info","ts":1715359000.2043173,"logger":"tls.issuance.acme.acme_client","msg":"got renewal info","names":["smx.ecfinternal.net"],"window_start":1720454198,"window_end":1720626998,"selected_time":1720611060,"recheck_after":1715380600.20431,"explanation_url":""}
May 10 12:36:40 auth caddy[60311]: {"level":"debug","ts":1715359000.266312,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"POST","url":"https://acme-v02.api.letsencrypt.org/acme/cert/03a8d230315f5098b71d2d8b2a27e5a72ce4/1","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.8.0-beta.2 CertMagic acmez (linux; amd64)"]},"response_headers":{"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["5252"],"Content-Type":["application/pem-certificate-chain"],"Date":["Fri, 10 May 2024 16:36:40 GMT"],"Link":["<https://acme-v02.api.letsencrypt.org/directory>;rel=\"index\"","<https://acme-v02.api.letsencrypt.org/acme/cert/03a8d230315f5098b71d2d8b2a27e5a72ce4/0>;rel=\"alternate\""],"Replay-Nonce":["7n34iCGf81EhXGUpW5e_umeZZvdleLGgPgSySSbi-ZBHsLexJrg"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":200}
May 10 12:36:40 auth caddy[60311]: {"level":"debug","ts":1715359000.2664828,"logger":"tls.issuance.acme.acme_client","msg":"getting renewal info","names":["smx.ecfinternal.net"]}
May 10 12:36:40 auth caddy[60311]: {"level":"debug","ts":1715359000.3878896,"logger":"tls.issuance.acme.acme_client","msg":"http request","method":"GET","url":"https://acme-v02.api.letsencrypt.org/draft-ietf-acme-ari-02/renewalInfo//FC6zF7dYVsuuUAlA5h-vnYsUwsY.A6jSMDFfUJi3HS2LKiflpyzk","headers":{"User-Agent":["Caddy/2.8.0-beta.2 CertMagic acmez (linux; amd64)"]},"response_headers":{"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["101"],"Content-Type":["application/json"],"Date":["Fri, 10 May 2024 16:36:40 GMT"],"Link":["<https://acme-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Retry-After":["21600"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":200}
May 10 12:36:40 auth caddy[60311]: {"level":"info","ts":1715359000.3879347,"logger":"tls.issuance.acme.acme_client","msg":"got renewal info","names":["smx.ecfinternal.net"],"window_start":1720454198,"window_end":1720626998,"selected_time":1720472714,"recheck_after":1715380600.387932,"explanation_url":""}
May 10 12:36:40 auth caddy[60311]: {"level":"info","ts":1715359000.387961,"logger":"tls.issuance.acme.acme_client","msg":"successfully downloaded available certificate chains","count":2,"first_url":"https://acme-v02.api.letsencrypt.org/acme/cert/03a8d230315f5098b71d2d8b2a27e5a72ce4"}
May 10 12:36:40 auth caddy[60311]: {"level":"debug","ts":1715359000.3879669,"logger":"tls.issuance.acme","msg":"selected certificate chain","url":"https://acme-v02.api.letsencrypt.org/acme/cert/03a8d230315f5098b71d2d8b2a27e5a72ce4"}
May 10 12:36:40 auth caddy[60311]: {"level":"info","ts":1715359000.388351,"logger":"tls.obtain","msg":"certificate obtained successfully","identifier":"smx.ecfinternal.net","issuer":"acme-v02.api.letsencrypt.org-directory"}
May 10 12:36:40 auth caddy[60311]: {"level":"debug","ts":1715359000.3884315,"logger":"events","msg":"event","name":"cert_obtained","id":"d3506deb-7692-47a8-a9fe-f69409a7835b","origin":"tls","data":{"certificate_path":"certificates/acme-v02.api.letsencrypt.org-directory/smx.ecfinternal.net/smx.ecfinternal.net.crt","csr_pem":"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","identifier":"smx.ecfinternal.net","issuer":"acme-v02.api.letsencrypt.org-directory","metadata_path":"certificates/acme-v02.api.letsencrypt.org-directory/smx.ecfinternal.net/smx.ecfinternal.net.json","private_key_path":"certificates/acme-v02.api.letsencrypt.org-directory/smx.ecfinternal.net/smx.ecfinternal.net.key","renewal":false,"storage_path":"certificates/acme-v02.api.letsencrypt.org-directory/smx.ecfinternal.net"}}
May 10 12:36:40 auth caddy[60311]: {"level":"info","ts":1715359000.3884375,"logger":"tls.obtain","msg":"releasing lock","identifier":"smx.ecfinternal.net"}
May 10 12:36:40 auth caddy[60311]: {"level":"debug","ts":1715359000.38866,"logger":"tls","msg":"loading managed certificate","domain":"smx.ecfinternal.net","expiration":1723131399,"issuer_key":"acme-v02.api.letsencrypt.org-directory","storage":"FileStorage:/var/lib/caddy/.local/share/caddy"}
May 10 12:36:40 auth caddy[60311]: {"level":"debug","ts":1715359000.4935892,"logger":"tls.cache","msg":"added certificate to cache","subjects":["smx.ecfinternal.net"],"expiration":1723131399,"managed":true,"issuer_key":"acme-v02.api.letsencrypt.org-directory","hash":"e4680313aa8bd1f815b9be672437439d142423bd42218a5b2b77b7fbbe2d4d03","cache_size":1,"cache_capacity":10000}
May 10 12:36:40 auth caddy[60311]: {"level":"debug","ts":1715359000.4936144,"logger":"events","msg":"event","name":"cached_managed_cert","id":"c0642447-5eca-4317-81e8-09a10de93e91","origin":"tls","data":{"sans":["smx.ecfinternal.net"]}}

curl -v https://smx.ecfinternal.net

*   Trying 10.0.0.13:443...
* Connected to smx.ecfinternal.net (10.0.0.13) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.0 (OUT), TLS header, Certificate Status (22):
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS header, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS header, Finished (20):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.2 (OUT), TLS header, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=smx.ecfinternal.net
*  start date: May 10 15:36:39 2024 GMT
*  expire date: Aug  8 15:36:38 2024 GMT
*  subjectAltName: host "smx.ecfinternal.net" matched cert's "smx.ecfinternal.net"
*  issuer: C=US; O=Let's Encrypt; CN=R3
*  SSL certificate verify ok.
* Using HTTP2, server supports multiplexing
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* Using Stream ID: 1 (easy handle 0x558ea4206eb0)
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
> GET / HTTP/2
> Host: smx.ecfinternal.net
> user-agent: curl/7.81.0
> accept: */*
> 
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* Connection state changed (MAX_CONCURRENT_STREAMS == 250)!
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
< HTTP/2 502 
< alt-svc: h3=":443"; ma=2592000
< server: Caddy
< content-length: 0
< date: Fri, 10 May 2024 16:40:52 GMT
< 
* Connection #0 to host smx.ecfinternal.net left intact

So based on that, the certificate part seems to be working properly now, if I’m interpreting everything correctly? Also the TXT records seem to be getting deleted instead of sticking around. Getting closer, thank you!
Just plain curl https://smx.ecfinternal.net/ returns nothing and navigating to https://smx.ecfinternal.net in a Firefox private window shows a blank page with a valid Let’s Encrypt certificate.
And an HTTP Error 502 plus a “Your Site is not Secure” in a Chrome Incognito Window.

Seems like it!

Yeah, 502 means that Caddy wasn’t able to connect to your upstream app.

Like I said earlier, try proxying to the HTTP port of your app, not the HTTPS port.


Oh right. I made that change and also uncommented two services that were already using the HTTP port. ZMS worked perfectly fine! Though CMS and SMX do not.

Am I correct in interpreting this location in the curl -v for SMX to mean it’s still coming in on the HTTPS port? Or perhaps it is automatically redirecting port 3000 to port 3443. “https://smx.ecfinternal.net:3443/”

smx.ecfinternal.net {
        reverse_proxy 10.0.0.7:3000
        import prop
}

zms.ecfinternal.net {
        reverse_proxy 10.0.0.23:8080
        import prop
}

cms.ecfinternal.net {
        reverse_proxy 10.0.0.22:8080
        import prop
}

curl -v https://smx.ecfinternal.net

* Connected to smx.ecfinternal.net (10.0.0.13) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.0 (OUT), TLS header, Certificate Status (22):
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS header, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS header, Finished (20):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.2 (OUT), TLS header, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=smx.ecfinternal.net
*  start date: May 10 15:36:39 2024 GMT
*  expire date: Aug  8 15:36:38 2024 GMT
*  subjectAltName: host "smx.ecfinternal.net" matched cert's "smx.ecfinternal.net"
*  issuer: C=US; O=Let's Encrypt; CN=R3
*  SSL certificate verify ok.
* Using HTTP2, server supports multiplexing
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* Using Stream ID: 1 (easy handle 0x5562922cfeb0)
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
> GET / HTTP/2
> Host: smx.ecfinternal.net
> user-agent: curl/7.81.0
> accept: */*
> 
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* Connection state changed (MAX_CONCURRENT_STREAMS == 250)!
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
< HTTP/2 302 
< alt-svc: h3=":443"; ma=2592000
< date: Fri, 10 May 2024 18:42:41 GMT
< location: https://smx.ecfinternal.net:3443/
< server: Caddy
< 
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* Connection #0 to host smx.ecfinternal.net left intact

curl -v https://cms.ecfinternal.net

*   Trying 10.0.0.13:443...
* Connected to cms.ecfinternal.net (10.0.0.13) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.0 (OUT), TLS header, Certificate Status (22):
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS header, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS header, Finished (20):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.2 (OUT), TLS header, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=cms.ecfinternal.net
*  start date: May 10 17:52:30 2024 GMT
*  expire date: Aug  8 17:52:29 2024 GMT
*  subjectAltName: host "cms.ecfinternal.net" matched cert's "cms.ecfinternal.net"
*  issuer: C=US; O=Let's Encrypt; CN=R3
*  SSL certificate verify ok.
* Using HTTP2, server supports multiplexing
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* Using Stream ID: 1 (easy handle 0x561750ba1eb0)
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
> GET / HTTP/2
> Host: cms.ecfinternal.net
> user-agent: curl/7.81.0
> accept: */*
> 
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* Connection state changed (MAX_CONCURRENT_STREAMS == 250)!
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
< HTTP/2 302 
< alt-svc: h3=":443"; ma=2592000
< date: Fri, 10 May 2024 18:54:25 GMT
< location: http://cms.ecfinternal.net/exclude/LoginDialog.jsp
< server: Caddy
< server: Apache-Coyote/1.1
< set-cookie: JSESSIONID=618C498B45BDFEE8B9A2FA84A64A359D; Path=/
< content-length: 0
< 
* Connection #0 to host cms.ecfinternal.net left intact

curl -v https://zms.ecfinternal.net

*   Trying 10.0.0.13:443...
* Connected to zms.ecfinternal.net (10.0.0.13) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.0 (OUT), TLS header, Certificate Status (22):
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS header, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS header, Finished (20):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.2 (OUT), TLS header, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=zms.ecfinternal.net
*  start date: May 10 17:52:10 2024 GMT
*  expire date: Aug  8 17:52:09 2024 GMT
*  subjectAltName: host "zms.ecfinternal.net" matched cert's "zms.ecfinternal.net"
*  issuer: C=US; O=Let's Encrypt; CN=R3
*  SSL certificate verify ok.
* Using HTTP2, server supports multiplexing
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* Using Stream ID: 1 (easy handle 0x55983890beb0)
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
> GET / HTTP/2
> Host: zms.ecfinternal.net
> user-agent: curl/7.81.0
> accept: */*
> 
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* Connection state changed (MAX_CONCURRENT_STREAMS == 250)!
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
< HTTP/2 200 
< alt-svc: h3=":443"; ma=2592000
< content-language: en-US
< content-type: text/html;charset=UTF-8
< date: Fri, 10 May 2024 18:55:13 GMT
< server: Caddy
< set-cookie: JSESSIONID=fp0lPlm9yU6xx2lk0idwdedZ4a3jftX9ZMLLtJrp.zms; path=/
< x-content-type-options: nosniff
< x-frame-options: sameorigin
< x-powered-by: JSP/2.3
< x-xss-protection: 1; mode=block
< 
* TLSv1.2 (IN), TLS header, Supplemental data (23):
<!DOCTYPE HTML>
Bunch of HTML I'm not going to include

Plain curl for 10.0.0.22:8080 and 10.0.0.7:3000 also returns nothing, though they both work in a browser.

Your upstream app is doing an HTTP->HTTPS redirect of its own, to the 3443 port. You’ll need to turn that off somehow. I don’t know anything about the app you’re proxying to, so that’s up to you.

Ah ok, makes sense. For Unifi which is https only, I added this which worked.

unifi.ecfinternal.net {
        reverse_proxy 10.0.0.26:8443 {
                transport http {
                        tls
                        tls_insecure_skip_verify
                }
        }
        import prop
}

The equivalent did not work for SMX but I’ll keep plugging away at it. Thank you so much for your help!
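Two points from the replies above deserve a worked config, so here is an added Caddyfile example that is not from the thread or from the Caddy project. When an app is only reachable over HTTPS (the Unifi case, and effectively SMX as well, since it answers every plaintext request with a redirect to :3443), Caddy has to dial the HTTPS port. The `tls_insecure_skip_verify` line in the Unifi block then turns off certificate checking on that hop, so the proxy would also accept a certificate from anything sitting between Caddy and 10.0.0.26. The hardened form below pins the controller's own certificate instead. The path `/etc/caddy/unifi-ca.pem`, the fact that the exported certificate carries the name `unifi.ecfinternal.net`, and the contents of the `prop` snippet are all assumptions.

```caddyfile
# Added example, not the poster's or Caddy's own config.
# Assumes the controller's self-signed certificate has been exported
# (for example with `openssl s_client -connect 10.0.0.26:8443 -showcerts`)
# to /etc/caddy/unifi-ca.pem, and that `prop` is the poster's snippet
# defined elsewhere in the Caddyfile.
unifi.ecfinternal.net {
        # The https:// scheme implies `tls` on the transport.
        reverse_proxy https://10.0.0.26:8443 {
                transport http {
                        # Verify the upstream against this certificate only,
                        # instead of disabling verification with
                        # tls_insecure_skip_verify.
                        tls_trusted_ca_certs /etc/caddy/unifi-ca.pem
                        # Name to verify the certificate against, since the
                        # dial address is a bare IP (assumption: the exported
                        # certificate contains this name).
                        tls_server_name unifi.ecfinternal.net
                }
        }
        import prop
}
```

The same `transport http` block applies to an upstream such as 10.0.0.7:3443 when the app refuses to serve plaintext. A pinned self-signed certificate has to be re-exported whenever the upstream regenerates it, otherwise the handshake fails closed and Caddy returns 502, which is the safer failure compared with silently trusting whatever certificate appears.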
