Reverse proxy with Cloudflare and Tailscale: TLS handshake error from x.x.x.x no certificate available

1. The problem I’m having:

Caddy is failing to get a certificate from Cloudflare randomly for some of the subdomains, in spite of replicating the exact settings.
I have tried different browsers, incognito mode, and curl -vL.

All the subdomains' 'A' records on Cloudflare DNS have exactly the same settings, pointing to the Tailscale IP address. All Caddy reverse proxies have the same settings as well.

Error msg:
TLS handshake error from 172.23.0.1:38630: no certificate available for 'plex.mydomain.com'

2. Error messages and/or full log output:

Success logs:
{"level":"debug","ts":1730324557.4122012,"logger":"events","msg":"event","name":"tls_get_certificate","id":"39db50b8-4641-461f-9038-60f0fc06fc38","origin":"tls","data":{"client_hello":{"CipherSuites":[4867,4866,4865,52393,52392,52394,49200,49196,49192,49188,49172,49162,159,107,57,65413,196,136,129,157,61,53,192,132,49199,49195,49191,49187,49171,49161,158,103,51,190,69,156,60,47,186,65,49169,49159,5,4,49170,49160,22,10,255],"ServerName":"sphotos.sjayanna.com","SupportedCurves":[29,23,24,25],"SupportedPoints":"AA==","SignatureSchemes":[2054,1537,1539,2053,1281,1283,2052,1025,1027,513,515],"SupportedProtos":["h2","http/1.1"],"SupportedVersions":[772,771,770,769],"RemoteAddr":{"IP":"172.23.0.1","Port":39588,"Zone":""},"LocalAddr":{"IP":"172.23.0.11","Port":443,"Zone":""}}}}
{"level":"debug","ts":1730324557.4122424,"logger":"tls.handshake","msg":"choosing certificate","identifier":"sphotos.sjayanna.com","num_choices":1}
{"level":"debug","ts":1730324557.4122655,"logger":"tls.handshake","msg":"default certificate selection results","identifier":"sphotos.sjayanna.com","subjects":["sphotos.sjayanna.com"],"managed":true,"issuer_key":"acme-v02.api.letsencrypt.org-directory","hash":"7c5b7dc7ffcfae4e2b9d7b2a254c92f658f397d1455e6f66d3e5c3e4d8fafae8"}
{"level":"debug","ts":1730324557.4122784,"logger":"tls.handshake","msg":"matched certificate in cache","remote_ip":"172.23.0.1","remote_port":"39588","subjects":["sphotos.sjayanna.com"],"managed":true,"expiration":1737950572,"hash":"7c5b7dc7ffcfae4e2b9d7b2a254c92f658f397d1455e6f66d3e5c3e4d8fafae8"}

Failure logs:
{"level":"debug","ts":1730323393.2469225,"logger":"events","msg":"event","name":"tls_get_certificate","id":"f260fa0d-f429-48a1-8ab8-dd58e62cd9f5","origin":"tls","data":{"client_hello":{"CipherSuites":[23130,4865,4866,4867,49195,49199,49196,49200,52393,52392,49171,49172,156,157,47,53],"ServerName":"immich.mydomain.com","SupportedCurves":[35466,25497,29,23,24],"SupportedPoints":"AA==","SignatureSchemes":[1027,2052,1025,1283,2053,1281,2054,1537],"SupportedProtos":["h2","http/1.1"],"SupportedVersions":[60138,772,771],"RemoteAddr":{"IP":"172.23.0.1","Port":38520,"Zone":""},"LocalAddr":{"IP":"172.23.0.11","Port":443,"Zone":""}}}}
{"level":"debug","ts":1730323393.2469633,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"immich.mydomain.com"}
{"level":"debug","ts":1730323393.2469747,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"*.mydomain.com"}
{"level":"debug","ts":1730323393.2469802,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"*.*.com"}
{"level":"debug","ts":1730323393.246984,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"*.*.*"}
{"level":"debug","ts":1730323393.2615206,"logger":"tls.handshake","msg":"no certificate matching TLS ClientHello","remote_ip":"172.23.0.1","remote_port":"38524","server_name":"immich.mydomain.com","remote":"172.23.0.1:38524","identifier":"immich.mydomain.com","cipher_suites":[31354,4865,4866,4867,49195,49199,49196,49200,52393,52392,49171,49172,156,157,47,53],"cert_cache_fill":0.0004,"load_or_obtain_if_necessary":true,"on_demand":false}
{"level":"debug","ts":1730323393.2616272,"logger":"http.stdlib","msg":"http: TLS handshake error from 172.23.0.1:38524: no certificate available for 'immich.mydomain.com'"}
{"level":"debug","ts":1730323439.7047424,"logger":"events","msg":"event","name":"tls_get_certificate","id":"8e828d07-6530-49f2-ab5e-f9a2ae2d4677","origin":"tls","data":{"client_hello":{"CipherSuites":[14906,4865,4866,4867,49195,49199,49196,49200,52393,52392,49171,49172,156,157,47,53],"ServerName":"nas.mydomain.com","SupportedCurves":[2570,25497,29,23,24],"SupportedPoints":"AA==","SignatureSchemes":[1027,2052,1025,1283,2053,1281,2054,1537],"SupportedProtos":["h2","http/1.1"],"SupportedVersions":[10794,772,771],"RemoteAddr":{"IP":"172.23.0.1","Port":38568,"Zone":""},"LocalAddr":{"IP":"172.23.0.11","Port":443,"Zone":""}}}}
{"level":"debug","ts":1730323439.7047777,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"nas.mydomain.com"}
{"level":"debug","ts":1730323439.7047858,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"*.mydomain.com"}
{"level":"debug","ts":1730323439.7047925,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"*.*.com"}
{"level":"debug","ts":1730323439.7047968,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"*.*.*"}
{"level":"debug","ts":1730323459.381689,"logger":"tls.handshake","msg":"no certificate matching TLS ClientHello","remote_ip":"172.23.0.1","remote_port":"38598","server_name":"drive.mydomain.com","remote":"172.23.0.1:38598","identifier":"drive.mydomain.com","cipher_suites":[10794,4865,4866,4867,49195,49199,49196,49200,52393,52392,49171,49172,156,157,47,53],"cert_cache_fill":0.0004,"load_or_obtain_if_necessary":true,"on_demand":false}
{"level":"debug","ts":1730323459.3817713,"logger":"http.stdlib","msg":"http: TLS handshake error from 172.23.0.1:38598: no certificate available for 'drive.mydomain.com'"}
{"level":"debug","ts":1730323459.393371,"logger":"events","msg":"event","name":"tls_get_certificate","id":"6307ee4e-af52-42d1-99d7-d18d18166914","origin":"tls","data":{"client_hello":{"CipherSuites":[51914,4865,4866,4867,49195,49199,49196,49200,52393,52392,49171,49172,156,157,47,53],"ServerName":"drive.mydomain.com","SupportedCurves":[47802,25497,29,23,24],"SupportedPoints":"AA==","SignatureSchemes":[1027,2052,1025,1283,2053,1281,2054,1537],"SupportedProtos":["h2","http/1.1"],"SupportedVersions":[10794,772,771],"RemoteAddr":{"IP":"172.23.0.1","Port":38602,"Zone":""},"LocalAddr":{"IP":"172.23.0.11","Port":443,"Zone":""}}}}
{"level":"debug","ts":1730323459.3934007,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"drive.mydomain.com"}
{"level":"debug","ts":1730323459.3934085,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"*.mydomain.com"}
{"level":"debug","ts":1730323459.3934128,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"*.*.com"}
{"level":"debug","ts":1730323459.3934166,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"*.*.*"}
{"level":"debug","ts":1730323470.8752117,"logger":"events","msg":"event","name":"tls_get_certificate","id":"11876018-6902-4574-a5bd-1655d79afbda","origin":"tls","data":{"client_hello":{"CipherSuites":[19018,4865,4866,4867,49195,49199,49196,49200,52393,52392,49171,49172,156,157,47,53],"ServerName":"plex.mydomain.com","SupportedCurves":[39578,25497,29,23,24],"SupportedPoints":"AA==","SignatureSchemes":[1027,2052,1025,1283,2053,1281,2054,1537],"SupportedProtos":["h2","http/1.1"],"SupportedVersions":[2570,772,771],"RemoteAddr":{"IP":"172.23.0.1","Port":38630,"Zone":""},"LocalAddr":{"IP":"172.23.0.11","Port":443,"Zone":""}}}}
{"level":"debug","ts":1730323470.875241,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"plex.mydomain.com"}
{"level":"debug","ts":1730323470.875249,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"*.mydomain.com"}
{"level":"debug","ts":1730323470.8752527,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"*.*.com"}
{"level":"debug","ts":1730323470.8752568,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"*.*.*"}
{"level":"debug","ts":1730323470.875267,"logger":"tls.handshake","msg":"no certificate matching TLS ClientHello","remote_ip":"172.23.0.1","remote_port":"38630","server_name":"plex.mydomain.com","remote":"172.23.0.1:38630","identifier":"plex.mydomain.com","cipher_suites":[19018,4865,4866,4867,49195,49199,49196,49200,52393,52392,49171,49172,156,157,47,53],"cert_cache_fill":0.0004,"load_or_obtain_if_necessary":true,"on_demand":false}
{"level":"debug","ts":1730323470.8753347,"logger":"http.stdlib","msg":"http: TLS handshake error from 172.23.0.1:38630: no certificate available for 'plex.mydomain.com'"}

3. Caddy version:

CADDY_VERSION	v2.8.4

4. How I installed and ran Caddy:

I used the following to generate my own Caddy image.

FROM caddy:builder AS builder
RUN xcaddy build \
    --with github.com/caddy-dns/cloudflare
FROM caddy:latest
COPY --from=builder /usr/bin/caddy /usr/bin/caddy

Setup on Synology NAS

Installed Portainer -> set up Caddy and Tailscale along with other applications in Docker containers. Connected over a bridge network. Caddy is listening on ports 80 and 443.

a. System environment:

Synology NAS -> Caddy set up on Portainer.
Cloudflare is the DNS provider; the necessary A records for the subdomains are set up on Portainer.

b. Command:

Using the command line only for viewing Caddy logs, formatting the Caddyfile and testing with curl.

c. Docker compose file:

version: '3.9'

# Network definitions
name: caddy
networks:
  caddy_network:
    driver: bridge
    external: true
  
services:
  caddy:
    image: docker.io/dockersnacks/caddy-cloudflare:latest
    restart: always
    container_name: caddy
    hostname: caddy
    networks:
      - caddy_network
    ports:
      - "80:80"
      - "443:443"
      - "443:443/udp"
    volumes:
      - /volume1/docker/caddy-with-dns/etc/caddy/Caddyfile:/etc/caddy/Caddyfile
      - /volume1/docker/caddy-with-dns/data:/data
      - /volume1/docker/caddy-with-dns/config:/config
      - /volume1/docker/caddy-with-dns/site:/srv
      # tailscale creates its socket on /tmp, so we'll kidnap from there to expose to caddy
      - /volume1/docker/tailscale/tmp/tailscaled.sock:/var/run/tailscale/tailscaled.sock

d. My complete Caddy config:

{
	debug
}

(tls_cloudflare_dns) {
	tls {
		dns cloudflare ${CLOUDFLARE_API_TOKEN}
		resolvers 1.1.1.1
	}
}

################# Reverse proxies #################
portainer.sjayanna.com {
	import tls_cloudflare_dns
	reverse_proxy http://192.xx.xx.xx:REDACTED
}

iphotos.sjayanna.com {
	import tls_cloudflare_dns
	reverse_proxy http://192.xx.xx.xx:REDACTED
}

immich.sjayanna.com {
	import tls_cloudflare_dns
	reverse_proxy http://192.xx.xx.xx:REDACTED
}

teslamate.sjayanna.com {
	import tls_cloudflare_dns
	reverse_proxy http://192.xx.xx.xx:REDACTED
}

grafana.sjayanna.com {
	import tls_cloudflare_dns
	reverse_proxy http://192.xx.xx.xx:REDACTED
}

plex.sjayanna.com {
	import tls_cloudflare_dns
	reverse_proxy 192.xx.xx.xx:REDACTED
}

################# Redirects #################
nas.sjayanna.com {
	import tls_cloudflare_dns
	redir https://synologyhost.ts.net:REDACTED
}

calendar.sjayanna.com {
	import tls_cloudflare_dns
	#redir https://synologyhost.ts.net:REDACTED
	redir https://synologyhost.ts.net:REDACTED/calendar
}

contacts.sjayanna.com {
	import tls_cloudflare_dns
	#redir https://synologyhost.ts.net:REDACTED
	redir https://synologyhost.ts.net:REDACTED/contacts
}

downloads.sjayanna.com {
	import tls_cloudflare_dns
	#redir https://synologyhost.ts.net:REDACTED
	redir https://synologyhost.ts.net:REDACTED/downloads
}

files.sjayanna.com {
	import tls_cloudflare_dns
	#redir https://synologyhost.ts.net:REDACTED
	redir https://synologyhost.ts.net:REDACTED/files
}

drive.sjayanna.com {
	import tls_cloudflare_dns
	#redir https://synologyhost.ts.net:REDACTED
	redir https://synologyhost.ts.net:REDACTED/drive
}

photos.sjayanna.com {
	import tls_cloudflare_dns
	#redir https://synologyhost.ts.net:REDACTED
	redir https://synologyhost.ts.net:REDACTED/photos
}

sphotos.sjayanna.com {
	import tls_cloudflare_dns
	#redir https://synologyhost.ts.net:REDACTED
	redir https://synologyhost.ts.net:REDACTED/photos
}

5. Links to relevant resources:

Adding curl -vL output for both success and failure scenarios.

1. Success
➜  ~ curl -vL sphotos.mydomain.com      
* Host sphotos.mydomain.com:80 was resolved.
* IPv6: (none)
* IPv4: 100.xx.xx.xx
*   Trying 100.xx.xx.xx:80...
* Connected to sphotos.mydomain.com (100.xx.xx.xx) port 80
> GET / HTTP/1.1
> Host: sphotos.mydomain.com
> User-Agent: curl/8.7.1
> Accept: */*
> 
* Request completely sent off
< HTTP/1.1 308 Permanent Redirect
< Connection: close
< Location: https://sphotos.mydomain.com/
< Server: Caddy
< Date: Wed, 30 Oct 2024 21:42:37 GMT
< Content-Length: 0
< 
* Closing connection
* Clear auth, redirects to port from 80 to 443
* Issue another request to this URL: 'https://sphotos.mydomain.com/'
* Host sphotos.mydomain.com:443 was resolved.
* IPv6: (none)
* IPv4: 100.xx.xx.xx
*   Trying 100.xx.xx.xx:443...
* Connected to sphotos.mydomain.com (100.xx.xx.xx) port 443
* ALPN: curl offers h2,http/1.1
* (304) (OUT), TLS handshake, Client hello (1):
*  CAfile: /etc/ssl/cert.pem
*  CApath: none
* (304) (IN), TLS handshake, Server hello (2):
* (304) (IN), TLS handshake, Unknown (8):
* (304) (IN), TLS handshake, Certificate (11):
* (304) (IN), TLS handshake, CERT verify (15):
* (304) (IN), TLS handshake, Finished (20):
* (304) (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / AEAD-CHACHA20-POLY1305-SHA256 / [blank] / UNDEF
* ALPN: server accepted h2
* Server certificate:
*  subject: CN=sphotos.mydomain.com
*  start date: Oct 29 04:02:52 2024 GMT
*  expire date: Jan 27 04:02:51 2025 GMT
*  subjectAltName: host "sphotos.mydomain.com" matched cert's "sphotos.mydomain.com"
*  issuer: C=US; O=Let's Encrypt; CN=E5
*  SSL certificate verify ok.
* using HTTP/2
* [HTTP/2] [1] OPENED stream for https://sphotos.mydomain.com/
* [HTTP/2] [1] [:method: GET]
* [HTTP/2] [1] [:scheme: https]
* [HTTP/2] [1] [:authority: sphotos.mydomain.com]
* [HTTP/2] [1] [:path: /]
* [HTTP/2] [1] [user-agent: curl/8.7.1]
* [HTTP/2] [1] [accept: */*]
> GET / HTTP/2
> Host: sphotos.mydomain.com
> User-Agent: curl/8.7.1
> Accept: */*
> 
* Request completely sent off
< HTTP/2 302 
< alt-svc: h3=":443"; ma=2592000
< location: https://tailscalehost.ts.net:7311/photos
< server: Caddy
< content-length: 0
< date: Wed, 30 Oct 2024 21:42:37 GMT
< 
* Ignoring the response-body
* Connection #1 to host sphotos.mydomain.com left intact
* Clear auth, redirects to port from 443 to 7311
* Issue another request to this URL: 'https://tailscalehost.ts.net:7311/photos'
* Host tailscalehost.ts.net:7311 was resolved.
* IPv6: (none)
* IPv4: 100.xx.xx.xx
*   Trying 100.xx.xx.xx:7311...
* Connected to tailscalehost.ts.net (100.xx.xx.xx) port 7311
* ALPN: curl offers h2,http/1.1
* (304) (OUT), TLS handshake, Client hello (1):
* (304) (IN), TLS handshake, Server hello (2):
* (304) (IN), TLS handshake, Unknown (8):
* (304) (IN), TLS handshake, Certificate (11):
* (304) (IN), TLS handshake, CERT verify (15):
* (304) (IN), TLS handshake, Finished (20):
* (304) (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / AEAD-AES256-GCM-SHA384 / [blank] / UNDEF
* ALPN: server accepted h2
* Server certificate:
*  subject: CN=tailscalehost.ts.net
*  start date: Oct 26 19:15:17 2024 GMT
*  expire date: Jan 24 19:15:16 2025 GMT
*  subjectAltName: host "tailscalehost.ts.net" matched cert's "tailscalehost.ts.net"
*  issuer: C=US; O=Let's Encrypt; CN=E6
*  SSL certificate verify ok.
* using HTTP/2
* [HTTP/2] [1] OPENED stream for https://tailscalehost.ts.net:7311/photos
* [HTTP/2] [1] [:method: GET]
* [HTTP/2] [1] [:scheme: https]
* [HTTP/2] [1] [:authority: tailscalehost.ts.net:7311]
* [HTTP/2] [1] [:path: /photos]
* [HTTP/2] [1] [user-agent: curl/8.7.1]
* [HTTP/2] [1] [accept: */*]
> GET /photos HTTP/2
> Host: tailscalehost.ts.net:7311
> User-Agent: curl/8.7.1
> Accept: */*
> 
* Request completely sent off
< HTTP/2 301 
< server: noindex
< date: Wed, 30 Oct 2024 21:42:37 GMT
< content-type: text/html
< content-length: 162
< location: photos/
< 
* Ignoring the response-body
* Connection #2 to host tailscalehost.ts.net left intact
* Issue another request to this URL: 'https://tailscalehost.ts.net:7311/photos/'
* Found bundle for host: 0x600000b380f0 [can multiplex]
* Re-using existing connection with host tailscalehost.ts.net
* [HTTP/2] [3] OPENED stream for https://tailscalehost.ts.net:7311/photos/
* [HTTP/2] [3] [:method: GET]
* [HTTP/2] [3] [:scheme: https]
* [HTTP/2] [3] [:authority: tailscalehost.ts.net:7311]
* [HTTP/2] [3] [:path: /photos/]
* [HTTP/2] [3] [user-agent: curl/8.7.1]
* [HTTP/2] [3] [accept: */*]
> GET /photos/ HTTP/2
> Host: tailscalehost.ts.net:7311
> User-Agent: curl/8.7.1
> Accept: */*
> 
* Request completely sent off
< HTTP/2 200 
< server: noindex
< date: Wed, 30 Oct 2024 21:42:37 GMT
< content-type: text/html; charset="UTF-8"
< cache-control: no-store
< x-content-type-options: nosniff
< x-xss-protection: 1; mode=block
< x-frame-options: SAMEORIGIN
< p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
< content-security-policy: base-uri 'self';  connect-src data: ws: wss: http: https:; default-src 'self' 'unsafe-eval' data: blob: https://*.synology.com https://www.synology.cn/ https://help.synology.cn/; font-src 'self' data: https://*.googleapis.com https://*.gstatic.com https://*.gstatic.com; form-action 'self'; frame-ancestors 'self'; frame-src 'self' data: blob: https://*.synology.com https://*.synology.cn http://*.synology.com http://*.synology.cn http://global.synologydownload.com https://global.synologydownload.com; img-src 'self' data: blob: https://*.google.com https://*.googleapis.com http://*.googlecode.com https://*.gstatic.com https://global.download.synology.com https://*.gstatic.com https://*.googleapis.com https://*.google.com https://*.baidu.com http://*.baidu.com https://*.bdstatic.com https://*.bdimg.com; media-src 'self' data: about: https://*.synology.com https://help.synology.cn blob:;  script-src 'self' 'unsafe-eval' data: blob: https://maps.google.com https://maps.googleapis.com https://ajax.googleapis.com https://help.synology.com https://help.synology.cn https://*.google.com https://*.googleapis.com https://*.baidu.com http://*.baidu.com https://*.bdstatic.com https://*.bdimg.com; style-src 'self' 'unsafe-inline' https://*.googleapis.com https://*.googleapis.com https://api.map.baidu.com;
< 
* Connection #2 to host tailscalehost.ts.net left intact
2. Failure
➜  ~ curl -vL photos.mydomain.com 
* Host photos.mydomain.com:80 was resolved.
* IPv6: (none)
* IPv4: 100.xx.xx.xx
*   Trying 100.xx.xx.xx:80...
* Connected to photos.mydomain.com (100.xx.xx.xx) port 80
> GET / HTTP/1.1
> Host: photos.mydomain.com
> User-Agent: curl/8.7.1
> Accept: */*
> 
* Request completely sent off
< HTTP/1.1 308 Permanent Redirect
< Connection: close
< Location: https://photos.mydomain.com/
< Server: Caddy
< Date: Wed, 30 Oct 2024 21:42:59 GMT
< Content-Length: 0
< 
* Closing connection
* Clear auth, redirects to port from 80 to 443
* Issue another request to this URL: 'https://photos.mydomain.com/'
* Host photos.mydomain.com:443 was resolved.
* IPv6: (none)
* IPv4: 100.xx.xx.xx
*   Trying 100.xx.xx.xx:443...
* Connected to photos.mydomain.com (100.xx.xx.xx) port 443
* ALPN: curl offers h2,http/1.1
* (304) (OUT), TLS handshake, Client hello (1):
*  CAfile: /etc/ssl/cert.pem
*  CApath: none
* LibreSSL/3.3.6: error:1404B438:SSL routines:ST_CONNECT:tlsv1 alert internal error
* Closing connection
curl: (35) LibreSSL/3.3.6: error:1404B438:SSL routines:ST_CONNECT:tlsv1 alert internal error

So stupid of me, this is really embarrassing.
All I had to do was change my API token env variable from

"CLOUDFLARE_API_TOKEN" to "CF_API_TOKEN",

and everything works like a charm :slight_smile:

I'll leave the ticket here hoping it helps someone else in a similar scenario!
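A small triage script, added here and not part of the original post, that does the two checks this thread boils down to: group Caddy's JSON debug log by SNI name to see which names never had a certificate to serve, and scan a Caddyfile for environment-variable references that are not actually set in the environment. The log lines and Caddyfile snippet inside are constructed to mirror the post; the regex accepts the shell-style `${VAR}` form the post's Caddyfile uses as well as Caddy's own `{$VAR}` and `{env.VAR}` forms.

```python
"""Triage Caddy debug logs for 'no certificate available' and check that the
env vars a Caddyfile references are actually set (added example, not from
the original post)."""
import json
import re
from collections import defaultdict

# Constructed sample lines modelled on the post's debug output (fields trimmed).
SAMPLE_LOG = """\
{"level":"debug","logger":"tls.handshake","msg":"matched certificate in cache","remote_ip":"172.23.0.1","subjects":["sphotos.mydomain.com"],"managed":true}
{"level":"debug","logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"plex.mydomain.com"}
{"level":"debug","logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"*.mydomain.com"}
{"level":"debug","logger":"tls.handshake","msg":"no certificate matching TLS ClientHello","remote_ip":"172.23.0.1","server_name":"plex.mydomain.com","on_demand":false}
{"level":"debug","logger":"http.stdlib","msg":"http: TLS handshake error from 172.23.0.1:38630: no certificate available for 'plex.mydomain.com'"}
{"level":"debug","logger":"tls.handshake","msg":"no certificate matching TLS ClientHello","remote_ip":"172.23.0.1","server_name":"drive.mydomain.com","on_demand":false}
not a json line (console-format output is skipped)
"""

# Constructed Caddyfile snippet using the same shell-style reference as the post.
SAMPLE_CADDYFILE = """\
(tls_cloudflare_dns) {
\ttls {
\t\tdns cloudflare ${CLOUDFLARE_API_TOKEN}
\t\tresolvers 1.1.1.1
\t}
}
"""


def summarize_handshakes(log_text):
    """Return {server_name: {"served": n, "no_cert": m}} from Caddy JSON debug logs.

    "matched certificate in cache" means a cert was served for its subjects;
    "no certificate matching TLS ClientHello" means the SNI name had no cert at all.
    """
    stats = defaultdict(lambda: {"served": 0, "no_cert": 0})
    for line in log_text.splitlines():
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip anything that is not a JSON log record
        if rec.get("logger") != "tls.handshake":
            continue
        msg = rec.get("msg", "")
        if msg == "matched certificate in cache":
            for name in rec.get("subjects", []):
                stats[name]["served"] += 1
        elif msg == "no certificate matching TLS ClientHello":
            stats[rec["server_name"]]["no_cert"] += 1
    return dict(stats)


def names_without_certificate(log_text):
    """SNI names that were requested but never once served a certificate."""
    stats = summarize_handshakes(log_text)
    return sorted(n for n, c in stats.items() if c["no_cert"] and not c["served"])


# {$VAR} and {env.VAR} are Caddy's own forms; ${VAR} is the shell-style form
# seen in the post (presumably substituted by the image's entrypoint).
ENV_REF = re.compile(r"\{\$(\w+)\}|\{env\.(\w+)\}|\$\{(\w+)\}")


def check_caddyfile_env(caddyfile_text, environ):
    """Return env var names the Caddyfile references that are missing or empty."""
    missing = []
    for m in ENV_REF.finditer(caddyfile_text):
        name = next(g for g in m.groups() if g)
        if not environ.get(name) and name not in missing:
            missing.append(name)
    return missing


if __name__ == "__main__":
    print("names with no certificate:", names_without_certificate(SAMPLE_LOG))
    # Mirrors the post's root cause: the file references one name, the env sets another.
    print("unset env refs:", check_caddyfile_env(SAMPLE_CADDYFILE, {"CF_API_TOKEN": "x"}))
```

Run it against the real log with `docker logs caddy 2>&1 | python3 triage.py` style piping by replacing `SAMPLE_LOG` with `sys.stdin.read()`, and pass `os.environ` of the Caddy container to the env check.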