1. The problem I’m having:
Caddy is failing to get a certificate from Cloudflare randomly for some of the subdomains, inspite of replicating the exact settings.
Have tried different browsers, incognito mode, curl -vL.
All subdomains 'A' records on Cloudflare DNS have the exact same settings, pointing to the Tailscale IP address. All caddy reverse proxies have the same settings as well.
Error msg:
'TLS handshake error from 172.23.0.1:38630: no certificate available for 'plex.mydomain.com'
2. Error messages and/or full log output:
Success logs:
{"level":"debug","ts":1730324557.4122012,"logger":"events","msg":"event","name":"tls_get_certificate","id":"39db50b8-4641-461f-9038-60f0fc06fc38","origin":"tls","data":{"client_hello":{"CipherSuites":[4867,4866,4865,52393,52392,52394,49200,49196,49192,49188,49172,49162,159,107,57,65413,196,136,129,157,61,53,192,132,49199,49195,49191,49187,49171,49161,158,103,51,190,69,156,60,47,186,65,49169,49159,5,4,49170,49160,22,10,255],"ServerName":"sphotos.sjayanna.com","SupportedCurves":[29,23,24,25],"SupportedPoints":"AA==","SignatureSchemes":[2054,1537,1539,2053,1281,1283,2052,1025,1027,513,515],"SupportedProtos":["h2","http/1.1"],"SupportedVersions":[772,771,770,769],"RemoteAddr":{"IP":"172.23.0.1","Port":39588,"Zone":""},"LocalAddr":{"IP":"172.23.0.11","Port":443,"Zone":""}}}}
{"level":"debug","ts":1730324557.4122424,"logger":"tls.handshake","msg":"choosing certificate","identifier":"sphotos.sjayanna.com","num_choices":1}
{"level":"debug","ts":1730324557.4122655,"logger":"tls.handshake","msg":"default certificate selection results","identifier":"sphotos.sjayanna.com","subjects":["sphotos.sjayanna.com"],"managed":true,"issuer_key":"acme-v02.api.letsencrypt.org-directory","hash":"7c5b7dc7ffcfae4e2b9d7b2a254c92f658f397d1455e6f66d3e5c3e4d8fafae8"}
{"level":"debug","ts":1730324557.4122784,"logger":"tls.handshake","msg":"matched certificate in cache","remote_ip":"172.23.0.1","remote_port":"39588","subjects":["sphotos.sjayanna.com"],"managed":true,"expiration":1737950572,"hash":"7c5b7dc7ffcfae4e2b9d7b2a254c92f658f397d1455e6f66d3e5c3e4d8fafae8"}
Failure logs:
{"level":"debug","ts":1730323393.2469225,"logger":"events","msg":"event","name":"tls_get_certificate","id":"f260fa0d-f429-48a1-8ab8-dd58e62cd9f5","origin":"tls","data":{"client_hello":{"CipherSuites":[23130,4865,4866,4867,49195,49199,49196,49200,52393,52392,49171,49172,156,157,47,53],"ServerName":"immich.mydomain.com","SupportedCurves":[35466,25497,29,23,24],"SupportedPoints":"AA==","SignatureSchemes":[1027,2052,1025,1283,2053,1281,2054,1537],"SupportedProtos":["h2","http/1.1"],"SupportedVersions":[60138,772,771],"RemoteAddr":{"IP":"172.23.0.1","Port":38520,"Zone":""},"LocalAddr":{"IP":"172.23.0.11","Port":443,"Zone":""}}}}
{"level":"debug","ts":1730323393.2469633,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"immich.mydomain.com"}
{"level":"debug","ts":1730323393.2469747,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"*.mydomain.com"}
{"level":"debug","ts":1730323393.2469802,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"*.*.com"}
{"level":"debug","ts":1730323393.246984,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"*.*.*"}
{"level":"debug","ts":1730323393.2615206,"logger":"tls.handshake","msg":"no certificate matching TLS ClientHello","remote_ip":"172.23.0.1","remote_port":"38524","server_name":"immich.mydomain.com","remote":"172.23.0.1:38524","identifier":"immich.mydomain.com","cipher_suites":[31354,4865,4866,4867,49195,49199,49196,49200,52393,52392,49171,49172,156,157,47,53],"cert_cache_fill":0.0004,"load_or_obtain_if_necessary":true,"on_demand":false}
{"level":"debug","ts":1730323393.2616272,"logger":"http.stdlib","msg":"http: TLS handshake error from 172.23.0.1:38524: no certificate available for 'immich.mydomain.com'"}
{"level":"debug","ts":1730323439.7047424,"logger":"events","msg":"event","name":"tls_get_certificate","id":"8e828d07-6530-49f2-ab5e-f9a2ae2d4677","origin":"tls","data":{"client_hello":{"CipherSuites":[14906,4865,4866,4867,49195,49199,49196,49200,52393,52392,49171,49172,156,157,47,53],"ServerName":"nas.mydomain.com","SupportedCurves":[2570,25497,29,23,24],"SupportedPoints":"AA==","SignatureSchemes":[1027,2052,1025,1283,2053,1281,2054,1537],"SupportedProtos":["h2","http/1.1"],"SupportedVersions":[10794,772,771],"RemoteAddr":{"IP":"172.23.0.1","Port":38568,"Zone":""},"LocalAddr":{"IP":"172.23.0.11","Port":443,"Zone":""}}}}
{"level":"debug","ts":1730323439.7047777,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"nas.mydomain.com"}
{"level":"debug","ts":1730323439.7047858,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"*.mydomain.com"}
{"level":"debug","ts":1730323439.7047925,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"*.*.com"}
{"level":"debug","ts":1730323439.7047968,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"*.*.*"}
{"level":"debug","ts":1730323459.381689,"logger":"tls.handshake","msg":"no certificate matching TLS ClientHello","remote_ip":"172.23.0.1","remote_port":"38598","server_name":"drive.mydomain.com","remote":"172.23.0.1:38598","identifier":"drive.mydomain.com","cipher_suites":[10794,4865,4866,4867,49195,49199,49196,49200,52393,52392,49171,49172,156,157,47,53],"cert_cache_fill":0.0004,"load_or_obtain_if_necessary":true,"on_demand":false}
{"level":"debug","ts":1730323459.3817713,"logger":"http.stdlib","msg":"http: TLS handshake error from 172.23.0.1:38598: no certificate available for 'drive.mydomain.com'"}
{"level":"debug","ts":1730323459.393371,"logger":"events","msg":"event","name":"tls_get_certificate","id":"6307ee4e-af52-42d1-99d7-d18d18166914","origin":"tls","data":{"client_hello":{"CipherSuites":[51914,4865,4866,4867,49195,49199,49196,49200,52393,52392,49171,49172,156,157,47,53],"ServerName":"drive.mydomain.com","SupportedCurves":[47802,25497,29,23,24],"SupportedPoints":"AA==","SignatureSchemes":[1027,2052,1025,1283,2053,1281,2054,1537],"SupportedProtos":["h2","http/1.1"],"SupportedVersions":[10794,772,771],"RemoteAddr":{"IP":"172.23.0.1","Port":38602,"Zone":""},"LocalAddr":{"IP":"172.23.0.11","Port":443,"Zone":""}}}}
{"level":"debug","ts":1730323459.3934007,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"drive.mydomain.com"}
{"level":"debug","ts":1730323459.3934085,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"*.mydomain.com"}
{"level":"debug","ts":1730323459.3934128,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"*.*.com"}
{"level":"debug","ts":1730323459.3934166,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"*.*.*"}
{"level":"debug","ts":1730323470.8752117,"logger":"events","msg":"event","name":"tls_get_certificate","id":"11876018-6902-4574-a5bd-1655d79afbda","origin":"tls","data":{"client_hello":{"CipherSuites":[19018,4865,4866,4867,49195,49199,49196,49200,52393,52392,49171,49172,156,157,47,53],"ServerName":"plex.mydomain.com","SupportedCurves":[39578,25497,29,23,24],"SupportedPoints":"AA==","SignatureSchemes":[1027,2052,1025,1283,2053,1281,2054,1537],"SupportedProtos":["h2","http/1.1"],"SupportedVersions":[2570,772,771],"RemoteAddr":{"IP":"172.23.0.1","Port":38630,"Zone":""},"LocalAddr":{"IP":"172.23.0.11","Port":443,"Zone":""}}}}
{"level":"debug","ts":1730323470.875241,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"plex.mydomain.com"}
{"level":"debug","ts":1730323470.875249,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"*.mydomain.com"}
{"level":"debug","ts":1730323470.8752527,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"*.*.com"}
{"level":"debug","ts":1730323470.8752568,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"*.*.*"}
{"level":"debug","ts":1730323470.875267,"logger":"tls.handshake","msg":"no certificate matching TLS ClientHello","remote_ip":"172.23.0.1","remote_port":"38630","server_name":"plex.mydomain.com","remote":"172.23.0.1:38630","identifier":"plex.mydomain.com","cipher_suites":[19018,4865,4866,4867,49195,49199,49196,49200,52393,52392,49171,49172,156,157,47,53],"cert_cache_fill":0.0004,"load_or_obtain_if_necessary":true,"on_demand":false}
{"level":"debug","ts":1730323470.8753347,"logger":"http.stdlib","msg":"http: TLS handshake error from 172.23.0.1:38630: no certificate available for 'plex.mydomain.com'"}
3. Caddy version:
CADDY_VERSION v2.8.4
4. How I installed and ran Caddy:
Used below to generate my own caddy image.
FROM caddy:builder AS builder
RUN xcaddy build \
--with github.com/caddy-dns/cloudflare
FROM caddy:latest
COPY --from=builder /usr/bin/caddy /usr/bin/caddy
Setup on Synology NAS
Installed Portainer -> Setup Caddy, Tailscale along with other applications in dockers. Connected over a bridge network. Caddy is listening to 80 and 443 ports.
a. System environment:
Synology NAS -> Caddy setup on Portainer.
Cloudflare is the DNS provider, necessary A records for subdomains setup on portainer
b. Command:
Using command line only for viewing caddy logs, formatting Caddyfile and testing with curl.
c. Docker compose file:
version: '3.9'
# Network definitions
name: caddy
networks:
caddy_network:
driver: bridge
external: true
services:
caddy:
image: docker.io/dockersnacks/caddy-cloudflare:latest
restart: always
container_name: caddy
hostname: caddy
networks:
- caddy_network
ports:
- "80:80"
- "443:443"
- "443:443/udp"
volumes:
- /volume1/docker/caddy-with-dns/etc/caddy/Caddyfile:/etc/caddy/Caddyfile
- /volume1/docker/caddy-with-dns/data:/data
- /volume1/docker/caddy-with-dns/config:/config
- /volume1/docker/caddy-with-dns/site:/srv
# tailscale creates its socket on /tmp, so we'll kidnap from there to expose to caddy
- /volume1/docker/tailscale/tmp/tailscaled.sock:/var/run/tailscale/tailscaled.sock
d. My complete Caddy config:
{
debug
}
(tls_cloudflare_dns) {
tls {
dns cloudflare ${CLOUDFLARE_API_TOKEN}
resolvers 1.1.1.1
}
}
################# Reverse proxies #################
portainer.sjayanna.com {
import tls_cloudflare_dns
reverse_proxy http://192.xx.xx.xx:REDACTED
}
iphotos.sjayanna.com {
import tls_cloudflare_dns
reverse_proxy http://192.xx.xx.xx:REDACTED
}
immich.sjayanna.com {
import tls_cloudflare_dns
reverse_proxy http://192.xx.xx.xx:REDACTED
}
teslamate.sjayanna.com {
import tls_cloudflare_dns
reverse_proxy http://192.xx.xx.xx:REDACTED
}
grafana.sjayanna.com {
import tls_cloudflare_dns
reverse_proxy http://192.xx.xx.xx:REDACTED
}
plex.sjayanna.com {
import tls_cloudflare_dns
reverse_proxy 192.xx.xx.xx:REDACTED
}
################# Redirects #################
nas.sjayanna.com {
import tls_cloudflare_dns
redir https://synologyhost.ts.net:REDACTED
}
calendar.sjayanna.com {
import tls_cloudflare_dns
#redir https://synologyhost.ts.net:REDACTED
redir https://synologyhost.ts.net:REDACTED/calendar
}
contacts.sjayanna.com {
import tls_cloudflare_dns
#redir https://synologyhost.ts.net:REDACTED
redir https://synologyhost.ts.net:REDACTED/contacts
}
downloads.sjayanna.com {
import tls_cloudflare_dns
#redir https://synologyhost.ts.net:REDACTED
redir https://synologyhost.ts.net:REDACTED/downloads
}
files.sjayanna.com {
import tls_cloudflare_dns
#redir https://synologyhost.ts.net:REDACTED
redir https://synologyhost.ts.net:REDACTED/files
}
drive.sjayanna.com {
import tls_cloudflare_dns
#redir https://synologyhost.ts.net:REDACTED
redir https://synologyhost.ts.net:REDACTED/drive
}
photos.sjayanna.com {
import tls_cloudflare_dns
#redir https://synologyhost.ts.net:REDACTED
redir https://synologyhost.ts.net:REDACTED/photos
}
sphotos.sjayanna.com {
import tls_cloudflare_dns
#redir https://synologyhost.ts.net:REDACTED
redir https://synologyhost.ts.net:REDACTED/photos
}