SSL handshake failed Error code 525 for multiple cloudflare subdomains

1. The problem I’m having:

I’ve been using caddy for several years as a reverse proxy.
I’ve recently bought a cloudflare domain and want to move my current pages from my ddns provider to subdomains in my cloudflare domain.
Cloudflare has all subdomains added as CNAMEs to a single A entry smythstreet.com pointing to my current IP.
Cloudflare is set up with Full (not strict) SSL, cloudflare proxy enabled.
Oddly only one subdomain reverse proxy is working.
The arr.smythstreet.com subdomain is working for all paths, but any other subdomains receive the following error via browser:
SSL handshake failed Error code 525
They’re all set up the same in cloudflare so I’m unsure what’s wrong. Can you not use an API token for multiple subdomains?

2. Error messages and/or full log output:

Via Curl

curl -svo /dev/null https://ha.smythstreet.com --connect-to ::122.199.45.55 2>&1 | egrep -v "^{.*$|^}.*$|^* http.*$"
* Connecting to hostname: 122.199.45.55
*   Trying 122.199.45.55:443...
* Connected to (nil) (122.199.45.55) port 443 (#0)
* ALPN: offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.3 (IN), TLS alert, internal error (592):
* OpenSSL/3.0.13: error:0A000438:SSL routines::tlsv1 alert internal error
* Closing connection 0

My working subdomain

curl -svo /dev/null https://arr.smythstreet.com/radarr --connect-to ::122.199.45.55 2>&1 | egrep -v "^{.*$|^}.*$|^* http.*$"
* Connecting to hostname: 122.199.45.55
*   Trying 122.199.45.55:443...
* Connected to (nil) (122.199.45.55) port 443 (#0)
* ALPN: offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256
* ALPN: server accepted h2
* Server certificate:
*  subject: CN=arr.smythstreet.com
*  start date: Aug 16 10:17:06 2024 GMT
*  expire date: Nov 14 10:17:05 2024 GMT
*  subjectAltName: host "arr.smythstreet.com" matched cert's "arr.smythstreet.com"
*  issuer: C=US; O=Let's Encrypt; CN=E5
*  SSL certificate verify ok.

3. Caddy version:

v2.8.4 h1:q3pe0wpBj1OcHFZ3n/1nl4V4bxBrYoSoab7rL9BMYNk=

4. How I installed and ran Caddy:

Installed caddy as an LXC ttek script.
Followed

https://caddyserver.com/docs/build#package-support-files-for-custom-builds-for-debianubunturaspbian

to add a new custom build with cloudflare and dynamic dns checker added.

a. System environment:

Proxmox Virtual Environment 8.2.4
Running as LXC container under Debian 12.

b. Command:

sudo systemctl start caddy

c. Service/unit/compose file:

N/A

d. My complete Caddy config:

{
	debug
	email david.ratten@gmail.com
	dynamic_dns {
		provider cloudflare {env.CLOUDFLARE_AUTH_TOKEN}
		domains {
			smythstreet.com
		}
		check_interval 15m
		versions ipv4
	}
}
daveflix2.ddns.net {
	encode gzip
	log {
		output file /var/log/caddy/jelly_access.log {
			roll_size 10mb # Set max size 10 MB
			roll_local_time # use local time in logs
			roll_keep 4 # Keep at most 4 log files
			roll_keep_for 1080h # Keep log files for 45 days
		}
	}
	reverse_proxy 192.168.1.6:8096
}

arr.smythstreet.com {
	tls {
		dns cloudflare {env.CLOUDFLARE_AUTH_TOKEN}
	}
	encode gzip
	log {
		output file /var/log/caddy/server_access.log {
			roll_size 10mb # Set max size 10 MB
			roll_local_time # use local time in logs
			roll_keep 4 # Keep at most 4 log files
			roll_keep_for 1080h # Keep log files for 45 days
		}
	}
	reverse_proxy /radarr* 192.168.1.63:7878
	reverse_proxy /sonarr* 192.168.1.64:8989
	reverse_proxy /lidarr* 192.168.1.65:8686
	reverse_proxy /sabnzbd* 192.168.1.60:7777
	redir /qbt /qbt/
	handle_path /qbt/* {
		reverse_proxy 192.168.1.66:8090
	}
}

ha.smythstreet.com {
	tls {
		dns cloudflare {env.CLOUDFLARE_AUTH_TOKEN}
	}
	encode gzip
	log {
		output file /var/log/caddy/hass_access.log {
			roll_size 10mb # Set max size 10 MB
			roll_local_time # use local time in logs
			roll_keep 4 # Keep at most 4 log files
			roll_keep_for 1080h # Keep log files for 45 days
		}
	}
	reverse_proxy 192.168.1.51:8123
}
hasshellbound.ddns.net {
	encode gzip
	log {
		output file /var/log/caddy/hass_access.log {
			roll_size 10mb # Set max size 10 MB
			roll_local_time # use local time in logs
			roll_keep 4 # Keep at most 4 log files
			roll_keep_for 1080h # Keep log files for 45 days
		}
	}
	reverse_proxy 192.168.1.51:8123
}
df.smythstreet.com {
	tls {
		dns cloudflare {env.CLOUDFLARE_AUTH_TOKEN}
	}
	encode gzip
	log {
		output file /var/log/caddy/nxc_access.log {
			roll_size 10mb # Set max size 10 MB
			roll_local_time # use local time in logs
			roll_keep 4 # Keep at most 4 log files
			roll_keep_for 1080h # Keep log files for 45 days
		}
	}
	reverse_proxy 192.168.1.61:8096
}

5. Links to relevant resources:

Mainly followed this guide:

But also ran through multiple other pages

https://caddy.community/t/error-525-ssl-handshake-failed/11615
https://caddy.community/t/recommendations-for-caddy-and-cloudflare-proxy/18076

As well as the GitHub repos for both custom modules
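The two curl traces above differ in one thing: whether the origin answers the Client Hello for that SNI with a Server Hello and a certificate, or with a TLS alert. The script below is an added check, not part of this thread or of Caddy, that generalizes that comparison so you can run it against every site name in the Caddyfile at once; it reduces a saved curl trace to those facts and, via probe_origin, performs the same SNI handshake live against the origin IP (the traces embedded here are trimmed copies of the ones in the post, the hostname/IP arguments are whatever you pass in).

```python
import socket
import ssl

# Constructed samples: the two curl -v traces from the post, trimmed to the relevant lines.
FAILING_TRACE = """\
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS alert, internal error (592):
* OpenSSL/3.0.13: error:0A000438:SSL routines::tlsv1 alert internal error
* Closing connection 0
"""
WORKING_TRACE = """\
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256
* Server certificate:
*  subject: CN=arr.smythstreet.com
*  issuer: C=US; O=Let's Encrypt; CN=E5
*  SSL certificate verify ok.
"""

def classify_curl_trace(trace: str) -> dict:
    """Reduce a `curl -v` TLS trace to what matters for a 525: did the origin
    answer with a Server Hello, whose certificate did it present, and if the
    handshake failed, which alert came back."""
    result = {"server_hello": False, "subject": None, "alert": None, "verified": False}
    for line in trace.splitlines():
        if "TLS handshake, Server hello" in line:
            result["server_hello"] = True
        elif "TLS alert," in line:
            result["alert"] = line.split("TLS alert,", 1)[1].strip().rstrip(":")
        elif line.startswith("*  subject:"):
            result["subject"] = line.split("subject:", 1)[1].strip()
        elif "SSL certificate verify ok" in line:
            result["verified"] = True
    return result

def probe_origin(hostname: str, origin_ip: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Live equivalent of `curl --connect-to ::IP`: TLS to the origin IP with SNI set
    to `hostname`, as Cloudflare does in Full mode. Needs network; same result shape."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((origin_ip, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
                names = dict(rdn[0] for rdn in tls.getpeercert()["subject"])
                return {"server_hello": True, "subject": f"CN={names.get('commonName')}",
                        "alert": None, "verified": True}
    except ssl.SSLError as exc:  # alert or verification failure from the origin
        return {"server_hello": False, "subject": None, "alert": exc.reason, "verified": False}
    except OSError as exc:  # refused, timed out, unreachable
        return {"server_hello": False, "subject": None, "alert": f"connect: {exc}", "verified": False}
```

Run probe_origin once per site address in the Caddyfile with the origin's public IP; a name that returns an alert instead of its own CN is the one Cloudflare will report as 525 in Full mode.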

What’s in your Caddy logs? Any cert issuance errors? Which proxy mode are you using in Cloudflare for your domains? Make sure they’re the same mode as your arr. domain I guess.



That’s the odd thing, there’s nothing in the caddy logs at all when a call is made.
Not sure what you mean by proxy mode sorry, the proxy status is “Proxied” for all subdomains.

I’ve now turned off the cf proxy and removed the tls section in the Caddyfile and the subdomain now works, but it’s just using the regular caddy generated cert. So I’m guessing there’s a problem with how the cloudflare plugin is interacting with cf?

There are 4 different modes. You should probably be using “Full (Strict)” mode.


Ok, SSL is set to Full (strict). I also tried it with Full but no change.
