1. The problem I’m having:
I’ve been using caddy for several years as a reverse proxy.
I’ve recently bought a cloudflare domain and want to move my current pages from my ddns provider to subdomains in my cloudflare domain.
Cloudflare has all subdomains added as CNAMEs to a single A entry smythstreet.com pointing to my current IP.
Cloudflare is set up with Full (not strict) SSL, Cloudflare proxy enabled.
Oddly only one subdomain reverse proxy is working.
The arr.smythstreet.com subdomain is working for all paths, but any other subdomains receive the following error via browser:
SSL handshake failed Error code 525
They’re all set up the same in Cloudflare so I’m unsure what’s wrong. Can you not use an API token for multiple subdomains?
2. Error messages and/or full log output:
Via Curl
curl -svo /dev/null https://ha.smythstreet.com --connect-to ::122.199.45.55 2>&1 | egrep -v "^{.*$|^}.*$|^* http.*$"
* Connecting to hostname: 122.199.45.55
* Trying 122.199.45.55:443...
* Connected to (nil) (122.199.45.55) port 443 (#0)
* ALPN: offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* CAfile: /etc/ssl/certs/ca-certificates.crt
* CApath: /etc/ssl/certs
* TLSv1.3 (IN), TLS alert, internal error (592):
* OpenSSL/3.0.13: error:0A000438:SSL routines::tlsv1 alert internal error
* Closing connection 0
My working subdomain
curl -svo /dev/null https://arr.smythstreet.com/radarr --connect-to ::122.199.45.55 2>&1 | egrep -v "^{.*$|^}.*$|^* http.*$"
* Connecting to hostname: 122.199.45.55
* Trying 122.199.45.55:443...
* Connected to (nil) (122.199.45.55) port 443 (#0)
* ALPN: offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* CAfile: /etc/ssl/certs/ca-certificates.crt
* CApath: /etc/ssl/certs
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256
* ALPN: server accepted h2
* Server certificate:
* subject: CN=arr.smythstreet.com
* start date: Aug 16 10:17:06 2024 GMT
* expire date: Nov 14 10:17:05 2024 GMT
* subjectAltName: host "arr.smythstreet.com" matched cert's "arr.smythstreet.com"
* issuer: C=US; O=Let's Encrypt; CN=E5
* SSL certificate verify ok.
3. Caddy version:
v2.8.4 h1:q3pe0wpBj1OcHFZ3n/1nl4V4bxBrYoSoab7rL9BMYNk=
4. How I installed and ran Caddy:
Installed caddy as an LXC ttek script.
Followed https://caddyserver.com/docs/build#package-support-files-for-custom-builds-for-debianubunturaspbian to add a new custom build with the cloudflare and dynamic dns modules added.
a. System environment:
Proxmox Virtual Environment 8.2.4
Running as LXC container under Debian 12.
b. Command:
sudo systemctl start caddy
c. Service/unit/compose file:
N/A
d. My complete Caddy config:
{
	debug
	email david.ratten@gmail.com
	dynamic_dns {
		provider cloudflare {env.CLOUDFLARE_AUTH_TOKEN}
		domains {
			smythstreet.com
		}
		check_interval 15m
		versions ipv4
	}
}

daveflix2.ddns.net {
	encode gzip
	log {
		output file /var/log/caddy/jelly_access.log {
			roll_size 10mb # Set max size 10 MB
			roll_local_time # use local time in logs
			roll_keep 4 # Keep at most 4 log files
			roll_keep_for 1080h # Keep log files for 45 days
		}
	}
	reverse_proxy 192.168.1.6:8096
}

arr.smythstreet.com {
	tls {
		dns cloudflare {env.CLOUDFLARE_AUTH_TOKEN}
	}
	encode gzip
	log {
		output file /var/log/caddy/server_access.log {
			roll_size 10mb # Set max size 10 MB
			roll_local_time # use local time in logs
			roll_keep 4 # Keep at most 4 log files
			roll_keep_for 1080h # Keep log files for 45 days
		}
	}
	reverse_proxy /radarr* 192.168.1.63:7878
	reverse_proxy /sonarr* 192.168.1.64:8989
	reverse_proxy /lidarr* 192.168.1.65:8686
	reverse_proxy /sabnzbd* 192.168.1.60:7777
	redir /qbt /qbt/
	handle_path /qbt/* {
		reverse_proxy 192.168.1.66:8090
	}
}

ha.smythstreet.com {
	tls {
		dns cloudflare {env.CLOUDFLARE_AUTH_TOKEN}
	}
	encode gzip
	log {
		output file /var/log/caddy/hass_access.log {
			roll_size 10mb # Set max size 10 MB
			roll_local_time # use local time in logs
			roll_keep 4 # Keep at most 4 log files
			roll_keep_for 1080h # Keep log files for 45 days
		}
	}
	reverse_proxy 192.168.1.51:8123
}

hasshellbound.ddns.net {
	encode gzip
	log {
		output file /var/log/caddy/hass_access.log {
			roll_size 10mb # Set max size 10 MB
			roll_local_time # use local time in logs
			roll_keep 4 # Keep at most 4 log files
			roll_keep_for 1080h # Keep log files for 45 days
		}
	}
	reverse_proxy 192.168.1.51:8123
}

df.smythstreet.com {
	tls {
		dns cloudflare {env.CLOUDFLARE_AUTH_TOKEN}
	}
	encode gzip
	log {
		output file /var/log/caddy/nxc_access.log {
			roll_size 10mb # Set max size 10 MB
			roll_local_time # use local time in logs
			roll_keep 4 # Keep at most 4 log files
			roll_keep_for 1080h # Keep log files for 45 days
		}
	}
	reverse_proxy 192.168.1.61:8096
}
5. Links to relevant resources:
Mainly followed this guide:
But also ran through multiple other pages:
https://caddy.community/t/error-525-ssl-handshake-failed/11615
https://caddy.community/t/recommendations-for-caddy-and-cloudflare-proxy/18076
As well as the GitHub repos for both custom modules
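Added example, not part of the original post or of Caddy: a shell script that repeats the poster's `curl --connect-to` probe against every Cloudflare-fronted hostname in the Caddyfile, talking to the origin IP directly with the real hostname as SNI (the same thing Cloudflare's edge does before it reports a 525), and classifies each outcome. The hostnames and origin IP are taken from the post; the result labels are my own. One reading is an assumption the post does not establish: a TLS alert arriving in reply to the Client Hello, with no Server Hello or Certificate, typically means the origin had no certificate to present for that server name (Go's TLS stack, which Caddy uses, sends an "internal error" alert when its certificate lookup returns an error), whereas a completed handshake followed by a verification error means a certificate was served but did not match or chain.

```shell
#!/usr/bin/env bash
# Probe each hostname directly at the origin, bypassing Cloudflare, so a
# Cloudflare 525 can be tied to what the origin actually does per SNI.
# Hostnames and IP are the ones from the post; everything else is an
# added example with its own labels.

ORIGIN_IP="122.199.45.55"
HOSTS="arr.smythstreet.com ha.smythstreet.com df.smythstreet.com"

# classify_handshake: reads `curl -v` output on stdin, prints one label.
#   verified   - handshake completed, certificate matched and chained
#   cert-error - handshake completed, but the served cert failed verification
#   tls-alert  - origin answered the Client Hello with an alert and no
#                Server Hello (assumed: no certificate available for that SNI)
#   no-connect - TCP connection to the origin failed
#   unknown    - none of the expected curl lines were seen
classify_handshake() {
    local out
    out=$(cat)
    if printf '%s\n' "$out" | grep -q 'SSL certificate verify ok'; then
        echo verified
    elif printf '%s\n' "$out" | grep -qiE 'SSL certificate problem|certificate verify failed'; then
        echo cert-error
    elif printf '%s\n' "$out" | grep -q '(IN), TLS alert'; then
        echo tls-alert
    elif printf '%s\n' "$out" | grep -qiE 'Failed to connect|Connection refused|Connection timed out'; then
        echo no-connect
    else
        echo unknown
    fi
}

# cert_subject: pulls the served certificate's subject out of `curl -v`
# output (empty when no certificate was ever presented).
cert_subject() {
    sed -n 's/^\* *subject: *//p' | head -n 1
}

# probe_origin HOST IP: one curl against the origin with HOST as SNI and
# Host header, exactly as the post does, then classify the captured output.
probe_origin() {
    local host=$1 ip=$2 out
    out=$(curl -svo /dev/null --max-time 10 "https://$host/" \
              --connect-to "::$ip:443" 2>&1 || true)
    printf '%s %s\n' \
        "$(printf '%s\n' "$out" | classify_handshake)" \
        "$(printf '%s\n' "$out" | cert_subject)"
}

main() {
    local h
    for h in $HOSTS; do
        printf '%-24s %s\n' "$h" "$(probe_origin "$h" "$ORIGIN_IP")"
    done
}

# Only touch the network when invoked as `probe.sh run`, so the functions
# can also be sourced or tested offline against captured curl output.
if [ "${1:-}" = "run" ]; then
    main
fi
```

Run it on a host that can reach the origin port 443 (ideally from outside the LAN, the way Cloudflare does) with `bash probe.sh run`. A hostname that prints `verified CN=...` is fine at the origin, so a 525 for it would point at the Cloudflare side; `tls-alert` with an empty subject reproduces what the post's `ha.smythstreet.com` capture shows and says the origin never offered a certificate for that name, which is where Caddy's own log (the Caddyfile has `debug` on) would be checked next for that site's certificate acquisition.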