Switching from nginx to caddy!

You already have the code to do it. On-Demand TLS uses the HTTP challenge. The DNS challenge is only needed for wildcard certificates, or situations where your server is not reachable over public networks (i.e. you’re running an intranet but still want publicly trusted certificates signed by an ACME issuer).

Reading through the docs it looks like all I had to do is add the on_demand to enable it.

tls {

However, going to pm0.11bricks.com still shows as

This site can’t provide a secure connection
pm0.11bricks.com sent an invalid response.

Here is the full config for the custom domain block below

https:// {
    encode gzip

    tls {

    import ../security-headers.conf
    import ../lucee.conf

    handle_path /shared/* {
        header Access-Control-Allow-Headers "Content-Type"
        header Access-Control-Allow-Origin *
        root * d:/web/honeystalk.io/shared

    root * d:/web/honeystalk.io/account

    import redirected

What am I forgetting or doing incorrectly?

What’s in your logs? Turn on the debug global option to see more.

Make the request with curl -v. What do you see?

Here is the output from the curl

$ curl -v https://pm0.11bricks.com
*   Trying
* Connected to pm0.11bricks.com ( port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: C:/Apps/git/mingw64/ssl/certs/ca-bundle.crt
  CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS alert, internal error (592):
* error:14094438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error
* Closing connection 0
curl: (35) error:14094438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error

Here is the caddy log

2022/01/26 21:16:01.255 INFO    serving initial configuration
2022/01/26 21:16:33.294 DEBUG   tls.handshake   no matching certificates and no custom selection logic  {"identifier": "pm0.11bricks.com"}
2022/01/26 21:16:33.314 DEBUG   tls.handshake   no matching certificates and no custom selection logic  {"identifier": "*.11bricks.com"}
2022/01/26 21:16:33.315 DEBUG   tls.handshake   no matching certificates and no custom selection logic  {"identifier": "*.*.com"}
2022/01/26 21:16:33.316 DEBUG   tls.handshake   no matching certificates and no custom selection logic  {"identifier": "*.*.*"}
2022/01/26 21:16:33.322 DEBUG   tls.handshake   choosing certificate    {"identifier": "honeystalk.io", "num_choices": 1}
2022/01/26 21:16:33.323 DEBUG   tls.handshake   default certificate selection results   {"identifier": "honeystalk.io", "subjects": ["*.honeystalk.io", "honeystalk.io"], "managed": false, "issuer_key": "", "hash": "d1babd3aa9eade49bf1aa2279af5f632967627815410f39e03f7a52e2d92098a"}
2022/01/26 21:16:33.324 DEBUG   tls.handshake   matched certificate in cache    {"subjects": ["*.honeystalk.io", "honeystalk.io"], "managed": false, "expiration": "2022/09/13 23:59:59.000", "hash": "d1babd3aa9eade49bf1aa2279af5f632967627815410f39e03f7a52e2d92098a"}
2022/01/26 21:16:33.397 DEBUG   http.handlers.rewrite   rewrote request {"request": {"remote_addr": "", "proto": "HTTP/2.0", "method": "GET", "host": "honeystalk.io", "uri": "/api/v2/domaincheck?domain=pm0.11bricks.com", "headers": {"Accept-Encoding": ["gzip"], "User-Agent": ["Go-http-client/2.0"]}, "tls": {"resumed": false, "version": 772, "cipher_suite": 4867, "proto": "h2", "proto_mutual": true, "server_name": "honeystalk.io"}}, "method": "GET", "uri": "/index.cfm?domain=pm0.11bricks.com&path=%2Fapi%2Fv2%2Fdomaincheck"}
2022/01/26 21:16:33.398 DEBUG   http.handlers.rewrite   rewrote request {"request": {"remote_addr": "", "proto": "HTTP/2.0", "method": "GET", "host": "honeystalk.io", "uri": "/index.cfm?domain=pm0.11bricks.com&path=%2Fapi%2Fv2%2Fdomaincheck", "headers": {"Accept-Encoding": ["gzip"], "User-Agent": ["Go-http-client/2.0"]}, "tls": {"resumed": false, "version": 772, "cipher_suite": 4867, "proto": "h2", "proto_mutual": true, "server_name": "honeystalk.io"}}, "method": "GET", "uri": "/index.cfm?sub=&domain=pm0.11bricks.com&path=%2Fapi%2Fv2%2Fdomaincheck"}
2022/01/26 21:16:33.403 DEBUG   http.handlers.reverse_proxy     upstream roundtrip      {"upstream": "", "duration": 0.0019116, "request": {"remote_addr": "", "proto": "HTTP/2.0", "method": "GET", "host": "honeystalk.io", "uri": "/index.cfm?sub=&domain=pm0.11bricks.com&path=%2Fapi%2Fv2%2Fdomaincheck", "headers": {"X-Forwarded-Host": ["honeystalk.io"], "Accept-Encoding": ["gzip"], "User-Agent": ["Go-http-client/2.0"], "X-Forwarded-For": [""], "X-Forwarded-Proto": ["https"]}, "tls": {"resumed": false, "version": 772, "cipher_suite": 4867, "proto": "h2", "proto_mutual": true, "server_name": "honeystalk.io"}}, "headers": {"Content-Length": ["81"], "Date": ["Wed, 26 Jan 2022 21:16:33 GMT"], "Set-Cookie": ["CFID=9f8d7feb-2ea6-48c1-bb35-8c1bd893ab09;Path=/", "CFTOKEN=0;Path=/"], "P3p": ["CP=\"CAO PSA OUR\""], "X-Frame-Options": ["SAMEORIGIN"], "Access-Control-Allow-Origin": ["*"], "Content-Type": ["application/json;charset=UTF-8"]}, "status": 401}
2022/01/26 21:16:33.415 DEBUG   http.stdlib     http: TLS handshake error from certificate for hostname 'pm0.11bricks.com' not allowed; non-2xx status code 401 returned from https://honeystalk.io/api/v2/domaincheck

This is the problem. You didn’t tell Caddy that it’s allowed to get a certificate for that domain name!

Yes, you are absolutely correct. We had a security check not to allow any calls to the api w/out the api_key. So I had to add a provision for the domaincheck to be allowed! It worked like a charm after that!!!

Thank you!

1 Like

I have published a release for libdns/godaddy but when trying to register the package under my Caddy account I get this error

Sorry, something went wrong:

unable to scan modules in package github.com/caddy-dns/godaddy

Please include this error ID if reporting:

What am I doing wrong?

@artknight Here’s the error in the logs:

go get: github.com/caddy-dns/godaddy@v0.0.0-20220126162451-b1743d4d9669: parsing go.mod:
        module declares its path as: github.com/caddy-dns/caddy-godaddy
                but was required as: github.com/caddy-dns/godaddy

Make sure your go.mod file is correct

That is already fixed and the module is available!


@matt @francislavoie You guys have been amazingly awesome!!! Thank you so much for putting up with the slew of my questions!!! Not only I learned a lot, but I am now an active developer to the Caddy community :smiley:

As a token of my appreciation, I would like to invite you guys to use our Project Management tools at Cogency ( https://cogency.io ) FOR FREE FOREVER!!!

We offer real-time collaboration services with the highest focus on privacy ( nothing tracked, ever! )

  • HD Video Conferencing ( 256-bit end-to-end encryption )
  • Chat
  • Sketch ( whiteboarding )
  • Boards ( kanban-style task management )
  • Pages
  • S3 File Storage ( if you have an existing S3 account, you can use yours )

All these services will of course be UNLIMITED to you guys!!!

@matt @francislavoie Please reach out to me to get you setup right away!!!



Glad to help!

I don’t think I’d have use for such a product myself, honestly. For my day job we already have everything set up to our liking, and Github’s covers our needs for the Caddy project.

The best way to give thanks and support the project would be to sponsor Matt on Github, since he works on Caddy essentially full-time. I just volunteer, and I have my own full-time job that pays me well. I rather see money go Matt’s way so the project can stay alive as long as possible.

I am pretty sure github does not offer real-time collaborative whiteboarding, nor hd video conferencing! However, if you ever change your mind and want to give Cogency a try… you can always ping me. This offer does not expire!

This topic was automatically closed after 30 days. New replies are no longer allowed.