1. The problem I’m having:
I am tying to use ACME cert management to receive certificates from our company CA. The CA only works with HTTP challenges (at least that’s what my admin said, or rather our firewall rules only allow for that), so the TLS_ALPN challenges that Caddy attempts fail. I have disabled TLS_ALPN in my Caddyfile, but the server still attempts these challenges. This does sometimes get fixed by recreating the container, but not always, for some reason. Is there anything I’m doing wrong here?
2. Error messages and/or full log output:
caddy | {"level":"info","ts":1774965783.680951,"msg":"maxprocs: Leaving GOMAXPROCS=8: CPU quota undefined"}
caddy | {"level":"info","ts":1774965783.6809769,"msg":"GOMEMLIMIT is updated","GOMEMLIMIT":7450280755,"previous":9223372036854775807}
caddy | {"level":"info","ts":1774965783.6809819,"msg":"using config from file","file":"/etc/caddy/Caddyfile"}
caddy | {"level":"info","ts":1774965783.6809845,"msg":"adapted config to JSON","adapter":"caddyfile"}
caddy | {"level":"warn","ts":1774965783.680987,"msg":"Caddyfile input is not formatted; run 'caddy fmt --overwrite' to fix inconsistencies","adapter":"caddyfile","file":"/etc/caddy/Caddyfile","line":2}
caddy | {"level":"info","ts":1774965783.6876369,"logger":"admin","msg":"admin endpoint started","address":"localhost:2019","enforce_origin":false,"origins":["//localhost:2019","//[::1]:2019","//127.0.0.1:2019"]}
caddy | {"level":"info","ts":1774965783.6879334,"logger":"tls.cache.maintenance","msg":"started background certificate maintenance","cache":"0x1c86f42bc180"}
caddy | {"level":"info","ts":1774965783.68806,"logger":"http.auto_https","msg":"server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS","server_name":"srv0","https_port":443}
caddy | {"level":"info","ts":1774965783.6880844,"logger":"http.auto_https","msg":"enabling automatic HTTP->HTTPS redirects","server_name":"srv0"}
caddy | {"level":"debug","ts":1774965783.6881697,"logger":"http.auto_https","msg":"adjusted config","tls":{"automation":{"policies":[{"subjects":["report.company.intern"]},{}]}},"http":{"servers":{"remaining_auto_https_redirects":{"listen":[":80"],"routes":[{},{}]},"srv0":{"listen":[":443"],"routes":[{"handle":[{"handler":"subroute","routes":[{"handle":[{"handler":"reverse_proxy","upstreams":[{"dial":"overleaf:80"}]}]}]}],"terminal":true}],"tls_connection_policies":[{}],"automatic_https":{}}}}}
caddy | {"level":"debug","ts":1774965783.688447,"logger":"http","msg":"starting server loop","address":"0.0.0.0:443","tls":true,"http3":false}
caddy | {"level":"info","ts":1774965783.6884735,"logger":"http","msg":"enabling HTTP/3 listener","addr":":443"}
caddy | {"level":"info","ts":1774965783.6885831,"msg":"failed to sufficiently increase receive buffer size (was: 208 kiB, wanted: 7168 kiB, got: 416 kiB). See https://github.com/quic-go/quic-go/wiki/UDP-Buffer-Sizes for details."}
caddy | {"level":"info","ts":1774965783.6886995,"logger":"http.log","msg":"server running","name":"srv0","protocols":["h1","h2","h3"]}
caddy | {"level":"debug","ts":1774965783.68878,"logger":"http","msg":"starting server loop","address":"0.0.0.0:80","tls":false,"http3":false}
caddy | {"level":"warn","ts":1774965783.6887918,"logger":"http","msg":"HTTP/2 skipped because it requires TLS","network":"tcp","addr":":80"}
caddy | {"level":"warn","ts":1774965783.6887949,"logger":"http","msg":"HTTP/3 skipped because it requires TLS","network":"tcp","addr":":80"}
caddy | {"level":"info","ts":1774965783.6887975,"logger":"http.log","msg":"server running","name":"remaining_auto_https_redirects","protocols":["h1","h2","h3"]}
caddy | {"level":"info","ts":1774965783.6888013,"logger":"http","msg":"enabling automatic TLS certificate management","domains":["report.company.intern"]}
caddy | {"level":"debug","ts":1774965783.6892889,"logger":"tls","msg":"stapling OCSP","error":"no OCSP stapling for [report.company.intern]: no OCSP server specified in certificate","identifiers":["report.company.intern"]}
caddy | {"level":"debug","ts":1774965783.6893675,"logger":"tls.cache","msg":"added certificate to cache","subjects":["report.company.intern"],"expiration":1774951319,"managed":true,"issuer_key":"deglacme01.company.intern-acme-acme-directory","hash":"4dc98b19fd772fb1c2d8d8cbcafcd2223412fd1764684bb9b05d3427f6b3c476","cache_size":1,"cache_capacity":10000}
caddy | {"level":"debug","ts":1774965783.6893868,"logger":"events","msg":"event","name":"cached_managed_cert","id":"de06143f-524d-4c96-a484-e020280731c4","origin":"tls","data":{"sans":["report.company.intern"]}}
caddy | {"level":"debug","ts":1774965783.6894405,"logger":"events","msg":"event","name":"started","id":"8ce0723f-e8b3-4dfc-876a-e8dae5fbf64e","origin":"","data":null}
caddy | {"level":"info","ts":1774965783.6895244,"logger":"tls","msg":"certificate is in configured renewal window based on expiration date","subjects":["report.company.intern"],"expiration":1774951319,"ari_cert_id":"","next_ari_update":null,"renew_check_interval":600,"window_start":-6795364578.8713455,"window_end":-6795364578.8713455,"remaining":-14464.689523857}
caddy | {"level":"info","ts":1774965783.6896136,"msg":"autosaved config (load with --resume flag)","file":"/config/caddy/autosave.json"}
caddy | {"level":"info","ts":1774965783.6896217,"msg":"serving initial configuration"}
caddy | {"level":"info","ts":1774965783.6921117,"logger":"tls","msg":"storage cleaning happened too recently; skipping for now","storage":"FileStorage:/data/caddy","instance":"34537ac2-48f3-4563-bb87-e5426da4ebcf","try_again":1775052183.6921084,"try_again_in":86399.99999927}
caddy | {"level":"info","ts":1774965783.6922204,"logger":"tls","msg":"finished cleaning storage units"}
caddy | {"level":"info","ts":1774965783.694594,"logger":"tls.renew","msg":"acquiring lock","identifier":"report.company.intern"}
caddy | {"level":"info","ts":1774965783.697793,"logger":"tls.renew","msg":"lock acquired","identifier":"report.company.intern"}
caddy | {"level":"info","ts":1774965783.698719,"logger":"tls.renew","msg":"renewing certificate","identifier":"report.company.intern","remaining":-14464.698707913}
caddy | {"level":"debug","ts":1774965783.6987865,"logger":"events","msg":"event","name":"cert_obtaining","id":"88be8b4e-7964-4d63-a235-600a057ad522","origin":"tls","data":{"forced":false,"identifier":"report.company.intern","issuer":"deglacme01.company.intern-acme-acme-directory","remaining":-14464698707913,"renewal":true}}
caddy | {"level":"debug","ts":1774965783.6989105,"logger":"tls","msg":"created CSR","identifiers":["report.company.intern"],"san_dns_names":["report.company.intern"],"san_emails":[],"common_name":"","extra_extensions":0}
caddy | {"level":"debug","ts":1774965783.6997294,"logger":"http","msg":"using existing ACME account because key found in storage associated with email","email":"default","ca":"https://deglacme01.company.intern/acme/acme/directory"}
caddy | {"level":"debug","ts":1774965783.6999238,"logger":"http","msg":"using existing ACME account because key found in storage associated with email","email":"","ca":"https://deglacme01.company.intern/acme/acme/directory"}
caddy | {"level":"info","ts":1774965783.6999547,"logger":"http","msg":"waiting on internal rate limiter","identifiers":["report.company.intern"],"ca":"https://deglacme01.company.intern/acme/acme/directory","account":""}
caddy | {"level":"info","ts":1774965783.6999664,"logger":"http","msg":"done waiting on internal rate limiter","identifiers":["report.company.intern"],"ca":"https://deglacme01.company.intern/acme/acme/directory","account":""}
caddy | {"level":"info","ts":1774965783.6999757,"logger":"http","msg":"using ACME account","account_id":"https://deglacme01.company.intern/acme/acme/account/1hjKZTxmkDoErNrD9q8w46GdV4YmFQK7","account_contact":[]}
caddy | {"level":"debug","ts":1774965783.7124789,"msg":"http request","method":"GET","url":"https://deglacme01.company.intern/acme/acme/directory","headers":{"User-Agent":["Caddy/2.11.2 CertMagic acmez (linux; amd64)"]},"response_headers":{"Content-Length":["342"],"Content-Type":["application/json"],"Date":["Tue, 31 Mar 2026 14:03:03 GMT"],"X-Request-Id":["c16b7cf4-f92e-41a9-adbb-cfd09acfa78d"]},"status_code":200}
caddy | {"level":"debug","ts":1774965783.7126763,"msg":"creating order","account":"https://deglacme01.company.intern/acme/acme/account/1hjKZTxmkDoErNrD9q8w46GdV4YmFQK7","identifiers":["report.company.intern"]}
caddy | {"level":"debug","ts":1774965783.7166383,"msg":"http request","method":"HEAD","url":"https://deglacme01.company.intern/acme/acme/new-nonce","headers":{"User-Agent":["Caddy/2.11.2 CertMagic acmez (linux; amd64)"]},"response_headers":{"Cache-Control":["no-store"],"Date":["Tue, 31 Mar 2026 14:03:03 GMT"],"Link":["<https://deglacme01.company.intern/acme/acme/directory>;rel=\"index\""],"Replay-Nonce":["aXVLWUYweFQ3bDI2S0x5bkNoVWhIZ2ZLcFRpZjh2OHQ"],"X-Request-Id":["bc32241b-ba34-4d8f-8348-b8cd146850cf"]},"status_code":200}
caddy | {"level":"debug","ts":1774965783.7350113,"msg":"http request","method":"POST","url":"https://deglacme01.company.intern/acme/acme/new-order","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.11.2 CertMagic acmez (linux; amd64)"]},"response_headers":{"Cache-Control":["no-store"],"Content-Length":["432"],"Content-Type":["application/json"],"Date":["Tue, 31 Mar 2026 14:03:03 GMT"],"Link":["<https://deglacme01.company.intern/acme/acme/directory>;rel=\"index\""],"Location":["https://deglacme01.company.intern/acme/acme/order/1TBW16qBTIguMdEkbLffj8FRnEvCmy43"],"Replay-Nonce":["dU83QnpxSmtVamhmSDlqVVVnUFNxNHNvYkRMSWVhV2E"],"X-Request-Id":["3bdf0751-5848-489b-9c1e-e0f58c6274c7"]},"status_code":201}
caddy | {"level":"debug","ts":1774965783.7417023,"msg":"http request","method":"POST","url":"https://deglacme01.company.intern/acme/acme/authz/G6i1Q1JQ5uTXbAxI2uqueQWOChxz3wEP","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.11.2 CertMagic acmez (linux; amd64)"]},"response_headers":{"Cache-Control":["no-store"],"Content-Length":["772"],"Content-Type":["application/json"],"Date":["Tue, 31 Mar 2026 14:03:03 GMT"],"Link":["<https://deglacme01.company.intern/acme/acme/directory>;rel=\"index\""],"Location":["https://deglacme01.company.intern/acme/acme/authz/G6i1Q1JQ5uTXbAxI2uqueQWOChxz3wEP"],"Replay-Nonce":["SWMwQlRLWXRXZkNxSG5PMjBrUW1YeUtJOEZ0bEhpTFE"],"X-Request-Id":["480e9067-7b11-453b-bdfc-60b07a05bde8"]},"status_code":200}
caddy | {"level":"info","ts":1774965783.7420483,"msg":"trying to solve challenge","identifier":"report.company.intern","challenge_type":"tls-alpn-01","ca":"https://deglacme01.company.intern/acme/acme/directory"}
caddy | {"level":"debug","ts":1774965783.74567,"msg":"waiting for solver before continuing","identifier":"report.company.intern","challenge_type":"tls-alpn-01"}
caddy | {"level":"debug","ts":1774965783.745697,"msg":"done waiting for solver","identifier":"report.company.intern","challenge_type":"tls-alpn-01"}
caddy | {"level":"debug","ts":1774965783.7459073,"logger":"http.stdlib","msg":"http: TLS handshake error from 127.0.0.1:44208: EOF"}
caddy | {"level":"debug","ts":1774965795.2348738,"logger":"events","msg":"event","name":"tls_get_certificate","id":"f86f5a3e-748a-4a8b-9559-e537937cf117","origin":"tls","data":{"client_hello":{"CipherSuites":[4866,4867,4865,49196,49200,159,52393,52392,52394,49195,49199,158,49188,49192,107,49187,49191,103,49162,49172,57,49161,49171,51,157,156,61,60,53,47,255],"ServerName":"10.10.5.22","SupportedCurves":[29,23,30,25,24,256,257,258,259,260],"SupportedPoints":"AAEC","SignatureSchemes":[1027,1283,1539,2055,2056,2057,2058,2059,2052,2053,2054,1025,1281,1537,771,769,770,1026,1282,1538],"SupportedProtos":null,"SupportedVersions":[772,771,770,769],"RemoteAddr":{"IP":"172.16.99.47","Port":46108,"Zone":""},"LocalAddr":{"IP":"172.16.99.47","Port":443,"Zone":""}}}}
caddy | {"level":"debug","ts":1774965795.2350957,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"10.10.5.22"}
caddy | {"level":"debug","ts":1774965795.2351027,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"*.10.5.22"}
caddy | {"level":"debug","ts":1774965795.2351072,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"*.*.5.22"}
caddy | {"level":"debug","ts":1774965795.2351115,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"*.*.*.22"}
caddy | {"level":"debug","ts":1774965795.2351155,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"*.*.*.*"}
caddy | {"level":"debug","ts":1774965795.2351613,"logger":"tls.handshake","msg":"no certificate matching TLS ClientHello","remote_ip":"172.16.99.47","remote_port":"46108","server_name":"10.10.5.22","remote":"172.16.99.47:46108","identifier":"10.10.5.22","cipher_suites":[4866,4867,4865,49196,49200,159,52393,52392,52394,49195,49199,158,49188,49192,107,49187,49191,103,49162,49172,57,49161,49171,51,157,156,61,60,53,47,255],"cert_cache_fill":0.0001,"load_or_obtain_if_necessary":true,"on_demand":false}
caddy | {"level":"debug","ts":1774965795.2352383,"logger":"http.stdlib","msg":"http: TLS handshake error from 172.16.99.47:46108: no certificate available for '10.10.5.22'"}
3. Caddy version:
v2.11.2 h1:iOlpsSiSKqEW+SIXrcZsZ/NO74SzB/ycqqvAIEfIm64=
4. How I installed and ran Caddy:
a. System environment:
Rootless Podman Compose
b. Command:
podman compose up -d
c. Service/unit/compose file:
services:
caddy:
image: docker.io/caddy:2.11
restart: always
ports:
- "80:80"
- "443:443"
- "443:443/udp"
volumes:
- ./Caddyfile:/etc/caddy/Caddyfile
- /usr/local/share/ca-certificates/company_root2.crt:/etc/certs/company_root2.crt:ro
- caddy_data:/data
- caddy_config:/config
networks:
- overleaf-net
container_name: caddy
overleaf:
restart: always
image: registry.deglgit01.company.intern/overleaf/overleaf-cep:${OVERLEAF_IMAGE_TAG:-latest}
container_name: overleaf
depends_on:
mongo:
condition: service_healthy
redis:
condition: service_started
stop_grace_period: 60s
volumes:
- ./server/overleaf_data:/var/lib/overleaf
- ./certs/company_certs.crt:/data/certs/company_certs.crt
env_file:
- ./server/variables.env
networks:
- overleaf-net
mongo:
restart: always
image: docker.io/mongo:8.0
container_name: mongo
command: "--replSet overleaf"
expose:
- 27017
ports:
#- 127.0.0.1:27017:27017
- 27017:27017
volumes:
- "./server/mongo_data:/data/db"
healthcheck:
# test: 'true'
test: echo 'db.stats().ok' | mongosh localhost:27017/test --quiet
interval: 10s
timeout: 10s
retries: 5
networks:
- overleaf-net
redis:
restart: always
image: docker.io/redis:7.4
container_name: redis
expose:
- 6379
ports:
#- 127.0.0.1:6379:6379
- 6379:6379
volumes:
- ./server/redis_data:/data
networks:
- overleaf-net
networks:
overleaf-net:
ipam:
driver: default
config:
- subnet: "172.16.99.0/25"
name: "overleaf-net"
volumes:
caddy_data:
caddy_config:
d. My complete Caddy config:
{
cert_issuer acme {
disable_tlsalpn_challenge
}
debug
}
report.company.intern {
tls {
ca https://deglacme01.company.intern/acme/acme/directory
ca_root /etc/certs/company_root2.crt
}
reverse_proxy overleaf:80
}
My autosave.json from the container:
{"apps":{"http":{"servers":{"srv0":{"listen":[":443"],"routes":[{"handle":[{"handler":"subroute","routes":[{"handle":[{"handler":"reverse_proxy","upstreams":[{"dial":"overleaf:80"}]}]}]}],"match":[{"host":["report.company.intern"]}],"terminal":true}]}}},"tls":{"automation":{"policies":[{"issuers":[{"ca":"https://deglacme01.company.intern/acme/acme/directory","module":"acme","trusted_roots_pem_files":["/etc/certs/company_root2.crt"]}],"subjects":["report.company.intern"]},{"issuers":[{"challenges":{"tls-alpn":{"disabled":true}},"module":"acme"}]}]}}},"logging":{"logs":{"default":{"level":"DEBUG"}}}}
5. Links to relevant resources:
I did follow this post, but that didn’t solve it for me.