Unable to request certificate from lego behind caddy

1. The problem I’m having:

I am using Caddy as a reverse proxy for some sites I host on my server. I also run AdGuard Home on that server.

AdGuard Home needs a key and a certificate for DoT.

I was trying to use lego to grab a certificate for DoT, but I’m unable to get it working behind Caddy.

In general, I want to have a configuration that allows me to use lego whenever I want, but have Caddy manage any domains I explicitly configure in the Caddyfile, such as example.com, f.example.com, or dns.example.com (see Caddyfile below).

2. Error messages and/or full log output:

Jan 23 12:02:17 core.example.com systemd[1]: Starting caddy.service - Caddy...
Jan 23 12:02:17 core.example.com caddy[155161]: caddy.HomeDir=/var/lib/caddy
Jan 23 12:02:17 core.example.com caddy[155161]: caddy.AppDataDir=/var/lib/caddy/.local/share/caddy
Jan 23 12:02:17 core.example.com caddy[155161]: caddy.AppConfigDir=/var/lib/caddy/.config/caddy
Jan 23 12:02:17 core.example.com caddy[155161]: caddy.ConfigAutosavePath=/var/lib/caddy/.config/caddy/autosave.json
Jan 23 12:02:17 core.example.com caddy[155161]: caddy.Version=2.6.2
Jan 23 12:02:17 core.example.com caddy[155161]: runtime.GOOS=linux
Jan 23 12:02:17 core.example.com caddy[155161]: runtime.GOARCH=amd64
Jan 23 12:02:17 core.example.com caddy[155161]: runtime.Compiler=gc
Jan 23 12:02:17 core.example.com caddy[155161]: runtime.NumCPU=4
Jan 23 12:02:17 core.example.com caddy[155161]: runtime.GOMAXPROCS=4
Jan 23 12:02:17 core.example.com caddy[155161]: runtime.Version=go1.22.2
Jan 23 12:02:17 core.example.com caddy[155161]: os.Getwd=/
Jan 23 12:02:17 core.example.com caddy[155161]: LANG=en_US.UTF-8
Jan 23 12:02:17 core.example.com caddy[155161]: PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/snap/bin
Jan 23 12:02:17 core.example.com caddy[155161]: NOTIFY_SOCKET=/run/systemd/notify
Jan 23 12:02:17 core.example.com caddy[155161]: USER=caddy
Jan 23 12:02:17 core.example.com caddy[155161]: LOGNAME=caddy
Jan 23 12:02:17 core.example.com caddy[155161]: HOME=/var/lib/caddy
Jan 23 12:02:17 core.example.com caddy[155161]: INVOCATION_ID=7e19a16603384c66ae6af57e8e856258
Jan 23 12:02:17 core.example.com caddy[155161]: JOURNAL_STREAM=8:2462084
Jan 23 12:02:17 core.example.com caddy[155161]: SYSTEMD_EXEC_PID=155161
Jan 23 12:02:17 core.example.com caddy[155161]: MEMORY_PRESSURE_WATCH=/sys/fs/cgroup/system.slice/caddy.service/memory.pressure
Jan 23 12:02:17 core.example.com caddy[155161]: MEMORY_PRESSURE_WRITE=c29tZSAyMDAwMDAgMjAwMDAwMAA=
Jan 23 12:02:17 core.example.com caddy[155161]: {"level":"info","ts":1769166137.9191022,"msg":"using provided configuration","config_file":"/etc/caddy/Caddyfile","config_adapter":""}
Jan 23 12:02:17 core.example.com caddy[155161]: {"level":"warn","ts":1769166137.9239826,"msg":"Caddyfile input is not formatted; run the 'caddy fmt' command to fix inconsistencies","adapter":"caddyfile","file":"/etc/caddy/Caddyfile","line":2}
Jan 23 12:02:17 core.example.com caddy[155161]: {"level":"info","ts":1769166137.9267025,"logger":"admin","msg":"admin endpoint started","address":"localhost:2019","enforce_origin":false,"origins":["//localhost:2019","//[::1]:2019","//127.0.0.1:2019"]}
Jan 23 12:02:17 core.example.com caddy[155161]: {"level":"info","ts":1769166137.9271216,"logger":"http","msg":"server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS","server_name":"srv0","https_port":443}
Jan 23 12:02:17 core.example.com caddy[155161]: {"level":"info","ts":1769166137.92724,"logger":"http","msg":"enabling automatic HTTP->HTTPS redirects","server_name":"srv0"}
Jan 23 12:02:17 core.example.com caddy[155161]: {"level":"warn","ts":1769166137.927284,"logger":"http","msg":"server is listening only on the HTTP port, so no automatic HTTPS will be applied to this server","server_name":"srv1","http_port":80}
Jan 23 12:02:17 core.example.com caddy[155161]: {"level":"info","ts":1769166137.9274445,"logger":"tls.cache.maintenance","msg":"started background certificate maintenance","cache":"0xc000217c00"}
Jan 23 12:02:17 core.example.com caddy[155161]: {"level":"info","ts":1769166137.9284868,"logger":"tls","msg":"cleaning storage unit","description":"FileStorage:/var/lib/caddy/.local/share/caddy"}
Jan 23 12:02:17 core.example.com caddy[155161]: {"level":"info","ts":1769166137.9285886,"logger":"http","msg":"enabling HTTP/3 listener","addr":":443"}
Jan 23 12:02:17 core.example.com caddy[155161]: {"level":"info","ts":1769166137.9287965,"msg":"failed to sufficiently increase receive buffer size (was: 208 kiB, wanted: 2048 kiB, got: 416 kiB). See https://github.com/quic-go/quic-go/wiki/UDP-Buffer-Sizes for details."}
Jan 23 12:02:17 core.example.com caddy[155161]: {"level":"debug","ts":1769166137.9291906,"logger":"http","msg":"starting server loop","address":"[::]:443","tls":true,"http3":true}
Jan 23 12:02:17 core.example.com caddy[155161]: {"level":"info","ts":1769166137.9292152,"logger":"http.log","msg":"server running","name":"srv0","protocols":["h1","h2","h3"]}
Jan 23 12:02:17 core.example.com caddy[155161]: {"level":"debug","ts":1769166137.9293041,"logger":"http","msg":"starting server loop","address":"[::]:80","tls":false,"http3":false}
Jan 23 12:02:17 core.example.com caddy[155161]: {"level":"info","ts":1769166137.9293187,"logger":"http.log","msg":"server running","name":"srv1","protocols":["h1","h2","h3"]}
Jan 23 12:02:17 core.example.com caddy[155161]: {"level":"info","ts":1769166137.9293327,"logger":"http","msg":"enabling automatic TLS certificate management","domains":["example.com","*.example.com","dns.example.com","f.example.com"]}
Jan 23 12:02:17 core.example.com caddy[155161]: {"level":"debug","ts":1769166137.9316947,"logger":"tls","msg":"loading managed certificate","domain":"example.com","expiration":1776544834,"issuer_key":"acme-v02.api.letsencrypt.org-directory","storage":"FileStorage:/var/lib/caddy/.local/share/caddy"}
Jan 23 12:02:17 core.example.com caddy[155161]: {"level":"warn","ts":1769166137.934822,"logger":"tls","msg":"stapling OCSP","error":"no OCSP stapling for [example.com]: no OCSP server specified in certificate","identifiers":["example.com"]}
Jan 23 12:02:17 core.example.com caddy[155161]: {"level":"debug","ts":1769166137.9348922,"logger":"tls.cache","msg":"added certificate to cache","subjects":["example.com"],"expiration":1776544834,"managed":true,"issuer_key":"acme-v02.api.letsencrypt.org-directory","hash":"14036ae491283a8fdb774edd35f35f31b62e0b1352ef30769def6987ff584064","cache_size":1,"cache_capacity":10000}
Jan 23 12:02:17 core.example.com caddy[155161]: {"level":"debug","ts":1769166137.934966,"logger":"events","msg":"event","name":"cached_managed_cert","id":"2c37c715-6b67-4e14-9fe4-6f3d85de1997","origin":"tls","data":{"sans":["example.com"]}}
Jan 23 12:02:17 core.example.com caddy[155161]: {"level":"info","ts":1769166137.9356642,"logger":"tls","msg":"finished cleaning storage units"}
Jan 23 12:02:17 core.example.com caddy[155161]: {"level":"debug","ts":1769166137.9359646,"logger":"tls","msg":"loading managed certificate","domain":"dns.example.com","expiration":1776620331,"issuer_key":"acme-v02.api.letsencrypt.org-directory","storage":"FileStorage:/var/lib/caddy/.local/share/caddy"}
Jan 23 12:02:17 core.example.com caddy[155161]: {"level":"warn","ts":1769166137.9363623,"logger":"tls","msg":"stapling OCSP","error":"no OCSP stapling for [dns.example.com]: no OCSP server specified in certificate","identifiers":["dns.example.com"]}
Jan 23 12:02:17 core.example.com caddy[155161]: {"level":"debug","ts":1769166137.9363837,"logger":"tls.cache","msg":"added certificate to cache","subjects":["dns.example.com"],"expiration":1776620331,"managed":true,"issuer_key":"acme-v02.api.letsencrypt.org-directory","hash":"1db6de8517d3d3c2ea91a1771060412de08c17f117efcf3771919ae0e7fd6842","cache_size":2,"cache_capacity":10000}
Jan 23 12:02:17 core.example.com caddy[155161]: {"level":"debug","ts":1769166137.9364042,"logger":"events","msg":"event","name":"cached_managed_cert","id":"8762b1af-8d15-4ff9-b91f-562c8408c728","origin":"tls","data":{"sans":["dns.example.com"]}}
Jan 23 12:02:17 core.example.com caddy[155161]: {"level":"info","ts":1769166137.9365988,"logger":"tls.obtain","msg":"acquiring lock","identifier":"*.example.com"}
Jan 23 12:02:17 core.example.com caddy[155161]: {"level":"debug","ts":1769166137.9368062,"logger":"tls","msg":"loading managed certificate","domain":"f.example.com","expiration":1776544854,"issuer_key":"acme-v02.api.letsencrypt.org-directory","storage":"FileStorage:/var/lib/caddy/.local/share/caddy"}
Jan 23 12:02:17 core.example.com caddy[155161]: {"level":"warn","ts":1769166137.9372325,"logger":"tls","msg":"stapling OCSP","error":"no OCSP stapling for [f.example.com]: no OCSP server specified in certificate","identifiers":["f.example.com"]}
Jan 23 12:02:17 core.example.com caddy[155161]: {"level":"debug","ts":1769166137.9372518,"logger":"tls.cache","msg":"added certificate to cache","subjects":["f.example.com"],"expiration":1776544854,"managed":true,"issuer_key":"acme-v02.api.letsencrypt.org-directory","hash":"d040489db80d99e339ec9a5a34e8658de924740311094a8746de6a7235df754a","cache_size":3,"cache_capacity":10000}
Jan 23 12:02:17 core.example.com caddy[155161]: {"level":"debug","ts":1769166137.9372756,"logger":"events","msg":"event","name":"cached_managed_cert","id":"22d15d91-6bf6-47af-98de-a8b3d7b77e38","origin":"tls","data":{"sans":["f.example.com"]}}
Jan 23 12:02:17 core.example.com caddy[155161]: {"level":"info","ts":1769166137.9374704,"msg":"autosaved config (load with --resume flag)","file":"/var/lib/caddy/.config/caddy/autosave.json"}
Jan 23 12:02:17 core.example.com caddy[155161]: {"level":"info","ts":1769166137.9375615,"msg":"serving initial configuration"}
Jan 23 12:02:17 core.example.com systemd[1]: Started caddy.service - Caddy.
Jan 23 12:02:17 core.example.com caddy[155161]: {"level":"info","ts":1769166137.9405951,"logger":"tls.obtain","msg":"lock acquired","identifier":"*.example.com"}
Jan 23 12:02:17 core.example.com caddy[155161]: {"level":"info","ts":1769166137.9408414,"logger":"tls.obtain","msg":"obtaining certificate","identifier":"*.example.com"}
Jan 23 12:02:17 core.example.com caddy[155161]: {"level":"debug","ts":1769166137.9408863,"logger":"events","msg":"event","name":"cert_obtaining","id":"94d6cc6e-55d2-4b86-8a41-0736dea191ce","origin":"tls","data":{"identifier":"*.example.com"}}
Jan 23 12:02:17 core.example.com caddy[155161]: {"level":"debug","ts":1769166137.9413993,"logger":"tls.obtain","msg":"trying issuer 1/2","issuer":"acme-v02.api.letsencrypt.org-directory"}
Jan 23 12:02:17 core.example.com caddy[155161]: {"level":"info","ts":1769166137.9421415,"logger":"http","msg":"waiting on internal rate limiter","identifiers":["*.example.com"],"ca":"https://acme-v02.api.letsencrypt.org/directory","account":""}
Jan 23 12:02:17 core.example.com caddy[155161]: {"level":"info","ts":1769166137.9421725,"logger":"http","msg":"done waiting on internal rate limiter","identifiers":["*.example.com"],"ca":"https://acme-v02.api.letsencrypt.org/directory","account":""}
Jan 23 12:02:18 core.example.com caddy[155161]: {"level":"debug","ts":1769166138.9417853,"logger":"http.acme_client","msg":"no solver configured","challenge_type":"dns-01"}
Jan 23 12:02:19 core.example.com caddy[155161]: {"level":"error","ts":1769166139.1620011,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"*.example.com","issuer":"acme-v02.api.letsencrypt.org-directory","error":"[*.example.com] solving challenges: *.example.com: no solvers available for remaining challenges (configured=[http-01 tls-alpn-01] offered=[dns-01] remaining=[dns-01]) (order=https://acme-v02.api.letsencrypt.org/acme/order/2975634416/472583650916) (ca=https://acme-v02.api.letsencrypt.org/directory)"}
Jan 23 12:02:19 core.example.com caddy[155161]: {"level":"debug","ts":1769166139.1621015,"logger":"tls.obtain","msg":"trying issuer 2/2","issuer":"acme.zerossl.com-v2-DV90"}
Jan 23 12:02:19 core.example.com caddy[155161]: {"level":"warn","ts":1769166139.1626563,"logger":"http","msg":"missing email address for ZeroSSL; it is strongly recommended to set one for next time"}
Jan 23 12:02:19 core.example.com caddy[155161]: {"level":"error","ts":1769166139.7611926,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"*.example.com","issuer":"acme.zerossl.com-v2-DV90","error":"account pre-registration callback: failed getting EAB credentials: HTTP 422: caddy_legacy_user_removed (code 2977)"}
Jan 23 12:02:19 core.example.com caddy[155161]: {"level":"debug","ts":1769166139.7612793,"logger":"events","msg":"event","name":"cert_failed","id":"fdea2e12-5184-45ae-bf5b-f2924459ac6e","origin":"tls","data":{"error":{},"identifier":"*.example.com","issuers":["acme-v02.api.letsencrypt.org-directory","acme.zerossl.com-v2-DV90"],"renewal":false}}
Jan 23 12:02:19 core.example.com caddy[155161]: {"level":"error","ts":1769166139.7613177,"logger":"tls.obtain","msg":"will retry","error":"[*.example.com] Obtain: account pre-registration callback: failed getting EAB credentials: HTTP 422: caddy_legacy_user_removed (code 2977)","attempt":1,"retrying_in":60,"elapsed":1.820682398,"max_duration":2592000}
Jan 23 12:02:34 core.example.com caddy[155161]: {"level":"error","ts":1769166154.7773638,"logger":"http","msg":"looking up info for HTTP challenge","host":"dns.example.com","error":"no information found to solve challenge for identifier: dns.example.com"}
Jan 23 12:02:34 core.example.com caddy[155161]: {"level":"error","ts":1769166154.777491,"logger":"http","msg":"looking up info for HTTP challenge","host":"dns.example.com","error":"no information found to solve challenge for identifier: dns.example.com"}
Jan 23 12:02:34 core.example.com caddy[155161]: {"level":"debug","ts":1769166154.777559,"logger":"http.handlers.rewrite","msg":"rewrote request","request":{"remote_ip":"23.178.112.105","remote_port":"64183","proto":"HTTP/1.1","method":"GET","host":"dns.example.com","uri":"/.well-known/acme-challenge/Qr-02hfMKNjij8Z2slz3qdPv7GxXSJ7hunpTF2haqc8","headers":{"User-Agent":["Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"],"Accept":["*/*"],"Accept-Encoding":["gzip"],"Connection":["close"]}},"method":"GET","uri":"/Qr-02hfMKNjij8Z2slz3qdPv7GxXSJ7hunpTF2haqc8"}
Jan 23 12:02:34 core.example.com caddy[155161]: {"level":"debug","ts":1769166154.777743,"logger":"http.handlers.reverse_proxy","msg":"selected upstream","dial":"127.0.0.1:8004","total_upstreams":1}
Jan 23 12:02:34 core.example.com caddy[155161]: {"level":"debug","ts":1769166154.7792902,"logger":"http.handlers.reverse_proxy","msg":"upstream roundtrip","upstream":"127.0.0.1:8004","duration":0.001483406,"request":{"remote_ip":"23.178.112.105","remote_port":"64183","proto":"HTTP/1.1","method":"GET","host":"dns.example.com","uri":"/Qr-02hfMKNjij8Z2slz3qdPv7GxXSJ7hunpTF2haqc8","headers":{"Accept":["*/*"],"Accept-Encoding":["gzip"],"X-Forwarded-For":["23.178.112.105"],"User-Agent":["Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"],"X-Forwarded-Proto":["http"],"X-Forwarded-Host":["dns.example.com"]}},"headers":{"Content-Type":["text/plain; charset=utf-8"],"X-Content-Type-Options":["nosniff"],"Date":["Fri, 23 Jan 2026 11:02:34 GMT"],"Content-Length":["19"]},"status":404}
Jan 23 12:02:34 core.example.com caddy[155161]: {"level":"error","ts":1769166154.779561,"logger":"http.log.access","msg":"handled request","request":{"remote_ip":"23.178.112.105","remote_port":"64183","proto":"HTTP/1.1","method":"GET","host":"dns.example.com","uri":"/.well-known/acme-challenge/Qr-02hfMKNjij8Z2slz3qdPv7GxXSJ7hunpTF2haqc8","headers":{"Connection":["close"],"User-Agent":["Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"],"Accept":["*/*"],"Accept-Encoding":["gzip"]}},"user_id":"","duration":0.002344362,"size":19,"status":404,"resp_headers":{"Server":["Caddy"],"Content-Type":["text/plain; charset=utf-8"],"X-Content-Type-Options":["nosniff"],"Date":["Fri, 23 Jan 2026 11:02:34 GMT"],"Content-Length":["19"]}}
Jan 23 12:02:54 core.example.com caddy[155161]: {"level":"debug","ts":1769166174.2714694,"logger":"events","msg":"event","name":"tls_get_certificate","id":"dc3627b9-8842-424a-bcbb-e3471c17f049","origin":"tls","data":{"client_hello":{"CipherSuites":[49200,49196,49192,49188,49172,49162,163,159,107,106,57,56,136,135,49202,49198,49194,49190,49167,49157,157,61,53,132,49199,49195,49191,49187,49171,49161,162,158,103,64,51,50,154,153,69,68,49201,49197,49193,49189,49166,49156,156,60,47,150,65,49169,49159,49164,49154,5,4,49170,49160,22,19,49165,49155,10,255],"ServerName":"example.com","SupportedCurves":[23,25,28,27,24,26,22,14,13,11,12,9,10],"SupportedPoints":"AAEC","SignatureSchemes":[1537,1538,1539,1281,1282,1283,1025,1026,1027,769,770,771,513,514,515],"SupportedProtos":null,"SupportedVersions":[771,770,769],"Conn":{}}}}
Jan 23 12:02:54 core.example.com caddy[155161]: {"level":"debug","ts":1769166174.271825,"logger":"tls.handshake","msg":"choosing certificate","identifier":"example.com","num_choices":1}
Jan 23 12:02:54 core.example.com caddy[155161]: {"level":"debug","ts":1769166174.2718925,"logger":"tls.handshake","msg":"default certificate selection results","identifier":"example.com","subjects":["example.com"],"managed":true,"issuer_key":"acme-v02.api.letsencrypt.org-directory","hash":"14036ae491283a8fdb774edd35f35f31b62e0b1352ef30769def6987ff584064"}
Jan 23 12:02:54 core.example.com caddy[155161]: {"level":"debug","ts":1769166174.2719145,"logger":"tls.handshake","msg":"matched certificate in cache","remote_ip":"54.167.201.169","remote_port":"33518","subjects":["example.com"],"managed":true,"expiration":1776544834,"hash":"14036ae491283a8fdb774edd35f35f31b62e0b1352ef30769def6987ff584064"}
Jan 23 12:02:54 core.example.com caddy[155161]: {"level":"debug","ts":1769166174.691027,"logger":"http.handlers.reverse_proxy","msg":"selected upstream","dial":"127.0.0.1:8001","total_upstreams":1}
Jan 23 12:02:54 core.example.com caddy[155161]: {"level":"debug","ts":1769166174.7609746,"logger":"http.handlers.reverse_proxy","msg":"upstream roundtrip","upstream":"127.0.0.1:8001","duration":0.0698088,"request":{"remote_ip":"54.167.201.169","remote_port":"33518","proto":"HTTP/1.1","method":"GET","host":"example.com","uri":"/feed/","headers":{"Accept-Encoding":["gzip,deflate"],"X-Forwarded-Host":["example.com"],"Referer":["https://www.google.com/"],"If-Modified-Since":["Tue, 06 Dec 2022 13:08:00 GMT"],"Accept-Language":["en-US,en;q=0.8"],"If-None-Match":["\"9f5a402345d25a224a8632c9a67c9f19\""],"X-Forwarded-For":["54.167.201.169"],"X-Forwarded-Proto":["https"],"User-Agent":["Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.0.5 Safari/605.1.15"],"Cache-Control":["max-age=60"],"Accept":["text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"]},"tls":{"resumed":false,"version":771,"cipher_suite":49195,"proto":"","server_name":"example.com"}},"headers":{"Date":["Fri, 23 Jan 2026 11:02:54 GMT"],"Server":["Apache/2.4.66 (Debian)"],"X-Powered-By":["PHP/8.3.30"],"Last-Modified":["Tue, 06 Dec 2022 13:08:00 GMT"],"Etag":["\"9f5a402345d25a224a8632c9a67c9f19\""]},"status":304}
Jan 23 12:02:54 core.example.com caddy[155161]: {"level":"info","ts":1769166174.7612035,"logger":"http.log.access","msg":"handled request","request":{"remote_ip":"54.167.201.169","remote_port":"33518","proto":"HTTP/1.1","method":"GET","host":"example.com","uri":"/feed/","headers":{"If-None-Match":["\"9f5a402345d25a224a8632c9a67c9f19\""],"User-Agent":["Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.0.5 Safari/605.1.15"],"Referer":["https://www.google.com/"],"If-Modified-Since":["Tue, 06 Dec 2022 13:08:00 GMT"],"Accept-Language":["en-US,en;q=0.8"],"Accept-Encoding":["gzip,deflate"],"Cache-Control":["max-age=60"],"Accept":["text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"]},"tls":{"resumed":false,"version":771,"cipher_suite":49195,"proto":"","server_name":"example.com"}},"user_id":"","duration":0.070190833,"size":0,"status":304,"resp_headers":{"Server":["Caddy","Apache/2.4.66 (Debian)"],"Alt-Svc":["h3=\":443\"; ma=2592000"],"X-Powered-By":["PHP/8.3.30"],"Last-Modified":["Tue, 06 Dec 2022 13:08:00 GMT"],"Etag":["\"9f5a402345d25a224a8632c9a67c9f19\""],"Date":["Fri, 23 Jan 2026 11:02:54 GMT"]}}
Jan 23 12:02:55 core.example.com caddy[155161]: {"level":"debug","ts":1769166175.546776,"logger":"events","msg":"event","name":"tls_get_certificate","id":"091ce21f-b90e-4594-86fd-5ae50bc436fd","origin":"tls","data":{"client_hello":{"CipherSuites":[4865,4867,4866,49195,49199,52393,52392,49196,49200,49162,49161,49171,49172,156,157,47,53],"ServerName":"f.example.com","SupportedCurves":[4588,29,23,24,25,256,257],"SupportedPoints":"AA==","SignatureSchemes":[1027,1283,1539,2052,2053,2054,1025,1281,1537,515,513],"SupportedProtos":["h2","http/1.1"],"SupportedVersions":[772,771],"Conn":{}}}}
Jan 23 12:02:55 core.example.com caddy[155161]: {"level":"debug","ts":1769166175.546985,"logger":"tls.handshake","msg":"choosing certificate","identifier":"f.example.com","num_choices":1}
Jan 23 12:02:55 core.example.com caddy[155161]: {"level":"debug","ts":1769166175.5470116,"logger":"tls.handshake","msg":"default certificate selection results","identifier":"f.example.com","subjects":["f.example.com"],"managed":true,"issuer_key":"acme-v02.api.letsencrypt.org-directory","hash":"d040489db80d99e339ec9a5a34e8658de924740311094a8746de6a7235df754a"}
Jan 23 12:02:55 core.example.com caddy[155161]: {"level":"debug","ts":1769166175.5470307,"logger":"tls.handshake","msg":"matched certificate in cache","remote_ip":"176.199.23.21","remote_port":"60529","subjects":["f.example.com"],"managed":true,"expiration":1776544854,"hash":"d040489db80d99e339ec9a5a34e8658de924740311094a8746de6a7235df754a"}
Jan 23 12:02:55 core.example.com caddy[155161]: {"level":"debug","ts":1769166175.5784757,"logger":"http.handlers.reverse_proxy","msg":"selected upstream","dial":"127.0.0.1:8002","total_upstreams":1}
Jan 23 12:02:55 core.example.com caddy[155161]: {"level":"debug","ts":1769166175.6078722,"logger":"http.handlers.reverse_proxy","msg":"upstream roundtrip","upstream":"127.0.0.1:8002","duration":0.029285565,"request":{"remote_ip":"176.199.23.21","remote_port":"60529","proto":"HTTP/2.0","method":"POST","host":"f.example.com","uri":"/backend.php","headers":{"Sec-Fetch-Site":["same-origin"],"X-Forwarded-Proto":["https"],"Sec-Fetch-Mode":["cors"],"X-Requested-With":["XMLHttpRequest"],"Accept-Encoding":["gzip, deflate, br, zstd"],"Origin":["https://f.example.com"],"Cookie":[],"Sec-Fetch-Dest":["empty"],"Content-Type":["application/x-www-form-urlencoded"],"Content-Length":["72"],"User-Agent":["Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:147.0) Gecko/20100101 Firefox/147.0"],"Accept":["*/*"],"Dnt":["1"],"Accept-Language":["en-US,en;q=0.5"],"Te":["trailers"],"X-Forwarded-For":["176.199.23.21"],"X-Forwarded-Host":["f.example.com"]},"tls":{"resumed":false,"version":772,"cipher_suite":4865,"proto":"h2","server_name":"f.example.com"}},"headers":{"Content-Type":["text/json; charset=utf-8"],"X-Powered-By":["PHP/8.3.30"],"Cache-Control":["no-store, no-cache, must-revalidate"],"Pragma":["no-cache"],"Content-Length":["108"],"Date":["Fri, 23 Jan 2026 11:02:55 GMT"],"Server":["Apache/2.4.66 (Debian)"],"Set-Cookie":[],"Expires":["Thu, 19 Nov 1981 08:52:00 GMT"]},"status":200}
Jan 23 12:02:56 core.example.com caddy[155161]: {"level":"debug","ts":1769166176.5191672,"logger":"http.handlers.reverse_proxy","msg":"selected upstream","dial":"127.0.0.1:8002","total_upstreams":1}
Jan 23 12:02:56 core.example.com caddy[155161]: {"level":"debug","ts":1769166176.852185,"logger":"http.handlers.reverse_proxy","msg":"upstream roundtrip","upstream":"127.0.0.1:8002","duration":0.332850772,"request":{"remote_ip":"176.199.23.21","remote_port":"60529","proto":"HTTP/2.0","method":"POST","host":"f.example.com","uri":"/backend.php","headers":{"Sec-Fetch-Mode":["cors"],"Origin":["https://f.example.com"],"Te":["trailers"],"X-Forwarded-Host":["f.example.com"],"Content-Length":["114"],"Sec-Fetch-Dest":["empty"],"X-Forwarded-For":["176.199.23.21"],"X-Requested-With":["XMLHttpRequest"],"Cookie":[],"Accept-Encoding":["gzip, deflate, br, zstd"],"User-Agent":["Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:147.0) Gecko/20100101 Firefox/147.0"],"Accept-Language":["en-US,en;q=0.5"],"Accept":["*/*"],"Dnt":["1"],"X-Forwarded-Proto":["https"],"Content-Type":["application/x-www-form-urlencoded"],"Sec-Fetch-Site":["same-origin"]},"tls":{"resumed":false,"version":772,"cipher_suite":4865,"proto":"h2","server_name":"f.example.com"}},"headers":{"Date":["Fri, 23 Jan 2026 11:02:56 GMT"],"Server":["Apache/2.4.66 (Debian)"],"Pragma":["no-cache"],"Content-Type":["text/json; charset=utf-8"],"X-Powered-By":["PHP/8.3.30"],"Set-Cookie":[],"Expires":["Thu, 19 Nov 1981 08:52:00 GMT"],"Cache-Control":["no-store, no-cache, must-revalidate"]},"status":200}

Lego output:

wererolf@core:~$ sudo lego --accept-tos --email REDACTED --http --http.port :8004 --tls.port :4434 --domains dns.example.com run
2026/01/23 12:02:23 [INFO] [dns.example.com] acme: Obtaining bundled SAN certificate
2026/01/23 12:02:24 [INFO] [dns.example.com] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz/2990877636/647515271636
2026/01/23 12:02:24 [INFO] [dns.example.com] acme: Could not find solver for: tls-alpn-01
2026/01/23 12:02:24 [INFO] [dns.example.com] acme: use http-01 solver
2026/01/23 12:02:24 [INFO] [dns.example.com] acme: Trying to solve HTTP-01
2026/01/23 12:02:39 [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz/2990877636/647515271636
2026/01/23 12:02:39 Could not obtain certificates:
        error: one or more domains had a problem:
[dns.example.com] acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: REDACTED: Invalid response from http://dns.example.com/.well-known/acme-challenge/Qr-02hfMKNjij8Z2slz3qdPv7GxXSJ7hunpTF2haqc8: 404

3. Caddy version:

2.6.2

4. How I installed and ran Caddy:

apt install caddy

a. System environment:

Ubuntu 24.04.3 LTS

b. Command:

systemctl start caddy

c. Service/unit/compose file:


d. My complete Caddy config:

{
    debug
}

http://example.com, http://*.example.com {
    handle_path /.well-known/acme-challenge/* {
        reverse_proxy 127.0.0.1:8004
    }
    log
}

https://example.com, https://*.example.com {
    handle_path /.well-known/acme-challenge/* {
        reverse_proxy 127.0.0.1:4434
    }
    log
}

example.com {
    reverse_proxy 127.0.0.1:8001
}

f.example.com {
    rewrite /config* /
    rewrite /update_daemon2* /
    rewrite /update* /
    reverse_proxy 127.0.0.1:8002
}

dns.example.com {
    reverse_proxy 127.0.0.1:8003 {
        header_up X-Real-IP {remote_host}
    }
}

5. Links to relevant resources:

Any reason why you’re using

handle_path /.well-known/acme-challenge/*

instead of

handle /.well-known/acme-challenge/*

There’s a significant difference between those two.

1 Like

Welcome to our community… unfortunately you’ve redacted the domain names, which is against the rules (as mentioned quite loudly in the help template you filled out), because now we don’t have enough information to help you. Please restore the proper config and commands you ran so we can help you.

1 Like

Thanks for the welcome.

Just to clarify: I did not redact information in a way that removes technical context. Replacing a real domain with a placeholder like example.com is a common and accepted way to stay anonymous while preserving configuration structure and behaviour.

I’m not comfortable posting real domain names or other identifying details publicly. If there is specific information missing that is technically required to diagnose the issue (beyond the literal hostname), please point that out explicitly and I’ll be happy to provide an anonymised equivalent.

If the issue truly cannot be analysed without a real domain, I’d appreciate an explanation of why, since from my understanding nothing in this setup depends on the actual domain value.

Thanks for understanding.

Ignorance. I will have another look at this and see if that may be the cause of the issue. Thank you.

No worries, that was an honest question. A lot of people trim down their Caddyfile to what they see as the bare minimum before posting it here, but sometimes they end up stripping too much. I just wanted to make sure that wasn’t the case here.

Here’s a quick test based on your use case to show you the difference between handle_path and handle:

foo.example.com {
	tls internal

	handle_path /.well-known/acme-challenge/* {
		reverse_proxy 127.0.0.1:4434
	}
}

bar.example.com {
	tls internal

	handle /.well-known/acme-challenge/* {
		reverse_proxy 127.0.0.1:4434
	}
}

# Simulate LEGO
:4434 {
	respond "LEGO sees: {uri}"
}

Result:

$ curl https://foo.example.com/.well-known/acme-challenge/Qr-02hfMKNjij8Z2slz3qdPv7GxXSJ7hunpTF2haqc8
LEGO sees: /Qr-02hfMKNjij8Z2slz3qdPv7GxXSJ7hunpTF2haqc8

$ curl https://bar.example.com/.well-known/acme-challenge/Qr-02hfMKNjij8Z2slz3qdPv7GxXSJ7hunpTF2haqc8
LEGO sees: /.well-known/acme-challenge/Qr-02hfMKNjij8Z2slz3qdPv7GxXSJ7hunpTF2haqc8

So if LEGO expects to see the full path:

/.well-known/acme-challenge/Qr-02hfMKNjij8Z2slz3qdPv7GxXSJ7hunpTF2haqc8

then you’ll want to use handle instead of handle_path, since handle_path strips the matching prefix.

2 Likes
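To make the difference concrete end to end, here is a small Python model (added for this thread, not code from Caddy or lego) of an HTTP-01 responder sitting behind the two Caddy routes. The solver only answers at the full challenge URL, so a request whose prefix was stripped by handle_path gets the same 404 the logs show, while the handle route returns the key authorization. The JWK coordinates and the comparison logic are constructed placeholders; only the token is taken from the thread.

```python
"""Model of lego's HTTP-01 responder behind Caddy's handle vs handle_path.

Constructed example for this thread, not Caddy or lego code. It shows why a
request routed with `handle_path` (prefix stripped) gets a 404 from the
solver on 127.0.0.1:8004, while `handle` (path preserved) returns the key
authorization the CA expects (RFC 8555 section 8.3).
"""
import base64
import hashlib
import json

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"

# Token seen in the thread's logs.
TOKEN = "Qr-02hfMKNjij8Z2slz3qdPv7GxXSJ7hunpTF2haqc8"

# Constructed placeholder account key (not a real key); only its thumbprint matters here.
JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
    "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0",
}


def b64url(data: bytes) -> str:
    """Base64url without padding, as used throughout ACME."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the canonical JSON of the required members."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("ascii")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """Body the solver must serve: token '.' account-key thumbprint."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def http01_solver(path: str, token: str, jwk: dict) -> tuple[int, str]:
    """The solver listening on :8004 only knows the full challenge path."""
    if path == CHALLENGE_PREFIX + token:
        return 200, key_authorization(token, jwk)
    return 404, "404 page not found"


def caddy_route(uri: str, directive: str) -> str:
    """URI the upstream receives for matcher /.well-known/acme-challenge/*.

    `handle_path` strips the matched prefix (as the 'rewrote request' log line
    shows); `handle` forwards the URI unchanged.
    """
    if not uri.startswith(CHALLENGE_PREFIX):
        raise ValueError("not an ACME challenge request")
    if directive == "handle_path":
        return "/" + uri[len(CHALLENGE_PREFIX):]
    if directive == "handle":
        return uri
    raise ValueError(f"unknown directive {directive!r}")


def validate(token: str, jwk: dict, directive: str) -> tuple[int, bool]:
    """Simulate the CA: fetch through Caddy and compare to the expected key authorization."""
    upstream_uri = caddy_route(CHALLENGE_PREFIX + token, directive)
    status, body = http01_solver(upstream_uri, token, jwk)
    return status, status == 200 and body == key_authorization(token, jwk)


if __name__ == "__main__":
    for directive in ("handle_path", "handle"):
        print(directive, "->", validate(TOKEN, JWK, directive))
```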

The problem is we NEED that information because Caddy makes different decisions based on the actual values.

And we see that people often redact incorrectly, leading to wasted time anyway.

I am glad @timelordx was apparently able to help you; Caddy makes routing decisions that supersede configured routes depending on the hostname of the request versus what is in the configuration, so it matters sometimes.

1 Like