Using Caddy with Cloudflare for SaaS gives SSL Error

1. The problem I’m having:

Hi, I’m not sure this is the right place to post this because I think it’s a Cloudflare problem, but I see many posts here using the same Caddy + Cloudflare for SaaS setup, which is why I’m asking.

Anyway, I am running a Caddy server on ‘supa.blog’; it has SSL set up for both wildcard subdomains and the main domain (*.supa.blog and supa.blog).

I am using Cloudflare for SaaS to create custom hostnames for my customers and let them CNAME to a subdomain on my server.

2. Error messages and/or full log output:

Cloudflare successfully generates the certificate and custom hostname, but I get an SSL error.

I suspect this is because the SSL cert served from my custom hostname (blog.notodog.com) doesn’t have Subject Alternative Names for the actual CNAME-forwarded domain (*.supa.blog and supa.blog).

However, I am not sure how to add these SANs to the SSL cert Cloudflare generates for my Custom Hostname. It looks like this feature is only for enterprise customers, which doesn’t make much sense.

How are all the people using Cloudflare for SaaS serving their subdomains on customers’ custom domains if their SSL certificate doesn’t have SANs for their own app’s subdomains/domain?

Could someone point me in the right direction?

3. Caddy version:

Custom image of caddy-docker-proxy with xcaddy module for Cloudflare

4. How I installed and ran Caddy:

a. System environment:

Docker

b. Command:

I run it through docker compose.

c. Service/unit/compose file:

version: '3.9'
services:
  db:
    container_name: db
    image: postgres:latest
    restart: always
    expose:
      - 5432
    # Publishing 5432 maps it to a random host port; with the default
    # postgres/postgres credentials below this exposes the database to
    # anything that can reach the host. Drop `ports` unless external
    # access is actually needed (`expose` already covers the compose network).
    ports:
      - 5432
    environment:
      - POSTGRES_DB=supadb
      - POSTGRES_USER=postgres
      - POSTGRES_PASSWORD=postgres
    volumes:
      - './data/db:/var/lib/postgresql/data'
    networks:
      - djangonetwork

  nginx:
    image: jonasal/nginx-certbot:latest
    ports:
      - 80:80
      - 443:443
    depends_on:
      - web
    restart: always
    # `links` is a legacy option; services on the same network already
    # resolve each other by name.
    links:
      - web:web
    networks:
      - djangonetwork
    environment:
      - CERTBOT_EMAIL
    env_file:
      - ./nginx-certbot.env
    volumes:
      - ./conf.d:/etc/nginx/conf.d
      - ./nginx_secrets:/etc/letsencrypt
      - ./staticfiles:/staticfiles

  web:
    build: .
    command: sh -c "gunicorn notobackend.wsgi:application --bind 0.0.0.0:8000"
    restart: always
    # 8000 is published on the host as well as proxied by nginx, so the
    # app is reachable without going through the TLS-terminating proxy.
    ports:
      - "8000:8000"
    environment:
      - POSTGRES_DB=supadb
      - POSTGRES_USER=postgres
      - POSTGRES_PASSWORD=postgres
    networks:
      - djangonetwork
    depends_on:
      - db
    links:
      - db:db
    env_file:
      - .env

networks:
  djangonetwork:
    driver: bridge

volumes:
  nginx_secrets:
  static_volume:

They’re not using Cloudflare’s proxy, only for DNS.

Caddy can solve this for you with On-Demand TLS, but you need to point DNS to your server directly and not through Cloudflare.
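On-Demand TLS as suggested above should be paired with an `ask` endpoint, otherwise anyone who points a DNS record at your server can make Caddy request certificates for arbitrary names and exhaust your ACME rate limits. The following is an added example (not code from this thread or from the Caddy project) of such an endpoint in Python; the Caddyfile in the comment, the port 5555 and the customer hostname list are assumptions.

```python
# Added example: a minimal `ask` endpoint for Caddy On-Demand TLS.
# Caddy queries GET <ask URL>?domain=<hostname> before requesting a
# certificate and only proceeds on a 2xx response.
#
# Assumed Caddyfile (hypothetical, adjust to your own setup):
#
#   {
#       on_demand_tls {
#           ask http://127.0.0.1:5555/check
#       }
#   }
#   https:// {
#       tls {
#           on_demand
#       }
#       reverse_proxy web:8000
#   }
import re
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlparse

# Constructed sample allowlist; in production this is the set of custom
# hostnames your customers have registered (e.g. a lookup in your db).
CUSTOMER_HOSTNAMES = {"blog.notodog.com", "news.example.net"}

# Plain DNS hostnames only: rejects wildcards, IP literals and junk.
HOSTNAME_RE = re.compile(
    r"(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}"
)


def is_allowed_hostname(domain: str, allowed=CUSTOMER_HOSTNAMES) -> bool:
    """True only for a well-formed hostname that is explicitly registered."""
    name = domain.strip().lower().rstrip(".")
    if not HOSTNAME_RE.fullmatch(name):
        return False
    return name in allowed  # exact match; no suffix or wildcard matching


class AskHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        url = urlparse(self.path)
        domain = parse_qs(url.query).get("domain", [""])[0]
        ok = url.path == "/check" and is_allowed_hostname(domain)
        self.send_response(200 if ok else 403)
        self.end_headers()


if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 5555), AskHandler).serve_forever()
```

Keep the endpoint bound to localhost or an internal network; it only needs to be reachable by Caddy.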

Thank you, I disabled my proxy records in Cloudflare and configured my on_demand tls settings!

Works like a charm now.
