Using Cloudflare Origin Certificate and Lets encrypt side by side

1. Output of caddy version:

v2.6.2 h1:wKoFIxpmOJLGl3QXoo6PNbYvGW4xLEgo32GPBEjWL8o=

2. How I run Caddy:

a. System environment:

Ubuntu 22.04.1 LTS, 5.15.0-1017-raspi, aarch64
Caddy is running inside a docker container

b. Command:

docker-compose up -d

c. Service/unit/compose file:

version: "3.7"

    container_name: caddy
    image: caddy
      - "50404:80"
      - "60504:443"
      - "60504:443/udp"
      - ./Caddyfile:/etc/caddy/Caddyfile
      - ./site:/srv
      - ./data:/data
      - ./config:/config
    restart: unless-stopped

    name: testing
    external: true

d. My complete Caddy config:

(basic-auth) {
	basicauth {
		user hashed-password
} {
	tls /data/caddy/certificates/cert.pem /data/caddy/certificates/cert.key
	import basic-auth
} {
	tls /data/caddy/certificates/cert.pem /data/caddy/certificates/cert.key
	import basic-auth
} {
	import basic-auth

3. The problem I’m having:

I have some services running with a cloudflare origin certificate [,], and others with lets encrypt [].

I cant seem to run both. It works perfectly fine if i just run the ones with origin cert or just lets encrypt. When i include both, the origin cert ones work fine [family, port] but the lets encrypt [git] one shows up with a cloudflare ssl cert and since its using lets encrypt i get a “not secure, your connection is not private. The moment i remove port and family [CF] and keep git [lets encrypt] its back to normal with the correct ssl (lets encrypt)”

The first subdomain I added was “git” i was issued a lets encrypt cert. It worked, so then i decided to add more subdomains and after i added the ones using CF origin cert “port, family” its completely ignoring lets encrypt cert.

4. Error messages and/or full log output:

2022-10-30T05:36:58.483247791Z {"level":"info","ts":1667108218.4828503,"msg":"using provided configuration","config_file":"/etc/caddy/Caddyfile","config_adapter":"caddyfile"}

2022-10-30T05:36:58.491776969Z {"level":"info","ts":1667108218.491429,"logger":"admin","msg":"admin endpoint started","address":"localhost:2019","enforce_origin":false,"origins":["//[::1]:2019","//","//localhost:2019"]}

2022-10-30T05:36:58.492348369Z {"level":"info","ts":1667108218.4921145,"logger":"tls.cache.maintenance","msg":"started background certificate maintenance","cache":"0x400043ce70"}

2022-10-30T05:36:58.493530170Z {"level":"warn","ts":1667108218.493308,"logger":"tls","msg":"stapling OCSP","error":"no OCSP stapling for [cloudflare origin certificate *]: no URL to issuing certificate"}

2022-10-30T05:36:58.493738131Z {"level":"debug","ts":1667108218.493536,"logger":"events","msg":"event","name":"cached_unmanaged_cert","id":"4a6a28ef-43e0-42f9-b865-558546b7d009","origin":"tls","data":{"sans":["cloudflare origin certificate","*",""]}}

2022-10-30T05:36:58.493800130Z {"level":"debug","ts":1667108218.493613,"logger":"tls.cache","msg":"added certificate to cache","subjects":["cloudflare origin certificate","*",""],"expiration":2104022221,"managed":false,"issuer_key":"","hash":"fbf4dc799612924b5b6ff92bfe19404117e54d6431d2be5df05402d152657844","cache_size":1,"cache_capacity":10000}

2022-10-30T05:36:58.494228662Z {"level":"info","ts":1667108218.4940534,"logger":"http","msg":"skipping automatic certificate management because one or more matching certificates are already loaded","domain":"","server_name":"srv0"}

2022-10-30T05:36:58.494269884Z {"level":"info","ts":1667108218.4941003,"logger":"http","msg":"skipping automatic certificate management because one or more matching certificates are already loaded","domain":"","server_name":"srv0"}

2022-10-30T05:36:58.494295402Z {"level":"info","ts":1667108218.4941223,"logger":"http","msg":"skipping automatic certificate management because one or more matching certificates are already loaded","domain":"","server_name":"srv0"}

2022-10-30T05:36:58.494319050Z {"level":"info","ts":1667108218.49414,"logger":"http","msg":"enabling automatic HTTP->HTTPS redirects","server_name":"srv0"}

2022-10-30T05:36:58.496482358Z {"level":"info","ts":1667108218.4962194,"logger":"tls","msg":"cleaning storage unit","description":"FileStorage:/data/caddy"}

2022-10-30T05:36:58.496673837Z {"level":"info","ts":1667108218.4964697,"logger":"http","msg":"enabling HTTP/3 listener","addr":":443"}

2022-10-30T05:36:58.496996444Z {"level":"info","ts":1667108218.4968154,"msg":"failed to sufficiently increase receive buffer size (was: 208 kiB, wanted: 2048 kiB, got: 416 kiB). See for details."}

2022-10-30T05:36:58.497381107Z {"level":"debug","ts":1667108218.4971159,"logger":"http","msg":"starting server loop","address":"[::]:443","tls":true,"http3":true}

2022-10-30T05:36:58.497436365Z {"level":"info","ts":1667108218.4971695,"logger":"http.log","msg":"server running","name":"srv0","protocols":["h1","h2","h3"]}

2022-10-30T05:36:58.497733695Z {"level":"debug","ts":1667108218.4973693,"logger":"http","msg":"starting server loop","address":"[::]:80","tls":false,"http3":false}

2022-10-30T05:36:58.497817213Z {"level":"info","ts":1667108218.4974277,"logger":"http.log","msg":"server running","name":"remaining_auto_https_redirects","protocols":["h1","h2","h3"]}

2022-10-30T05:36:58.498290429Z {"level":"info","ts":1667108218.4980798,"msg":"autosaved config (load with --resume flag)","file":"/config/caddy/autosave.json"}

2022-10-30T05:36:58.498345429Z {"level":"info","ts":1667108218.49813,"msg":"serving initial configuration"}

2022-10-30T05:36:58.500632106Z {"level":"info","ts":1667108218.5001671,"logger":"tls","msg":"finished cleaning storage units"}

5. What I already tried:

Before i noticed i was still being issued a cloudflare cert for “git”:

  • I tried using zerossl instead of lets encrypt
  • tried switching the order of which subdomain was first incase that played a role (it did not)
  • tried setting email as a global flag instead of inside each subdomain

When i noticed i was being issued a cloudflare cert instead of the previous letsencrypt cert it had:

  • changed ssl mode on cloudflare (flexible, full, full strict)

Other things to note is on cloudflare i only have proxied enabled for the ones with origin cert. the “git” one is just dns since its suppose to be using lets encrypt. I was previously using npm with same setup (using both lets encrypt and origin cert for different services) and it worked fine but wanted to move over to caddy so i know it worked.

6. Links to relevant resources:

The problem is Cloudflare origin certs have a wildcard domain in the SAN field, so Caddy matches that cert in its cache for the other domain, preventing it from being managed with ACME.

You could use auto_https ignore_loaded_certs Global options (Caddyfile) — Caddy Documentation but that probably won’t have the intended effect either, because it’ll try to obtain a cert for all your domains listed in your config.

I’m not sure what the solution is, I’m not sure if there’s a way to do this in the Caddyfile (I may be wrong). But it definitely is possible to do via JSON config with TLS automation policies.

I think @matt should chime in here, he might know what to do.

This topic was automatically closed after 30 days. New replies are no longer allowed.