Hopefully you all can help!

I’ve been to hundreds of threads over the last few days trying to puzzle this out, with no luck.

The problem:

  1. Caddy v2 with acme HTTP-1 ACME challenge (Changed from TLS-ALPN challenge)
  2. Cloudflair DNS with proxy ON
  3. All cloudflair https is off
  4. This is a .co domain

Any attempt to get certificates fails with an invalid challenge response. If I try and navigate (or curl) to the challenge directly I always get SSL validation errors as if all the requests are trying to upgrade to HTTPS.

I’m kind of at my wit’s end here and am running out of things to try.

If I turn Cloud flare proxy off and go back to TLS-ALPN challenge, everything works as expected. However I do not wish to expose myself directly and want to use the proxy.

What should I be doing?


I have now solved this by using Cloudflair DNS ACME challenge. Cloudflair SSL turned back on. Everything works as expected now, I can have external clients terminate SSL at cloudflair, cloudflair communicate with my proxy through HTTPS, and have internal clients terminate SSL at caddy.

  • just_another_person@lemmy.world
    link
    fedilink
    English
    arrow-up
    4
    arrow-down
    1
    ·
    edit-2
    2 months ago

    Having an HTTPS enabled server behind a proxy means the server is connecting with the proxy endpoint. That’s not how HTTPS works. If you want HTTPS enabled for a server BEHIND a proxy, you would do it at the original hand off (forward proxy), in this case meaning the Cloudflare proxy that clients connect to.

    You’re seeing the errors because the proxy backend is being told to speak HTTPS with Caddy, and it doesn’t work like that.

    • douglasg14b@lemmy.worldOP
      link
      fedilink
      English
      arrow-up
      1
      ·
      edit-2
      2 months ago

      I am doing SSL termination at the handoff which is the caddy proxy. My internal servers have their SSL terminated at caddy, my traffic does not go to the internet… It loops back from my router to my internal Network.

      However DNS still needs to have subdomains in order to get those certificates, this cloudflair DNS. I do not want my IP to be associated with the subdomains, thus exposing it, therefore cloudflair proxy.

      You’re seeing the errors because the proxy backend is being told to speak HTTPS with Caddy, and it doesn’t work like that.

      You can have SSL termination at multiple points. Cloudflare can do SSL termination and Cloudflair can also connect to your proxy which also has SSL termination. This is allowed, this works, I have services that do this already. You can have SSL termination at every hop if you want, with different certificates.

      That said, I have cloudflair SSL off, as stated in the OP. Cloudflare is not providing a cert, nor is it trying to communicate with my proxy via HTTPS.

      Contrary to your statement about this not working that way, cloudflair has no issues proxying to my proxy where I already have valid certs. Or even self signed ones, or even no certs. The only thing that doesn’t work is the ACME challenge…


      Edit: I have now solved this by using Cloudflair DNS ACME challenge. Cloudflair SSL turned back on. Everything works as expected now, I can have external clients terminate SSL at cloudflair, cloudflair communicate with my proxy through HTTPS, and have internal clients terminate SSL at caddy.

      • just_another_person@lemmy.world
        link
        fedilink
        English
        arrow-up
        1
        ·
        edit-2
        2 months ago

        Yeah…I’m not sure where you’re confused, but that’s what I said. You can’t have: Client > HTTP Proxy > HTTPS endpoint. It doesn’t work that way. Enabling TLS on the forward proxy where the client makes the initial request fixes this…which is what I explained.

  • Cyberflunk@lemmy.world
    link
    fedilink
    English
    arrow-up
    2
    arrow-down
    2
    ·
    2 months ago

    In this episode of “Doing everything the hardest way possible.”

    Cloudflare has SSL, y u need mo?

    • Akinzekeel@lemmy.world
      link
      fedilink
      English
      arrow-up
      2
      ·
      2 months ago

      Can’t speak for OP but I was also attempting this and couldn’t get it working. My use case is that CF tunnels make multiple of my self hosted services available on the Internet via HTTPS and without directly exposing my home IP.

      It does however mean that even when I use a service on my home network, everything is being proxied through CF which makes things much slower than they need to be 90% of the time. So my idea is to use caddy in parallel to CF and have a local DNS server point to my homelab, thereby circumventing the proxy whenever I’m on my home network.

      But like I said I could not get this working just yet.

      • mik@sh.itjust.works
        link
        fedilink
        English
        arrow-up
        2
        ·
        2 months ago

        I run the setup you’re aiming for, and as the other guy said, DNS challenge is the way to go. That’s what I do, and it works beautifully. It even works with Caddy auto-https, you just need to build Caddy with the cloudflare-dns plugin.

    • douglasg14b@lemmy.worldOP
      link
      fedilink
      English
      arrow-up
      1
      ·
      edit-2
      2 months ago

      Because the majority of my traffic and services are internal with internal DNS? And I want valid HTTPS certs for them, without exposing my IP in the DNS for those A records.

      If I don’t care about leaking my IP in my a records then this is pretty easy. However I don’t want to do this for various reasons. One of those being that I engage in security related activities and have no desire to put myself at risk by leaking.

      Even services that I exposed to the internet I still don’t want to have my local network traffic go to the internet and back when there is no need for that. SSL termination at my own internal proxy solves that problem.

      I now have this working by using the cloudflare DNS ACME challenge. Those services which I exposed to the internet cloudflare is providing https termination for, cloudflare is then communicating with my proxy which also provides https termination. My internal communication with those services is terminated at my proxy.