Hopefully you all can help!
I’ve been to hundreds of threads over the last few days trying to puzzle this out, with no luck.
The problem:
- Caddy v2 with acme HTTP-1 ACME challenge (Changed from TLS-ALPN challenge)
- Cloudflair DNS with proxy ON
- All cloudflair https is off
- This is a .co domain
Any attempt to get certificates fails with an invalid challenge response. If I try and navigate (or curl) to the challenge directly I always get SSL validation errors as if all the requests are trying to upgrade to HTTPS.
I’m kind of at my wit’s end here and am running out of things to try.
If I turn Cloud flare proxy off and go back to TLS-ALPN challenge, everything works as expected. However I do not wish to expose myself directly and want to use the proxy.
What should I be doing?
I have now solved this by using Cloudflair DNS ACME challenge. Cloudflair SSL turned back on. Everything works as expected now, I can have external clients terminate SSL at cloudflair, cloudflair communicate with my proxy through HTTPS, and have internal clients terminate SSL at caddy.
If you’re behind Cloudflare, don’t. Just get an origin certificate from CF, it’s a cert that CF trust between itself and your server. By using Cloudflare you’re making Cloudflare responsible for your cert.
I stated in the OP that cloudflair HTTPS is off :/
I’m not using cloudflare for the certificate. I also can’t use the cloud for certificate anyways for internal services through a loopback.
Similarly you can have SSL termination at multiple layers. That’s works I have services that proxy through multiple SSL terminations. The issue that I’m having is that the ACME challenge seems to be having issues, these issues are documented and explained in various GitHub threads, however the set of solutions are seemingly different and convoluted for different environments.
This is why I’m asking this question here after having done a reasonable amount of research and trial and error.