Hopefully you all can help!

I’ve been to hundreds of threads over the last few days trying to puzzle this out, with no luck.

The problem:

  1. Caddy v2 with acme HTTP-1 ACME challenge (Changed from TLS-ALPN challenge)
  2. Cloudflair DNS with proxy ON
  3. All cloudflair https is off
  4. This is a .co domain

Any attempt to get certificates fails with an invalid challenge response. If I try and navigate (or curl) to the challenge directly I always get SSL validation errors as if all the requests are trying to upgrade to HTTPS.

I’m kind of at my wit’s end here and am running out of things to try.

If I turn Cloud flare proxy off and go back to TLS-ALPN challenge, everything works as expected. However I do not wish to expose myself directly and want to use the proxy.

What should I be doing?

  • chiisana@lemmy.chiisana.net
    link
    fedilink
    English
    arrow-up
    7
    ·
    2 months ago

    It is easier to think of the SSL termination in legs.

    1. Client to Cloudflare; if you’re behind orange cloud, you get this for free, don’t turn orange cloud off unless you want to have direct exposure.
    2. Cloudflare to your sever; use their origin cert, this is easiest and secure. You can even get one made specific so your subdomains, or wildcard of your subdomain. Unless you have specific compliance needs, you shouldn’t need to turn this off, and you don’t need to roll your own cert.
    3. Your reverse proxy to your apps; honestly, it’s already on your machine, you can do self signed cert if it really bothers you, but at the end of the day, probably not worth the hassle.

    If, however, you want to directly expose your service without orange cloud (running a game server on the same subdomain for example), then you’d disable the orange cloud and do Let’s Encrypt or deploy your own certificate on your reverse proxy.

  • Max-P@lemmy.max-p.me
    link
    fedilink
    English
    arrow-up
    5
    ·
    2 months ago

    If you’re behind Cloudflare, don’t. Just get an origin certificate from CF, it’s a cert that CF trust between itself and your server. By using Cloudflare you’re making Cloudflare responsible for your cert.

  • Decronym@lemmy.decronym.xyzB
    link
    fedilink
    English
    arrow-up
    1
    ·
    edit-2
    2 months ago

    Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I’ve seen in this thread:

    Fewer Letters More Letters
    CF CloudFlare
    DNS Domain Name Service/System
    HTTP Hypertext Transfer Protocol, the Web
    HTTPS HTTP over SSL
    IP Internet Protocol
    SSL Secure Sockets Layer, for transparent encryption

    [Thread #977 for this sub, first seen 18th Sep 2024, 03:15] [FAQ] [Full list] [Contact] [Source code]

  • Cyberflunk@lemmy.world
    link
    fedilink
    English
    arrow-up
    2
    arrow-down
    1
    ·
    2 months ago

    In this episode of “Doing everything the hardest way possible.”

    Cloudflare has SSL, y u need mo?