Caddy and Cloudflare

self signed certs for running Caddy behind Cloudflare

I saw some goofy logs this morning:

acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: Cannot negotiate ALPN protocol "acme-tls/1" for tls-alpn-01 challenge, url:
[ERROR] Renewing: acme: Error -> One or more domains had a problem:
[INFO] Unable to deactivated authorizations: https://acme-v02.api.letsencrypt.org/acme/authz-v3/4017030008
[INFO] acme: Trying to solve TLS-ALPN-01
[INFO] acme: use tls-alpn-01 solver
[INFO] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/4017030008
[INFO] acme: Obtaining bundled SAN certificate
[INFO] acme: Trying renewal with -3768 hours remaining

It turned out I had a Caddy server doing ACME challenges behind Cloudflare, and that wasn’t really working: Cloudflare terminates TLS in front of Caddy, so the TLS-ALPN-01 challenge never reaches Caddy (hence the “Cannot negotiate ALPN protocol” error above). I restarted Caddy, and then it just sat there trying to do its ACME challenge and not serving any pages.
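As an added example (mine, not from the post), here is a small Python triage script that reads a pasted Caddy/ACME log like the one above and turns it into a structured diagnosis: it pulls out the renewal window, the solver, the ACME error URN and HTTP status, and recognises the specific pattern here, an unauthorized error on a TLS-ALPN-01 challenge, which is what you get when something in front of Caddy (here Cloudflare's proxy) answers the TLS handshake and never offers the acme-tls/1 protocol the challenge needs. The embedded log lines are the ones from the post; the dataclass field names, the verdict strings and the remediation text are my own.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: the lines from the post, pasted newest-first as they
# appeared in the Caddy log (the ACME client writes them oldest-first).
SAMPLE_LOG = """\
acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: Cannot negotiate ALPN protocol "acme-tls/1" for tls-alpn-01 challenge, url:
[ERROR] Renewing: acme: Error -> One or more domains had a problem:
[INFO] Unable to deactivated authorizations: https://acme-v02.api.letsencrypt.org/acme/authz-v3/4017030008
[INFO] acme: Trying to solve TLS-ALPN-01
[INFO] acme: use tls-alpn-01 solver
[INFO] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/4017030008
[INFO] acme: Obtaining bundled SAN certificate
[INFO] acme: Trying renewal with -3768 hours remaining
"""

# Patterns for the pieces worth extracting (written against the lines above).
RENEWAL_RE = re.compile(r"Trying renewal with (-?\d+) hours remaining")
SOLVER_RE = re.compile(r"use (tls-alpn-01|http-01|dns-01) solver")
ACME_ERR_RE = re.compile(
    r"acme: error: (\d{3}) :: urn:ietf:params:acme:error:(\w+) :: (.*?)(?:, url:|$)"
)
AUTHZ_RE = re.compile(r"(https://\S+/acme/authz-v3/\d+)")


@dataclass
class AcmeDiagnosis:
    """Structured summary of one ACME renewal attempt (field names are mine)."""
    hours_remaining: Optional[int] = None
    solver: Optional[str] = None
    http_status: Optional[int] = None
    error_type: Optional[str] = None
    error_detail: Optional[str] = None
    authz_urls: List[str] = field(default_factory=list)
    verdict: str = "ok"

    @property
    def cert_expired(self) -> bool:
        # A negative renewal window means the certificate already expired.
        return self.hours_remaining is not None and self.hours_remaining < 0

    @property
    def days_expired(self) -> int:
        return (-self.hours_remaining) // 24 if self.cert_expired else 0


def diagnose(log: str) -> AcmeDiagnosis:
    """Scan a pasted log and classify what went wrong with the renewal."""
    d = AcmeDiagnosis()
    for line in log.splitlines():
        if m := RENEWAL_RE.search(line):
            d.hours_remaining = int(m.group(1))
        if m := SOLVER_RE.search(line):
            d.solver = m.group(1)
        if m := ACME_ERR_RE.search(line):
            d.http_status = int(m.group(1))
            d.error_type = m.group(2)
            d.error_detail = m.group(3).strip()
        if m := AUTHZ_RE.search(line):
            d.authz_urls.append(m.group(1))

    # Verdict strings are my own labels, not ACME or Caddy terminology.
    if (d.error_type == "unauthorized" and d.solver == "tls-alpn-01"
            and d.error_detail and "ALPN" in d.error_detail):
        # The CA connected on 443, but something in front of Caddy (a CDN or
        # TLS-terminating proxy) answered the handshake and never offered
        # acme-tls/1, so Caddy could not prove control of the name.
        d.verdict = "challenge-terminated-upstream"
    elif d.error_type is not None:
        d.verdict = "acme-error"
    return d


def explain(d: AcmeDiagnosis) -> str:
    """Human-readable summary with the remediation a defender would want."""
    lines = []
    if d.cert_expired:
        lines.append(f"certificate expired about {d.days_expired} days ago "
                     f"({d.hours_remaining} hours remaining)")
    if d.verdict == "challenge-terminated-upstream":
        lines.append(f"{d.solver} challenge failed with HTTP {d.http_status} "
                     f"({d.error_type}): {d.error_detail}")
        lines.append("an inbound challenge cannot pass through a TLS-terminating "
                     "proxy; serve a certificate that needs no public challenge "
                     "(self-signed or a proxy-issued origin certificate), or use "
                     "DNS-01, which needs no inbound connection")
    elif d.verdict == "acme-error":
        lines.append(f"ACME error {d.error_type} (HTTP {d.http_status})")
    return "\n".join(lines) if lines else "renewal looks healthy"


if __name__ == "__main__":
    print(explain(diagnose(SAMPLE_LOG)))
```

Run on its own it prints the diagnosis for the post's log; pointed at your own Caddy log it will flag the same pattern, and a negative "hours remaining" value tells you how long the site has been serving an expired certificate.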

Anyway, in case it ever helps anyone else, the magic Caddyfile incantation is:

# Caddy v1 syntax; the closest Caddy v2 equivalents are reverse_proxy and tls internal
mydomain.com:443 {
    # forward everything to the app listening locally
    proxy / localhost:1234
    # have Caddy generate a self-signed cert instead of running an ACME challenge
    tls self_signed
}

That :443 is the real trick, because without it, Caddy wants to run self-signed domains on port 2015, which doesn’t do anyone any good.

Systems administration. The gift that keeps on giving.