this post was submitted on 17 Sep 2024
29 points (100.0% liked)

Selfhosted

40211 readers
1489 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 1 year ago
MODERATORS
 

Hopefully you all can help!

I've been to hundreds of threads over the last few days trying to puzzle this out, with no luck.

The problem:

  1. Caddy v2 with acme HTTP-1 ACME challenge (Changed from TLS-ALPN challenge)
  2. Cloudflair DNS with proxy ON
  3. All cloudflair https is off
  4. This is a .co domain

Any attempt to get certificates fails with an invalid challenge response. If I try and navigate (or curl) to the challenge directly I always get SSL validation errors as if all the requests are trying to upgrade to HTTPS.

I'm kind of at my wit's end here and am running out of things to try.

If I turn Cloud flare proxy off and go back to TLS-ALPN challenge, everything works as expected. However I do not wish to expose myself directly and want to use the proxy.

What should I be doing?


I have now solved this by using Cloudflair DNS ACME challenge. Cloudflair SSL turned back on. Everything works as expected now, I can have external clients terminate SSL at cloudflair, cloudflair communicate with my proxy through HTTPS, and have internal clients terminate SSL at caddy.

you are viewing a single comment's thread
view the rest of the comments
[–] douglasg14b@lemmy.world 1 points 1 month ago* (last edited 1 month ago)

Because the majority of my traffic and services are internal with internal DNS? And I want valid HTTPS certs for them, without exposing my IP in the DNS for those A records.

If I don't care about leaking my IP in my a records then this is pretty easy. However I don't want to do this for various reasons. One of those being that I engage in security related activities and have no desire to put myself at risk by leaking.

Even services that I exposed to the internet I still don't want to have my local network traffic go to the internet and back when there is no need for that. SSL termination at my own internal proxy solves that problem.

I now have this working by using the cloudflare DNS ACME challenge. Those services which I exposed to the internet cloudflare is providing https termination for, cloudflare is then communicating with my proxy which also provides https termination. My internal communication with those services is terminated at my proxy.