I am trying to use ACME cert management to receive certificates from our company CA. The CA only works with HTTP challenges (at least that's what my admin said, or rather our firewall rules only allow for that), so the TLS_ALPN challenges that Caddy attempts fail. I have disabled TLS_ALPN in my Caddyfile, but the server still attempts these challenges. This does sometimes get fixed by recreating the container, but not always, for some reason. Is there anything I'm doing wrong here?
Another thing that I'm seeing is that requests to .well-known/acme-challenge/test get a 308 permanent redirect to HTTPS (which doesn't make sense for the HTTP challenge):
caddy | {"level":"info","ts":1774965783.680951,"msg":"maxprocs: Leaving GOMAXPROCS=8: CPU quota undefined"}
caddy | {"level":"info","ts":1774965783.6809769,"msg":"GOMEMLIMIT is updated","GOMEMLIMIT":7450280755,"previous":9223372036854775807}
caddy | {"level":"info","ts":1774965783.6809819,"msg":"using config from file","file":"/etc/caddy/Caddyfile"}
caddy | {"level":"info","ts":1774965783.6809845,"msg":"adapted config to JSON","adapter":"caddyfile"}
caddy | {"level":"warn","ts":1774965783.680987,"msg":"Caddyfile input is not formatted; run 'caddy fmt --overwrite' to fix inconsistencies","adapter":"caddyfile","file":"/etc/caddy/Caddyfile","line":2}
caddy | {"level":"info","ts":1774965783.6876369,"logger":"admin","msg":"admin endpoint started","address":"localhost:2019","enforce_origin":false,"origins":["//localhost:2019","//[::1]:2019","//127.0.0.1:2019"]}
caddy | {"level":"info","ts":1774965783.6879334,"logger":"tls.cache.maintenance","msg":"started background certificate maintenance","cache":"0x1c86f42bc180"}
caddy | {"level":"info","ts":1774965783.68806,"logger":"http.auto_https","msg":"server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS","server_name":"srv0","https_port":443}
caddy | {"level":"info","ts":1774965783.6880844,"logger":"http.auto_https","msg":"enabling automatic HTTP->HTTPS redirects","server_name":"srv0"}
caddy | {"level":"debug","ts":1774965783.6881697,"logger":"http.auto_https","msg":"adjusted config","tls":{"automation":{"policies":[{"subjects":["report.company.intern"]},{}]}},"http":{"servers":{"remaining_auto_https_redirects":{"listen":[":80"],"routes":[{},{}]},"srv0":{"listen":[":443"],"routes":[{"handle":[{"handler":"subroute","routes":[{"handle":[{"handler":"reverse_proxy","upstreams":[{"dial":"overleaf:80"}]}]}]}],"terminal":true}],"tls_connection_policies":[{}],"automatic_https":{}}}}}
caddy | {"level":"debug","ts":1774965783.688447,"logger":"http","msg":"starting server loop","address":"0.0.0.0:443","tls":true,"http3":false}
caddy | {"level":"info","ts":1774965783.6884735,"logger":"http","msg":"enabling HTTP/3 listener","addr":":443"}
caddy | {"level":"info","ts":1774965783.6885831,"msg":"failed to sufficiently increase receive buffer size (was: 208 kiB, wanted: 7168 kiB, got: 416 kiB). See https://github.com/quic-go/quic-go/wiki/UDP-Buffer-Sizes for details."}
caddy | {"level":"info","ts":1774965783.6886995,"logger":"http.log","msg":"server running","name":"srv0","protocols":["h1","h2","h3"]}
caddy | {"level":"debug","ts":1774965783.68878,"logger":"http","msg":"starting server loop","address":"0.0.0.0:80","tls":false,"http3":false}
caddy | {"level":"warn","ts":1774965783.6887918,"logger":"http","msg":"HTTP/2 skipped because it requires TLS","network":"tcp","addr":":80"}
caddy | {"level":"warn","ts":1774965783.6887949,"logger":"http","msg":"HTTP/3 skipped because it requires TLS","network":"tcp","addr":":80"}
caddy | {"level":"info","ts":1774965783.6887975,"logger":"http.log","msg":"server running","name":"remaining_auto_https_redirects","protocols":["h1","h2","h3"]}
caddy | {"level":"info","ts":1774965783.6888013,"logger":"http","msg":"enabling automatic TLS certificate management","domains":["report.company.intern"]}
caddy | {"level":"debug","ts":1774965783.6892889,"logger":"tls","msg":"stapling OCSP","error":"no OCSP stapling for [report.company.intern]: no OCSP server specified in certificate","identifiers":["report.company.intern"]}
caddy | {"level":"debug","ts":1774965783.6893675,"logger":"tls.cache","msg":"added certificate to cache","subjects":["report.company.intern"],"expiration":1774951319,"managed":true,"issuer_key":"deglacme01.company.intern-acme-acme-directory","hash":"4dc98b19fd772fb1c2d8d8cbcafcd2223412fd1764684bb9b05d3427f6b3c476","cache_size":1,"cache_capacity":10000}
caddy | {"level":"debug","ts":1774965783.6893868,"logger":"events","msg":"event","name":"cached_managed_cert","id":"de06143f-524d-4c96-a484-e020280731c4","origin":"tls","data":{"sans":["report.company.intern"]}}
caddy | {"level":"debug","ts":1774965783.6894405,"logger":"events","msg":"event","name":"started","id":"8ce0723f-e8b3-4dfc-876a-e8dae5fbf64e","origin":"","data":null}
caddy | {"level":"info","ts":1774965783.6895244,"logger":"tls","msg":"certificate is in configured renewal window based on expiration date","subjects":["report.company.intern"],"expiration":1774951319,"ari_cert_id":"","next_ari_update":null,"renew_check_interval":600,"window_start":-6795364578.8713455,"window_end":-6795364578.8713455,"remaining":-14464.689523857}
caddy | {"level":"info","ts":1774965783.6896136,"msg":"autosaved config (load with --resume flag)","file":"/config/caddy/autosave.json"}
caddy | {"level":"info","ts":1774965783.6896217,"msg":"serving initial configuration"}
caddy | {"level":"info","ts":1774965783.6921117,"logger":"tls","msg":"storage cleaning happened too recently; skipping for now","storage":"FileStorage:/data/caddy","instance":"34537ac2-48f3-4563-bb87-e5426da4ebcf","try_again":1775052183.6921084,"try_again_in":86399.99999927}
caddy | {"level":"info","ts":1774965783.6922204,"logger":"tls","msg":"finished cleaning storage units"}
caddy | {"level":"info","ts":1774965783.694594,"logger":"tls.renew","msg":"acquiring lock","identifier":"report.company.intern"}
caddy | {"level":"info","ts":1774965783.697793,"logger":"tls.renew","msg":"lock acquired","identifier":"report.company.intern"}
caddy | {"level":"info","ts":1774965783.698719,"logger":"tls.renew","msg":"renewing certificate","identifier":"report.company.intern","remaining":-14464.698707913}
caddy | {"level":"debug","ts":1774965783.6987865,"logger":"events","msg":"event","name":"cert_obtaining","id":"88be8b4e-7964-4d63-a235-600a057ad522","origin":"tls","data":{"forced":false,"identifier":"report.company.intern","issuer":"deglacme01.company.intern-acme-acme-directory","remaining":-14464698707913,"renewal":true}}
caddy | {"level":"debug","ts":1774965783.6989105,"logger":"tls","msg":"created CSR","identifiers":["report.company.intern"],"san_dns_names":["report.company.intern"],"san_emails":[],"common_name":"","extra_extensions":0}
caddy | {"level":"debug","ts":1774965783.6997294,"logger":"http","msg":"using existing ACME account because key found in storage associated with email","email":"default","ca":"https://deglacme01.company.intern/acme/acme/directory"}
caddy | {"level":"debug","ts":1774965783.6999238,"logger":"http","msg":"using existing ACME account because key found in storage associated with email","email":"","ca":"https://deglacme01.company.intern/acme/acme/directory"}
caddy | {"level":"info","ts":1774965783.6999547,"logger":"http","msg":"waiting on internal rate limiter","identifiers":["report.company.intern"],"ca":"https://deglacme01.company.intern/acme/acme/directory","account":""}
caddy | {"level":"info","ts":1774965783.6999664,"logger":"http","msg":"done waiting on internal rate limiter","identifiers":["report.company.intern"],"ca":"https://deglacme01.company.intern/acme/acme/directory","account":""}
caddy | {"level":"info","ts":1774965783.6999757,"logger":"http","msg":"using ACME account","account_id":"https://deglacme01.company.intern/acme/acme/account/1hjKZTxmkDoErNrD9q8w46GdV4YmFQK7","account_contact":[]}
caddy | {"level":"debug","ts":1774965783.7124789,"msg":"http request","method":"GET","url":"https://deglacme01.company.intern/acme/acme/directory","headers":{"User-Agent":["Caddy/2.11.2 CertMagic acmez (linux; amd64)"]},"response_headers":{"Content-Length":["342"],"Content-Type":["application/json"],"Date":["Tue, 31 Mar 2026 14:03:03 GMT"],"X-Request-Id":["c16b7cf4-f92e-41a9-adbb-cfd09acfa78d"]},"status_code":200}
caddy | {"level":"debug","ts":1774965783.7126763,"msg":"creating order","account":"https://deglacme01.company.intern/acme/acme/account/1hjKZTxmkDoErNrD9q8w46GdV4YmFQK7","identifiers":["report.company.intern"]}
caddy | {"level":"debug","ts":1774965783.7166383,"msg":"http request","method":"HEAD","url":"https://deglacme01.company.intern/acme/acme/new-nonce","headers":{"User-Agent":["Caddy/2.11.2 CertMagic acmez (linux; amd64)"]},"response_headers":{"Cache-Control":["no-store"],"Date":["Tue, 31 Mar 2026 14:03:03 GMT"],"Link":["<https://deglacme01.company.intern/acme/acme/directory>;rel=\"index\""],"Replay-Nonce":["aXVLWUYweFQ3bDI2S0x5bkNoVWhIZ2ZLcFRpZjh2OHQ"],"X-Request-Id":["bc32241b-ba34-4d8f-8348-b8cd146850cf"]},"status_code":200}
caddy | {"level":"debug","ts":1774965783.7350113,"msg":"http request","method":"POST","url":"https://deglacme01.company.intern/acme/acme/new-order","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.11.2 CertMagic acmez (linux; amd64)"]},"response_headers":{"Cache-Control":["no-store"],"Content-Length":["432"],"Content-Type":["application/json"],"Date":["Tue, 31 Mar 2026 14:03:03 GMT"],"Link":["<https://deglacme01.company.intern/acme/acme/directory>;rel=\"index\""],"Location":["https://deglacme01.company.intern/acme/acme/order/1TBW16qBTIguMdEkbLffj8FRnEvCmy43"],"Replay-Nonce":["dU83QnpxSmtVamhmSDlqVVVnUFNxNHNvYkRMSWVhV2E"],"X-Request-Id":["3bdf0751-5848-489b-9c1e-e0f58c6274c7"]},"status_code":201}
caddy | {"level":"debug","ts":1774965783.7417023,"msg":"http request","method":"POST","url":"https://deglacme01.company.intern/acme/acme/authz/G6i1Q1JQ5uTXbAxI2uqueQWOChxz3wEP","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.11.2 CertMagic acmez (linux; amd64)"]},"response_headers":{"Cache-Control":["no-store"],"Content-Length":["772"],"Content-Type":["application/json"],"Date":["Tue, 31 Mar 2026 14:03:03 GMT"],"Link":["<https://deglacme01.company.intern/acme/acme/directory>;rel=\"index\""],"Location":["https://deglacme01.company.intern/acme/acme/authz/G6i1Q1JQ5uTXbAxI2uqueQWOChxz3wEP"],"Replay-Nonce":["SWMwQlRLWXRXZkNxSG5PMjBrUW1YeUtJOEZ0bEhpTFE"],"X-Request-Id":["480e9067-7b11-453b-bdfc-60b07a05bde8"]},"status_code":200}
caddy | {"level":"info","ts":1774965783.7420483,"msg":"trying to solve challenge","identifier":"report.company.intern","challenge_type":"tls-alpn-01","ca":"https://deglacme01.company.intern/acme/acme/directory"}
caddy | {"level":"debug","ts":1774965783.74567,"msg":"waiting for solver before continuing","identifier":"report.company.intern","challenge_type":"tls-alpn-01"}
caddy | {"level":"debug","ts":1774965783.745697,"msg":"done waiting for solver","identifier":"report.company.intern","challenge_type":"tls-alpn-01"}
caddy | {"level":"debug","ts":1774965783.7459073,"logger":"http.stdlib","msg":"http: TLS handshake error from 127.0.0.1:44208: EOF"}
caddy | {"level":"debug","ts":1774965795.2348738,"logger":"events","msg":"event","name":"tls_get_certificate","id":"f86f5a3e-748a-4a8b-9559-e537937cf117","origin":"tls","data":{"client_hello":{"CipherSuites":[4866,4867,4865,49196,49200,159,52393,52392,52394,49195,49199,158,49188,49192,107,49187,49191,103,49162,49172,57,49161,49171,51,157,156,61,60,53,47,255],"ServerName":"10.10.5.22","SupportedCurves":[29,23,30,25,24,256,257,258,259,260],"SupportedPoints":"AAEC","SignatureSchemes":[1027,1283,1539,2055,2056,2057,2058,2059,2052,2053,2054,1025,1281,1537,771,769,770,1026,1282,1538],"SupportedProtos":null,"SupportedVersions":[772,771,770,769],"RemoteAddr":{"IP":"172.16.99.47","Port":46108,"Zone":""},"LocalAddr":{"IP":"172.16.99.47","Port":443,"Zone":""}}}}
caddy | {"level":"debug","ts":1774965795.2350957,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"10.10.5.22"}
caddy | {"level":"debug","ts":1774965795.2351027,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"*.10.5.22"}
caddy | {"level":"debug","ts":1774965795.2351072,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"*.*.5.22"}
caddy | {"level":"debug","ts":1774965795.2351115,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"*.*.*.22"}
caddy | {"level":"debug","ts":1774965795.2351155,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"*.*.*.*"}
caddy | {"level":"debug","ts":1774965795.2351613,"logger":"tls.handshake","msg":"no certificate matching TLS ClientHello","remote_ip":"172.16.99.47","remote_port":"46108","server_name":"10.10.5.22","remote":"172.16.99.47:46108","identifier":"10.10.5.22","cipher_suites":[4866,4867,4865,49196,49200,159,52393,52392,52394,49195,49199,158,49188,49192,107,49187,49191,103,49162,49172,57,49161,49171,51,157,156,61,60,53,47,255],"cert_cache_fill":0.0001,"load_or_obtain_if_necessary":true,"on_demand":false}
caddy | {"level":"debug","ts":1774965795.2352383,"logger":"http.stdlib","msg":"http: TLS handshake error from 172.16.99.47:46108: no certificate available for '10.10.5.22'"}
Issue Details
Copied from https://caddy.community/t/tls-alpn-challenge-doesnt-get-disabled-by-caddyfile-directive/33620 as requested.
1. The problem I’m having:
2. Error messages and/or full log output:
3. Caddy version:
v2.11.2 h1:iOlpsSiSKqEW+SIXrcZsZ/NO74SzB/ycqqvAIEfIm64=
4. How I installed and ran Caddy:
a. System environment:
Rootless Podman Compose
b. Command:
c. Service/unit/compose file:
d. My complete Caddy config:
My autosave.json from the container:
5. Links to relevant resources:
I did follow this post, but that didn't solve it for me.
Assistance Disclosure
AI not used
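A small diagnostic, added here as an example and not part of the issue or of Caddy itself: it reads Caddy's JSON log lines (with the `caddy |` compose prefix) to list which ACME challenge types were actually attempted, and cross-checks them against the JSON that `caddy adapt --config /etc/caddy/Caddyfile` produces, where a disabled challenge shows up under `apps.tls.automation.policies[].issuers[].challenges.<type>.disabled`. The sample log lines and the sample adapted config below are constructed; the CA URL `https://ca.example/acme/directory` is a placeholder.

```python
import json

# Constructed sample lines in the shape of the Caddy JSON logs quoted in the issue.
SAMPLE_LOG = """\
caddy | {"level":"info","ts":1774965783.742,"msg":"trying to solve challenge","identifier":"report.company.intern","challenge_type":"tls-alpn-01","ca":"https://ca.example/acme/directory"}
caddy | {"level":"debug","ts":1774965783.745,"logger":"http.stdlib","msg":"http: TLS handshake error from 127.0.0.1:44208: EOF"}
caddy | {"level":"info","ts":1774965790.1,"msg":"trying to solve challenge","identifier":"report.company.intern","challenge_type":"http-01","ca":"https://ca.example/acme/directory"}
"""

# Constructed stand-in for the JSON that `caddy adapt` emits when the acme issuer
# in the Caddyfile has the TLS-ALPN challenge disabled.
SAMPLE_CONFIG = {"apps": {"tls": {"automation": {"policies": [{
    "subjects": ["report.company.intern"],
    "issuers": [{"module": "acme", "ca": "https://ca.example/acme/directory",
                 "challenges": {"tls-alpn": {"disabled": True}}}]}]}}}}


def parse_caddy_log(text):
    """Yield the JSON object on each line, skipping a 'caddy | ' compose prefix."""
    for line in text.splitlines():
        start = line.find("{")
        if start == -1:
            continue
        try:
            yield json.loads(line[start:])
        except json.JSONDecodeError:
            continue  # non-JSON noise (e.g. container banner lines)


def challenge_attempts(text):
    """(identifier, challenge_type, ca) for every challenge Caddy tried to solve."""
    return [(e["identifier"], e["challenge_type"], e.get("ca", "default"))
            for e in parse_caddy_log(text)
            if e.get("msg") == "trying to solve challenge"]


def disabled_challenges(config):
    """Map each ACME CA URL to the challenge types its issuer disables in the adapted JSON."""
    out = {}
    policies = config.get("apps", {}).get("tls", {}).get("automation", {}).get("policies", [])
    for policy in policies:
        for issuer in policy.get("issuers", []):
            if issuer.get("module") == "acme":
                challenges = issuer.get("challenges", {})
                out[issuer.get("ca", "default")] = {name for name, c in challenges.items()
                                                     if isinstance(c, dict) and c.get("disabled")}
    return out


def unexpected_attempts(text, config):
    """Attempts of a challenge type that the adapted config disables for that CA."""
    disabled = disabled_challenges(config)
    return [(ident, ctype, ca) for ident, ctype, ca in challenge_attempts(text)
            if ctype.removesuffix("-01") in disabled.get(ca, set())]
```

If `unexpected_attempts` returns nothing but the live log still shows `tls-alpn-01`, the running instance is not using the config you adapted (for example a stale autosave loaded with `--resume`), which is a different problem from the Caddyfile syntax.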