Caddy fails to generate valid certificates


dim geode

I have the following setup

DNS (abc.example.com)
CNAME: host.tail-scale.ts

On the host I run Caddy inside Docker:

services:
  caddy:
    build:
      context: .
      dockerfile: caddy.Dockerfile
    container_name: caddy
    restart: unless-stopped
    ports:
      - 80:80
      - 443:443
      - 2019:2019
    volumes:
      - ./Caddyfile:/etc/caddy/Caddyfile:ro
      - ./data:/data
      - ./config:/config
      - ./logs/caddy:/var/log/caddy
    networks:
      - proxy
    environment:
      - CADDY_ADMIN=0.0.0.0:2019
    extra_hosts:
      - "host.docker.internal:host-gateway"

networks:
  proxy:
    external: true

Caddyfile:

(cloudflare) {
    tls {
        dns cloudflare cloudflare key
    }
}


:80 {
    respond "ok" 200
}

abc.example.com {
    import cloudflare

    route {
        reverse_proxy webserver:8000
    }
}

Curl response

curl https://localhost
curl: (35) OpenSSL/3.0.17: error:0A000438:SSL routines::tlsv1 alert internal error
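One thing the `curl https://localhost` above does not exercise is the abc.example.com site at all: curl sends the URL hostname (`localhost`) as the TLS SNI name, Caddy selects its certificate by that name, and the posted Caddyfile has no site block, and therefore no certificate, for `localhost`. The script below is added here and is not from the thread; it parses a constructed copy of the posted Caddyfile and reports which site block, if any, matches a URL's hostname (the helper names are mine, not Caddy's API).

```python
import fnmatch
from urllib.parse import urlsplit

# Constructed copy of the Caddyfile posted above.
CADDYFILE = """\
(cloudflare) {
    tls {
        dns cloudflare cloudflare key
    }
}

:80 {
    respond "ok" 200
}

abc.example.com {
    import cloudflare
    route {
        reverse_proxy webserver:8000
    }
}
"""


def site_addresses(caddyfile: str) -> list[str]:
    """Top-level site addresses, skipping snippet definitions like (cloudflare)."""
    sites, depth = [], 0
    for raw in caddyfile.splitlines():
        line = raw.strip()
        if depth == 0 and line.endswith("{") and not line.startswith("("):
            sites += [a.strip() for a in line[:-1].split(",") if a.strip()]
        depth += line.count("{") - line.count("}")
    return sites


def site_host(address: str) -> str:
    """Hostname part of a site address; '' for port-only addresses such as ':80'."""
    addr = address.split("://", 1)[-1]
    return "" if addr.startswith(":") else addr.rsplit(":", 1)[0]


def matching_sites(url: str, caddyfile: str) -> list[str]:
    """Site blocks whose hostname matches the SNI a client sends for `url`.

    Wildcard addresses (*.example.com) are matched with fnmatch, which is
    looser than Caddy's single-label wildcard but fine for this check.
    """
    sni = (urlsplit(url).hostname or "").lower()
    return [a for a in site_addresses(caddyfile)
            if site_host(a) and fnmatch.fnmatchcase(sni, site_host(a).lower())]


if __name__ == "__main__":
    for url in ("https://localhost", "https://abc.example.com"):
        hits = matching_sites(url, CADDYFILE)
        print(url, "->", hits or "no site block: Caddy has no certificate to offer")
```

To hit the real site block through the local listener while keeping the right SNI, `curl --resolve abc.example.com:443:127.0.0.1 https://abc.example.com` works, and `openssl s_client -connect 127.0.0.1:443 -servername abc.example.com` shows which certificate Caddy actually offers.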

@vapid tide I created a post so I don't spam the #tailscale-chat

vapid tide

Are you sure that Caddy isn’t generating a valid certificate? Can you share any relevant logs?
Admittedly I don’t have much experience with Caddy, and this sounds like it’s not a Tailscale problem, but I’m sure someone can help.

dim geode

Firefox gives me a:

Hmm. We’re having trouble finding that site.

But I tried Chrome and it gives me a bad gateway, which makes much more sense since dig abc.example.com shows the correct DNS results.

dim geode

I did some more digging.

I can ping the webserver from the Caddy container, but making a request on the webserver port fails:

curl: (7) Failed to connect to webserver port 8000 after 0 ms: Could not connect to server

twilit fiber

Can you post the compose for webserver?

dim geode

services:
  broker:
    image: docker.io/library/redis:8
    restart: unless-stopped
    volumes:
      - redisdata:/data
    networks:
      - internal

  db:
    image: docker.io/library/postgres:17
    restart: unless-stopped
    volumes:
      - pgdata:/var/lib/postgresql/data
    environment:
      POSTGRES_DB: paperless
      POSTGRES_USER: paperless
      POSTGRES_PASSWORD: paperless
    networks:
      - internal

  webserver:
    image: ghcr.io/paperless-ngx/paperless-ngx:latest
    restart: unless-stopped
    depends_on:
      - db
      - broker
      - gotenberg
      - tika
    ports:
      - "8000:8000"
    volumes:
      - data:/usr/src/paperless/data
      - media:/usr/src/paperless/media
      - ./export:/usr/src/paperless/export
      - ./consume:/usr/src/paperless/consume
    env_file: docker-compose.env
    environment:
      PAPERLESS_REDIS: redis://broker:6379
      PAPERLESS_DBHOST: db
      PAPERLESS_TIKA_ENABLED: 1
      PAPERLESS_TIKA_GOTENBERG_ENDPOINT: http://gotenberg:3000
      PAPERLESS_TIKA_ENDPOINT: http://tika:9998
    networks:
      - internal
      - proxy

  gotenberg:
    image: docker.io/gotenberg/gotenberg:8.22
    restart: unless-stopped
    # The gotenberg chromium route is used to convert .eml files. We do not
    # want to allow external content like tracking pixels or even javascript.
    command:
      - "gotenberg"
      - "--chromium-disable-javascript=true"
      - "--chromium-allow-list=file:///tmp/.*"
    networks:
      - internal

  tika:
    image: docker.io/apache/tika:latest
    restart: unless-stopped
    networks:
      - internal

volumes:
  data:
  media:
  pgdata:
  redisdata:

networks:
  proxy:
    external: true
  internal:
    driver: bridge