Fix: Caddy TLS Handshake Failed Error

The Cause

Caddy uses automatic HTTPS via Let's Encrypt. TLS handshake failures occur when the ACME challenge fails — usually because port 80 is blocked by a firewall, DNS hasn't propagated, or the domain doesn't point to the server.

The Fix

1. Verify port 80 is open (required for ACME HTTP-01 challenge)

sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
sudo ufw reload

2. Verify DNS points to your server

dig +short yourdomain.com
# Should return your server's IP

3. Check Caddy logs for the specific ACME error

journalctl -u caddy --since "1 hour ago" | grep -i "tls|acme|cert|error"

4. Force certificate re-issue (clear Caddy's cert cache)

sudo systemctl stop caddy
sudo rm -rf /var/lib/caddy/.local/share/caddy/certificates/
sudo systemctl start caddy

Paste your config to detect proxy misconfigurations and get exact fixes.

Open Reverse Proxy Mapper →

Frequently Asked Questions

Why does Caddy fail to get a certificate even with port 80 open?

Common causes: (1) DNS hasn't propagated yet — wait 5–10 minutes after pointing DNS to the server, (2) a UFW rule allows port 80 but Docker is bypassing UFW, (3) Caddy is rate-limited by Let's Encrypt — check caddy logs for rate limit errors.

Can I use Caddy with Cloudflare proxy enabled?

Yes, but you need to use Caddy's DNS-01 ACME challenge instead of HTTP-01. With Cloudflare proxying enabled, Caddy can't complete HTTP-01 challenges. Install the Caddy Cloudflare DNS module and configure DNS challenge with your Cloudflare API token.