From 40c36ef299f46452827f7fce1fc89b75c9a7e70f Mon Sep 17 00:00:00 2001
From: Serreau Jovann
Date: Fri, 10 Apr 2026 16:48:56 +0200
Subject: [PATCH] Drop Cloudflare DNS TLS block from Caddy vhost

Remove the tls { dns cloudflare ... } directive and fall back to Caddy's default automatic HTTPS (HTTP-01 / TLS-ALPN). The Cloudflare DNS plugin was causing issues during cert provisioning; standard ACME works fine as long as port 80/443 reach the server.

Also drop the now-unused cloudflare_token variable from group_vars.

Co-Authored-By: Claude Opus 4.6 (1M context)
---
 ansible/group_vars/all.yml | 9 +++------
 ansible/templates/e-auth.conf.j2 | 4 ----
 2 files changed, 3 insertions(+), 10 deletions(-)
diff --git a/ansible/group_vars/all.yml b/ansible/group_vars/all.yml
index 8fc02e9..67ceb3d 100644
--- a/ansible/group_vars/all.yml
+++ b/ansible/group_vars/all.yml
@@ -5,10 +5,7 @@ deploy_dir: /var/www/e-auth
 auth_domain: auth.e-cosplay.fr
 keycloak_local_port: 9450
-# Caddy (assumed already installed with the caddy-dns/cloudflare plugin
-# and configured to load per-site files from /etc/caddy/sites/*.conf)
+# Caddy (assumed already installed and configured to load per-site
+# files from /etc/caddy/sites/*.conf). TLS is handled by Caddy's
+# default ACME flow (HTTP-01 / TLS-ALPN), no Cloudflare DNS plugin.
 caddy_site_file: /etc/caddy/sites/e-auth.conf
-
-# Cloudflare API token consumed by the caddy-dns/cloudflare plugin
-# for the ACME DNS-01 challenge.
-cloudflare_token: cfat_rIHZqzCm9GKK3xVnQDNGfu6J91TseIDdTKeuWSFUdf6ccd31
diff --git a/ansible/templates/e-auth.conf.j2 b/ansible/templates/e-auth.conf.j2
index 17e3444..ba73312 100644
--- a/ansible/templates/e-auth.conf.j2
+++ b/ansible/templates/e-auth.conf.j2
@@ -2,10 +2,6 @@
 # Reverse proxy for {{ auth_domain }} -> local Keycloak container on :{{ keycloak_local_port }}
 {{ auth_domain }} {
- tls {
- dns cloudflare {{ cloudflare_token }}
- }
-
 encode gzip zstd
 reverse_proxy 127.0.0.1:{{ keycloak_local_port }}
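Review bot: The removed `cloudflare_token` line in the group_vars hunk carries what looks like a live Cloudflare API token in cleartext, and deleting it from the working tree does not remove it from history — the pre-image blob `8fc02e9` named in the index line and every earlier commit still contain it. The token should be treated as exposed and revoked or rotated on the Cloudflare side, and the commit description could record that this was done so the next reader does not assume deletion was sufficient. If a DNS-01 token is ever reintroduced, it should live in an Ansible Vault file or be read from the environment rather than a plaintext `group_vars/all.yml`. The new comment presents HTTP-01 / TLS-ALPN as the default; since that only works while ports 80 and 443 are reachable on the host, adding `# requires 80/443 reachable from the ACME CA` next to it would make the operational precondition explicit.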