Skip to content

How to Fix Caddy TLS Certificate Error

DodaTech Updated 2026-06-24 2 min read

In this tutorial, you'll learn about How to Fix Caddy TLS Certificate Error. We cover key concepts, practical examples, and best practices to help you understand and apply this topic effectively.

Caddy fails to provision a TLS certificate with [ERROR] obtaining certificate: acme: error: 403 or uses a self-signed certificate instead of Let's Encrypt — the ACME challenge cannot complete or DNS validation fails.

The Problem

2026/06/24 10:00:00 [ERROR] obtaining certificate: acme: error: 403
urn:ietf:params:acme:error:unauthorized :::
The client lacks sufficient authorization

Step-by-Step Fix

Step 1: Check DNS resolves to the Caddy server

dig +short example.com
# Must return the public IP of your Caddy server

Step 2: Ensure port 80 is accessible

# Caddy uses HTTP-01 challenge by default
nc -zv example.com 80

Step 3: Use DNS challenge for wildcards

example.com {
    tls {
        dns cloudflare YOUR_API_TOKEN
    }
    reverse_proxy localhost:3000
}

Step 4: Use custom certificate

example.com {
    tls /etc/ssl/certs/example.crt /etc/ssl/private/example.key
    reverse_proxy localhost:3000
}

Step 5: Set ACME server to staging for testing

{
    acme_ca https://acme-staging-v02.api.letsencrypt.org/directory
}

Step 6: Check certificate renewal

caddy renew --force

Prevention Tips

  • Use DNS challenge for production to avoid port 80 dependency
  • Set up monitoring for certificate expiry
  • Keep ACME account private key secure
  • Use the staging ACME endpoint for initial testing

Common Mistakes with tls cert

  1. Using foldl instead of foldl' causing stack overflow on large lists
  2. Forgetting deriving (Show, Eq) on custom data types needed for debugging
  3. Placing the wildcard pattern first in case expressions, making all subsequent patterns unreachable

These mistakes appear frequently in real-world CADDY code. DodaTech's contributors have identified these patterns through analysis of open-source projects and production systems.

Practice Exercise

Write a pure function that safely divides two integers using Maybe, then test it with edge cases like division by zero and negative numbers.

This exercise reinforces the concepts covered in this guide. Try implementing it before checking online solutions.

FAQ

### Why does Caddy fail to get a Let's Encrypt certificate?

Caddy requires port 80 to be reachable for the HTTP-01 challenge. If port 80 is blocked by a firewall or used by another service, the challenge fails. Use the DNS challenge instead: tls { dns <a href="/web-servers-hosting/cloudflare/">Cloudflare</a> YOUR_TOKEN }.

How do I use a custom SSL certificate with Caddy?

Specify the cert and key paths: tls /etc/ssl/certs/example.crt /etc/ssl/private/example.key. Caddy skips automatic certificate management when custom certificates are provided. Ensure the paths are readable by the Caddy user.

How does Caddy auto-renew certificates?

Caddy renews certificates automatically when they are within 30 days of expiry. The renewal runs in the background without downtime. Check the logs for renewal status: caddy logs. Caddy also staples OCSP responses automatically.

Built by the developers of DodaTech

Doda Browser, DodaZIP & Durga Antivirus Pro