Firewall shows pass to 443 port but can't be reached.

Started by mervynsword, December 07, 2018, 08:34:43 PM

Hi guys.

I am trying to use Caddy behind OPNsense as a reverse proxy. But there are some problems.

I have added NAT rules and firewall rules, just in the attachment.

But Caddy can not get an https certificate. It showed: "failed to get certificate: acme: Error 400 - urn:ietf:params:acme:error:connection - Fetching http://home.example.me/.well-known/acme-challenge/XXXXXXXXXXXXXXXXXXXX: Timeout during connect (likely firewall problem)"

The ACME request uses port 80 or port 443 to get the certificate, so I am thinking maybe it's a firewall problem, or worse, port 80 and port 443 are blocked by the ISP.

So I tried to run netdata in a docker container, forwarding port 19998 (host) to 19999 (docker) (because port 19999 is already being used by the netdata running on my host), and added a NAT rule to the firewall; it can be visited from the internet at http://home.example.me:19998.

So I changed the netdata docker port forward, from host 443 to docker 19999, and of course added a NAT rule. The port test shows the host's 443 port can be reached from the LAN, but I can't visit netdata from the internet at http://home.example.me:443.

What makes this interesting is, the log of the firewall shows it allows the connection from the internet to the netdata docker. There is a screenshot in the attachment too.

I mean I can't visit netdata at http://home.example.me:443, so maybe port 443 is blocked by the ISP? But if it is blocked, why are there logs showing the firewall accepted the connection?

Maybe your browser is confused. HTTP on port 443 is very uncommon, so it tries to speak HTTPS or expects an HTTPS answer.
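The situation the reply describes (the TCP connection is accepted and logged as passed, but the client and server speak different protocols) can be told apart from a real block with a small probe. This is an added example, not code from the thread; it starts a constructed plain-HTTP server and a constructed fake TLS responder on localhost so that it runs offline, and the probe logic (send a cleartext request, classify the first bytes) is its own assumption about how to test a port.

```python
"""Classify what a TCP port really answers: closed, plain HTTP, TLS, or silent."""
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

def classify_port(host: str, port: int, timeout: float = 3.0) -> str:
    """Connect and send a cleartext HTTP/1.0 request, then look at the reply.
    'closed'     -> connect refused/timed out: a firewall or ISP block
    'plain-http' -> server answers HTTP in clear (what netdata on 443 does)
    'tls'        -> server replies with a TLS record (alert/handshake byte
                    0x15/0x16 followed by the 0x03 version byte)
    'silent'     -> connection accepted but nothing sent back
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            s.sendall(b"GET / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
            try:
                data = s.recv(64)
            except socket.timeout:
                return "silent"
    except OSError:
        return "closed"
    if not data:
        return "silent"
    if data.startswith(b"HTTP/"):
        return "plain-http"
    if len(data) >= 2 and data[0] in (0x15, 0x16) and data[1] == 0x03:
        return "tls"
    return "other"

class _Handler(BaseHTTPRequestHandler):  # constructed plain-HTTP service
    def do_GET(self):
        body = b"ok"
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)
    def log_message(self, *args):  # keep the demo quiet
        pass

def start_plain_http_server():
    """Return (server, port) of a localhost HTTP server on a random port."""
    srv = HTTPServer(("127.0.0.1", 0), _Handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]

def start_fake_tls_server():
    """Constructed stand-in for a TLS server: answers any cleartext request
    with a TLS fatal 'unexpected_message' alert record, as real TLS stacks do."""
    lsock = socket.socket()
    lsock.bind(("127.0.0.1", 0))
    lsock.listen(1)
    def serve():
        conn, _ = lsock.accept()
        with conn:
            conn.recv(64)
            conn.sendall(b"\x15\x03\x03\x00\x02\x02\x0a")
    threading.Thread(target=serve, daemon=True).start()
    return lsock, lsock.getsockname()[1]

def closed_port() -> int:
    """Reserve then release a localhost port so a connect to it is refused."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port

if __name__ == "__main__":
    http_srv, http_port = start_plain_http_server()
    tls_sock, tls_port = start_fake_tls_server()
    for p in (http_port, tls_port, closed_port()):
        print(p, classify_port("127.0.0.1", p))
    http_srv.shutdown()
    tls_sock.close()
```

A 'plain-http' or 'tls' result with a firewall log entry of "pass" means the packets arrive and the service answers, so the browser's protocol choice, not the ISP, is what to fix.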