Issues with Caddy TLS Certificates on Tutor Open edX (tutor local launch with TLS enabled)

Hi everyone,

I’m setting up Open edX with Tutor, and during the tutor local launch step I selected “y” when prompted for TLS support. After that, Caddy started automatically trying to fetch TLS certificates for my domains, but I’m running into several issues.

From the logs, I can see repeated errors like these:

challenge failed, identifier: www.tmacourse.com,
problem: Invalid response from http://www.tmacourse.com/.well-known/acme-challenge/… : 403

For some Tutor subdomains (apps.www.tmacourse.com, preview.www.tmacourse.com, studio.www.tmacourse.com, meilisearch.www.tmacourse.com), I get:

DNS problem: NXDOMAIN looking up A/AAAA record

Has anyone else run into this situation when enabling TLS in Tutor? How did you fix it?

Thanks in advance!

Below is Caddy's log file:

caddy-log.txt (80.3 KB)
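As an added example (not part of the original post, and not Tutor's or Caddy's own code), here is a small Python triage script that collapses the repeated "challenge failed" lines into one row per hostname and classifies the root cause, so the 80 KB log reduces to "which names have no DNS record" versus "which names resolve but something other than Caddy answers on port 80". The log lines below are constructed to match the two messages quoted in the post; they are not taken from the attached caddy-log.txt, and the token in the URL is a placeholder.

```python
import re
from typing import Dict, List

# Constructed sample lines modelled on the two error texts quoted in the post;
# not taken from the attached caddy-log.txt. TOKEN-PLACEHOLDER stands in for
# the real ACME token.
SAMPLE_LOG = """\
challenge failed, identifier: www.tmacourse.com, problem: Invalid response from http://www.tmacourse.com/.well-known/acme-challenge/TOKEN-PLACEHOLDER: 403
challenge failed, identifier: apps.www.tmacourse.com, problem: DNS problem: NXDOMAIN looking up A/AAAA record
challenge failed, identifier: preview.www.tmacourse.com, problem: DNS problem: NXDOMAIN looking up A/AAAA record
challenge failed, identifier: studio.www.tmacourse.com, problem: DNS problem: NXDOMAIN looking up A/AAAA record
challenge failed, identifier: meilisearch.www.tmacourse.com, problem: DNS problem: NXDOMAIN looking up A/AAAA record
challenge failed, identifier: www.tmacourse.com, problem: Invalid response from http://www.tmacourse.com/.well-known/acme-challenge/TOKEN-PLACEHOLDER: 403
obtaining certificate: retrying in 60s
"""

# One failure line: the identifier (hostname) and the ACME "problem" text.
FAIL_RE = re.compile(r"challenge failed, identifier: (?P<host>[^,\s]+),\s*problem: (?P<problem>.+)$")
# HTTP-01 "Invalid response from <url>: <status>" (tolerates a space before the colon).
HTTP_RE = re.compile(r"Invalid response from \S+?\s*:\s*(?P<code>\d{3})\s*$")


def classify(problem: str) -> str:
    """Map an ACME problem string to a coarse cause the operator can act on."""
    if problem.startswith("DNS problem: NXDOMAIN"):
        return "dns_missing"         # no A/AAAA record exists for this name
    if problem.startswith("DNS problem"):
        return "dns_other"           # name exists but the lookup failed (e.g. SERVFAIL)
    m = HTTP_RE.search(problem)
    if m:
        code = int(m.group("code"))
        if 300 <= code < 400:
            return "http_redirect"   # port 80 redirects instead of serving the token
        if code == 403:
            return "http_forbidden"  # something other than Caddy answered on port 80
        return f"http_{code}"
    return "other"


def triage(log_text: str) -> Dict[str, Dict[str, object]]:
    """Collapse repeated failures into {host: {"cause", "count", "problem"}}."""
    report: Dict[str, Dict[str, object]] = {}
    for line in log_text.splitlines():
        m = FAIL_RE.search(line)
        if not m:
            continue
        host, problem = m.group("host"), m.group("problem").strip()
        entry = report.setdefault(host, {"cause": classify(problem), "count": 0, "problem": problem})
        entry["count"] = int(entry["count"]) + 1
    return report


def hosts_by_cause(report: Dict[str, Dict[str, object]], cause: str) -> List[str]:
    """Hostnames sharing one cause, sorted, e.g. the list of DNS records still to create."""
    return sorted(host for host, entry in report.items() if entry["cause"] == cause)


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for host, entry in result.items():
        print(f"{host:35} {entry['cause']:15} x{entry['count']}")
    print("names needing DNS records:", hosts_by_cause(result, "dns_missing"))
```

Run it against a real Caddy log by replacing `SAMPLE_LOG` with the file contents; Caddy's JSON log format carries the same problem text inside the `error` field, so the regexes still match after the JSON is decoded.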

Hi @nguyenvinh0405
There are a few things that stand out to me:

I see you have a DNS record for www.tmacourse.com

nslookup www.tmacourse.com 1.1.1.1
Server: one.one.one.one
Address: 1.1.1.1

Non-authoritative answer:
Name: tmacourse.com
Addresses: 15.197.142.173
3.33.152.147
Aliases: www.tmacourse.com

However, you lack DNS records that allow resolution of the subdomains:

nslookup studio.www.tmacourse.com 1.1.1.1
Server: one.one.one.one
Address: 1.1.1.1

*** one.one.one.one can’t find studio.www.tmacourse.com: Non-existent domain

nslookup preview.www.tmacourse.com 1.1.1.1
Server: one.one.one.one
Address: 1.1.1.1

*** one.one.one.one can’t find preview.www.tmacourse.com: Non-existent domain

nslookup apps.www.tmacourse.com 1.1.1.1
Server: one.one.one.one
Address: 1.1.1.1

*** one.one.one.one can’t find apps.www.tmacourse.com: Non-existent domain

Another issue I see: your site www.tmacourse.com currently has a 301 redirect to https://time-management-academy3.teachable.com

curl -Lv --output /dev/null www.tmacourse.com
Host www.tmacourse.com:80 was resolved.
* IPv6: (none)
* IPv4: 3.33.152.147, 15.197.142.173
*   Trying 3.33.152.147:80...
* Connected to www.tmacourse.com (3.33.152.147) port 80
* using HTTP/1.x
> GET / HTTP/1.1
> Host: www.tmacourse.com
> User-Agent: curl/8.14.1
> Accept: */*
>
* Request completely sent off
< HTTP/1.1 301 Moved Permanently
< Date: Wed, 03 Sep 2025 10:02:38 GMT
< Content-Type: text/html; charset=utf-8
< Content-Length: 116
< Connection: keep-alive
< Location: https://time-management-academy3.teachable.com/p/time-management-academy-for-moms
< Server: ip-100-74-4-108.eu-west-2.compute.internal
< Vary: Accept-Encoding
< X-Request-Id: bad8dee3-ba8a-4a23-993f-1b87e55fc5b7
* Ignoring the response-body
* setting size while ignoring

So if you specifically want your Tutor instance served on www.tmacourse.com then you should remove that 301 redirect, adjust the DNS entry (if it’s not currently correct) so that the public IP of your Tutor server is resolved, and set up a wildcard DNS CNAME entry so that *.www.tmacourse.com resolves to the A record configured for your www. entry. Optionally you can configure each of the required subdomains as a CNAME, but wildcards do simplify the operation by cutting down the number of records needed.

Lastly, if your Tutor server is behind a firewall then you should ensure the required ports are forwarded on the firewall to your server; this is needed for the ACME challenge to verify that it can reach the correct server on a domain you own.
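The three checks in the reply above (every Tutor hostname resolves, it resolves to the Tutor server's public IP, and whatever answers on port 80 does not redirect or block the challenge path) can be run as one preflight before `tutor local launch` asks Caddy to request certificates. The script below is an added example, not Tutor's or Caddy's own tooling. It assumes the four subdomain prefixes named in the thread (apps, preview, studio, meilisearch) are the full set Tutor needs, uses the documentation address 203.0.113.10 as a constructed stand-in for the Tutor server's public IP, and replays the nslookup and curl results shown above through fake resolver/HTTP functions so it runs offline; swap in `resolve_system` and `http_head_live` to run it against real DNS and a real server.

```python
import socket
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Optional, Tuple

# Hostnames Tutor derives from LMS_HOST, as listed in the post (apps., preview.,
# studio., meilisearch.); assumed here to be the complete set.
SUBDOMAIN_PREFIXES = ("apps", "preview", "studio", "meilisearch")

Resolver = Callable[[str], List[str]]                    # host -> addresses ([] on NXDOMAIN)
HttpHead = Callable[[str], Tuple[int, Optional[str]]]    # url  -> (status, Location header)


def required_hosts(lms_host: str) -> List[str]:
    """The LMS host plus every subdomain Caddy will request a certificate for."""
    return [lms_host] + [f"{prefix}.{lms_host}" for prefix in SUBDOMAIN_PREFIXES]


def resolve_system(host: str) -> List[str]:
    """Live resolver: all A/AAAA addresses via the OS resolver, [] if the name does not exist."""
    try:
        infos = socket.getaddrinfo(host, 80, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    # Do not follow 3xx: the redirect itself is what we want to observe.
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def http_head_live(url: str) -> Tuple[int, Optional[str]]:
    """Live probe of the challenge path over plain HTTP; (0, None) if port 80 is unreachable."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=10) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as e:        # 3xx/4xx/5xx land here once redirects are disabled
        return e.code, e.headers.get("Location")
    except urllib.error.URLError:
        return 0, None


def preflight(lms_host: str, server_ip: str, resolve: Resolver, http_head: HttpHead) -> Dict[str, List[str]]:
    """Return {host: [findings]}; an empty list means that name looks ready for HTTP-01."""
    report: Dict[str, List[str]] = {}
    for host in required_hosts(lms_host):
        findings: List[str] = []
        addrs = resolve(host)
        if not addrs:
            findings.append("NXDOMAIN: add an A record or a wildcard CNAME for this name")
            report[host] = findings
            continue
        if server_ip not in addrs:
            findings.append(f"resolves to {addrs}, not to the Tutor server {server_ip}")
        # Whatever answers on port 80 must let /.well-known/acme-challenge/ through to Caddy.
        status, location = http_head(f"http://{host}/.well-known/acme-challenge/probe")
        if 300 <= status < 400:
            findings.append(f"port 80 answers {status} redirect to {location}; the challenge never reaches Caddy")
        elif status == 403:
            findings.append("403 on the challenge path: another web server is answering on port 80")
        elif status == 0:
            findings.append("port 80 unreachable: check the firewall / port forwarding")
        report[host] = findings
    return report


# Constructed offline scenario replaying the nslookup and curl output in this thread.
BROKEN_DNS = {"www.tmacourse.com": ["15.197.142.173", "3.33.152.147"]}
TEACHABLE = "https://time-management-academy3.teachable.com/p/time-management-academy-for-moms"
TUTOR_IP = "203.0.113.10"   # constructed stand-in for the Tutor server's public IP


def broken_resolve(host: str) -> List[str]:
    return BROKEN_DNS.get(host, [])


def broken_http(url: str) -> Tuple[int, Optional[str]]:
    return 301, TEACHABLE


# The same names after the fix: everything resolves to the Tutor server and the
# probe token gets a plain 404 (assumed: no redirect, no 403) instead of a redirect.
def fixed_resolve(host: str) -> List[str]:
    return [TUTOR_IP]


def fixed_http(url: str) -> Tuple[int, Optional[str]]:
    return 404, None


if __name__ == "__main__":
    for host, findings in preflight("www.tmacourse.com", TUTOR_IP, broken_resolve, broken_http).items():
        print(f"{host:35} {'OK' if not findings else findings}")
```

The wildcard CNAME suggested in the reply makes every `*.www.tmacourse.com` name resolve, but note it only satisfies the first check; the redirect on port 80 still has to go, because the HTTP-01 validator will follow the 301 to Teachable and never see the token Caddy serves.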

Hi @joel.edwards,

I haven’t actually added that domain into my DNS records yet, so I’m a bit confused why tmacourse.com already shows up as if it’s configured. Also, I don’t know why it is automatically redirecting to that Teachable site — I didn’t set that up myself.