1. The problem I’m having:
Updating from 2.6.4 to 2.7.0-beta.1.
My attempt on our setup results in SSL for all domains that were previously working like a charm. Reverting to 2.6.4 fixes the issue.
Basically it looks like caddy does not find existing certificates and tries to get new certificates for all domains.
There are maybe around 3000 domain certificates on the server, so I guess it would take ages to get a new cert for each (rate limiting, etc.).
May I ask if it is supposed to happen? Like maybe there were some changes in how certificates are stored/indexed and maybe 2.7.x can’t load existing certs from 2.6.4?
Thanks for the info!
2. Error messages and/or full log output:
Nothing special in the log, except that it seems to try to get a NEW certificate for all previously existing domains. Also some HTTP/3 stuff, but I’m not sure it’s related, example:
{"level":"error","ts":1687146821.2925706,"logger":"http.log","msg":"setting HTTP/3 Alt-Svc header","error":"no port can be announced, specify it explicitly using Server.Port or Server.Addr"}
3. Caddy version:
v2.7.0-beta.1 h1:hKYXjAR/7Tn/DVfsu9j1ER8O1qLHh6163a7RoStRBXI=
4. How I installed and ran Caddy:
Homemade RPM package for our platform
a. System environment:
CloudLinux 8.x (AlmaLinux)
b. Command:
Started with systemd
c. Service/unit/compose file:
[Unit]
Description=Caddy
Documentation=https://caddyserver.com/docs/
After=network.target network-online.target
Requires=network-online.target
[Service]
Type=notify
User=caddy
Group=caddy
ExecStart=/usr/bin/caddy run --environ --config /etc/caddy/Caddyfile
ExecReload=/usr/bin/caddy reload --config /etc/caddy/Caddyfile --force
TimeoutStopSec=5s
LimitNOFILE=1048576
LimitNPROC=512
PrivateTmp=true
ProtectSystem=full
AmbientCapabilities=CAP_NET_BIND_SERVICE
[Install]
WantedBy=multi-user.target
d. My complete Caddy config:
{
	admin 127.0.0.1:8888
	default_bind 127.0.0.1 [::1] 10.111.20.10 [fdaa:beef:b00b:85::20:10]
	grace_period 3s
	log {
		output file /var/log/caddy/caddy.log {
			roll_size 250MiB
			roll_keep_for 15d
		}
		level ERROR
	}
	email letsencrypt@youwishyouknow.com
	acme_dns rfc2136 {
		key_name "dev.youwishyouknow.com"
		key_alg "hmac-sha512"
		key "crapkey"
		server "83.X.158.X:53"
	}
	on_demand_tls {
		ask https://api.youwishyouknow.com/caddy
		interval 2m
		burst 5
	}
	servers {
		trusted_proxies cloudflare {
			interval 12h
			timeout 15s
		}
	}
}

# Common options we want to apply to every "virtualhosts"
(common) {
	@sc_server_fqdn {
		path /_sc_get_server_fqdn
	}
	respond @sc_server_fqdn "dev.youwishyouknow.com" 200 {
		close
	}
	reverse_proxy http://127.0.0.80:80
}

# Default catchall endpoints
http:// {
	import common
}
https:// {
	import common
	tls {
		on_demand
		load /etc/caddy/certs
	}
}

# Hostname endpoint
http://dev.youwishyouknow.com {
	redir https://{host}{uri}
}
https://dev.youwishyouknow.com {
	# Imunify AV+ access restriction
	@imav_access {
		path /imav*
		not remote_ip 192.168.50.0/24 10.111.0.4
	}
	route @imav_access {
		respond "We're sorry, but this resource is not available for you. If you feed this is an error, please contact your amazing server administrator." 403 {
			close
		}
	}
	import common
}

# LVE Manager endpoint
http://manager.dev.youwishyouknow.com {
	redir https://{host}{uri}
}
https://manager.dev.youwishyouknow.com {
	@manager_access {
		not remote_ip 192.168.50.0/24 10.111.0.4
	}
	route @manager_access {
		respond "We're sorry, but this resource is not available for you. If you feed this is an error, please contact your amazing server administrator." 403 {
			close
		}
	}
	reverse_proxy http://127.0.0.1:9000
}

# IP endpoints
http://127.0.0.1, http://[::1], http://10.111.20.10, http://[fdaa:beef:b00b:85::20:10] {
	import common
}
https://127.0.0.1, https://[::1], https://10.111.20.10, https://[fdaa:beef:b00b:85::20:10] {
	import common
	tls internal
}

# Per virtualhost specific configs
import /etc/caddy/customers/*.conf
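Before an upgrade that may send thousands of domains back through ACME (and into the rate limits the post worries about), it helps to know exactly which certificates are on disk, who issued them and when they expire, so that a "tries to get a NEW certificate" log line can be compared against real inventory. The following Go program is an added example, not code from the post or from Caddy itself: it walks a directory, parses every `*.crt` / `*.pem` leaf certificate with the standard library's `crypto/x509`, lists SANs, issuer and expiry, and flags certificates expiring within a window. The default path `/etc/caddy/certs` is taken from the `load` line in the Caddyfile above and is an assumption; point it at Caddy's own data directory to inventory ACME-managed certificates instead. `SelfSignedPEM` only exists to generate constructed sample input for trying the scanner offline.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"io/fs"
	"math/big"
	"os"
	"path/filepath"
	"strings"
	"time"
)

// CertInfo is what an operator wants to know about each stored certificate before an upgrade.
type CertInfo struct {
	Path     string
	Names    []string // DNS SANs as found in the certificate
	Issuer   string   // issuer CN: tells ACME-issued certs apart from `tls internal` ones
	NotAfter time.Time
}

// ScanDir walks dir recursively and parses the first CERTIFICATE block of every *.crt / *.pem file.
// Any unreadable or non-certificate file aborts the scan with an error naming the file.
func ScanDir(dir string) ([]CertInfo, error) {
	var out []CertInfo
	err := filepath.WalkDir(dir, func(path string, d fs.DirEntry, walkErr error) error {
		if walkErr != nil || d.IsDir() {
			return walkErr
		}
		if ext := strings.ToLower(filepath.Ext(path)); ext != ".crt" && ext != ".pem" {
			return nil // skip private keys, JSON metadata and anything else
		}
		data, err := os.ReadFile(path)
		if err != nil {
			return err
		}
		block, _ := pem.Decode(data) // leaf comes first; a trailing chain is ignored
		if block == nil || block.Type != "CERTIFICATE" {
			return fmt.Errorf("%s: no CERTIFICATE block", path)
		}
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return fmt.Errorf("%s: %w", path, err)
		}
		out = append(out, CertInfo{Path: path, Names: cert.DNSNames, Issuer: cert.Issuer.CommonName, NotAfter: cert.NotAfter})
		return nil
	})
	return out, err
}

// Expiring returns the certificates whose NotAfter falls before now+within, already-expired ones included.
func Expiring(certs []CertInfo, now time.Time, within time.Duration) []CertInfo {
	var hits []CertInfo
	for _, c := range certs {
		if c.NotAfter.Before(now.Add(within)) {
			hits = append(hits, c)
		}
	}
	return hits
}

// SelfSignedPEM builds a throwaway self-signed certificate. It is constructed sample input so the
// example can be exercised without real ACME material; Caddy never writes such a file.
func SelfSignedPEM(names []string, notAfter time.Time) ([]byte, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: names[0]},
		DNSNames:     names,
		NotBefore:    notAfter.Add(-90 * 24 * time.Hour),
		NotAfter:     notAfter,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

func main() {
	dir := "/etc/caddy/certs" // assumed: the `load` directory from the Caddyfile above
	certs, err := ScanDir(dir)
	if err != nil {
		fmt.Fprintln(os.Stderr, "scan:", err)
		os.Exit(1)
	}
	for _, c := range certs {
		fmt.Printf("%s\t%s\tissuer=%q\tnotAfter=%s\n", c.Path, strings.Join(c.Names, ","), c.Issuer, c.NotAfter.Format(time.RFC3339))
	}
	fmt.Printf("%d certificate(s), %d expiring within 30 days\n", len(certs), len(Expiring(certs, time.Now(), 30*24*time.Hour)))
}
```

Running the inventory on the old version, keeping the output, and diffing it against what the new version reports (or requests) turns "it seems to try to get a NEW certificate" into a concrete list of which domains' certificates were not found, which is the data a bug report on this would need. The scanner deliberately fails loudly on a non-certificate `.crt` file rather than skipping it, since a silently ignored file is exactly the kind of thing that makes a "missing certificate" problem hard to diagnose.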