1. Caddy version (caddy version):
v2.4.3
2. How I run Caddy:
- We have 5 servers running behind an AWS network load balancer.
- They share the same storage using AWS EFS.
- Every server has the same Caddyfile, but it isn't located in the shared storage (EFS), just in the local storage of each server.
a. System environment:
Ubuntu 20.04.2 LTS (GNU/Linux 5.8.0-1041-aws x86_64)
Simple install without Docker
b. Command:
The Caddy services run automatically in the background.
d. My complete Caddyfile or JSON config:
{
	#debug
	storage file_system {
		root /mnt/efs/caddy_data
	}
	log HHHH {
		output file /var/caddy_log/requests.log {
			roll_size 200mb
			roll_keep 3
			roll_keep_for 24h
		}
		level WARN
	}
	# TLS Options
	email HHHH @ HHHH .com
	on_demand_tls {
		ask https://www. HHHH .com/isDomainValid.php
	}
}

https:// {
	tls {
		on_demand
		issuer acme {
			email HHHH @ HHHH .com
		}
		issuer zerossl HHHH {
			email HHHH @ HHHH .com
		}
	}
	reverse_proxy 76.223. HHHH . HHHH {
		header_down -proxy-cache
	}
}
3. The problem I’m having:
From the logs, I can see that Caddy tries to obtain SSL certificates for domains that got them weeks ago. It looks like you can find them in the EFS, and yet it tries to request them from the ACME providers, without success (anyway, Let's Encrypt blocks us all the time because of that).
Example 1 (this domain already has an SSL certificate, is working, and doesn't need to renew):
Feb 06 14:13:47 ip-172-30-0-105 caddy[478]: {"level":"info","ts":1644156827.5849168,"logger":"tls.issuance.acme","msg":"done waiting on internal rate limiter","identifiers":["userdomain . com"],"ca":"https://acme-v02.api.letsencrypt.org/directory","account":"noam @ myaccount .com"}
Feb 06 14:13:47 ip-172-30-0-105 caddy[478]: {"level":"error","ts":1644156827.8435564,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"userdomain . com","issuer":"acme-v02.api.letsencrypt.org-directory","error":"HTTP 429 urn:ietf:params:acme:error:rateLimited - Error creating new order :: too many new orders recently: see https://letsencrypt.org/docs/rate-limits/"}
Feb 06 14:13:47 ip-172-30-0-105 caddy[478]: {"level":"info","ts":1644156827.8480592,"logger":"tls.issuance.acme","msg":"waiting on internal rate limiter","identifiers":["userdomain . com"],"ca":"https://acme.zerossl.com/v2/DV90","account":"noam @ myaccount .com"}
Feb 06 14:13:47 ip-172-30-0-105 caddy[478]: {"level":"info","ts":1644156827.8862772,"logger":"tls.issuance.acme","msg":"done waiting on internal rate limiter","identifiers":["userdomain . com"],"ca":"https://acme.zerossl.com/v2/DV90","account":"noam @ myaccount .com"}
Example 2 (this domain already has an SSL certificate, is working, and doesn't need to renew):
Feb 06 14:13:47 ip-172-30-0-105 caddy[478]: {"level":"info","ts":1644156827.3583622,"logger":"tls.issuance.acme","msg":"done waiting on internal rate limiter","identifiers":["userdomain . com"],"ca":"https://acme-v02.api.letsencrypt.org/directory","account":"noam @ myaccount .com"}
Feb 06 14:13:47 ip-172-30-0-105 caddy[478]: {"level":"error","ts":1644156827.5857646,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"userdomain . com","issuer":"acme-v02.api.letsencrypt.org-directory","error":"HTTP 429 urn:ietf:params:acme:error:rateLimited - Error creating new order :: too many new orders recently: see https://letsencrypt.org/docs/rate-limits/"}
Feb 06 14:13:47 ip-172-30-0-105 caddy[478]: {"level":"info","ts":1644156827.5882902,"logger":"tls.issuance.acme","msg":"waiting on internal rate limiter","identifiers":["userdomain . com"],"ca":"https://acme.zerossl.com/v2/DV90","account":"noam @ myaccount .com"}
Feb 06 14:13:47 ip-172-30-0-105 caddy[478]: {"level":"info","ts":1644156827.6695735,"logger":"tls.issuance.acme","msg":"done waiting on internal rate limiter","identifiers":["userdomain . com"],"ca":"https://acme.zerossl.com/v2/DV90","account":"noam @ myaccount .com"}
Thanks
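An added triage script (not from the post and not Caddy's own code) that parses journald-prefixed Caddy JSON log lines like the ones quoted above and flags identifiers that hit an ACME rate limit, or were tried at more than one CA, without a successful obtain. The sample lines and the `certificate obtained successfully` event are constructed for this example, and the script assumes the log shape shown in the post.

```python
import json
from collections import Counter, defaultdict

# Constructed sample in the shape of the journald-prefixed Caddy JSON lines quoted
# in the post (domains and account are placeholders, not the poster's values).
SAMPLE_LOG = """\
Feb 06 14:13:47 ip-172-30-0-105 caddy[478]: {"level":"info","ts":1644156827.58,"logger":"tls.issuance.acme","msg":"done waiting on internal rate limiter","identifiers":["userdomain.example"],"ca":"https://acme-v02.api.letsencrypt.org/directory","account":"ops@example.com"}
Feb 06 14:13:47 ip-172-30-0-105 caddy[478]: {"level":"error","ts":1644156827.84,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"userdomain.example","issuer":"acme-v02.api.letsencrypt.org-directory","error":"HTTP 429 urn:ietf:params:acme:error:rateLimited - Error creating new order :: too many new orders recently: see https://letsencrypt.org/docs/rate-limits/"}
Feb 06 14:13:47 ip-172-30-0-105 caddy[478]: {"level":"info","ts":1644156827.85,"logger":"tls.issuance.acme","msg":"waiting on internal rate limiter","identifiers":["userdomain.example"],"ca":"https://acme.zerossl.com/v2/DV90","account":"ops@example.com"}
Feb 06 14:13:47 ip-172-30-0-105 caddy[478]: {"level":"info","ts":1644156827.89,"logger":"tls.issuance.acme","msg":"done waiting on internal rate limiter","identifiers":["userdomain.example"],"ca":"https://acme.zerossl.com/v2/DV90","account":"ops@example.com"}
Feb 06 14:14:02 ip-172-30-0-105 caddy[478]: {"level":"info","ts":1644156842.10,"logger":"tls.issuance.acme","msg":"done waiting on internal rate limiter","identifiers":["other.example"],"ca":"https://acme-v02.api.letsencrypt.org/directory","account":"ops@example.com"}
Feb 06 14:14:03 ip-172-30-0-105 caddy[478]: {"level":"info","ts":1644156843.00,"logger":"tls.obtain","msg":"certificate obtained successfully","identifier":"other.example"}
Feb 06 14:14:03 ip-172-30-0-105 systemd[1]: not a caddy line, skipped by the parser
"""


def parse_caddy_journal(text):
    """Yield the JSON object embedded in each journald line; skip lines without one."""
    for line in text.splitlines():
        start = line.find("{")
        if start < 0:
            continue
        try:
            yield json.loads(line[start:])
        except json.JSONDecodeError:
            continue  # journald noise or a truncated line


def issuance_report(text):
    """Per identifier: order attempts per CA, ACME rate-limit hits, whether an obtain succeeded."""
    report = defaultdict(lambda: {"attempts": Counter(), "rate_limited": 0, "obtained": False})
    for ev in parse_caddy_journal(text):
        logger, msg = ev.get("logger", ""), ev.get("msg", "")
        # "done waiting on internal rate limiter" is logged right before Caddy places an order
        if logger == "tls.issuance.acme" and msg == "done waiting on internal rate limiter":
            for ident in ev.get("identifiers", []):
                report[ident]["attempts"][ev.get("ca", "?")] += 1
        elif logger == "tls.obtain":
            ident = ev.get("identifier", "?")
            if "rateLimited" in ev.get("error", ""):
                report[ident]["rate_limited"] += 1
            elif msg == "certificate obtained successfully":
                report[ident]["obtained"] = True
    return dict(report)


def suspicious(report):
    """Identifiers still unobtained after a rate-limit hit or after trying more than one CA."""
    return sorted(d for d, r in report.items()
                  if not r["obtained"] and (r["rate_limited"] or len(r["attempts"]) > 1))
```

Run it over `journalctl -u caddy -o cat` output to get the list of domains whose stored certificate in the EFS root is worth inspecting before the next issuance attempt.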