Caddy renewing already renewed certificates


(Geoffrey Richard) #1

Hi!

I got a notification for a new certificate issued for my domain. I checked the Caddy logs:

2017/09/11 01:42:48 [INFO][domain .com] acme: Trying renewal with 714 hours remaining
2017/09/11 01:42:48 [INFO][domain .com] acme: Obtaining bundled SAN certificate
2017/09/11 01:42:48 [INFO][domain .com] AuthURL: https://acme-v01.api.letsencrypt. org/acme/authz/xxxxxxxxx
2017/09/11 01:42:48 [INFO][domain .com] acme: Could not find solver for: tls-sni-01
2017/09/11 01:42:48 [INFO][domain .com] acme: Could not find solver for: http-01
2017/09/11 01:42:48 [INFO][domain .com] acme: Trying to solve DNS-01
2017/09/11 01:42:49 [INFO][domain .com] Checking DNS record propagation using [127.0.0.11:53]
2017/09/11 01:42:53 [INFO][domain .com] The server validated our request
2017/09/11 01:42:54 [INFO][domain .com] acme: Validations succeeded; requesting certificates
2017/09/11 01:42:54 [INFO] acme: Requesting issuer cert from https://acme-v01.api.letsencrypt. org/acme/issuer-cert
2017/09/11 01:42:55 [INFO][domain .com] Server responded with a certificate.
2017/09/11 01:42:55 [INFO][domain .com] Certificate written to disk: /root/.caddy/acme/acme-v01.api.letsencrypt. org/sites/domain .com/domain .com.crt
2017/09/11 01:42:55 [NOTICE] There is already a certificate loaded for domain .com, so certificate for [domain .com] will not service that name

Then, 12 hours later…

2017/09/11 13:42:26 [INFO][domain .com] acme: Trying renewal with 2147 hours remaining
2017/09/11 13:42:26 [INFO][domain .com] acme: Obtaining bundled SAN certificate
2017/09/11 13:42:26 [INFO][domain .com] AuthURL: https://acme-v01.api.letsencrypt. org/acme/authz/xxxxxxxxxxxx
2017/09/11 13:42:26 [INFO][domain .com] acme: Authorization already valid;skipping challenge
2017/09/11 13:42:26 [INFO][domain .com] acme: Validations succeeded; requesting certificates
2017/09/11 13:42:27 [INFO] acme: Requesting issuer cert from https://acme-v01.api.letsencrypt. org/acme/issuer-cert
2017/09/11 13:42:27 [INFO][domain .com] Server responded with a certificate.
2017/09/11 13:42:27 [INFO][domain .com] Certificate written to disk: /root/.caddy/acme/acme-v01.api.letsencrypt. org/sites/domain .com/domain .com.crt
2017/09/11 13:42:27 [NOTICE] There is already a certificate loaded for domain .com, so certificate for [domain .com] will not service that name

So, Caddy renewed the certificate again. When I check my website, it’s still serving the old certificate (that is going to expire in 714 hours). But, decoding the domain .com.crt file on the disk, I can see that it’s the new certificate (valid till December 10). Did Caddy store the old certificate in RAM and not check the disk? Weirdly, it can see the new certificate, as the first line of the second log mentions 2147 hours (about 3 months), but it still serves the old certificate.

I did not restart Caddy yet (it’s in a Docker container) because I want to check if Caddy will try to renew the certificate again or if it will use the newly issued one.

Please note that I’m still on Caddy 0.10.7 (will upgrade to 0.10.8). Here’s my Caddyfile:

domain .com {
    basicauth / user password
    tls email@domain .com {
        dns cloudflare
        key_type p384
        protocols tls1.2
        must_staple
        curves p384
        ciphers ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-GCM-SHA384
    }
    header / {
        Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
        Cache-Control "max-age=86400"
        Content-Security-Policy "default-src https:; script-src https: 'unsafe-inline'; style-src https: 'unsafe-inline'"
        X-Content-Type-Options "nosniff"
        X-Frame-Options "SAMEORIGIN"
        X-XSS-Protection "1; mode=block"
        Referrer-Policy "no-referrer"
        #-Server
    }
    proxy / ip:port
}

Thanks for any input about this issue! (Please note that I added a space between domain and .com as the forum converted them to links.)


(Matt Holt) #2

This might be a bug. I’m looking into it.


(Geoffrey Richard) #3

Thanks! Let me know if you need my “real” logs and caddyfile.

I serve multiple domains and subdomains and the issue is the same for all certificates up for renewal.


(Matt Holt) #4

All fixed. Can you build from source and double-check? I confirmed here that I was able to reproduce the bug and it does not happen with this change.


(Geoffrey Richard) #5

Seems like it did the trick. Thanks for your help!


(system) #6

This topic was automatically closed 90 days after the last reply. New replies are no longer allowed.