Hi!
I got a notification for a new certificate issued for my domain. I checked the Caddy logs:
2017/09/11 01:42:48 [INFO][domain .com] acme: Trying renewal with 714 hours remaining
2017/09/11 01:42:48 [INFO][domain .com] acme: Obtaining bundled SAN certificate
2017/09/11 01:42:48 [INFO][domain .com] AuthURL: https://acme-v01.api.letsencrypt. org/acme/authz/xxxxxxxxx
2017/09/11 01:42:48 [INFO][domain .com] acme: Could not find solver for: tls-sni-01
2017/09/11 01:42:48 [INFO][domain .com] acme: Could not find solver for: http-01
2017/09/11 01:42:48 [INFO][domain .com] acme: Trying to solve DNS-01
2017/09/11 01:42:49 [INFO][domain .com] Checking DNS record propagation using [127.0.0.11:53]
2017/09/11 01:42:53 [INFO][domain .com] The server validated our request
2017/09/11 01:42:54 [INFO][domain .com] acme: Validations succeeded; requesting certificates
2017/09/11 01:42:54 [INFO] acme: Requesting issuer cert from https://acme-v01.api.letsencrypt. org/acme/issuer-cert
2017/09/11 01:42:55 [INFO][domain .com] Server responded with a certificate.
2017/09/11 01:42:55 [INFO][domain .com] Certificate written to disk: /root/.caddy/acme/acme-v01.api.letsencrypt. org/sites/domain .com/domain .com.crt
2017/09/11 01:42:55 [NOTICE] There is already a certificate loaded for domain .com, so certificate for [domain .com] will not service that name
Then, 12 hours later…
2017/09/11 13:42:26 [INFO][domain .com] acme: Trying renewal with 2147 hours remaining
2017/09/11 13:42:26 [INFO][domain .com] acme: Obtaining bundled SAN certificate
2017/09/11 13:42:26 [INFO][domain .com] AuthURL: https://acme-v01.api.letsencrypt. org/acme/authz/xxxxxxxxxxxx
2017/09/11 13:42:26 [INFO][domain .com] acme: Authorization already valid;skipping challenge
2017/09/11 13:42:26 [INFO][domain .com] acme: Validations succeeded; requesting certificates
2017/09/11 13:42:27 [INFO] acme: Requesting issuer cert from https://acme-v01.api.letsencrypt. org/acme/issuer-cert
2017/09/11 13:42:27 [INFO][domain .com] Server responded with a certificate.
2017/09/11 13:42:27 [INFO][domain .com] Certificate written to disk: /root/.caddy/acme/acme-v01.api.letsencrypt. org/sites/domain .com/domain .com.crt
2017/09/11 13:42:27 [NOTICE] There is already a certificate loaded for domain .com, so certificate for [domain .com] will not service that name
So, Caddy renewed the certificate again. When I check my website, it's still serving the old certificate (that is going to expire in 714 hours). But, decoding the domain .com.crt file on the disk, I can see that it's the new certificate (valid till December 10). Did Caddy store the old certificate in RAM and not check the disk? Weirdly, it can see the new certificate, as the first line of the second log mentions 2147 hours (about 3 months), but it still serves the old certificate.
I did not restart Caddy yet (it's in a Docker container) because I want to check if Caddy will try to renew the certificate again or if it will use the newly issued one.
Please note that I'm still on Caddy 0.10.7 (will upgrade to 0.10.8). Here's my Caddyfile:
domain .com {
    basicauth / user password
    tls email@domain .com {
        dns cloudflare
        key_type p384
        protocols tls1.2
        must_staple
        curves p384
        ciphers ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-GCM-SHA384
    }
    header / {
        Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
        Cache-Control "max-age=86400"
        Content-Security-Policy "default-src https:; script-src https: 'unsafe-inline'; style-src https: 'unsafe-inline'"
        X-Content-Type-Options "nosniff"
        X-Frame-Options "SAMEORIGIN"
        X-XSS-Protection "1; mode=block"
        Referrer-Policy "no-referrer"
        #-Server
    }
    proxy / ip:port
}
Thanks for any input about this issue! (Please note that I added a space between domain and .com as the forum converted them to links.)
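A quick way to confirm the mismatch described in the post (the certificate the site serves versus the .crt Caddy wrote to disk), as an added example that is not part of the original post or of Caddy: it fetches the leaf certificate the server presents and compares its SHA-256 fingerprint with the first block of the bundled .crt file (Caddy writes leaf first, then issuer). The host name and storage path in the `__main__` section are assumptions taken from the post; adjust them to your own setup.

```python
"""Compare the certificate a TLS endpoint serves with the one on disk.
Added example (not from the original post); host and path are assumptions."""
import base64
import hashlib
import re
import ssl

# One CERTIFICATE block; re.S lets the base64 body span lines.
_PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def pem_certs_to_der(pem_text):
    """Return DER bytes for every CERTIFICATE block, in file order.
    A bundled .crt holds leaf then issuer, so index 0 is the leaf."""
    return [base64.b64decode(re.sub(r"\s+", "", body))
            for body in _PEM_BLOCK.findall(pem_text)]


def fingerprint_sha256(der):
    """Colon-separated SHA-256 fingerprint, same layout as openssl prints."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def served_leaf_der(host, port=443):
    """Leaf certificate actually presented for `host` (SNI is sent)."""
    return pem_certs_to_der(ssl.get_server_certificate((host, port)))[0]


def disk_leaf_der(path):
    """Leaf certificate from a (possibly bundled) PEM file on disk."""
    with open(path) as f:
        return pem_certs_to_der(f.read())[0]


def served_matches_disk(served_pem, disk_pem):
    """True when the served leaf is byte-identical to the leaf on disk."""
    served, disk = pem_certs_to_der(served_pem), pem_certs_to_der(disk_pem)
    if not served or not disk:
        raise ValueError("no CERTIFICATE block found")
    return fingerprint_sha256(served[0]) == fingerprint_sha256(disk[0])


if __name__ == "__main__":
    host = "domain.com"  # assumed, from the post
    crt = "/root/.caddy/acme/acme-v01.api.letsencrypt.org/sites/domain.com/domain.com.crt"
    served, on_disk = fingerprint_sha256(served_leaf_der(host)), fingerprint_sha256(disk_leaf_der(crt))
    print("served :", served)
    print("on disk:", on_disk)
    print("MATCH" if served == on_disk else "MISMATCH: served cert differs from the file on disk")
```

If it reports MISMATCH while the .crt on disk is the newer certificate, the running process is still holding the old certificate in memory, which is exactly the symptom the post describes.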