When looking at the logs, I notice that the time in Caddy is 1 hour different than the system time. I think this is causing the local certificate to be invalid.
I did not have this error a few days ago and I can’t get my head around what I could have changed to have this mismatch. The system time(zone) is correct.
4. Error messages and/or full log output:
2021/03/07 16:28:59.735 ERROR http.log.error x509: certificate has expired or is not yet valid: current time 2021-03-07T17:28:59+01:00 is after 2021-03-05T03:52:06Z {"request": {"remote_addr": "192.168.5.1:4954", "proto": "HTTP/2.0", "method": "POST", "host": "bpass.intrafit.nl", "uri": "/identity/connect/token", "headers": {"Accept-Language": ["en-GB,en;q=0.5"], "Accept-Encoding": ["gzip, deflate, br"], "Device-Type": ["3"], "Origin": ["moz-extension://fa1d4d8a-3175-4671-9c06-8150bf64cb83"], "Content-Length": ["151"], "Pragma": ["no-cache"], "Te": ["trailers"], "User-Agent": ["Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:86.0) Gecko/20100101 Firefox/86.0"], "Content-Type": ["application/x-www-form-urlencoded; charset=utf-8"], "Cache-Control": ["no-cache"], "Accept": ["application/json"]}, "tls": {"resumed": false, "version": 772, "cipher_suite": 4865, "proto": "h2", "proto_mutual": true, "server_name": "bpass.intrafit.nl"}}, "duration": 0.018063684, "status": 502, "err_id": "70h04ts6z", "err_trace": "reverseproxy.statusError (reverseproxy.go:783)"}
5. What I already tried:
Although I’m pretty sure I had this working OK with the latest Caddy, I went back to Caddy 2.3.0 without any noticeable change.
What user are you using to run Caddy? You can check if there’s a TZ environment variable set for that user. Running with the --environ flag will have Caddy print its environment at startup.
Well, I changed the timezone (back) to UTC, which is the time Caddy uses in the log. So the system date and time are the same as the timestamps in the Caddy log.
I can’t recall having changed it, but I’ve been tweaking so many systems over the last couple of days that I may have… :-
I still have the same error message about the certificate. Could this be because it has not been regenerated yet? Is there a way to enforce this?
You can delete the certificate from Caddy’s storage and it’ll force a re-issue. But that error looks to be that Caddy can’t trust the certificate of your upstream app, not the certificate it’s managing itself on that server. So check your upstream server’s logs; something must’ve happened for it to not renew and end up with an expired cert.
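The reply above makes a point worth checking mechanically: the x509 error line already contains both timestamps, so you can tell a genuinely expired upstream certificate apart from a clock-skew problem without guessing. The script below is an added example, not code from the thread or from the Caddy project. It parses the error line from the original post (trimmed to the relevant part and embedded here as a constructed sample, together with a second constructed line that mimics a small skew), normalises both timestamps to UTC so the `+01:00` versus `Z` offsets do not look like a spurious hour, and reports how far outside the validity window the clock is. It also checks that the log line's own prefix, read as UTC as the thread concludes Caddy logs in UTC, is the same instant as the error's "current time". The 300-second skew tolerance and the function names are my own assumptions.

```python
import re
from datetime import datetime, timezone

# Constructed sample input: the x509 error line from the thread, trimmed to
# the part that matters (the JSON request dump is dropped).
SAMPLE_LOG = (
    "2021/03/07 16:28:59.735 ERROR http.log.error x509: certificate has expired "
    "or is not yet valid: current time 2021-03-07T17:28:59+01:00 is after "
    "2021-03-05T03:52:06Z"
)

# Constructed second sample: same error shape, but the validity bound is only
# seconds away, which is what a clock-skew problem looks like.
SKEW_LOG = (
    "2021/03/07 16:28:59.000 ERROR http.log.error x509: certificate has expired "
    "or is not yet valid: current time 2021-03-07T16:28:59Z is before "
    "2021-03-07T16:29:30Z"
)

PREFIX_RE = re.compile(r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})")
X509_RE = re.compile(
    r"current time (?P<now>\S+) is (?P<rel>after|before) (?P<bound>\S+)"
)


def parse_rfc3339(s):
    """Parse a Go-style RFC 3339 timestamp into a timezone-aware datetime."""
    # datetime.fromisoformat only accepts a trailing 'Z' from Python 3.11 on
    if s.endswith("Z"):
        s = s[:-1] + "+00:00"
    return datetime.fromisoformat(s)


def classify_x509_error(line, skew_tolerance_s=300):
    """Describe the x509 time error in a Caddy log line, or return None.

    Both timestamps are normalised to UTC before comparing, so a +01:00
    offset on one side and 'Z' on the other never shows up as a spurious hour.
    """
    m = X509_RE.search(line)
    if m is None:
        return None
    now_utc = parse_rfc3339(m.group("now")).astimezone(timezone.utc)
    bound_utc = parse_rfc3339(m.group("bound")).astimezone(timezone.utc)
    if m.group("rel") == "after":
        delta_s = (now_utc - bound_utc).total_seconds()   # seconds past NotAfter
        verdict = "expired"
    else:
        delta_s = (bound_utc - now_utc).total_seconds()   # seconds before NotBefore
        verdict = "not_yet_valid"
    # A gap of seconds or minutes points at clock drift (assumed tolerance);
    # a gap of days means the upstream really is serving a certificate that
    # is outside its validity window, and the upstream is where to look.
    if delta_s <= skew_tolerance_s:
        verdict = "clock_skew"
    return {
        "now_utc": now_utc,
        "bound_utc": bound_utc,
        "delta_seconds": delta_s,
        "verdict": verdict,
    }


def log_prefix_matches_error_time(line):
    """True if the line's own timestamp (read as UTC) equals the error's
    'current time'; a mismatch would mean the two clocks really differ."""
    p = PREFIX_RE.match(line)
    info = classify_x509_error(line)
    if p is None or info is None:
        return False
    prefix_utc = datetime.strptime(p.group(1), "%Y/%m/%d %H:%M:%S")
    prefix_utc = prefix_utc.replace(tzinfo=timezone.utc)
    return prefix_utc == info["now_utc"].replace(microsecond=0)


if __name__ == "__main__":
    for line in (SAMPLE_LOG, SKEW_LOG):
        info = classify_x509_error(line)
        print(info["verdict"], int(info["delta_seconds"]), "s past the bound;",
              "log prefix consistent:", log_prefix_matches_error_time(line))
```

For the thread's line this reports "expired" with the clock more than two days past the certificate's NotAfter and the log prefix consistent with the error time, which is exactly the reply's diagnosis: the hour difference is only a display offset, and the upstream certificate had genuinely lapsed.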
I did not see any error message in the upstream Caddy that could give away the issue.
Didn’t think about just deleting the cert.
I deleted the certificates for (all) the local hostnames and restarted Caddy up- and downstream. New certificates were generated and all is working as expected.
No clue what could have caused this issue but I’ll monitor it for a few days before making changes again.