Caddy won't restart after updating certificates

1. Caddy version (caddy version):

2.4.6

2. How I run Caddy:

a. System environment:

CentOS 7

b. Command:

systemctl start caddy, or caddy run

c. Service/unit/compose file:

# caddy.service
#
# For using Caddy with a config file.
#
# Make sure the ExecStart and ExecReload commands are correct
# for your installation.
#
# See https://caddyserver.com/docs/install for instructions.
#
# WARNING: This service does not use the --resume flag, so if you
# use the API to make changes, they will be overwritten by the
# Caddyfile next time the service is restarted. If you intend to
# use Caddy's API to configure it, add the --resume flag to the
# `caddy run` command or use the caddy-api.service file instead.

[Unit]
Description=Caddy
Documentation=https://caddyserver.com/docs/
After=network.target network-online.target
Requires=network-online.target

[Service]
Type=notify
User=caddy
Group=caddy
ExecStart=/usr/bin/caddy run --environ --config /etc/caddy/Caddyfile
ExecReload=/usr/bin/caddy reload --config /etc/caddy/Caddyfile
TimeoutStopSec=5s
LimitNOFILE=1048576
LimitNPROC=512
PrivateTmp=true
ProtectSystem=full
AmbientCapabilities=CAP_NET_BIND_SERVICE

[Install]
WantedBy=multi-user.target

d. My complete Caddyfile or JSON config:

bb-lg.comcast.net:443 {
    tls /etc/caddy/bb-lg.comcast.net.pem /etc/caddy/bb-lg.comcast.net.key
    file_server {
        root /etc/hyperglass/static/ui
    }
    file_server /custom/* {
        root /etc/hyperglass/static/custom/
    }
    file_server /images/* {
        root /etc/hyperglass/static/images/
    }
    reverse_proxy localhost:8001
}

3. The problem I’m having:

My TLS certs expired, so I had to update them. I copied the new pem and key files to /etc/caddy using the same names as what was already in use, then I restarted Caddy, but it fails to restart.

4. Error messages and/or full log output:

$ caddy start
2022/04/27 17:17:18.726 INFO using adjacent Caddyfile
2022/04/27 17:17:18.728 WARN input is not formatted with 'caddy fmt' {"adapter": "caddyfile", "file": "Caddyfile", "line": 2}
2022/04/27 17:17:18.729 INFO admin admin endpoint started {"address": "tcp/localhost:2019", "enforce_origin": false, "origins": ["localhost:2019", "[::1]:2019", "127.0.0.1:2019"]}
2022/04/27 17:17:18.730 INFO tls.cache.maintenance started background certificate maintenance {"cache": "0xc0000e76c0"}
2022/04/27 17:17:18.730 INFO tls.cache.maintenance stopped background certificate maintenance {"cache": "0xc0000e76c0"}
run: loading initial config: loading new config: loading http app module: provision http: getting tls app: loading tls app module: provision tls: loading certificates: tls: failed to find "CERTIFICATE" PEM block in certificate input after skipping PEM blocks of the following types: [DH PARAMETERS]
start: caddy process exited with error: exit status 1

5. What I already tried:

I’m not sure what to try since it was working previously with the old certificate. I changed nothing except the certificate pem and key file. I did not alter Caddyfile and it is using the same filenames.

6. Links to relevant resources:

Please upgrade to v2.5.0!

What does your certificate file look like? Are you certain it’s in the right format? The error indicates that it’s likely not.

FYI, this probably won’t work as you expect. file_server is ordered after reverse_proxy according to the Caddyfile directive order, so your file_server lines will never do anything.

You’ll need to use handle blocks for routing if you need this.
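Added example, not code from the thread or from the Caddy project: a small Go program that walks a certificate file the way Go's crypto/tls loader (which Caddy relies on) does, and reports which PEM block types it found. The samplePEM helper and its placeholder block bodies are constructed for this example; pass a real path as the first argument to check a deployed file such as the one under /etc/caddy.

```go
package main

import (
	"encoding/pem"
	"fmt"
	"os"
)

// inspectCertPEM mirrors Go's crypto/tls loader (hence Caddy): count CERTIFICATE blocks, record skipped types.
func inspectCertPEM(data []byte) (certs int, skipped []string) {
	for block, rest := pem.Decode(data); block != nil; block, rest = pem.Decode(rest) {
		if block.Type == "CERTIFICATE" {
			certs++
		} else {
			skipped = append(skipped, block.Type)
		}
	}
	return certs, skipped
}

// diagnose reports whether Caddy would accept the file; failure text mirrors the error in the post.
func diagnose(data []byte) string {
	certs, skipped := inspectCertPEM(data)
	if certs == 0 {
		return fmt.Sprintf("failed to find CERTIFICATE PEM block after skipping PEM blocks of the following types: %v", skipped)
	}
	return fmt.Sprintf("ok: %d CERTIFICATE block(s), skipped %v", certs, skipped)
}

// samplePEM: constructed input, a DH PARAMETERS block optionally followed by a CERTIFICATE; bodies are placeholders.
func samplePEM(withCert bool) []byte {
	out := pem.EncodeToMemory(&pem.Block{Type: "DH PARAMETERS", Bytes: []byte("placeholder")})
	if withCert {
		out = append(out, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: []byte("placeholder")})...)
	}
	return out
}

func main() {
	fmt.Println(diagnose(samplePEM(false))) // the failing case from the post
	fmt.Println(diagnose(samplePEM(true)))  // DH params first but a cert follows: loads fine
	if len(os.Args) > 1 { // optionally inspect a real file, e.g. /etc/caddy/<site>.pem
		if data, err := os.ReadFile(os.Args[1]); err != nil {
			fmt.Fprintln(os.Stderr, err)
		} else {
			fmt.Println(os.Args[1]+":", diagnose(data))
		}
	}
}
```

The second sample shows that extra blocks ahead of the certificate are skipped rather than rejected, so the error in the post means the file contains no CERTIFICATE block at all, for instance when openssl dhparam output was written to the certificate filename.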

It’s entirely possible I messed up the openssl command I used to prepare these files. I’ll look back in my history to see what was done last year and see if I can figure it out. I probably used the wrong syntax or did something out of order.

I’ll check into upgrading to 2.5. Thanks!

The formats of the new files look the same as the old files, and the commands to create them were the same since I just copied what I did previously from my command history.

EDIT: My mistake, the pem file actually is different, so I just need to figure that part out and I should be set.

