Caddy's root certificate overridden when intermediate renewed

I’m having a problem with the root certificate being overwritten when the intermediate expires (after default 7 days). On the initial startup with a custom root CA, everything works great, the intermediate cert generated by Caddy is signed by my custom root CA. However, when it expires, a new root is generated and it signs the new intermediate. I haven’t submitted a bug report yet because I was still using v2.5.2. I just now upgraded to 2.6.1, and if I encounter the error again in a week, then I will follow up. Yes, I know I can dig into the json and change things to speed up the test, but I haven’t. Anyhow, I’m pretty sure this is a bug, unless it was addressed in 2.6+.

I haven’t heard of that before. If it happens again, can you tell us how to reproduce the problem? And the more specific information you present (logs – enable debug logs, etc – specific certificate files, etc.) the more we can help you.

I split this help question out from the wiki.

Hi Matt,

Thank you for responding. Yes, this problem happens every time. I can reproduce it every time without fail. Simply create a custom CA with a custom pre-generated root cert for it, and observe what happens after the intermediate expires. Here is an example Caddyfile:

  pki {
    ca private {
      #name My Custom CA
      #root_cn Custom CA
      intermediate_cn "My Custom CA ECC Intermediate"
      root {
        cert /etc/caddy/cacrt.pem
        key /etc/caddy/cakey.pem

(sn-tls-private) {
  tls {
    issuer internal {
      ca private

https://abc.example.private {
  import sn-tls-private
  reverse_proxy https://example.internal

I can include the log, but I’m not sure there is anything useful in what I have (I didn’t run it in debug mode, I’m afraid). It simply shows successful renewals. It will take me awhile to filter out and clean up sensitive info, so if you really really need them, then I can do it.

FYI, as you can see, I have the name and root_cn portions commented out in this example. I ran it both ways, i.e. commented/uncommented, with same results. With regards to the root_cn, I provided the exact same Common Name as the provided root certificate. Still same result…

@matt Should I post a bug report on this?

Sorry, I’ve been working on some things and getting a little behind. Sure, a bug report would be very helpful. Thank you for the details!

This topic was automatically closed after 29 days. New replies are no longer allowed.