Cannot start caddy.service after system restart

1. My Caddy version (caddy -version):


2. How I run Caddy:


a. System environment:

OS, relevant versions, systemd? docker? etc.

centos7 amd64 systemd

b. Command:

paste command here

c. Service/unit/compose file:

Description=Caddy HTTP/2 web server
Documentation= systemd-networkd-wait-online.service


; User and group the process will run as.

; Letsencrypt-issued certificates will be written to this directory.

; Always set "-root" to something safe in case it gets forgotten in the Caddyfile.
ExecStart=/usr/local/bin/caddy -log stdout -agree=true -conf=/etc/caddy/Caddyfile -quic -root=/var/tmp
ExecReload=/bin/kill -USR1 $MAINPID

; Use graceful shutdown with a reasonable timeout

; Limit the number of file descriptors; see `man systemd.exec` for more limit settings.
; Unmodified caddy is not expected to use more than that.

; Use private /tmp and /var/tmp, which are discarded after caddy stops.
; Use a minimal /dev (May bring additional security if switched to 'true', but it may not work on Raspberry Pi's or other devices, so it has been disabled in this dist.)
; Hide /home, /root, and /run/user. Nobody will steal your SSH-keys.
; Make /usr, /boot, /etc and possibly some more folders read-only.
; … except /etc/ssl/caddy, because we want Letsencrypt-certificates there.
;   This merely retains r/w access rights, it does not add any new. Must still be writable on the host!

; The following additional security directives only work with systemd v229 or later.
; They further restrict privileges that can be gained by caddy. Uncomment if you like.
; Note that you may have to add capabilities required by any plugins in use.


d. My complete Caddyfile: {
} {
    root /var/www/
    tls ******** {
        curves X25519 P384
        key_type p384
        protocols tls1.2 tls1.3
    proxy /gameforum https://localhost:8888 {
        header_upstream X-Forwarded-Proto "https"
        header_upstream Host ""
    header / {
        Strict-Transport-Security "max-age=31536000;"
        X-XSS-Protection "1; mode=block"
        X-Content-Type-Options "nosniff"
        X-Frame-Options "DENY"
    gzip {
       not /gameforum
    log access.log {
    rotate_size 50
    rotate_age  90
    rotate_keep 2

3. The problem I’m having:

After the system is restarted, the caddy.service cannot be started. The same caddy file and caddy.service run normally.

4. Error messages and/or full log output:

● caddy.service - Caddy HTTP/2 web server
Loaded: loaded (/etc/systemd/system/caddy.service; enabled; vendor preset: disabled)
Active: failed (Result: exit-code) since Tue 2019-10-22 11:39:10 EDT; 18s ago
Process: 6893 ExecStart=/usr/local/bin/caddy -log stdout -agree=true -conf=/etc/caddy/Caddyfile -quic -root=/var/tmp (code=exited, status=1/FAILURE)
Main PID: 6893 (code=exited, status=1/FAILURE)

Oct 22 11:39:10 host.localdomain systemd[1]: Started Caddy HTTP/2 web server.
Oct 22 11:39:10 host.localdomain caddy[6893]: Activating privacy features… 2019/10/22 11:39:10 [INFO][cache:0xc0000888c0] Started certificate maintenance routine
Oct 22 11:39:10 host.localdomain caddy[6893]: 2019/10/22 11:39:10 [WARNING] Stapling OCSP: no OCSP stapling for []: parsing OCSP response: ocsp: error from server: unauthorized
Oct 22 11:39:10 host.localdomain caddy[6893]: 2019/10/22 11:39:10 [INFO] Certificate for [] expires in -3h43m9.600992126s; attempting renewal
Oct 22 11:39:10 host.localdomain caddy[6893]: 2019/10/22 11:39:10 [INFO][] Renew certificate
Oct 22 11:39:10 host.localdomain caddy[6893]: 2019/10/22 11:39:10 creating lock file: open /etc/ssl/caddy/locks/cert_acme_hehevv.xyz_httpsacme-v02.api.letsencrypt.orgdirectory.lock: read-only file system
Oct 22 11:39:10 host.localdomain systemd[1]: caddy.service: main process exited, code=exited, status=1/FAILURE
Oct 22 11:39:10 host.localdomain systemd[1]: Unit caddy.service entered failed state.
Oct 22 11:39:10 host.localdomain systemd[1]: caddy.service failed.

5. What I already tried:


6. Links to relevant resources:

Ah, we’ve seen this before on older systems like CentOS 7. Replace ReadWritePaths= with ReadWriteDirectories=.

1 Like

CentOS 7 is old… ? :sob: No VPS I use has CentOS 8 yet.

Ha, yes, CentOS 7 was released in 2014… that’s almost 6 years ago.