Certificate exists in acme-v01.api.letsencrypt.org but Caddy opens a new one in acme-v02, why?


(Noam) #1

We moved to a new server and we moved all our certificates with it.
Now we have a domain name that already has a certificate (it's new and doesn't need to be renewed) in the folder "acme-v01.api.letsencrypt.org".
But when we access the domain name on the new server, Caddy forces the server to give the domain a new certificate under the folder acme-v02.api.letsencrypt.org.

Does someone know why it's doing this?

Thanks


(Matthew Fay) #2

Yeah - the same update in which Caddy got wildcard support was the one where we moved over from the ACME API v1 to v2. This required new ACME accounts and a new storage structure, I understand, so the old versions of your certificates aren't compatible with upgraded versions of Caddy.


(Noam) #3

So all the domains will reload again for 10 seconds or more.
I have to say that this is something that needs to be noted somewhere when a new version is released, because it can cause downtime on some systems.
Anyway, thanks for the answer; I think I will need to go back :frowning: to the old version.


(Matt Holt) #4

Um, why?


(Matthew Fay) #5

It was noted near the top of the page in the blog post I linked, which was also noted and linked to in the Github releases page. Upgrading server software to a newer version without reading release notes is naturally a downtime inducing event!

I can’t recommend avoiding updates, though - bugfixes, security updates, features, etc etc etc - but that’s your choice to make as a server admin.

There are methods you can use to mitigate the delay in acquiring a large number of certificates via the new API, if that’s a critical issue.


(Matt Holt) #6

Using SIGUSR2, the upgrade can be made without downtime. This is not even an issue.

If that doesn’t work, then probably a bug should be filed.


(Noam) #7

Hi Matt, the problem is not with the upgrade.
We have more than 10K domains on our servers, and if we move to version 10.12 Caddy will start getting new certificates for every domain.
This process is very slow (5-10 seconds) and sometimes is not 100% working, and then we need to wait for the next call of this domain name (5m and more sometimes).
So some of our domains will not be live until they get the new certificate, and it's a real issue.
I think the way to solve it is:

  1. If the domain has a certificate under v01, Caddy needs to use it.
  2. If it's a new domain, Caddy needs to use v02.
  3. When a v01 domain needs to be renewed, Caddy will renew it under v02.
    So 3 months after the upgrade everything will be v02 without any downtime.

(Matt Holt) #8

I see… hmm, yeah, if there is an error getting certificates, that could slow you down. Are you using on-demand TLS? If so, it won’t happen at upgrade-time. I don’t recommend using that unless you need to, though.


(Noam) #9

I must use "on-demand TLS" because I don't control all domains' DNS.
Anyway, this issue really prevents us from upgrading and moving to another server; I still think this is something that Caddy must think of next time.
Anyway, I have thought of a solution, and it would be great if you could help me understand whether it will work.
This is what I want to do:

  1. Copy the folder "acme-v01.api.letsencrypt.org" to the new server.
  2. Rename it to "acme-v02.api.letsencrypt.org".
  3. Now when Caddy looks for certificates it will find them under 02 (but they will be 01 files).
  4. And then when Caddy makes a renewal request for the certificates it will update the files for 02.

Please tell me what you think. Also, we're a paying customer, and it would be great to know if this is something we can get a fix for. We can also pay for that; we just really need a solution here.

Thanks


(Matthew Fay) #10

I’d previously operated under the assumption that the certs and keys themselves wouldn’t be portable, but looking at one of my instances that was around during the v2 update, they look the same (including folder structure).

The only difference appears to be the .json file. With ACME v1, the contents are:

{
	"domain": "[snip]",
	"certUrl": "https://acme-v01.api.letsencrypt.org/acme/cert/[snip]",
	"certStableUrl": "",
	"accountRef": "https://acme-v01.api.letsencrypt.org/acme/reg/[snip]"
}

Whereas for ACME v2, Caddy keeps this in the .json file:

{
	"domain": "[snip]",
	"certUrl": "https://acme-v02.api.letsencrypt.org/acme/cert/[snip]",
	"certStableUrl": "https://acme-v02.api.letsencrypt.org/acme/cert/[snip]"
}

It would be incorrect to adapt the JSON because it is describing the existing certificate. I don’t know whether that will impede the certs’ usage if you simply rename the containing folder to acme-v02.api.letsencrypt.org, but if not, I expect Caddy will work as you’ve proposed. It deserves some testing.

Something should be done about the acme-v02.api.letsencrypt.org/users folder, though; the new endpoint requires a new user registration. Possibly deleting this folder and having Caddy recreate it will suffice.
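
The procedure Noam proposed in #9 (copy the v01 store under the v02 directory name so Caddy finds the existing certificates) together with the caveats from #10 (leave the per-certificate .json alone, do not carry the users folder over) can be scripted so it is repeatable and checkable across many domains. The script below is an added example written for this thread; it is not Caddy code and not something posted by any participant. It assumes a layout with per-domain files under sites/<domain>/<domain>.crt, .key and .json and account material under users/ (only "users" and the endpoint folder names appear in the thread; "sites" and the file names are assumptions), and it constructs its own sample store with placeholder file contents for the demo.

```python
"""Stage an ACME v1 certificate store under the v2 directory name.

Hypothetical helper for the migration discussed in the thread; not Caddy code.
Assumed layout (the "sites" level and the file names are assumptions):

  <root>/acme-v01.api.letsencrypt.org/sites/example.com/example.com.crt
  <root>/acme-v01.api.letsencrypt.org/sites/example.com/example.com.key
  <root>/acme-v01.api.letsencrypt.org/sites/example.com/example.com.json
  <root>/acme-v01.api.letsencrypt.org/users/...

Rules implemented:
  * copy cert/key/json of each site into acme-v02.api.letsencrypt.org/sites/
  * never overwrite a site already present under v02 (the new server may
    already hold a fresh v2 certificate for it)
  * never copy users/ (a v2 endpoint needs a fresh account registration)
  * leave the metadata .json untouched; report sites whose .json still has the
    v1-style accountRef so they can be checked after their first v2 renewal
  * verify every copy byte-for-byte before counting it as migrated
"""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

V1_DIR = "acme-v01.api.letsencrypt.org"
V2_DIR = "acme-v02.api.letsencrypt.org"


def _sha256(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def classify_metadata(json_path: Path) -> str:
    """Return "v1", "v2" or "unknown" from the fields in a site's .json."""
    meta = json.loads(json_path.read_text())
    if "accountRef" in meta:
        return "v1"
    if meta.get("certStableUrl", "").startswith("https://" + V2_DIR):
        return "v2"
    return "unknown"


def migrate_sites(root: Path) -> dict:
    """Copy v01 site folders into the v02 tree and return a report dict."""
    root = Path(root)
    src_sites = root / V1_DIR / "sites"
    dst_sites = root / V2_DIR / "sites"
    report = {"copied": [], "skipped_existing": [], "v1_metadata": [], "mismatched": []}
    dst_sites.mkdir(parents=True, exist_ok=True)
    for site in sorted(p for p in src_sites.iterdir() if p.is_dir()):
        dst = dst_sites / site.name
        if dst.exists():
            report["skipped_existing"].append(site.name)  # keep the v2 cert already there
            continue
        shutil.copytree(site, dst)  # cert, key and json only; users/ is never touched
        same = all(_sha256(f) == _sha256(dst / f.name) for f in site.iterdir() if f.is_file())
        if not same:
            report["mismatched"].append(site.name)
            continue
        report["copied"].append(site.name)
        meta = dst / f"{site.name}.json"
        if meta.exists() and classify_metadata(meta) == "v1":
            report["v1_metadata"].append(site.name)
    # the v2 endpoint needs its own registration, so users/ must not have been copied
    report["v2_users_present"] = (root / V2_DIR / "users").exists()
    return report


def build_fixture(root: Path) -> None:
    """Constructed sample store: three v1 sites, one of which already exists under v2."""
    v1_meta = {"domain": "", "certUrl": f"https://{V1_DIR}/acme/cert/x",
               "certStableUrl": "", "accountRef": f"https://{V1_DIR}/acme/reg/x"}
    v2_meta = {"domain": "", "certUrl": f"https://{V2_DIR}/acme/cert/y",
               "certStableUrl": f"https://{V2_DIR}/acme/cert/y"}
    for name in ("a.example", "b.example", "c.example"):
        d = root / V1_DIR / "sites" / name
        d.mkdir(parents=True)
        (d / f"{name}.crt").write_text("-----BEGIN CERTIFICATE-----\nplaceholder\n-----END CERTIFICATE-----\n")
        (d / f"{name}.key").write_text("-----BEGIN EC PRIVATE KEY-----\nplaceholder\n-----END EC PRIVATE KEY-----\n")
        (d / f"{name}.json").write_text(json.dumps(dict(v1_meta, domain=name)))
    (root / V1_DIR / "users" / "admin@example").mkdir(parents=True)
    b2 = root / V2_DIR / "sites" / "b.example"
    b2.mkdir(parents=True)
    (b2 / "b.example.json").write_text(json.dumps(dict(v2_meta, domain="b.example")))


def run_demo() -> dict:
    root = Path(tempfile.mkdtemp())
    build_fixture(root)
    return migrate_sites(root)


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

Run it against a copy of the real store, not the live one, and treat the "v1_metadata" list as the set of domains to watch: those still point at acme-v01 URLs in their .json, which is the part the thread was unsure Caddy will accept until a renewal rewrites it.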


(Matt Holt) #11

You know, you may be right that their metadata files are (somewhat) compatible. The certs/keys definitely should be, I just wasn’t sure and hadn’t tested migrating them, so you might be able to with some minor changes. However, you will definitely need a new user account – that won’t transfer.

Again, I’m not sure whether you can just change v01 to v02 in the Url fields and have it work. Would be worth testing.


(Matt Holt) #12

Hey Noam,

No problem: we can take care of you. Just email us at support@lightcodelabs.com and we can help you out. Just reference this thread. :slight_smile:


(Noam) #13

Done. Thanks!