Certificates not getting renewed on renewal_window_ratio

1. The problem I’m having:

I am trying to use Caddy for on-demand TLS for our products, which are hosted on a custom domain.
What I observed was that the certificates that were issued had an expiry of 90 days, which is the default of Let’s Encrypt, even though the default lifetime configuration in Caddy is 12h.
I wanted to test whether certificate renewal was working fine, so I tried setting renewal_window_ratio to 1 as suggested here.
However, certificate renewals are not getting triggered even 4 hours after setting renewal_window_ratio to 1.

2. Error messages and/or full log output:

There are no logs related to the issue.

3. Caddy version:

caddy-2.6.4

4. How I installed and ran Caddy:

a. System environment:

Caddy Alpine Docker image

b. Command:

command: ["caddy", "run", "--config", "/config/caddy/caddy.json"]

c. Service/unit/compose file:

Used a Kubernetes deployment.

d. My complete Caddy config:

{
    "apps": {
        "http": {
            "http_port": 80,
            "servers": {
                "https": {
                    "listen": [":443"],
                    "listener_wrappers": [{ "wrapper": "go_proxyproto" }, { "wrapper": "tls" }],
                    "routes": [
                        {
                            "handle": [
                                {
                                    "handler": "reverse_proxy",
                                    "transport": { "protocol": "http", "tls": {} },
                                    "upstreams": [{ "dial": "localhost:9999" }]
                                }
                            ],
                            "terminal": true
                        }
                    ],
                    "tls_connection_policies": [{}]
                },
                "health-check": {
                    "listen": [":9999"],
                    "routes": [{ "handle": [{ "body": "OK", "handler": "static_response" }], "match": [{ "path": ["/"] }] }]
                }
            }
        },
        "tls": {
            "automation": {
                "on_demand": { "ask": "http://localhost:9999" },
                "policies": [
                    {
                        "issuers": [{ "module": "acme", "account_key": "<private_key_pem>" }],
                        "on_demand": true,
                        "key_type": "rsa4096",
                        "renewal_window_ratio": 1
                    }
                ]
            }
        }
    },
    "logging": { "logs": { "default": { "level": "DEBUG", "writer": { "output": "stdout" } } } },
    "storage": { "module": "mysql", "dsn": "" }
}

5. Links to relevant resources:

I’m not sure I follow:

FYI, those two links are the same, and without the correct link I’m afraid this sentence doesn’t make sense. Let’s Encrypt issues 90-day certs. Caddy cannot change that.

@matt The issue I am facing is that the certificate renewal is not happening for me.
I have already set renewal_window_ratio to 1, and it’s been 8 hours already since I set renewal_window_ratio to 1.

What am I doing wrong? How can I trigger/enforce the certificate renewal?

That’s for the ACME server, i.e. when Caddy acts as the ACME issuer for self-managed certs. That does not apply to public issuers like Let’s Encrypt and ZeroSSL.

If issuance works, renewals will work. There’s no reason to try to force renewals. It’s the exact same process, except for a minor change in the data sent to the issuer in the API calls.
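To make the arithmetic behind renewal_window_ratio concrete, here is a small Python script, added to this thread as an illustration and not code from the thread or from Caddy/certmagic itself. It reproduces, as I understand certmagic's logic, how the renewal window is derived from a certificate's NotBefore/NotAfter and the ratio, and it reads the ratio out of each TLS automation policy in a Caddy JSON config. The certificate dates and the trimmed-down config are constructed sample data; DEFAULT_RENEWAL_WINDOW_RATIO is certmagic's documented default of one third of the lifetime.

```python
import json
from datetime import datetime, timedelta, timezone

# certmagic's default: attempt renewal once the cert is in the last third of its
# lifetime. (Assumption: the window math below mirrors certmagic's behaviour.)
DEFAULT_RENEWAL_WINDOW_RATIO = 1 / 3


def renewal_window_start(not_before: datetime, not_after: datetime,
                         ratio: float = DEFAULT_RENEWAL_WINDOW_RATIO) -> datetime:
    """Instant from which the certificate counts as due for renewal.

    The window is `ratio` of the total lifetime, measured back from NotAfter.
    ratio=1 therefore opens the window at NotBefore: the cert is due for
    renewal from the moment it is issued, which is why the thread used it
    as a way to "force" renewal.
    """
    if not 0 < ratio <= 1:
        raise ValueError("renewal_window_ratio must be in (0, 1]")
    if not_after <= not_before:
        raise ValueError("NotAfter must be later than NotBefore")
    lifetime = not_after - not_before
    # Round to whole seconds so that 1/3 of 90 days is exactly 30 days.
    window = timedelta(seconds=round(lifetime.total_seconds() * ratio))
    return not_after - window


def needs_renewal(not_before: datetime, not_after: datetime, now: datetime,
                  ratio: float = DEFAULT_RENEWAL_WINDOW_RATIO) -> bool:
    """True once `now` is inside the renewal window (or past expiry)."""
    return now >= renewal_window_start(not_before, not_after, ratio)


def renewal_ratios_from_config(config_text: str) -> list:
    """Return the effective renewal_window_ratio of every TLS automation policy
    in a Caddy JSON config, falling back to the default when a policy omits it."""
    cfg = json.loads(config_text)
    policies = (cfg.get("apps", {}).get("tls", {})
                   .get("automation", {}).get("policies", []))
    return [float(p.get("renewal_window_ratio", DEFAULT_RENEWAL_WINDOW_RATIO))
            for p in policies]


# Constructed sample: a 90-day certificate like the ones Let's Encrypt issues.
SAMPLE_NOT_BEFORE = datetime(2023, 3, 1, tzinfo=timezone.utc)
SAMPLE_NOT_AFTER = SAMPLE_NOT_BEFORE + timedelta(days=90)
FOUR_HOURS_AFTER_ISSUANCE = SAMPLE_NOT_BEFORE + timedelta(hours=4)
DAY_61 = SAMPLE_NOT_BEFORE + timedelta(days=61)

# Constructed, trimmed-down config: one policy with ratio 1 (as in the thread)
# and one that relies on the default.
SAMPLE_CONFIG = json.dumps({"apps": {"tls": {"automation": {"policies": [
    {"issuers": [{"module": "acme"}], "on_demand": True, "renewal_window_ratio": 1},
    {"issuers": [{"module": "acme"}]},
]}}}})


if __name__ == "__main__":
    for ratio in renewal_ratios_from_config(SAMPLE_CONFIG):
        start = renewal_window_start(SAMPLE_NOT_BEFORE, SAMPLE_NOT_AFTER, ratio)
        print(f"ratio={ratio:.3f}: window opens {start.isoformat()}, "
              f"due 4h after issuance: "
              f"{needs_renewal(SAMPLE_NOT_BEFORE, SAMPLE_NOT_AFTER, FOUR_HOURS_AFTER_ISSUANCE, ratio)}")
```

With the default ratio a 90-day certificate becomes due on day 60; with ratio 1 it is due from issuance. Because Caddy only evaluates this on its periodic maintenance check (and, for on-demand certificates, when the certificate is actually used), "due immediately" still means "at the next check", not the instant the config is loaded. The practical check when a renewal seems stuck is to take NotBefore/NotAfter from the stored certificate, run them through renewal_window_start with the configured ratio, and confirm whether the window has actually opened yet.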

@francislavoie But is there any reason why forced renewals would not be working?

This is working. It was something silly on my side.

Sorry for the trouble @matt @francislavoie
