Running Caddy version 2.3.0 inside Docker on AWS Fargate, connected to EFS (an AWS network filesystem) for certificate storage and to an “ask” backend that checks whether we serve a given domain before obtaining certificates from LE. Similar to this question: How Caddy manages certificates (when not in use; catch-all host - few K domains; delete/renew)?
Matt answered here that he is planning to implement cleanup of old certificates:

> There’s a TODO to remove them automatically, like Caddy does for old OCSP staples. I should spend a few hours and finish that up, but I’d welcome a contribution as well.
The question is: is this already done? If not, can I just write a script that deletes certificate files from the EFS if they are outdated and we no longer serve that given domain?
Here is the Dockerfile we use to build Caddy (in case it is relevant which modules we use):
```dockerfile
# Build stage: fetch xcaddy and compile Caddy with our extra module.
ARG GO_VERSION="1.14.9"
FROM golang:${GO_VERSION}-alpine AS builder
ARG CADDY_VERSION="2.3.0"
ARG XCADDY_VERSION="0.1.5"
RUN apk add --no-cache git ca-certificates
# Install the xcaddy release binary into /usr/bin.
RUN wget -O xcaddy.tar.gz "https://github.com/caddyserver/xcaddy/releases/download/v${XCADDY_VERSION}/xcaddy_${XCADDY_VERSION}_linux_amd64.tar.gz"; \
    tar x -z -f xcaddy.tar.gz -C /usr/bin xcaddy; \
    chmod +x /usr/bin/xcaddy;
# Our local module, built into the Caddy binary via --with.
COPY tls-insecure/ /usr/local/go/src/tls-insecure/
RUN /usr/bin/xcaddy build v${CADDY_VERSION} \
    --output /usr/bin/caddy \
    --with tls-insecure

# Runtime stage: only the compiled binary is copied over.
FROM alpine:3.12
COPY --from=builder /usr/bin/caddy /usr/bin/caddy
```