Delete certificates after failed renewal attempt

1. The problem I’m having:

How to delete certificates after a failed renewal?
I have a web server that has a common config for all connected domains. I use on-demand TLS to issue certificates. After some time the certificates are going to expire and Caddy tries to renew them. However, many of the domains are no longer pointing to the server, so the certificate would never be renewed. When there is a big number of domains, there is a performance problem, since Caddy makes several renewal attempts for every one of them.
I figured out a solution: periodically run a script to delete certificates older than 59 days and reload Caddy. If the domain is still valid, on-demand TLS would be triggered to issue a new certificate.

But I’m afraid that this solution would cause some problems, especially if there is some traffic on these domains.
Is there any other solution to my problem? Maybe to delete certificates after 1 failed renewal attempt, or to turn off auto-renewal and just delete old certificates?

2. Error messages and/or full log output:


3. Caddy version:

2.7.6

4. How I installed and ran Caddy:

a. System environment:

b. Command:


c. Service/unit/compose file:


d. My complete Caddy config:


5. Links to relevant resources:

If you’re using On-Demand TLS, just stop allowing that domain in your ask endpoint. That’s all. Caddy will clean up its certs after they expire.

2 Likes

This could work, thanks. But for some reasons the list of domains in the check endpoint couldn’t always be up to date. So the main questions are: would there be any problems if I deleted just the certificates on my own? And could I turn off cert renewals?

Why? It must be. That’s the point of that endpoint. It’s authoritative.

That’s trying to solve the wrong problem. The problem is with your ask endpoint.

1 Like

That’s so because I have several users who can connect their own domains to my server. I can’t manage others’ domains. And people usually just change the A record and forget to delete the domain from my server’s database. I expected that the point of using on-demand TLS is not to check the domain’s DNS records. If there is a record pointing to my server, a connection to the website would trigger on-demand TLS and the certificate would be issued. But this logic fails for renewals. I expect something for turning off renewals, to issue new certificates only for the domains on demand.

Okay, then you should delete it from your database. That’s all. Nothing else to do.

All you need to do to stop renewals is to stop giving a successful response in your ask endpoint. Expired certs will get deleted automatically.

1 Like

This solution involves coding a background service that will regularly check the DNS A records of each domain and disable it in the database. I wanted to avoid this so as not to create extra load.

If the A record for that domain no longer reaches Caddy, there’s still nothing to do. On-Demand certs are only renewed in response to a TLS handshake coming in to trigger it (where Caddy will ask to see if it should still maintain it). If that domain’s DNS is no longer pointing to your server, then it’s impossible for Caddy to get requests with that domain in TLS-SNI (unless someone spoofs TLS-SNI, but nobody really does that in practice). So the cert will just expire on its own.

3 Likes
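To make the mechanism described in the replies above concrete, here is an added example of an `ask` endpoint (not code from the thread or from the Caddy project): a small Go service that answers the GET request Caddy sends with a `domain` query parameter before issuing or renewing an on-demand certificate. A 2xx response allows issuance or renewal; any other status denies it, so a domain removed from the allowlist simply stops being renewed and its certificate expires and is cleaned up as the replies state. The allowlist map, the listen address `127.0.0.1:9123`, the `/ask` path and the sample domains are constructed for the example and stand in for the poster's own database of connected domains.

```go
package main

import (
	"log"
	"net/http"
	"strings"
	"sync"
)

// Allowlist stands in for the server's database of domains that users have
// connected. In a real deployment Decide would query that database; the
// in-memory map here is a constructed sample for this example.
type Allowlist struct {
	mu      sync.RWMutex
	domains map[string]struct{}
}

// NewAllowlist builds an allowlist from the given domain names.
func NewAllowlist(domains ...string) *Allowlist {
	a := &Allowlist{domains: make(map[string]struct{})}
	for _, d := range domains {
		a.Allow(d)
	}
	return a
}

// normalize lowercases the name and strips whitespace and a trailing dot so
// that lookups do not depend on how the client spelled the SNI value.
func normalize(domain string) string {
	return strings.ToLower(strings.TrimSuffix(strings.TrimSpace(domain), "."))
}

// Allow adds a domain; Revoke removes it (what "delete it from your database" does).
func (a *Allowlist) Allow(domain string) {
	a.mu.Lock()
	defer a.mu.Unlock()
	a.domains[normalize(domain)] = struct{}{}
}

func (a *Allowlist) Revoke(domain string) {
	a.mu.Lock()
	defer a.mu.Unlock()
	delete(a.domains, normalize(domain))
}

// Decide returns the HTTP status the ask endpoint answers with. Caddy treats
// any 2xx as "issue or renew this certificate" and anything else as "do not".
// Empty or malformed names and names absent from the list are denied, so the
// endpoint fails closed: a certificate is only maintained for domains that
// are still explicitly listed.
func (a *Allowlist) Decide(domain string) int {
	d := normalize(domain)
	if d == "" || strings.ContainsAny(d, " /\\") {
		return http.StatusBadRequest
	}
	a.mu.RLock()
	defer a.mu.RUnlock()
	if _, ok := a.domains[d]; ok {
		return http.StatusOK
	}
	return http.StatusForbidden
}

// Handler serves GET /ask?domain=<name>, the request Caddy makes before an
// on-demand issuance or renewal. The log line gives an audit trail of which
// names were asked for and whether they were allowed.
func (a *Allowlist) Handler(w http.ResponseWriter, r *http.Request) {
	domain := r.URL.Query().Get("domain")
	status := a.Decide(domain)
	log.Printf("ask domain=%q -> %d", domain, status)
	w.WriteHeader(status)
}

func main() {
	// Constructed sample: two customer domains that are still connected.
	// The matching Caddyfile global option would be (assumed address):
	//   on_demand_tls { ask http://127.0.0.1:9123/ask }
	list := NewAllowlist("alice.example", "bob.example")
	http.HandleFunc("/ask", list.Handler)
	log.Fatal(http.ListenAndServe("127.0.0.1:9123", nil))
}
```

Because the endpoint denies by default, removing a row from the database (or, here, calling `Revoke`) is the whole procedure: Caddy's next renewal check for that name gets a 403, no renewal happens, and the expired certificate is removed by Caddy on its own schedule. Keeping the endpoint on a loopback or internal address matters, since whoever can reach it controls which names your server will obtain certificates for.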

Thank you. I have had some issues with renewals, where there were a lot of renewal errors, but there could be something else going on.