G’day guys,

I use manager.io as my accounting package; it is an awesome cross-platform package that I’ve been using for about 2 years. At some point in that time, I set up Caddy to facilitate SSL and get rid of the ugly “Your connection is not secure” messages from my browser.

The Caddy setup was provided by the developers of manager and has operated without problem until I recently made some (momentary, but extended) changes to my firewall (port forwardings) for testing other services. During the change/outage the certificate expired. It was a number of days before I realised this as I don’t use the software every day.

Upon the next time I used the software I was greeted with the insecure page message. I realised my error and re-forwarded the ports back to Caddy and manager. I mostly use the software internally and so port forwarding is not really necessary. However, I want a clean approach to using it without browser warnings.
In researching this over the last few days, I have learned about ACME and custom setups for internal domains and that will be my next adventure (ie, getting that to work), but for the moment, I’m trying to learn what it is that I’ve done wrong, what it is I need to do to fix it, and remedy the situation.
This has been for several days now (I thought it may be an issue that needed time to resolve itself, but that’s not the case). I’m now reaching out for any advice that can help me fix this.
I’m thinking I’m obviously missing something pretty simple, because I’m not finding any references to anyone else having problems with expired certificates not renewing, as Caddy takes care of this well in advance.

> explain what you are trying to do,

The certificate for my site has expired and upon reverting everything to normal (ie re-opening the ports) the certificate will not renew.
> show what you have already tried,

- I have stopped and restarted Caddy (I learned later that passing `SIGUSR1` is the better way to reload the configuration, and I have done this as well to no avail). Caddy starts without an issue and reports no errors (that I can see).
- Caddy is run as a service through `systemctl`, and checking `journalctl` reveals nothing out of the ordinary (below).
- I have stopped the service and run it from the command line; there are no errors appearing. I have logged errors to an external file, and it remains empty.
- I have tried removing (renaming) the certificate file(s). I ended up pruning the whole `.caddy` subdirectory on the server.
- The ports are definitely open as I can access the site from the internet.
> include error messages and log output,

There just aren’t any (that I can find):
```text
~$ journalctl -xef -u caddy.service
Nov 02 05:25:09 mubology systemd[1]: Started caddy.service.
-- Subject: Unit caddy.service has finished start-up
-- Defined-By: systemd
-- Support: http://www.ubuntu.com/support
--
-- Unit caddy.service has finished starting up.
--
-- The start-up result is RESULT.
Nov 02 05:25:09 mubology caddy[6275]: Activating privacy features... done.
Nov 02 05:25:09 mubology caddy[6275]: https://
Nov 02 05:25:09 mubology caddy[6275]: http://
Nov 02 05:30:51 mubology systemd[1]: Stopping caddy.service...
-- Subject: Unit caddy.service has begun shutting down
-- Defined-By: systemd
-- Support: http://www.ubuntu.com/support
--
-- Unit caddy.service has begun shutting down.
Nov 02 05:30:51 mubology systemd[1]: Stopped caddy.service.
-- Subject: Unit caddy.service has finished shutting down
-- Defined-By: systemd
-- Support: http://www.ubuntu.com/support
--
-- Unit caddy.service has finished shutting down.
Nov 02 05:30:57 mubology systemd[1]: Started caddy.service.
-- Subject: Unit caddy.service has finished start-up
-- Defined-By: systemd
-- Support: http://www.ubuntu.com/support
--
-- Unit caddy.service has finished starting up.
--
-- The start-up result is RESULT.
Nov 02 05:30:57 mubology caddy[6355]: Activating privacy features... done.
Nov 02 05:30:57 mubology caddy[6355]: https://
Nov 02 05:30:57 mubology caddy[6355]: http://
^C
```
> and link to any relevant resources.

The service is running with the following parameters:

```ini
~$ cat /etc/systemd/system/caddy.service
[Unit]
After=network.target
[Service]
LimitNOFILE=1048576
ExecStart=/usr/local/bin/caddy -agree=true -conf=/usr/share/manager-server/caddy.conf -agree
Restart=on-failure
StartLimitInterval=600
[Install]
WantedBy=multi-user.target
```
A check via running processes:

```text
~$ ps aux | grep caddy
... /usr/local/bin/caddy -agree=true -conf=/usr/share/manager-server/caddy.conf -agree
```
`caddy.conf` contains:

```text
:~$ cat /usr/share/manager-server/caddy.conf
:443 {
tls { max_certs 100 }
proxy / localhost:8082
errors /var/log/caddy-err.log
log /var/log/caddy-log.log
}
```
Downloading the page directly to the command line reveals the following (nothing really, except that the certificate expired a week ago):

```text
~$ curl -Ikv https://<mywebsite>
* Rebuilt URL to: https://<mywebsite>
*   Trying 192.168.5.2...
* TCP_NODELAY set
* Connected to <mywebsite> (192.168.5.2) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=<mywebsite>
*  start date: Jul 28 19:51:29 2018 GMT
*  expire date: Oct 26 19:51:29 2018 GMT
*  issuer: C=US; O=Let's Encrypt; CN=Let's Encrypt Authority X3
*  SSL certificate verify result: certificate has expired (10), continuing anyway.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x55f5a29df8e0)
> HEAD / HTTP/2
> Host: <mywebsite>
> User-Agent: curl/7.58.0
> Accept: */*
>
* Connection state changed (MAX_CONCURRENT_STREAMS updated)!
< HTTP/2 200
HTTP/2 200
< cache-control: no-store
cache-control: no-store
< date: Fri, 02 Nov 2018 23:22:44 GMT
date: Fri, 02 Nov 2018 23:22:44 GMT
< server: Caddy
server: Caddy
< server: Mono-HTTPAPI/1.0
server: Mono-HTTPAPI/1.0
< content-length: 0
content-length: 0
```
If there’s anything else I can post to help diagnose this, just let me know.
TIA
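An added monitoring check, not part of the original post and not Caddy's own code: it parses the certificate validity dates and the server's `Date` header out of `curl -Ikv` output like the one quoted above and reports whether the certificate has expired or is already inside the renewal window. The 30-day renewal window and the sample curl text are assumptions constructed here.

```python
"""Flag an expired or soon-to-expire certificate from `curl -v` output,
using the server's own Date header as the clock (constructed example)."""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample, trimmed from the kind of curl -Ikv output shown in the post.
SAMPLE_CURL_OUTPUT = """\
* Server certificate:
*  subject: CN=example.invalid
*  start date: Jul 28 19:51:29 2018 GMT
*  expire date: Oct 26 19:51:29 2018 GMT
*  issuer: C=US; O=Let's Encrypt; CN=Let's Encrypt Authority X3
*  SSL certificate verify result: certificate has expired (10), continuing anyway.
< HTTP/2 200
< date: Fri, 02 Nov 2018 23:22:44 GMT
< server: Caddy
"""

CURL_DATE_FMT = "%b %d %H:%M:%S %Y"       # e.g. "Oct 26 19:51:29 2018"
HTTP_DATE_FMT = "%a, %d %b %Y %H:%M:%S"   # e.g. "Fri, 02 Nov 2018 23:22:44"
RENEW_BEFORE = timedelta(days=30)         # assumed renewal window for this check


def _parse_utc(fmt: str, text: str) -> datetime:
    return datetime.strptime(text.strip(), fmt).replace(tzinfo=timezone.utc)


def check_cert_from_curl(output: str) -> dict:
    """Return lifetime, remaining days, and expired/renewal-due flags."""
    m_start = re.search(r"start date: (.+?) GMT", output)
    m_expire = re.search(r"expire date: (.+?) GMT", output)
    m_date = re.search(r"^< date: (.+?) GMT$", output, re.MULTILINE)
    if not (m_start and m_expire and m_date):
        raise ValueError("curl output lacks certificate dates or a Date header")
    not_before = _parse_utc(CURL_DATE_FMT, m_start.group(1))
    not_after = _parse_utc(CURL_DATE_FMT, m_expire.group(1))
    now = _parse_utc(HTTP_DATE_FMT, m_date.group(1))   # server clock, not ours
    remaining = not_after - now
    return {
        "lifetime_days": (not_after - not_before).days,
        # int() truncates toward zero, so "-7" means expired about 7 days ago
        "days_remaining": int(remaining.total_seconds() / 86400),
        "expired": now > not_after,
        "renewal_due": remaining <= RENEW_BEFORE,
    }


if __name__ == "__main__":
    print(check_cert_from_curl(SAMPLE_CURL_OUTPUT))
```

Run it against real output by piping `curl -Ikv https://host 2>&1` into the function; a `renewal_due` result with no renewal activity in `journalctl` is the signal that the automatic renewal is not happening.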