Hi
How does Caddy manage certificates (when not in use)?
To make my question clear I'll describe the situation (to explain the context).
I have thousands of domains which point to the server.
Those domains change over time.
Because it's complicated to tell in advance which domains should be served, I use a wildcard Caddyfile like this:
```
http://, https:// {
    redir {
        # {scheme} expands to lowercase "http" or "https", so compare against "http"
        if {scheme} is http
        / https://{host}{uri}
    }
    proxy / unix:/srv/data/projects/landing/wsgi.sock {
        transparent
    }
    #tls off
    tls michal@ddregistrar.pl {
        max_certs 5000
    }
}
```
Certificates are created on-demand.
But the question is: what will happen if a domain no longer points to the server running Caddy?
I know that Caddy renews certificates when they are about to expire.
The question is when, and how does it decide?
a) Does it just renew all expiring certificates in the cert directory?
If yes, it may cause problems when a domain no longer points to the Caddy server.
If yes, it can be solved by implementing some check whether the domain still points to the Caddy server and
using Caddy's 'ask' directive (I understand that the 'ask' directive is also used for renewals; correct me if I'm wrong).
b) Does it check the certificate expiration date on demand (on domain request) and decide
if it should be renewed?
If yes, that's it.
Another question: what will happen to old expired certificates?
a) Will they just stay on disk?
If yes, I understand that I can create a script which will check the cert date and just delete it if expired,
and it will not have an impact on the Caddy server.
b) Or does Caddy remove them automatically?
I noticed that when starting Caddy there is something like:
"Started certificate maintenance routine"
But I failed to find it in the Caddy code and understand what it really does.
Should I expect that Caddy 2 will introduce a breaking change with certificates,
I mean that they would have to be recreated?
It might be a problem with thousands of domains, because it takes ages to recreate them with Let's Encrypt limits.
Currently, I'm trying to decide if we should choose Caddy or nginx + scripts.
I noticed that there are also people who manage many domains (10k) with Caddy,
so I believe there will be some solution.
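One way to implement the "does the domain still point at us" check proposed in the post, as an added example that is neither Caddy's code nor the poster's: a small endpoint for the `ask` directive that approves a name only if it currently resolves to one of this server's addresses, so names that have moved away are neither issued nor renewed. Caddy queries the `ask` URL as `?domain=<name>` and treats a 2xx response as permission; the server IPs, the listen port and the injected resolver are assumptions made for this example.

```python
import re
import socket
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlparse

# Assumption: the public addresses this Caddy host answers on (constructed values).
SERVER_IPS = frozenset({"203.0.113.10", "2001:db8::10"})

# Plain hostnames only: two or more lowercase labels of letters, digits and hyphens,
# no label starting or ending with a hyphen. Anything else is refused outright.
HOSTNAME_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))+$")


def resolve(domain):
    """Addresses the name currently resolves to; empty set if it does not resolve."""
    try:
        infos = socket.getaddrinfo(domain, 443, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return set()
    return {info[4][0] for info in infos}


def should_issue(domain, server_ips=SERVER_IPS, resolver=resolve):
    """Allow a certificate only if the name is well formed and still points at us.

    The resolver is injectable so the decision logic can be exercised offline.
    """
    if not domain or len(domain) > 253 or not HOSTNAME_RE.match(domain):
        return False
    return not resolver(domain).isdisjoint(server_ips)


class AskHandler(BaseHTTPRequestHandler):
    """Answers Caddy's GET /?domain=<name> with 200 (issue) or 403 (refuse)."""

    def do_GET(self):
        domain = parse_qs(urlparse(self.path).query).get("domain", [""])[0].lower()
        self.send_response(200 if should_issue(domain) else 403)
        self.end_headers()


if __name__ == "__main__":
    # Assumption: the Caddyfile's tls block contains `ask http://127.0.0.1:5555/`.
    HTTPServer(("127.0.0.1", 5555), AskHandler).serve_forever()
```

Because the endpoint is consulted on every on-demand issuance, a domain whose DNS has moved elsewhere is refused the next time Caddy asks, without any script having to walk the certificate directory.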