How Caddy manages certificates (when not in use; catch-all host - few K domains; delete/renew)?


How Caddy manages certificates (when not in use)?

To make my question clear I’ll describe the situation (to explain context).

I have thousands of domains which points to the server.
Those domains change over time.

Beause It’s complicated to tell which domains should be served in advance i use wildcard caddy file like that:

http://, https:// {
  redir {
    if {scheme} is HTTP
    / https://{host}{uri}
  proxy / unix:/srv/data/projects/landing/wsgi.sock {
  #tls off
  tls {
    max_certs 5000

Certificates are created on-demand.

But the question is what will happen if domain will no longer point to the server with caddy?

I know that Caddy renews certificates when they will expire.

The question is when, how it decides?

a) Does it just renew all expiring certificates in cert directory?
If yes - it may cause problems when domain no longer points caddy server.
If yes it can be solved by implementing some check if domain still points to caddy server and
caddy’s ‘ask’ directive (I understand that ‘ask’ directive is also used for renewals, correct me If I’m wrong).

b) Does it check certification expiration date on demand (on domain request) and decides
if it should be renewed.
If yes - that’s it.

Another question: what will happen to: old expired certificates?
a) Will they just stay on disk?
if yes I understand that I can create a script which will check cert date and just delete it if expired.
And it will not have an impact on cady server.
b) Or Caddy remove them automatically?

I notice that when starting caddy there is something like:
“Started certificate maintenance routine”

But I failed to find it and understand caddy code what it really does :confused:

Should I expect, that Caddy 2 will introduce breaking change with certifications -
I mean that they should be recreated?

It might be a problem with thousands of domains, because it takes ages to recreate them with let’s encrypt limits.

Currently, I’m trying to decide if we should choose Caddy or nginx + scripts.
I noticed that there are people also for who manages many domains (10k) with Caddy

so I believe there will be some solution :slight_smile:

Hi Michal, good questions.

To clarify, that is not a wildcard. That is a catch-all host. A wildcard has a very specific meaning in certificates, that is, using a * character in the subject name. Wildcard certs are good when you have lots of subdomains.

Certificates managed with On-Demand TLS will not be renewed until a TLS handshake comes in that requires that certificate and the certificate is expiring soon or already expired.

In other words, with On-Demand TLS, certificates are obtained on-demand, and renewed on-demand. They aren’t renewed “in the background” with the other certs.



There’s a TODO to remove them automatically, like Caddy does for old OCSP staples. I should spend a few hours and finish that up, but I’d welcome a contribution as well.

Not necessarily.

Rate limits should never be an issue for re-obtaining certificates. If you were able to obtain many in the first place, you should be able to renew them as well.

Use Caddy. No question!

1 Like

Thank you, Matt, very much for explaining how Caddy works and also providing TODO plans (cleanup of expired certificates) and very fast answer! :slight_smile:

Now it’s really clear.

Thanks for correcting ‘naming’.

Currently, I wouldn’t be able to contribute (not understanding Go, overloaded, small kid, trying survive, … )

It seems the way to go :slight_smile:
I have to admit, that I’m impressed how Caddy works (auto ssl, with A grade, very clean config) - WOW! Good job!

Thank you for your effort.

1 Like

This topic was automatically closed 90 days after the last reply. New replies are no longer allowed.