How important is it to back up Caddy storage?

A general query…

How important is it to back up Caddy storage? Consider the following two scenarios:

  1. Internal PKI is disabled (default)
  2. Internal PKI is enabled

It seems like the latter is of concern more so for Caddy running the ACME server, not so much for the endpoints. Caddy uses SmallStep libraries. The SmallStep discussion thread Fault tolerance is what’s prompted this question for me for Caddy.

1 Like

I would say “not that important” if you have a simple deployment because you can just regenerate an internal CA and copy the root cert onto any trust stores that need it afterwards.

If you have a bigger deployment, then the effort needed to start anew scales up, so it becomes a bigger inconvenience.

For non-internal PKI, then it’s the same deal, “not that important” because you can just reissue all the certs from LE/ZeroSSL.

But if you have like, a lot of domains then you might worry about the rate limiting slowing that process down to a point that it would cause too much downtime.

If you’re using a bigger deployment, you probably have the storage clustered anyways, so you could consider that a backup (unless one of the nodes goes ape and clobbers the data due to a bug, but let’s call that unlikely).

Ultimately, it’s for the user to decide whether the cost-benefit analysis of performing backups is worth the time to setup vs time saved during recovery.

2 Likes

My Caddy inventory is growing on both web PKI and internal PKI so the time to manually recover plus rate limits is looming as a concern.

1 Like

In the internal PKI scenario, where you are distributing the caddy root CA certificate for trust, you will want to make sure that you are removing the old instance of the Caddy internal root CA and then importing the new Caddy Root CA certificate in your various “trust stores”.

In trust evaluation (for java, openssl, etc) when your root CA’s have the same Subject DN String value but different underlying cryptographic properties, trust evaluation will fail which can be incredibly painful to troublshoot/isolate.

My wisdom is not intelligence, its baptism by fire acquired dealing with 700+ hadoop nodes with a mix of java, os and static trust files and duplicate CA’s imported for trust on 1/3 of them.

3 Likes