How often do the challenges occur?

I’d like to run a bunch of Caddy instances in separate Docker containers for Baikal Servers (CalDAV/CardDAV Server). I need both containers (Baikal and Caddy) for every 1 instance, baikal1, baikal2, etc. Eventually I will roll this into one container but not now.

Essentially I would like to see this:

Each one is a separate instance of Caddy and Baikal in Docker Containers.


I currently have one instance of this running like this:

Docker Containers:

  • Baikal (running on port 20000)
  • Caddy (running on port 443)

Docker is running at 192.168.2.15

Caddyfile:

baikal1.patg.com {
     reverse_proxy 192.168.2.15:20000
}

In pfSense I port forward 443 to 192.168.2.15:20000 and I can access this whole setup from “https://baikal1.patg.com” just fine.


Now my question is this: From what I understand the Caddy server needs to reach out to the Let’s Encrypt servers in order to do a challenge request. It’s been about a week since I screwed with this to get this setup working so my terminology may be incorrect.

If I wish to scale this up to, say, have 3 of these container instances running, how would I go about doing that? From what I understand I must run each “instance” (Caddy and Baikal) on port 443. I’m assuming that if I create a Baikal server on ports 10000, 11000, and 12000 and create three separate Caddyfiles with the appropriate config this will work fine.

Will the certs all renew without an issue?
How many times a month do the challenges occur?

Let’s Encrypt certs are valid for 90 days, and Caddy will attempt to renew about 2/3 through their lifetime, so after 60 days.

Just make sure that each A/AAAA record for your subdomains points directly to your container for that subdomain (use whatever packet forwarding or routing you have to do in your network to make that happen), or use the DNS challenge so the ACME CA doesn’t have to connect to your servers.

Also, if you find yourself getting more subdomains, I’d recommend getting a wildcard certificate instead.

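The DNS challenge and wildcard certificate suggested in the reply above, combined in one Caddyfile as an added example (not part of the original thread). It assumes a single Caddy instance in front of all Baikal containers rather than one per container, a Caddy build that includes the caddy-dns/cloudflare module (any other DNS provider module is configured the same way), an API token in a CF_API_TOKEN environment variable, and the hostnames baikal2/baikal3 with the backend ports 10000, 11000 and 12000 mentioned in the question.

```caddyfile
# Assumed layout: one Caddy container on port 443, three Baikal containers
# on the Docker host 192.168.2.15 (ports taken from the question).
*.patg.com {
	# DNS-01 challenge: the ACME CA checks a TXT record in the zone,
	# so it never has to open a connection to this server.
	# Assumption: Caddy was built with the caddy-dns/cloudflare module
	# and CF_API_TOKEN is set in the container environment.
	tls {
		dns cloudflare {env.CF_API_TOKEN}
	}

	# One wildcard certificate covers every subdomain below; each host
	# matcher routes to its own Baikal backend.
	@baikal1 host baikal1.patg.com
	handle @baikal1 {
		reverse_proxy 192.168.2.15:10000
	}

	@baikal2 host baikal2.patg.com
	handle @baikal2 {
		reverse_proxy 192.168.2.15:11000
	}

	@baikal3 host baikal3.patg.com
	handle @baikal3 {
		reverse_proxy 192.168.2.15:12000
	}

	# Any other name under the wildcard gets its connection dropped
	# instead of falling through to one of the Baikal backends.
	handle {
		abort
	}
}
```

The DNS API token can satisfy the challenge for any name in the zone, so scope it to DNS edits on that one zone only and keep it out of the Caddyfile and image layers by passing it through the container environment.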