How to configure automatic renewal of a certificate generated by an ACME server

1. The problem I’m having:

Hi, I want to use my ACME server to generate certificates for my sites, which pass through my reverse proxy Caddy. However, I would like to check that the renewal works well, so I would like to renew the certificate every 10 minutes to see whether, once it has expired, it is renewed correctly without me doing anything.


2. Caddy version:

2.7.4

3. How I installed and ran Caddy:

sudo apt install -y debian-keyring debian-archive-keyring apt-transport-https
curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/gpg.key' | sudo gpg --dearmor -o /usr/share/keyrings/caddy-stable-archive-keyring.gpg
curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/debian.deb.txt' | sudo tee /etc/apt/sources.list.d/caddy-stable.list
sudo apt update
sudo apt install caddy

a. System environment:

Debian 11

b. Command:

systemctl start/stop/restart caddy

c. Service/unit/compose file:


d. My complete Caddy config:

{
  email admin@mydooomain.fr
  acme_ca https://my-acme-server.mydooomain.local/acme/acme/directory
  acme_ca_root /etc/caddy/ssl/root.crt
}

my-test-site.dooomain.local {
    tls {
      ca https://my-acme-server.mydooomain.local/acme/acme/directory
    }
    reverse_proxy my-machine-test.mydooomain.local
}

After a restart of caddy and a check of the certificate of https://my-test-site.dooomain.local, the certificate didn’t change; it was the same as before, with a duration of 1 year.

5. Links to relevant resources:

I also tried this configuration, but nothing was different:

{
  email admin@mydooomain.fr
  acme_ca https://my-acme-server.mydooomain.local/acme/acme/directory
  acme_ca_root /etc/caddy/ssl/root.crt
  renew_interval 10m
}

acme_server https://my-acme-server.mydooomain.local/acme/acme/directory {
  lifetime 12h
}

But same result. Thank you in advance for your help!

Caddy won’t regenerate certs on restart if it still has valid certs. You’ll need to delete them from storage then restart Caddy to force re-issuance.

How can I delete it?

When running as a systemd service, the storage is at /var/lib/caddy/.local/share/caddy


I have to delete the .key and .crt from the subfolder of the site whose certificate I’m trying to renew?

Yes, basically. Or delete the whole folder containing them.

Ok, so it worked: the certificate has been renewed. However, this does not answer my problem. What I’m trying to find out is, if the certificate expires, will my ACME server or Caddy itself (it doesn’t matter which) take care of the renewal automatically? To check this you have to run tests, but the duration of the current certificate is one year, and I am not going to wait a year to do my tests, you see? So I’m looking to reduce the duration of the certificate, or to add configuration elements that allow me to renew the certificate from a certain date (for example, if the certificate expires in 364 days and 23 hours). I hope I was clearer. Thanks for your time and your help.

That would be the easiest way. Or you can use the JSON config and specify renewal_ratio_window to a very high value (close to 1, like .99 or similar) which will cause Caddy to renew a cert much sooner:

Oh ok, I wasn’t aware of this solution, but where is this file located in the tree?

You’ll need to use a JSON config file instead of a Caddyfile (use caddy adapt to get JSON). It can be wherever you want. For a quick test, just put it in the current dir.
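To make the suggestion above concrete, here is an added example (not from the thread or from the Caddy project) that patches the JSON produced by caddy adapt and shows when Caddy's renewal window opens for a given ratio. In Caddy's JSON config the field on a TLS automation policy is spelled renewal_window_ratio; the ADAPTED structure below is a constructed stand-in for the adapted output of the poster's Caddyfile, and the issue dates are made up.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed stand-in for what `caddy adapt --config Caddyfile` emits for the
# poster's site, trimmed to the TLS automation policy that matters here.
ADAPTED = {"apps": {"tls": {"automation": {"policies": [{
    "subjects": ["my-test-site.dooomain.local"],
    "issuers": [{"module": "acme",
                 "ca": "https://my-acme-server.mydooomain.local/acme/acme/directory",
                 "email": "admin@mydooomain.fr"}],
}]}}}}


def set_renewal_window_ratio(config, ratio):
    """Return a copy of the adapted JSON with renewal_window_ratio set on every
    TLS automation policy. Caddy's default is 1/3; this helper only accepts
    values strictly between 0 and 1 (0 would just mean "use the default")."""
    if not 0 < ratio < 1:
        raise ValueError("renewal_window_ratio must be strictly between 0 and 1")
    cfg = json.loads(json.dumps(config))  # deep copy; leave the input untouched
    automation = (cfg.setdefault("apps", {}).setdefault("tls", {})
                     .setdefault("automation", {}))
    policies = automation.setdefault("policies", [])
    if not policies:
        policies.append({})  # a policy with no subjects applies to every managed name
    for policy in policies:
        policy["renewal_window_ratio"] = ratio
    return cfg


def renewal_window_start(not_before, not_after, ratio):
    """When Caddy starts trying to renew: once less than ratio * lifetime of the
    certificate remains, i.e. at not_after - lifetime * ratio. The attempt itself
    happens at the next storage scan (Caddyfile renew_interval, default 10m)."""
    lifetime = not_after - not_before
    return not_after - lifetime * ratio


if __name__ == "__main__":
    patched = set_renewal_window_ratio(ADAPTED, 0.99)
    print(json.dumps(patched, indent=2))  # save as caddy.json, then `caddy run --config caddy.json`
    issued = datetime(2024, 1, 1, tzinfo=timezone.utc)  # constructed issue time
    # The poster's one-year certificate versus the 12h lifetime they tried to set:
    for lifetime in (timedelta(days=365), timedelta(hours=12)):
        start = renewal_window_start(issued, issued + lifetime, 0.99)
        print(f"lifetime {lifetime}: renewal window opens {start - issued} after issuance")
```

With ratio 0.99 a one-year certificate enters its renewal window about 3.65 days after issuance, and a 12h certificate after about 7 minutes, so the 10-minute renew_interval from the original post then decides how soon the attempt actually runs.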

Oh okay, I’m going to try this. I’ll keep you informed.
