The latest version of Caddy has increased the speed of the internal certificate event rate limiter from 20 per minute to 10 per 10 seconds (effectively triple the speed).
So at 10/10s, it should take 125 minutes (2h5min) to re-issue 7500 certs.
Like Francis said, the latest version of Caddy lets things move along a little faster. However, you’d still be subject to any CA rate limits (ZeroSSL doesn’t have any that I know of; Let’s Encrypt might limit to 300 orders every 3 hours.)
Can you please post your full logs here as the help template asks for? (Not just the access logs.) I can only guess otherwise. We’ll need the logs for the last 3-4 days or so. (If too long, please link to them instead.)
The easiest way to force certs to renew is to simply move them into a different folder (don’t delete, in case you need to get them back for some reason).
It’s possible that on-demand certificates don’t currently benefit from auto-renewal in the case of revocation.
When I first implemented the auto-replace feature it was not clear whether on-demand TLS is important, because Caddy does not have telemetry (primarily due to public backlash) to tell us how widely the feature is being used. When I saw that integrating this niche feature into a niche mode of operation was going to be non-trivial, I ended up shelving the idea for another time, if there was some demand for it.
Fast forward to today, and based on feedback over the last few months it seems clear to me that on-demand TLS is of greater importance than I had anticipated. Sorry I didn’t implement this sooner. With the lack of telemetry, this is why it is helpful for businesses to sponsor Caddy’s development and to have a relationship with the maintainers so that we can know how they are relying on the software to better serve their businesses. Back then, I only implemented this feature as a party trick, not because any businesses were actually relying on it.
I think I forgot to add that Caddy doesn't update our certificates for renewal, and I force it by deleting these certificates from the file system. Now it is important for us to renew them ASAP.
That’ll force a renewal, but in general it’s safer to simply rename the folder on disk so you can still have them if you need them. For future reference.
Caddy will renew ASAP, but only as fast as CA rate limits and other networking constraints allow.
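A way to do the "rename, don't delete" step recommended above, as an added example (not Caddy's own tooling and not code from this thread). It assumes certmagic's default on-disk layout, `<storage_root>/certificates/<issuer_dir>/<domain>/`, under the storage root that appears in the log line later in the thread (`/var/lib/caddy/.local/share/caddy`), and moves every issuer's copy of one domain into a timestamped backup folder so Caddy reissues on next use while the old key and certificate stay recoverable. The storage tree the demo builds is constructed.

```python
import os
import shutil
import tempfile
from datetime import datetime, timezone

# Assumption (not stated in the thread): Caddy/certmagic's default layout is
#   <storage_root>/certificates/<issuer_dir>/<domain>/<domain>.crt|.key|.json
# where <issuer_dir> is e.g. "acme-v02.api.letsencrypt.org-directory" or the
# ZeroSSL equivalent. The storage root seen in the thread's log line is
# /var/lib/caddy/.local/share/caddy.


def park_certificates(storage_root, domain, backup_root):
    """Move every <issuer_dir>/<domain> folder out of storage into a timestamped
    backup folder. Nothing is deleted; returns the (src, dst) pairs moved."""
    certs_dir = os.path.join(storage_root, "certificates")
    moved = []
    if not os.path.isdir(certs_dir):
        return moved
    stamp = datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    for issuer_dir in sorted(os.listdir(certs_dir)):
        src = os.path.join(certs_dir, issuer_dir, domain)
        if not os.path.isdir(src):
            continue  # this issuer never issued for the domain
        dst = os.path.join(backup_root, stamp, issuer_dir, domain)
        os.makedirs(os.path.dirname(dst), exist_ok=True)
        shutil.move(src, dst)
        moved.append((src, dst))
    return moved


def demo():
    """Constructed storage tree in a temp dir: two issuer dirs, two domains each.
    Parks example.com and reports what moved and what stayed."""
    root = tempfile.mkdtemp()
    try:
        storage = os.path.join(root, "caddy")
        backup = os.path.join(root, "parked-certs")
        issuers = ("acme-v02.api.letsencrypt.org-directory", "acme.zerossl.com-v2-DV90")
        for issuer_dir in issuers:
            for dom in ("example.com", "other.example"):
                d = os.path.join(storage, "certificates", issuer_dir, dom)
                os.makedirs(d)
                for ext in ("crt", "key", "json"):
                    open(os.path.join(d, f"{dom}.{ext}"), "w").close()

        moved = park_certificates(storage, "example.com", backup)
        # What is still under storage/ after parking: only the other domain.
        left = sorted(
            dom
            for issuer_dir in issuers
            for dom in os.listdir(os.path.join(storage, "certificates", issuer_dir))
        )
        # The private keys travelled with the folders instead of being lost.
        keys_kept = sum(
            os.path.isfile(os.path.join(dst, "example.com.key")) for _, dst in moved
        )
        return {"moved": len(moved), "left": left, "keys_kept": keys_kept}
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    print(demo())
```

Run it against the real storage root as the user Caddy runs as, so the parked folder keeps the same ownership as the key files. Caddy keeps already-loaded certificates in memory, so watch the logs after parking to confirm a fresh issuance actually happens for that name.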
We still have an issue that some certificates are still in the queue and not updated. We use ZeroSSL; it seems that it shouldn't have any limitation.
Is it possible to prioritize certificate creation for some domains?
Matt, would it be possible to have a call with you to help us optimize the config?
I found that some domains don't propagate for a few days, but all the logs that I found are this:
```
Feb 02 14:41:44 api1-on-demend-fixed-latest caddy[3993579]: 2022/02/02 14:41:44 [INFO][FileStorage:/var/lib/caddy/.local/share/caddy] Lock for 'issue_cert_DOMAIN' is stale (created: 2022-02-02 14:39:49.539145176 +0000 UTC, last update: 2022-02-02 14:41:34.616606671 +0000 UTC); removing then retrying: /var/lib/caddy/.local/share/caddy/locks/issue_cert_DOMAIN.lock
```
and the lock file is constantly in share/caddy/locks, which doesn't seem right.
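To make sense of a stream of stale-lock lines like the one above, here is an added example (not part of this thread and not Caddy's code) that parses them and reports, per lock, how long the lock lived between creation and its last update, how long it had gone without an update when Caddy declared it stale, and which domains keep hitting it. It assumes Caddy's log clock is UTC, matching the `+0000 UTC` lock timestamps as in the posted line, and strips the `issue_cert_` prefix to recover the domain. The sample log is constructed (made-up hostnames and domains, with the first line mirroring the thread's timings).

```python
import re
from collections import Counter
from datetime import datetime, timezone

# Constructed sample in the format of the stale-lock line above: a syslog prefix,
# then Caddy's own timestamp. The second line is an unrelated access-log entry
# to show that only stale-lock lines are picked up.
SAMPLE_LOG = """\
Feb 02 14:41:44 api1 caddy[3993579]: 2022/02/02 14:41:44 [INFO][FileStorage:/var/lib/caddy/.local/share/caddy] Lock for 'issue_cert_example.com' is stale (created: 2022-02-02 14:39:49.539145176 +0000 UTC, last update: 2022-02-02 14:41:34.616606671 +0000 UTC); removing then retrying: /var/lib/caddy/.local/share/caddy/locks/issue_cert_example.com.lock
Feb 02 14:41:45 api1 caddy[3993579]: {"level":"info","ts":1643813105.1,"logger":"http.log.access","msg":"handled request"}
Feb 02 14:45:02 api1 caddy[3993579]: 2022/02/02 14:45:02 [INFO][FileStorage:/var/lib/caddy/.local/share/caddy] Lock for 'issue_cert_example.com' is stale (created: 2022-02-02 14:41:44.901 +0000 UTC, last update: 2022-02-02 14:44:51 +0000 UTC); removing then retrying: /var/lib/caddy/.local/share/caddy/locks/issue_cert_example.com.lock
Feb 02 14:50:10 api1 caddy[3993579]: 2022/02/02 14:50:10 [INFO][FileStorage:/var/lib/caddy/.local/share/caddy] Lock for 'issue_cert_shop.example.net' is stale (created: 2022-02-02 14:48:00.25 +0000 UTC, last update: 2022-02-02 14:49:58.75 +0000 UTC); removing then retrying: /var/lib/caddy/.local/share/caddy/locks/issue_cert_shop.example.net.lock
"""

STALE_RE = re.compile(
    r"(?P<seen>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[INFO\]\[FileStorage:[^\]]+\] "
    r"Lock for '(?P<lock>[^']+)' is stale \(created: (?P<created>[^,]+), "
    r"last update: (?P<updated>[^)]+)\); removing then retrying"
)
# Go's default UTC time rendering: fraction may be absent or up to 9 digits.
GO_TIME_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})(?:\.(\d+))? \+0000 UTC$")


def parse_go_time(text):
    """Parse a Go-rendered UTC timestamp to an aware datetime (microsecond precision)."""
    m = GO_TIME_RE.match(text.strip())
    if not m:
        raise ValueError(f"unexpected time format: {text!r}")
    base = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
    micros = int((m.group(2) or "0")[:6].ljust(6, "0"))  # truncate ns -> us
    return base.replace(microsecond=micros, tzinfo=timezone.utc)


def stale_lock_events(lines):
    """One dict per stale-lock removal: the domain, how long the lock lived
    between creation and its last update (held_s), and how long it had gone
    without an update when Caddy removed it (silent_s).
    Assumption: the log's own clock is UTC, as in the sample."""
    events = []
    for line in lines:
        m = STALE_RE.search(line)
        if not m:
            continue
        seen = datetime.strptime(m["seen"], "%Y/%m/%d %H:%M:%S").replace(tzinfo=timezone.utc)
        created = parse_go_time(m["created"])
        updated = parse_go_time(m["updated"])
        lock = m["lock"]
        domain = lock[len("issue_cert_"):] if lock.startswith("issue_cert_") else lock
        events.append({
            "domain": domain,
            "held_s": round((updated - created).total_seconds(), 3),
            "silent_s": round((seen - updated).total_seconds(), 3),
        })
    return events


def repeat_offenders(events, min_count=2):
    """Domains whose issuance lock was declared stale at least min_count times:
    the first ones to look at when certificates sit in the queue."""
    counts = Counter(e["domain"] for e in events)
    return {d: n for d, n in counts.items() if n >= min_count}


if __name__ == "__main__":
    evs = stale_lock_events(SAMPLE_LOG.splitlines())
    for e in evs:
        print(e)
    print("repeat offenders:", repeat_offenders(evs))
```

Feed it `journalctl -u caddy --no-pager` output (or the plain log file) and look at `silent_s` first: a lock that stops being updated while the issuance is still in flight points at the issuing attempt stalling (CA round trip, DNS, or the process being restarted mid-issuance), while a domain that shows up repeatedly in `repeat_offenders` is the one to isolate before tuning anything global.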