Is it possible to avoid certificate renewals upon caddy upgrade?


(Sugarcube) #1

After some planning I am finally in the process of upgrading caddy (binary only) from a pretty old version in order to enable letsencrypt ALPN instead of SNI challenges for HTTPS certs.

I noticed all certificates are being requested again, while valid certificates are actually present. Digging a little bit I saw a new acme-v02 folder next to the acme-v01 folder for the certificates. So it appears certificates are requested again and stored in this new folder.

Next to the usual sites and users folders, acme-v02 contains a new subfolder challenge_tokens. I’m not entirely sure what the significance is, but it appears to be a temporary folder while renewal is going on.

On first sight it is not possible to copy over the sites and users folders from acme-v01 to acme-v02, as the content of the files is different.

Does anyone have a solution to make this automatic?

Maybe renewal is not a real issue, it’s not that many certificates. Just wondering if I can avoid renewal (and avoid hitting rate limits bringing the sites down).

At the moment I rolled back to the previous caddy version which still seems to run fine.


(Matthew Fay) #2

If your sites are all different domains, you’ll not have to worry about rate limits in the slightest unless you’ve got thousands of them.

If they’re all on the same domain, and you’re worried about hitting the Certificates per Registered Domain (50 per week) limit (which is still pretty decent), you might consider a wildcard certificate instead and backfill your certificates over time by moving them off the wildcard certificate in bunches every week.

https://letsencrypt.org/docs/rate-limits/

Off the top of my head, that folder is probably for Caddy clustering on file storage? If multiple instances of Caddy share a CADDYPATH, any of them can solve an ACME challenge for the others.