1. Caddy version (caddy version):
v2.2.0-rc.1.0.20200811172619-e385be922569 h1:nHT41ZpC4TVkQ656c55jTpMOFmEJd5oylK/icQYbs+c=
2. How I run Caddy:
Caddy is installed through Homebrew.
It uses the Caddyfile for configuration.
a. System environment:
MacOS Catalina
homebrew
caddy --HEAD
b. Command:
brew services start caddy
c. Service/unit/compose file:
//Not applicable
d. My complete Caddyfile or JSON config:
schc.local {
root /* /Users/daniel/Sites/schc
tls internal {
on_demand
}
encode zstd gzip
php_fastcgi 127.0.0.1:9000
file_server
}
3. The problem I’m having:
Most of the time when going to schc.local the certificate is outdated. After some debugging, I recognized that my computer is set up to deep sleep on lid close, which means that obviously the background service that reloads the certificates is not running and has no time to renew the certificates. Therefore, I added the on_demand functionality, which I thought would check the certificate at TLS handshake time and renew it if needed. But as tested today, this is not how it works, as Caddy is still delivering the outdated certificate instead of renewing it “on demand”. This may be the planned functionality, but it would be great to have a real “on demand” functionality that also checks if the certificate needs to be renewed during the TLS handshake.
4. Error messages and/or full log output:
2020/08/17 15:06:45 http: TLS handshake error from 127.0.0.1:63270: remote error: tls: unknown certificate
2020/08/17 15:06:45 http: TLS handshake error from 127.0.0.1:63272: remote error: tls: unknown certificate
2020/08/17 15:06:50 http: TLS handshake error from 127.0.0.1:63278: remote error: tls: unknown certificate
2020/08/17 15:06:57 http: TLS handshake error from 127.0.0.1:63293: remote error: tls: unknown certificate
2020/08/17 15:06:58 http: TLS handshake error from 127.0.0.1:63296: remote error: tls: unknown certificate
2020/08/17 15:06:58 http: TLS handshake error from 127.0.0.1:63298: remote error: tls: unknown certificate
2020/08/17 15:06:58 http: TLS handshake error from 127.0.0.1:63299: remote error: tls: unknown certificate
2020/08/17 15:06:59 http: TLS handshake error from 127.0.0.1:63301: remote error: tls: unknown certificate
2020/08/17 15:06:59 http: TLS handshake error from 127.0.0.1:63302: remote error: tls: unknown certificate
2020/08/17 15:07:29 http: TLS handshake error from 127.0.0.1:63343: remote error: tls: unknown certificate
2020/08/17 15:08:20 http: TLS handshake error from 127.0.0.1:63381: remote error: tls: unknown certificate
2020/08/17 15:10:13 http: TLS handshake error from 127.0.0.1:63400: remote error: tls: unknown certificate
2020/08/17 15:11:59 http: TLS handshake error from 127.0.0.1:63447: remote error: tls: unknown certificate
{"level":"info","ts":1597670042.988401,"logger":"tls.cache.maintenance","msg":"certificate expires soon; queuing for renewal","identifiers":["localhost"],"remaining":-61353.988388}
{"level":"info","ts":1597670042.988692,"logger":"tls.cache.maintenance","msg":"certificate expires soon; queuing for renewal","identifiers":["schc.local"],"remaining":-61353.98869}
{"level":"info","ts":1597670042.98877,"logger":"tls.cache.maintenance","msg":"attempting certificate renewal","identifiers":["localhost"],"remaining":-61353.988769}
{"level":"info","ts":1597670042.9888341,"logger":"tls.cache.maintenance","msg":"attempting certificate renewal","identifiers":["schc.local"],"remaining":-61353.988819}
{"level":"info","ts":1597670042.990061,"logger":"tls.renew","msg":"acquiring lock","identifier":"localhost"}
{"level":"info","ts":1597670042.990407,"logger":"tls.renew","msg":"acquiring lock","identifier":"schc.local"}
{"level":"info","ts":1597670042.990832,"logger":"tls.renew","msg":"lock acquired","identifier":"localhost"}
{"level":"info","ts":1597670042.991028,"logger":"tls.renew","msg":"lock acquired","identifier":"schc.local"}
{"level":"info","ts":1597670042.991918,"logger":"tls.renew","msg":"renewing certificate","identifier":"localhost","remaining":-61353.991916}
{"level":"info","ts":1597670042.991999,"logger":"tls.renew","msg":"renewing certificate","identifier":"schc.local","remaining":-61353.991992}
{"level":"info","ts":1597670042.9947891,"logger":"tls.renew","msg":"certificate renewed successfully","identifier":"localhost"}
{"level":"info","ts":1597670042.9948711,"logger":"tls.renew","msg":"releasing lock","identifier":"localhost"}
{"level":"info","ts":1597670042.9952068,"logger":"tls.renew","msg":"certificate renewed successfully","identifier":"schc.local"}
{"level":"info","ts":1597670042.9952378,"logger":"tls.renew","msg":"releasing lock","identifier":"schc.local"}
{"level":"info","ts":1597670042.995491,"logger":"tls","msg":"reloading managed certificate","identifiers":["localhost"]}
{"level":"info","ts":1597670042.9959738,"logger":"tls","msg":"reloading managed certificate","identifiers":["schc.local"]}
{"level":"warn","ts":1597670042.996657,"logger":"tls","msg":"stapling OCSP","error":"no OCSP stapling for [localhost]: no OCSP server specified in certificate"}
{"level":"info","ts":1597670042.996725,"logger":"tls.cache","msg":"replaced certificate in cache","identifiers":["localhost"],"new_expiration":1597713242}
{"level":"warn","ts":1597670042.9972858,"logger":"tls","msg":"stapling OCSP","error":"no OCSP stapling for [schc.local]: no OCSP server specified in certificate"}
{"level":"info","ts":1597670042.997333,"logger":"tls.cache","msg":"replaced certificate in cache","identifiers":["schc.local"],"new_expiration":1597713242}
2020/08/17 15:18:29 http: TLS handshake error from 127.0.0.1:63570: local error: tls: bad record MAC
2020/08/17 15:18:29 http: TLS handshake error from 127.0.0.1:63571: local error: tls: bad record MAC
2020/08/17 15:18:29 http: TLS handshake error from 127.0.0.1:63572: local error: tls: bad record MAC
5. What I already tried:
Switched from automated background TLS renewal to on_demand TLS.
6. Links to relevant resources:
Not applicable
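Added example, not from the post above and not Caddy's own code: a small Python script that reads the structured `tls.cache.maintenance` / `tls.cache` events of the kind shown in section 4 and reports, per identifier, whether the certificate had already expired by the time the maintenance loop queued it for renewal, how far past expiry it was, and what lifetime the replacement certificate received. The sample log lines are constructed to mirror the post; the 1/3 renewal-window ratio is assumed from CertMagic's default, and `max_safe_sleep_seconds` is an approximation introduced here to quantify the sleep-related failure mode.

```python
"""Added example (not part of the forum post or of Caddy): scan Caddy's
structured TLS log lines and report whether each certificate had already
expired when the maintenance loop finally queued it for renewal, and where
the renewal window would have started under CertMagic's default ratio."""
import json

# Constructed sample input: lines in the shape Caddy emitted in the post above
# (one plain-text handshake error plus three JSON events). Not a live capture.
SAMPLE_LOG = """\
2020/08/17 15:06:45 http: TLS handshake error from 127.0.0.1:63270: remote error: tls: unknown certificate
{"level":"info","ts":1597670042.988692,"logger":"tls.cache.maintenance","msg":"certificate expires soon; queuing for renewal","identifiers":["schc.local"],"remaining":-61353.98869}
{"level":"info","ts":1597670042.9952068,"logger":"tls.renew","msg":"certificate renewed successfully","identifier":"schc.local"}
{"level":"info","ts":1597670042.997333,"logger":"tls.cache","msg":"replaced certificate in cache","identifiers":["schc.local"],"new_expiration":1597713242}
"""

# Assumption: CertMagic's default RenewalWindowRatio is 1/3, i.e. a certificate
# becomes eligible for renewal once a third of its lifetime remains.
DEFAULT_RENEWAL_WINDOW_RATIO = 1.0 / 3.0


def parse_events(text):
    """Return the JSON events in a Caddy log; plain-text lines are skipped."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("{"):
            continue  # e.g. "http: TLS handshake error ..." lines from net/http
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # tolerate a truncated or interleaved line
    return events


def identifiers_of(event):
    """Caddy uses "identifiers" (a list) on some events and "identifier" on others."""
    ids = event.get("identifiers")
    if ids is None:
        single = event.get("identifier")
        ids = [single] if single else []
    return ids


def renewal_report(events):
    """Per identifier: was the cert already expired when queued, by how much,
    and what lifetime the replacement certificate got."""
    report = {}
    for ev in events:
        for ident in identifiers_of(ev):
            entry = report.setdefault(ident, {})
            msg = ev.get("msg")
            if msg == "certificate expires soon; queuing for renewal":
                # "remaining" is seconds until NotAfter; negative means already expired
                remaining = float(ev["remaining"])
                entry["queued_at"] = ev["ts"]
                entry["already_expired"] = remaining < 0
                entry["seconds_past_expiry"] = max(0.0, -remaining)
            elif msg == "replaced certificate in cache":
                entry["new_lifetime_seconds"] = ev["new_expiration"] - ev["ts"]
    return report


def renewal_window_start(not_after, lifetime_seconds, ratio=DEFAULT_RENEWAL_WINDOW_RATIO):
    """Unix time from which the maintenance loop would consider the certificate
    renewable (assumed ratio; see above)."""
    return not_after - lifetime_seconds * ratio


def max_safe_sleep_seconds(lifetime_seconds, ratio=DEFAULT_RENEWAL_WINDOW_RATIO):
    """Approximate longest gap the host can be asleep without the certificate
    expiring before the maintenance loop sees it as renewable: the window itself."""
    return lifetime_seconds * ratio


if __name__ == "__main__":
    rep = renewal_report(parse_events(SAMPLE_LOG))
    for ident, info in rep.items():
        hours_late = info.get("seconds_past_expiry", 0.0) / 3600
        lifetime_h = info.get("new_lifetime_seconds", 0.0) / 3600
        print(f"{ident}: expired={info.get('already_expired')} "
              f"({hours_late:.1f} h past NotAfter), new lifetime {lifetime_h:.1f} h, "
              f"safe sleep under the assumed ratio: "
              f"{max_safe_sleep_seconds(lifetime_h * 3600) / 3600:.1f} h")
```

Run against the post's own numbers, the report shows schc.local was roughly 17 hours past expiry when queued and received a 12-hour replacement, so under a 1/3 window a lid-closed gap longer than about 4 hours is enough to reproduce the outdated-certificate symptom; that is the quantity worth watching when deciding whether a background renewal loop alone is adequate on a machine that sleeps.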