Moving to a new server, Caddy still tries to update certificates

(Nicolas) #1

Hello,

I’m trying to move my sites to a new server and I’d like to start everything before changing the DNS records for my domain names. As I had done in the past, I moved the caddy folder from the old server to the new one, in order to have every certificate ready to go and launch Caddy on the new one before the transition.

But this time, I can’t make it work. When I launch Caddy using the command line, I have this error:

/usr/local/bin/caddy -log stdout -agree=true -email=mymail@gmail.com -conf=/etc/caddy/Caddyfile -root=/var/www 
Activating privacy features... 2019/06/10 10:12:29 [INFO][cache:0xc000084b40] Started certificate maintenance routine
2019/06/10 10:12:30 [INFO] [www.voiretmanger.fr] acme: Obtaining bundled SAN certificate
2019/06/10 10:12:31 [INFO] [www.voiretmanger.fr] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz/QDxVs4GDNRR7mtfbV7wu9b4rjuq5cNwhpJ76qnAmoj4
2019/06/10 10:12:31 [INFO] [www.voiretmanger.fr] acme: use tls-alpn-01 solver
2019/06/10 10:12:31 [INFO] [www.voiretmanger.fr] acme: Trying to solve TLS-ALPN-01
2019/06/10 10:12:37 [INFO] Unable to deactivated authorizations: https://acme-v02.api.letsencrypt.org/acme/authz/QDxVs4GDNRR7mtfbV7wu9b4rjuq5cNwhpJ76qnAmoj4
2019/06/10 10:12:37 [www.voiretmanger.fr] failed to obtain certificate: acme: Error -> One or more domains had a problem:
[www.voiretmanger.fr] acme: error: 400 :: urn:ietf:params:acme:error:tls :: remote error: tls: internal error, url: 

It seems Caddy is trying to renew the certificates, and not use the existing one which should be valid (I rsynced the folder from the old server just minutes before).

Permissions should be right, here are the commands applied from the script I wrote and used: https://github.com/nicolinuxfr/config-server/blob/master/tools/post-install.sh#L39

What am I missing?

Thanks for your help! :slight_smile:

(Matthew Fay) #2

Hi @nicolinux, I note that you haven’t set CADDYPATH in the command you posted. Is it set in your environment properly when you run the command? Based on your install script, I’m guessing it should be set to /etc/ssl/caddy for Caddy to look in the right place for TLS assets (as opposed to ~/.caddy, the default).

https://caddyserver.com/docs/automatic-https#dot-caddy

(Nicolas) #3

:man_facepalming:

You’re right, it is set in the service I’m using but I forgot to set it in the command line.

The service gave me this error; I wanted to see what was happening, but my method was wrong:

Jun 10 10:28:42 localhost systemd[1]: Started Caddy HTTP/2 web server.
Jun 10 10:28:42 localhost caddy[6412]: Activating privacy features... 2019/06/10 10:28:42 [INFO][cache:0xc000082b40] Started certificate maintenance routine
Jun 10 10:28:42 localhost caddy[6412]: done.
Jun 10 10:28:42 localhost caddy[6412]: 2019/06/10 10:28:42 Listen: listen tcp :443: bind: permission denied
Jun 10 10:28:42 localhost systemd[1]: caddy.service: Main process exited, code=exited, status=1/FAILURE
Jun 10 10:28:42 localhost systemd[1]: caddy.service: Failed with result 'exit-code'.

Before you ask, I did apply the setcap command that should have taken care of the permission issue.

(Matthew Fay) #4

What’s in your unit file?

(Nicolas) #5

This: https://github.com/nicolinuxfr/config-server/blob/master/etc/systemd/system/caddy.service

(Matthew Fay) #6

Try uncommenting these three lines:

(Nicolas) #7

Good catch, it worked!

I don’t remember why I commented the lines in the first place, but good to know.

Thanks for your quick and efficient help, as always! :+1:

(Matthew Fay) #8

I think they’re commented by default in the official examples repo. Out of concern for compatibility, I believe they don’t work (or function differently?) for an older systemd version.

Glad I could help :smiley:

(Nicolas) #9

I changed from Ubuntu 16.04 to 18.04 during the transition, so maybe it’s the difference?