1. The problem I’m having:
I’m using Caddy to manage multiple domains, with Vault as the storage backend. OCSP responses are refreshed and stored in Vault on demand, triggered by incoming traffic.
The issue is that for each domain, I receive around 10,000 requests per minute. When the OCSP response needs to be refreshed, all those incoming requests trigger an OCSP check. If a new response is retrieved from the CA, each of these requests attempts to store the updated response in Vault simultaneously.
This causes a huge spike in concurrent writes to Vault, which it cannot absorb at that rate; the writes time out (the `context deadline exceeded` error shown below). Note that the storage config below sets `max_retries` to 1, so a timed-out write is retried at most once before the staple update is given up on for that request.
Is anyone else seeing this? Is there a known workaround — for example, a way to ensure that only one in-flight request performs the OCSP refresh and the Vault write while the remaining requests reuse the cached staple — so that a burst of concurrent requests does not hammer Vault every time a staple expires?
2. Error messages and/or full log output:
```
{"level":"warn","ts":1754792141.8703964,"logger":"tls.on_demand","msg":"stapling OCSP","identifiers":["redacted"],"server_name":"redacted","error":"unable to write OCSP staple file for [redacted]: error writing secret to redacted-21237944: context deadline exceeded"}
```
## 3. Caddy version:
v2.9.0 h1:rteY8N18LsQn+2KVk6R10Vg/AlNsID1N/Ek9JLjm2yE=
### a. System environment:
Ubuntu 20.04.6 LTS
### b. Command:
sudo systemctl start caddy
### d. My complete Caddy config:
```json
{
"admin": {
"listen": ":2019"
},
"logging": {
"logs": {
"default": {
"writer": {
"filename": "/var/log/caddy/global.log",
"output": "file"
},
"level": "DEBUG",
"exclude": [
"http.log.access.log0"
]
},
"log0": {
"writer": {
"filename": "/var/log/caddy/access.log",
"output": "file"
},
"include": [
"http.log.access.log0"
]
}
}
},
"storage": {
"module": "vault",
"addresses": ["redacted"],
"secrets_mount_path": "redacted",
"token_path": "/secret-path",
"max_retries": 1
},
"apps": {
"http": {
"servers": {
"srv0": {
"listen": [
":443"
],
"routes": [
{
"handle": [
{
"handler": "reverse_proxy",
"transport": {
"protocol": "http",
"tls": {}
},
"upstreams": [
{
"dial": "redacted"
}
]
}
]
}
],
"tls_connection_policies": [
{
}
],
"logs": {
"default_logger_name": "log0"
},
"metrics": {}
},
"srv1": {
"listen": [
":80"
],
"logs": {
"default_logger_name": "log1"
}
},
"srv2": {
"listen": [
":32222"
],
"routes": [
{
"match": [
{
"path": [
"/_health"
]
}
],
"handle": [
{
"handler": "static_response",
"status_code": 200
}
]
}
],
"logs": {
"default_logger_name": "log1"
}
}
}
},
"tls": {
"disable_storage_check": true,
"automation": {
"policies": [
{
"issuers": [
{
"api_key": "redacted",
"module": "zerossl"
}
],
"on_demand": true
}
],
"on_demand": {
"ask": "redacted"
},
"ocsp_interval": "10m"
}
}
}
}
```