Ok, I deleted the .crt file and did a caddy reload. (I can waste a few of the 50 requests per week on that domain.) There’s nothing in the log about the exec:
Jan 09 06:42:59 Ubuntu-1604-xenial-64-minimal caddy[854]: {"level":"info","ts":1673242979.6666946,"logger":"tls.obtain","msg":"lock acquired","identifier":"mqtt.webkr.de"}
Jan 09 06:42:59 Ubuntu-1604-xenial-64-minimal caddy[854]: {"level":"info","ts":1673242979.6673455,"msg":"autosaved config (load with --resume flag)","file":"/var/lib/caddy/.config/caddy/autosave.json"}
Jan 09 06:42:59 Ubuntu-1604-xenial-64-minimal caddy[854]: {"level":"info","ts":1673242979.6692238,"logger":"tls.obtain","msg":"obtaining certificate","identifier":"mqtt.webkr.de"}
Jan 09 06:42:59 Ubuntu-1604-xenial-64-minimal caddy[854]: {"level":"debug","ts":1673242979.6696942,"logger":"events","msg":"event","name":"cert_obtaining","id":"c37d8308-aaba-40a9-a79c-f4460813d768","origin":"tls","data":{"identifier":"mqtt.webkr.de"}}
Jan 09 06:42:59 Ubuntu-1604-xenial-64-minimal caddy[854]: {"level":"debug","ts":1673242979.6707277,"logger":"tls.obtain","msg":"trying issuer 1/2","issuer":"acme-v02.api.letsencrypt.org-directory"}
Jan 09 06:42:59 Ubuntu-1604-xenial-64-minimal caddy[854]: {"level":"info","ts":1673242979.6712348,"logger":"admin.api","msg":"load complete"}
Jan 09 06:42:59 Ubuntu-1604-xenial-64-minimal caddy[854]: {"level":"info","ts":1673242979.6782882,"logger":"http","msg":"waiting on internal rate limiter","identifiers":["mqtt.webkr.de"],"ca":"https://acme-v02.api.letsencrypt.org/directory","account":""}
Jan 09 06:42:59 Ubuntu-1604-xenial-64-minimal caddy[854]: {"level":"info","ts":1673242979.6788213,"logger":"http","msg":"done waiting on internal rate limiter","identifiers":["mqtt.webkr.de"],"ca":"https://acme-v02.api.letsencrypt.org/directory","account":""}
Jan 09 06:42:59 Ubuntu-1604-xenial-64-minimal systemd[1]: Reloaded Caddy.
Jan 09 06:42:59 Ubuntu-1604-xenial-64-minimal caddy[854]: {"level":"info","ts":1673242979.8095386,"logger":"admin","msg":"stopped previous server","address":"localhost:2019"}
Jan 09 06:43:00 Ubuntu-1604-xenial-64-minimal caddy[854]: {"level":"debug","ts":1673242980.0951858,"logger":"http.acme_client","msg":"http request","method":"HEAD","url":"https://acme-v02.api.letsencrypt.org/acme/new-nonce","headers":{"User-Agent":["Caddy/2.6.1 CertMagic acmez (linux; amd64)"]},"response_headers":{"Cache-Control":["public, max-age=0, no-cache"],"Date":["Mon, 09 Jan 2023 05:43:00 GMT"],"Link":["<https://acme-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["5CA2NKwdlrj-A-FWByqwKOJ9knZNVp6kLNj9nLYxClpjRg4"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":200}
Jan 09 06:43:00 Ubuntu-1604-xenial-64-minimal caddy[854]: {"level":"debug","ts":1673242980.3962514,"logger":"http.acme_client","msg":"http request","method":"POST","url":"https://acme-v02.api.letsencrypt.org/acme/new-order","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.6.1 CertMagic acmez (linux; amd64)"]},"response_headers":{"Boulder-Requester":["762064026"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["336"],"Content-Type":["application/json"],"Date":["Mon, 09 Jan 2023 05:43:00 GMT"],"Link":["<https://acme-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Location":["https://acme-v02.api.letsencrypt.org/acme/order/762064026/157740686277"],"Replay-Nonce":["371CtMtNCMkg3aC-9BA2DNWn3LvAU0lkDkXGbzYmWFFWygQ"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":201}
Jan 09 06:43:00 Ubuntu-1604-xenial-64-minimal caddy[854]: {"level":"debug","ts":1673242980.5439649,"logger":"http.acme_client","msg":"http request","method":"POST","url":"https://acme-v02.api.letsencrypt.org/acme/authz-v3/193715674137","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.6.1 CertMagic acmez (linux; amd64)"]},"response_headers":{"Boulder-Requester":["762064026"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["645"],"Content-Type":["application/json"],"Date":["Mon, 09 Jan 2023 05:43:00 GMT"],"Link":["<https://acme-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["1DFA7sNuGYBvg2uaFVpNEasfx9oxOIj5QD7UZruodWzs8II"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":200}
Jan 09 06:43:00 Ubuntu-1604-xenial-64-minimal caddy[854]: {"level":"debug","ts":1673242980.544697,"logger":"http.acme_client","msg":"skipping challenge initiation because authorization is not pending","identifier":"mqtt.webkr.de","authz_status":"valid"}
Jan 09 06:43:00 Ubuntu-1604-xenial-64-minimal caddy[854]: {"level":"info","ts":1673242980.5447576,"logger":"http.acme_client","msg":"authorization finalized","identifier":"mqtt.webkr.de","authz_status":"valid"}
Jan 09 06:43:00 Ubuntu-1604-xenial-64-minimal caddy[854]: {"level":"info","ts":1673242980.5447865,"logger":"http.acme_client","msg":"validations succeeded; finalizing order","order":"https://acme-v02.api.letsencrypt.org/acme/order/762064026/157740686277"}
Jan 09 06:43:01 Ubuntu-1604-xenial-64-minimal caddy[854]: {"level":"debug","ts":1673242981.163243,"logger":"http.acme_client","msg":"http request","method":"POST","url":"https://acme-v02.api.letsencrypt.org/acme/finalize/762064026/157740686277","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.6.1 CertMagic acmez (linux; amd64)"]},"response_headers":{"Boulder-Requester":["762064026"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["440"],"Content-Type":["application/json"],"Date":["Mon, 09 Jan 2023 05:43:01 GMT"],"Link":["<https://acme-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Location":["https://acme-v02.api.letsencrypt.org/acme/order/762064026/157740686277"],"Replay-Nonce":["371CAJAmFxZq-9IS6x4hIEvYaeleK8smRhZGU9fFOEeSNMk"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":200}
Jan 09 06:43:01 Ubuntu-1604-xenial-64-minimal caddy[854]: {"level":"debug","ts":1673242981.3030584,"logger":"http.acme_client","msg":"http request","method":"POST","url":"https://acme-v02.api.letsencrypt.org/acme/cert/04c8cb437964d5ff55f26e82d35a4ef2fdcc","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.6.1 CertMagic acmez (linux; amd64)"]},"response_headers":{"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["5317"],"Content-Type":["application/pem-certificate-chain"],"Date":["Mon, 09 Jan 2023 05:43:01 GMT"],"Link":["<https://acme-v02.api.letsencrypt.org/directory>;rel=\"index\"","<https://acme-v02.api.letsencrypt.org/acme/cert/04c8cb437964d5ff55f26e82d35a4ef2fdcc/1>;rel=\"alternate\""],"Replay-Nonce":["5CA2X_uEt66i3SMDKWv9h3sBV8eilVH3VVADwnkjVRRbvy4"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":200}
Jan 09 06:43:01 Ubuntu-1604-xenial-64-minimal caddy[854]: {"level":"debug","ts":1673242981.4446695,"logger":"http.acme_client","msg":"http request","method":"POST","url":"https://acme-v02.api.letsencrypt.org/acme/cert/04c8cb437964d5ff55f26e82d35a4ef2fdcc/1","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.6.1 CertMagic acmez (linux; amd64)"]},"response_headers":{"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["3393"],"Content-Type":["application/pem-certificate-chain"],"Date":["Mon, 09 Jan 2023 05:43:01 GMT"],"Link":["<https://acme-v02.api.letsencrypt.org/directory>;rel=\"index\"","<https://acme-v02.api.letsencrypt.org/acme/cert/04c8cb437964d5ff55f26e82d35a4ef2fdcc/0>;rel=\"alternate\""],"Replay-Nonce":["371C5nUPmLxj_ZbUYRmGoHDeDJwJWRSIjNrjdJCVVh_5Mkc"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":200}
Jan 09 06:43:01 Ubuntu-1604-xenial-64-minimal caddy[854]: {"level":"info","ts":1673242981.4448843,"logger":"http.acme_client","msg":"successfully downloaded available certificate chains","count":2,"first_url":"https://acme-v02.api.letsencrypt.org/acme/cert/04c8cb437964d5ff55f26e82d35a4ef2fdcc"}
Jan 09 06:43:01 Ubuntu-1604-xenial-64-minimal caddy[854]: {"level":"info","ts":1673242981.4456117,"logger":"tls.obtain","msg":"certificate obtained successfully","identifier":"mqtt.webkr.de"}
Jan 09 06:43:01 Ubuntu-1604-xenial-64-minimal caddy[854]: {"level":"debug","ts":1673242981.4456892,"logger":"events","msg":"event","name":"cert_obtained","id":"5e36df71-e02e-4358-9c5a-9278145926e0","origin":"tls","data":{"identifier":"mqtt.webkr.de","issuers":"acme-v02.api.letsencrypt.org-directory","renewal":false,"storage_key":"mqtt.webkr.de"}}
Jan 09 06:43:01 Ubuntu-1604-xenial-64-minimal caddy[854]: {"level":"info","ts":1673242981.4457185,"logger":"tls.obtain","msg":"releasing lock","identifier":"mqtt.webkr.de"}
Jan 09 06:43:01 Ubuntu-1604-xenial-64-minimal caddy[854]: {"level":"debug","ts":1673242981.4464214,"logger":"tls","msg":"loading managed certificate","domain":"mqtt.webkr.de","expiration":1681015380,"issuer_key":"acme-v02.api.letsencrypt.org-directory","storage":"FileStorage:/var/lib/caddy/.local/share/caddy"}
Jan 09 06:43:01 Ubuntu-1604-xenial-64-minimal caddy[854]: {"level":"debug","ts":1673242981.606882,"logger":"tls.cache","msg":"added certificate to cache","subjects":["mqtt.webkr.de"],"expiration":1681015380,"managed":true,"issuer_key":"acme-v02.api.letsencrypt.org-directory","hash":"f83ed29bf9898a8e3425f6a68a45eea2cd6016bd14292385df32dd15f7e2288f","cache_size":15,"cache_capacity":10000}
Jan 09 06:43:01 Ubuntu-1604-xenial-64-minimal caddy[854]: {"level":"debug","ts":1673242981.6069868,"logger":"events","msg":"event","name":"cached_managed_cert","id":"4cba11e9-0ac6-4268-b097-2f3809c87a18","origin":"tls","data":{"sans":["mqtt.webkr.de"]}}
The script and all its parent folders are 755.