On demand tls config on Caddyfile eror on starting

Sahin_gulci · March 4, 2025, 12:59pm

1. The problem I’m having:

I am trying to enable on-demand config on caddyfile but can not start caddy service on ubuntu server (I did this on my previous job successfully but not working this way anymore) no docker, just “caddy start” command and gives error, I past caddyfile to this location “/etc/caddy/Caddyfile”

2. Error messages and/or full log output:

Mar 04 10:48:52 -blog caddy[4604]: HOME=/var/lib/caddy
Mar 04 10:48:52 -blog caddy[4604]: LOGNAME=caddy
Mar 04 10:48:52 -blog caddy[4604]: USER=caddy
Mar 04 10:48:52 -blog caddy[4604]: INVOCATION_ID=640c5886277949ffa1831db950705ff7
Mar 04 10:48:52 -blog caddy[4604]: JOURNAL_STREAM=8:36245
Mar 04 10:48:52 -blog caddy[4604]: SYSTEMD_EXEC_PID=4604
Mar 04 10:48:52 -blog caddy[4604]: {"level":"info","ts":1741085332.6511915,"msg":"using config from file","file":"/etc/caddy/Caddyfile"}
Mar 04 10:48:52 -blog caddy[4604]: {"level":"info","ts":1741085332.6536613,"msg":"adapted config to JSON","adapter":"caddyfile"}
Mar 04 10:48:52 -blog caddy[4604]: {"level":"info","ts":1741085332.6562235,"logger":"admin","msg":"admin endpoint started","address":"localhost:2019","enforce_origin":false,"origins":["//127.0.0.1:2019","//localhost:2019","//[::1]:2019"]}
Mar 04 10:48:52 -blog caddy[4604]: {"level":"info","ts":1741085332.6567702,"logger":"tls.cache.maintenance","msg":"started background certificate maintenance","cache":"0xc00031dd80"}
Mar 04 10:48:52 -blog caddy[4604]: {"level":"info","ts":1741085332.6569395,"logger":"tls.cache.maintenance","msg":"stopped background certificate maintenance","cache":"0xc00031dd80"}
Mar 04 10:48:52 -blog caddy[4604]: Error: loading initial config: loading new config: loading http app module: provision http: getting tls app: loading tls app module: provision tls: provisioning automation policy 0: on-demand TLS cannot be enabled without a permission module to prevent abuse; please refer to documentation for details
Mar 04 10:48:52 -blog systemd[1]: caddy.service: Main process exited, code=exited, status=1/FAILURE

3. Caddy version:

v2.9.1 h1:OEYiZ7DbCzAWVb6TNEkjRcSCRGHVoZsJinoDR/n9oaY=

4. How I installed and ran Caddy:

sudo apt install -y debian-keyring debian-archive-keyring apt-transport-https curl
curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/gpg.key' | sudo gpg --dearmor -o /usr/share/keyrings/caddy-stable-archive-keyring.gpg
curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/debian.deb.txt' | sudo tee /etc/apt/sources.list.d/caddy-stable.list
sudo apt update
sudo apt install caddy

a. System environment:

Distributor ID:	Ubuntu
Description:	Ubuntu 22.04.5 LTS
Release:	22.04
Codename:	jammy

d. My complete Caddy config:

{
	on_demand_tls {
		ask    http://localhost:8080/check
	}
}

https:// {
   tls {
           on_demand
       }

    @test host blog.test.com test.com www.test.com
	handle @blog {
		# respond "blog.test.com"
        reverse_proxy localhost:8080
	}

}

Sahin_gulci · March 4, 2025, 2:20pm

I tried below config also but no luck same kind of error

{
	on_demand_tls {
		permission {
        	endpoint http://localhost:8080/check,
        	module http
        }
	}
}
```

```

Mar 04 10:48:52 sahin-blog caddy[4604]: Error: loading initial config: loading new config: loading http app module: provision http: getting tls app: loading tls app module: provision tls: provisioning automation policy 0: on-demand TLS cannot be enabled without a permission module to prevent abuse; please refer to documentation for details

```

Mohammed90 · March 5, 2025, 1:25am

Double-check your config file. That config works fine without issues.

Sahin_gulci · March 5, 2025, 7:59am

I did and I tried with docker and it had the same errors, I tried “caddy fmt --overwrite” too, but it is not working, I am not sure what else to do, guessing after making the permission module required for on-demand tls broke something on new versions

github.com/caddyserver/caddy

modules/caddytls/ondemand.go

eacd7720e


      
          
          // OnDemandConfig configures on-demand TLS, for obtaining
          // needed certificates at handshake-time. Because this
          // feature can easily be abused, Caddy must ask permission
          // to your application whether a particular domain is allowed
          // to have a certificate issued for it.
          type OnDemandConfig struct {
          	// Deprecated. WILL BE REMOVED SOON. Use 'permission' instead with the `http` module.
          	Ask string `json:"ask,omitempty"`
          
          	// REQUIRED. A module that will determine whether a
          	// certificate is allowed to be loaded from storage
          	// or obtained from an issuer on demand.
          	PermissionRaw json.RawMessage `json:"permission,omitempty" caddy:"namespace=tls.permission inline_key=module"`
          	permission    OnDemandPermission
          }
          
          // OnDemandPermission is a type that can give permission for
          // whether a certificate should be allowed to be obtained or
          // loaded from storage on-demand.
          // EXPERIMENTAL: This API is experimental and subject to change.

and where are the test cases to test these new features on Caddyfile , and did not find any documentation on how to use the permission option with HTTP endpoint correctly

Sahin_gulci · March 5, 2025, 12:27pm

removed latest caddy version and changed to 2.8.4 and not get any error regarding config file read, but get some other tls error regarding on-demand tls, can not fixed that error

Lastly, I removed on demand tls config completely and updated back to the latest version, this worked for me, but the on-demand config on the latest caddy version is problematic, needs attention

Mohammed90 · March 5, 2025, 12:54pm

As I said above, I cannot reproduce the complaint. Something is wrong with your environment.