If generating a certificate fails, e.g. a DNS challenge fails after tls.automation.policies.issuers.challenges.dns.provider.max_retries, is the domain then in a permanent state without an SSL certificate, or what would trigger Caddy to try again? Can we trigger a retry using the API (if the config hasn’t changed)?
Looking at the API docs I don’t see anything specific for this but did see the must-revalidate option - would this kind of reload cause Caddy to re-try fetching missing certs?
If the new config is the same as the current one, no reload will occur. To force a reload, set Cache-Control: must-revalidate in the request headers.
max_retries isn’t a Caddy/CertMagic thing. I’m not sure where you got that from. It’s not here: JSON Config Structure - Caddy Documentation. What DNS provider plugin are you using?
Caddy will continually retry to issue a cert for up to 30 days, with exponential backoff, as per the docs here: Automatic HTTPS — Caddy Documentation
Right, so to clarify as Francis said, max_retries sounds like something specific to your DNS provider, given that pseudo-path in a JSON config structure (“… .dns.provider.max_retries”) – I’m also not quite sure what you’re asking or talking about since we don’t know which DNS provider you are referring to. It is likely a feature in a separate plugin that we don’t have anything to do with (other than making it available on our site for download).