PSA: Use Let's Encrypt's staging endpoint when you're experimenting

(Matt Holt) #1


While most Caddy users get up and running pretty quickly, quite a few of you run experimental setups or have to tinker with your infrastructure or configuration to get it just right in some cases.

When you’re running “disposable” Caddy instances or are trying to get just the right set up, be sure to use Let’s Encrypt’s staging endpoint or you may hit rate limits, making it impossible for Caddy to get a certificate for your hostname for up to a week.

Simply run Caddy with the -ca flag, specifying Let’s Encrypt’s staging endpoint. It issues fake certificates but the rate limits are negligible. (By default, Caddy will use their production endpoint which issues real certificates.)

For those wondering or if you’re looking for more information, this is documented at But again, most users won’t need to think/worry about this.

Have fun with Caddy! :slight_smile:

(Matt Holt) pinned #2

(Justin) #3

I am starting Caddy with staging Let’s Encrypt -ca= howerver it just seems to hang with:

Apr  4 23:41:34 ip-172-31-5-43 systemd[1]: Started Caddy HTTP/2 web server.
Apr  4 23:41:34 ip-172-31-5-43 caddy[7697]: Activating privacy features... 2019/04/04 23:41:34 [INFO][FileStorage:/etc/ssl/caddy] Started certificate maintenance routine

(Justin) #4

Weird. Deleting all the files in /etc/ssl/caddy/locks and restating Caddy fixed it. Not sure what the problem was.

(Matthew Fay) #5

Hi @nodesocket, I’ve seen this happen sometimes after Caddy is interrupted ungracefully during a specific stage of requisitioning certificates. Caddy uses file locks to facilitate certificate validation in fleet configurations. While a file lock is in place, the Caddy instance doing startup certificate maintenance assumes another instance is in the middle of an ACME challenge, so it waits.

(Matt Holt) #6

Yep, and to clarify, locks do expire after some time.

(Matthew Fay) #7

I’d wondered that! I figured it’d be the case that Caddy wouldn’t wait forever… Never been patient enough to find out or check the code, though. :sweat_smile:

(Matt Holt) #8

Yeah, locks expire after 2 hours.