1. The problem I’m having:
I have a domain hosting platform where we have thousands of domains hosted. Initially, when we started a server with Caddy, we did not enable a persistence layer for the certs. Now, as the number of certs is growing, we occasionally face trouble related to cert renewal / authorization etc.
I am planning to add a persistence layer and run a new container. There is no straightforward way to attach persistence to a previously running container, as we are using a managed service (AWS ECS > Fargate). After we reconfigure, all our previous certs will sink with the old container/task. I have tried several ways to get the previous certs from the existing ECS container, but it's simply not possible.
Now I am thinking of running the Caddy server with the new configuration and letting Caddy regenerate all the certs. The problem is, I will hit the cert generation rate limit (300 certs / account / 3 hrs) from Let's Encrypt almost instantly, as the Caddy server will try to generate a massive number of certificates at once. Because of this rate limit, after 300 successful certs, the rest of my domains will not get a cert within the next 3 hours, resulting in a large number of domains being inaccessible for a couple of hours!
Is there any way I can run the Caddy server without any downtime for any domain during certificate regeneration?
2. Error messages and/or full log output:
```json
{
  "level": "error",
  "ts": 1690368347.5156703,
  "logger": "tls.obtain",
  "msg": "could not get certificate from issuer",
  "identifier": "www.#####.###",
  "issuer": "acme-v02.api.letsencrypt.org-directory",
  "error": "HTTP 429 urn:ietf:params:acme:error:rateLimited - Error creating new order :: too many failed authorizations recently: see https://letsencrypt.org/docs/failed-validation-limit/"
}
```
3. Caddy version:
2.4.5
4. How I installed and ran Caddy:
a. System environment:
AWS Fargate, Linux, ECS
b. Command:
It's a Fargate container, so I don't need to run any command. I have just provided my Docker image, built from caddy:2.4.5.
c. Service/unit/compose file:
```dockerfile
FROM caddy:2.4.5
COPY Caddyfile /etc/caddy/Caddyfile
ENV SslValidation ${SslValidation}
ENV ViewerEndpoint ${ViewerEndpoint}
ENV SitemapEndpoint ${SitemapEndpoint}
ENV DashboardEndpoint ${DashboardEndpoint}
EXPOSE 80
EXPOSE 443
```
d. My complete Caddy config:
```caddyfile
{
	email my_mail@example.com
	on_demand_tls {
		ask {env.SslValidation}
	}
}

:443 {
	header Server "Server_name"
	header -x-powered-by

	@trailing_slash {
		path_regexp no_slash (.+)\/$
	}
	@domain {
		header_regexp domain host ^www\.(.+)$
	}
	redir @domain https://{http.regexp.domain.1}{uri}
	redir @trailing_slash {re.no_slash.1} 308

	tls {
		on_demand
	}

	handle_path /dashboard {
		reverse_proxy {env.DashboardEndpoint}
	}
	handle_path /dashboard/* {
		reverse_proxy {env.DashboardEndpoint}
	}
	reverse_proxy {env.ViewerEndpoint}
}
```
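The config above relies entirely on the `ask` endpoint behind `{env.SslValidation}` to decide which hostnames Caddy may request certificates for. That endpoint is the control that keeps a cold start (or an attacker pointing arbitrary DNS names at the platform) from burning through the issuer's order and failed-validation limits, since Caddy only attempts issuance when `ask` answers 200. The following is an added example of such an endpoint, not code from the original post or from the Caddy project: it approves only hostnames present in a constructed allowlist (`HOSTED_DOMAINS`, standing in for the platform's own domain database) and additionally caps how many new approvals it grants per sliding window. The budget numbers and the `/ask` path are assumptions to be sized for the real platform; a denied hostname gets no certificate at all, so the cap is a safety stop, not a queue.

```python
"""Hypothetical `ask` endpoint for Caddy's on_demand_tls (added example).

Caddy sends  GET <endpoint>?domain=<hostname>  before obtaining a certificate
on demand. A 200 response allows issuance; any other status denies it.
"""

import threading
import time
from collections import deque
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlparse

# Constructed sample allowlist. In production this is a lookup against the
# platform's database of domains that customers actually own and have pointed
# at the service; never approve a hostname just because a request arrived for it.
HOSTED_DOMAINS = {"example.com", "www.example.com", "shop.example.net"}


class IssuanceBudget:
    """Sliding-window counter: at most `limit` approvals per `window` seconds.

    `clock` is injectable so the window behaviour can be tested without sleeping.
    """

    def __init__(self, limit, window, clock=time.monotonic):
        self.limit = limit
        self.window = window
        self.clock = clock
        self._events = deque()
        self._lock = threading.Lock()

    def try_acquire(self):
        now = self.clock()
        with self._lock:
            # Drop approvals that have aged out of the window.
            while self._events and now - self._events[0] >= self.window:
                self._events.popleft()
            if len(self._events) >= self.limit:
                return False
            self._events.append(now)
            return True


def decide(domain, budget, hosted=HOSTED_DOMAINS):
    """Return (http_status, reason) for one hostname, exactly as the handler answers it."""
    domain = domain.strip().lower().rstrip(".")
    if not domain or domain not in hosted:
        # Unknown hostname: a typo, a stale DNS record, or someone pointing their
        # name at us. Refusing here is what keeps failed authorizations off our account.
        return 404, "domain not hosted"
    if not budget.try_acquire():
        # Known hostname, but we have approved too many new certificates recently.
        # Caddy will ask again on the next handshake for this name.
        return 429, "issuance budget exhausted, retry later"
    return 200, "ok"


class AskHandler(BaseHTTPRequestHandler):
    # Assumed budget: 50 new certificates per 3 hours for this single endpoint process.
    budget = IssuanceBudget(limit=50, window=3 * 3600)

    def do_GET(self):
        url = urlparse(self.path)
        if url.path != "/ask":  # assumed path; configure `ask https://host/ask` in Caddy
            self.send_error(404)
            return
        domain = parse_qs(url.query).get("domain", [""])[0]
        status, reason = decide(domain, self.budget)
        self.send_response(status)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(reason.encode())

    def log_message(self, fmt, *args):
        # Every ask decision is worth logging: a burst of 404s is an early signal of
        # unknown names being pointed at the platform.
        print("ask-endpoint: " + fmt % args)


if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8080), AskHandler).serve_forever()
```

Run it next to Caddy and set `ask http://127.0.0.1:8080/ask` in the `on_demand_tls` block; with several Caddy tasks behind one endpoint, the budget state would need to live in shared storage rather than in process memory.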
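For the persistence side of the question, the global options block is also where Caddy's certificate storage is configured. The fragment below is an added example, not the poster's config: it keeps the `ask` endpoint but adds an explicit `storage` directive pointing at `/data` (the Caddy image's default data directory; mounting a persistent volume there is an assumption about the deployment) so certificates and the ACME account key survive task replacement, and uses the `interval`/`burst` options of `on_demand_tls` to throttle how fast on-demand issuance may proceed. The throttle values are placeholders to be sized against the issuer's limits.

```caddyfile
{
	email my_mail@example.com

	# Persist certificates, ACME account keys and locks outside the container.
	# /data is the default for the official image; in this example it is assumed
	# to be a persistent volume mounted into the task.
	storage file_system {
		root /data
	}

	on_demand_tls {
		ask {env.SslValidation}
		# Cap on-demand issuance at `burst` new certificates per `interval`
		# (placeholder values). Names past the cap are deferred to a later handshake.
		interval 2m
		burst 5
	}
}
```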