Renew on-demand TLS certificates in Caddy

1. The problem I’m having:

We’re using Redis as TLS storage and we need to re-issue some certificates for customers. The TLS certificates are generated on-demand. I’ve deleted the certificates from Redis (all keys for a given domain), but Caddy is still serving the TLS certificate.
I assume it’s cached in memory?
Is there a way to clear Caddy’s cache without a restart?

I’ve tried caddy reload -c /etc/caddy/Caddyfile --force
It outputs: INFO using provided configuration {"config_file": "/etc/caddy/Caddyfile", "config_adapter": ""} but it doesn’t re-issue the certificate.

2. Error messages and/or full log output:

n/a

3. Caddy version:

The caddy:2.7.6-builder Docker container.

4. How I installed and ran Caddy:

a. System environment:

Docker containers.

b. Command:

docker-compose up

c. Service/unit/compose file:

services:
  caddy:
    build:
      dockerfile: ./caddy/caddy.Dockerfile
    container_name: caddy
    environment:
      - REDIS_HOST=redis
      - REDIS_PORT=6379
      - REDIS_USERNAME=default
      - REDIS_PASSWORD=redis
      - HTTP_CHALLENGE_SERVER=http-challenge
    volumes:
      - ./caddy/Caddyfile:/etc/caddy/Caddyfile

d. My complete Caddy config:

{
	cert_issuer zerossl {$ZEROSSL_API_KEY}
	on_demand_tls {
		ask http://{$HTTP_CHALLENGE_SERVER}/ask
	}
	storage redis {
		host {$REDIS_HOST}
		port {$REDIS_PORT}
		username {$REDIS_USERNAME}
		password {$REDIS_PASSWORD}
	}
	servers {
		metrics
	}
}

https://* {
	tls internal {
		on_demand
	}
	@www header_regexp nonwww Host ^(www\.)(.*)
	@no-www host www.{args.0}
	handle @www {
		redir https://{re.nonwww.2}{uri}
	}
	@non-www not header_regexp Host ^(www\.)(.*)
	handle @non-www {
		redir https://www.{host}{uri}
	}
	respond 404
}

5. Links to relevant resources:

Why do you need to reissue the certificates?

The only way to manually evict certs from Caddy’s cache currently is to restart the process. Reloads persist certs.


You should have no reason to reissue the certificates. If they were revoked by the CA, Caddy would notice via the OCSP responder and reissue new ones on its own. Otherwise, they continue to be valid until they expire.

