I’ve been using Caddy on Windows servers for a while now, but there is one thing that really bothers me and I don’t know if there is a way to solve it or not.
Typically when I set up a new site using something like Apache I will create the config files I need for a new virtual host, save them, reload the config files by restarting (because I can’t reload, a problem that Caddy also has), and then go and set up anything I need to in DNS, usually A name records to tell a domain which IP address to point at.
This works great because it means that even in cases where an IP change for a domain might take hours to propagate everywhere in the world I can be certain that by the time the changes have propagated that the Apache server is already up and running and ready to serve the website.
I can’t do this with Caddy.
I don’t understand exactly how Let’s Encrypt works, but from my basic understanding it needs your domain to be set up correctly in order to do some verification (or something like that?) to provide a certificate for the site.
The fact that Caddy does this all automatically for me is amazing and it’s made my life so much easier in that regard.
The problem this brings up though is that if I set up a config file in Caddy for a new site which either hasn’t had its DNS set up yet, or a new server IP happens to have not propagated yet, then as soon as I restart the server I get the following messages in the log files:

```
Activating privacy features...2017/12/04 23:46:52 [www.example.com] failed to get certificate: acme: Error 400 - urn:acme:error:connection - DNS problem: NXDOMAIN looking up A for www.example.com
Error Detail:
Validation for www.example.com:80
Resolved to:
Used:
```
And then after a few of those messages I get this:
```
Activating privacy features...2017/12/04 23:46:54 [www.example.com] failed to get certificate: acme: Error 429 - urn:acme:error:rateLimited - Error creating new authz :: Too many failed authorizations recently.
```
This message then gets stuck in a loop and prevents every single other valid site from starting up.
Is there a way for Caddy to ignore sites that it can’t complete the configuration for on startup to avoid this issue? It seems a bit much for every single site to suffer down time because one domain’s new DNS settings hadn’t propagated yet.
I think that further complicating this issue is the fact that I have to use a Windows server. Caddy does provide a way to reload, rather than restart, the server (I don’t know if that would solve my issue), but on Windows I can’t do it because it relies on a signal being sent to the process that doesn’t exist on Windows.
Is there not an API of some kind that Caddy could use to allow for universal access to the same controls across platforms? Apache has the same problem for me in that the reload command doesn’t work on Windows, so I have to restart that too, but the difference is that Apache can restart so fast that it makes no real difference despite serving hundreds of sites from it.
So in summary my questions are:
- Can I configure Caddy to ignore sites with configurations that can’t be verified for certificates?
- If not then why, and is it something that would be considered for a future version of Caddy?
- If there isn’t an API for reloading (instead of restarting) then is it possible to build one in the form of a plugin?
- If so then where should I start looking and what functions would I need to call?
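As an added pre-flight check (example code, not from the original post or from Caddy itself): a Python script that pulls the site labels out of a Caddyfile, resolves each one, and reports any label that would currently fail ACME HTTP validation, so the restart can be held back instead of burning through the failed-authorization rate limit. The sample Caddyfile, the server IP and the `resolve` hook are constructed for illustration.

```python
import re
import socket

# Constructed sample Caddyfile (not from the post); each block's label line
# is what Caddy hands to the ACME client for validation.
SAMPLE_CADDYFILE = """
www.example.com {
    root C:\\sites\\example
}

old.example.net, http://new.example.net:80 {
    proxy / localhost:8080
}
"""

def site_hosts(caddyfile_text):
    """Return the hostnames that label site blocks, without scheme or port."""
    hosts = []
    for line in caddyfile_text.splitlines():
        line = line.strip()
        if line.startswith("#") or not line.endswith("{"):
            continue
        for label in line[:-1].split(","):
            host = re.sub(r"^https?://", "", label.strip()).split(":")[0]
            if host and "*" not in host:   # skip port-only and wildcard labels
                hosts.append(host)
    return hosts

def classify(hosts, server_ip, resolve=socket.gethostbyname):
    """Map each host to 'ok', 'nxdomain' or 'mismatch:<ip>' using `resolve`."""
    status = {}
    for host in hosts:
        try:
            ip = resolve(host)
        except OSError:                    # socket.gaierror (NXDOMAIN) is an OSError
            status[host] = "nxdomain"
            continue
        status[host] = "ok" if ip == server_ip else f"mismatch:{ip}"
    return status

def blocked_sites(caddyfile_text, server_ip, resolve=socket.gethostbyname):
    """Hosts that would fail validation right now; an empty list means no known blocker."""
    status = classify(site_hosts(caddyfile_text), server_ip, resolve)
    return sorted(h for h, s in status.items() if s != "ok")

if __name__ == "__main__":
    import sys                             # usage: precheck.py Caddyfile <server-ip>
    bad = blocked_sites(open(sys.argv[1]).read(), sys.argv[2])
    print("would fail ACME validation:", *bad) if bad else print("all labels resolve here")
    sys.exit(1 if bad else 0)
```

A lookup that succeeds locally can still fail from Let’s Encrypt’s own resolvers until the record has propagated, so an empty result means "not obviously broken", not "guaranteed to validate".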