Skip maintaining on-demand certs in the background renewal routine and let handshakes trigger maintenance

Pruthvi_Menpara · February 21, 2023, 2:00pm

We provide on-demand SSL certificates to our customers’ domains pointing to our caddy server.

For the first time, SSL certificates are generated by validating the ask endpoint.

Let’s say some of the customers’ domains have been pointed to another server(Not Caddy), Still, the renewal background job is trying to renew the certificate. It is skipping the ask endpoint.

In the ask endpoint, we have put the below checks:

Domain should be pointed to the caddy server.
Subscription of the customer.

Here are the logs generated on the caddy server:


caddy[768]: {"level":"error","ts":1676974515.3051982,"logger":"tls.issuance.acme","msg":"looking up info for HTTP challenge","host":"p.gcse.co.uk","error":"no information found to solve challenge for identifier: p.gcse.co.uk"}

It seems like the ask endpoint is not getting hit on the renewal process.

How can the caddy server skip maintaining on-demand certs in the background renewal routine and let handshakes trigger maintenance instead?

Is there any way to invalidate SSL certificates failing(Not pointing to the caddy server) to solve the challenge for identifiers?

FYI: I am trying to implement the below solution.

Clean up Caddy Certificates - #10 by francislavoie

Please provide the solution to skip maintaining on-demand certs in the background renewal routine and let handshakes trigger maintenance instead.

Running caddy version v2.4.0 h1:yHnnbawH2G3ZBP2mAJF4XBLnJanqhULLP/wu01Qi9Io= connected with the local filesystem.

matt · February 21, 2023, 5:30pm

The ‘ask’ endpoint is consulted for renewals:

github.com

caddyserver/certmagic/blob/c0dc63288aceb406d9bd665fb739da38cdc1a773/handshake.go#L639


      
          		zap.Bool("revoked", revoked),
          	)
          
          
	// Renew and reload the certificate
          	renewAndReload := func(ctx context.Context, cancel context.CancelFunc) (Certificate, error) {
          		defer cancel()
          
          
		log.Info("attempting certificate renewal")
          
          
		// Make sure a certificate for this name should be obtained on-demand
          		err := cfg.checkIfCertShouldBeObtained(name)
          		if err != nil {
          			// if not, remove from cache (it will be deleted from storage later)
          			cfg.certCache.mu.Lock()
          			cfg.certCache.removeCertificate(currentCert)
          			cfg.certCache.mu.Unlock()
          			unblockWaiters()
          
          
			if log != nil {
          				log.Error("certificate should not be obtained", zap.Error(err))
          			}

If you see a log that says “attempting certificate renewal” without a corresponding request to your HTTP endpoint, then I’d be interested in seeing those two correlating logs. If the ‘ask’ endpoint isn’t being consulted, it could be a mistake in your Caddy configuration, or maybe a CA is still sending lingering challenge requests to your server. (We see this sometimes.)

Since this isn’t a question about coding, I’ve changed the category to Help. Next time, please fill out the Help category template as it provides information that is crucial for us helping you.

I’d also strongly recommend upgrading Caddy. v2.4 is quite an old version now and we have many improvements since then.