We provide on-demand SSL certificates for our customers' domains that point to our Caddy server.
The first time, SSL certificates are generated after validation through the ask endpoint.
Let's say some of the customers' domains have been pointed to another server (not Caddy). Still, the renewal background job tries to renew the certificate; it skips the ask endpoint.
In the ask endpoint, we have the following checks:
- The domain should point to the Caddy server.
- The customer's subscription.
Here are the logs generated on the Caddy server:
caddy[768]: {"level":"error","ts":1676974515.3051982,"logger":"tls.issuance.acme","msg":"looking up info for HTTP challenge","host":"p.gcse.co.uk","error":"no information found to solve challenge for identifier: p.gcse.co.uk"}
It seems the ask endpoint is not being hit during the renewal process.
How can the Caddy server skip maintaining on-demand certs in the background renewal routine and let handshakes trigger maintenance instead?
Is there any way to invalidate SSL certificates that fail to solve the challenge for their identifiers (domains not pointing to the Caddy server)?
FYI: I am trying to implement the solution below.
Clean up Caddy Certificates - #10 by francislavoie
Please provide the solution to skip maintaining on-demand certs in the background renewal routine and let handshakes trigger maintenance instead.
Running Caddy version v2.4.0 h1:yHnnbawH2G3ZBP2mAJF4XBLnJanqhULLP/wu01Qi9Io= with local filesystem storage.
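The post describes the two checks its ask endpoint performs (domain points at the Caddy host, customer has a subscription) but does not show the endpoint itself. The following is an added example of one way to implement such an endpoint in Go; it is not the poster's code and not part of Caddy. Caddy calls the `ask` URL with `GET ?domain=<name>` and treats HTTP 200 as "allowed" and any other status as "denied". The server address `203.0.113.10`, the listen address `127.0.0.1:9123` and the `Subscribed` lookup are constructed placeholders; a real deployment would read the server's addresses from configuration and query its customer database.

```go
package main

import (
	"log"
	"net"
	"net/http"
	"strings"
)

// AskChecker decides whether Caddy may obtain a certificate for a domain.
// Caddy's on_demand_tls "ask" endpoint is called with GET ?domain=<name>;
// an HTTP 200 response allows issuance, any other status denies it.
type AskChecker struct {
	ServerIPs  []net.IP                            // addresses of this Caddy host (assumed, from config)
	LookupIP   func(host string) ([]net.IP, error) // DNS resolver, injectable so the logic can be tested offline
	Subscribed func(domain string) bool            // hypothetical customer-subscription lookup
}

// Decide returns the HTTP status Caddy should receive and a short reason.
// Order matters: the cheap local subscription check runs before the DNS lookup,
// so unknown domains never cause outbound queries.
func (c AskChecker) Decide(domain string) (int, string) {
	domain = strings.ToLower(strings.TrimSuffix(strings.TrimSpace(domain), "."))
	if domain == "" || strings.ContainsAny(domain, " /\\@") || strings.HasPrefix(domain, "*.") {
		return http.StatusBadRequest, "invalid or wildcard domain"
	}
	if !c.Subscribed(domain) {
		return http.StatusForbidden, "no active subscription"
	}
	ips, err := c.LookupIP(domain)
	if err != nil || len(ips) == 0 {
		return http.StatusForbidden, "domain does not resolve"
	}
	// Allow only if at least one resolved address is one of ours; a domain
	// re-pointed to another host (the case in the post) is denied here.
	for _, ip := range ips {
		for _, mine := range c.ServerIPs {
			if ip.Equal(mine) {
				return http.StatusOK, "ok"
			}
		}
	}
	return http.StatusForbidden, "domain does not point at this server"
}

// ServeHTTP exposes Decide as the ask endpoint and logs every decision,
// which also makes it visible whether renewals ever reach the endpoint.
func (c AskChecker) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	domain := r.URL.Query().Get("domain")
	status, reason := c.Decide(domain)
	log.Printf("ask domain=%q status=%d reason=%s", domain, status, reason)
	w.WriteHeader(status)
	_, _ = w.Write([]byte(reason))
}

// NewChecker wires the real resolver; serverIPs are parsed from strings.
func NewChecker(serverIPs []string, subscribed func(string) bool) AskChecker {
	var ips []net.IP
	for _, s := range serverIPs {
		if ip := net.ParseIP(s); ip != nil {
			ips = append(ips, ip)
		}
	}
	return AskChecker{ServerIPs: ips, LookupIP: net.LookupIP, Subscribed: subscribed}
}

func main() {
	// Constructed example values, not taken from the original post.
	checker := NewChecker([]string{"203.0.113.10"}, func(d string) bool {
		return d == "p.example.com"
	})
	log.Fatal(http.ListenAndServe("127.0.0.1:9123", checker))
}
```

To wire it in, the Caddyfile global options would carry `on_demand_tls { ask http://127.0.0.1:9123/ask }` and the site block `tls { on_demand }`. Note that the DNS comparison is done from the Caddy host's own resolver view, so it confirms what the ACME CA is likely to see but not what a client behind a split-horizon DNS sees; it also does nothing for certificates already on disk, which is the renewal-time gap the post is asking about.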