Storing certificates in an NFS mount

In my current environment I run caddy as containers in a docker swarm with load balancing (docker swarm load balances requests to several instances of caddy). As a container’s storage is ephemeral, I can’t leave the /root/.caddy directory inside it, or else caddy would have to reissue certificates every time the container is restarted.

What I do is mount /root/.caddy on a directory of the host, which is already shared by multiple containers (2 per host). To make things worse, this directory is actually an NFS mount which is shared with 3 other hosts. So, I have a /root/.caddy directory which is shared by 6 running caddy servers. My question is basically: What could go wrong?

If one certificate is near its expiration date, one of the caddy instances will renew it first. Will the others notice the file changed and reload the certificate or will every caddy instance also renew and overwrite the file?

If I start all 6 at the same time and they start issuing certificates for a new domain I added, will all of them issue the same certificate one over the other? How often are those certs loaded from disk?

And another semi-unrelated question: Can the initial issuance of certificates run in parallel instead of serially for each domain? I have a lot of domains, and it takes some time.

Thanks!

Hey Guilherme - for now, I don’t recommend using managed TLS with assets shared with more than one Caddy instance. We’re working on this.

One thing you could do, though it’s not fully automatic, is to have just one instance manage the resources; for the others, pass them the paths to the certificates and keys in the Caddyfile like “old-fashioned” TLS setups. Then every 2-3 months, SIGUSR1 the other Caddy instances so they reload the certificates.
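The "one manager, N followers" arrangement from the reply above, as an added example that is not code from the thread or from the Caddy project. It generates the followers' Caddyfile with explicit `tls <cert> <key>` lines pointing at the manager's files on the shared mount, checks that every certificate there is still valid before touching anything, and sends SIGUSR1 to the follower containers. Everything about the layout is an assumption: that `CADDYPATH` is the shared NFS directory (`/root/.caddy` in the question), that the manager is Caddy 0.x storing certificates at `$CADDYPATH/acme/<ca-host>/sites/<domain>/<domain>.crt` and `.key`, that followers are Docker containers addressable by name (`caddy1`, `caddy2`, …), and that each site proxies to a hypothetical `backend:8080`.

```shell
#!/bin/sh
# Added example; not from the thread or the Caddy project.
# Assumptions (hypothetical): CADDYPATH is the shared NFS mount, the manager
# instance is Caddy 0.x and keeps certificates at
#   $CADDYPATH/acme/$ACME_CA/sites/<domain>/<domain>.crt and .key
# Followers are Docker containers reachable by name; backend:8080 is made up.

CADDYPATH="${CADDYPATH:-/root/.caddy}"
ACME_CA="${ACME_CA:-acme-v01.api.letsencrypt.org}"

cert_path() { printf '%s/acme/%s/sites/%s/%s.crt\n' "$CADDYPATH" "$ACME_CA" "$1" "$1"; }
key_path()  { printf '%s/acme/%s/sites/%s/%s.key\n' "$CADDYPATH" "$ACME_CA" "$1" "$1"; }

# follower_caddyfile DOMAIN... : print a Caddyfile in which every site uses the
# manager's files via "tls <cert> <key>" instead of managed TLS, so followers
# never contact the CA and never race the manager on the shared directory.
follower_caddyfile() {
    for d in "$@"; do
        printf '%s {\n' "$d"
        printf '    tls %s %s\n' "$(cert_path "$d")" "$(key_path "$d")"
        printf '    proxy / backend:8080\n'
        printf '}\n\n'
    done
}

# cert_valid_for_days CERT DAYS : succeed only if CERT is readable and will
# still be valid DAYS from now (openssl's -checkend takes seconds).
cert_valid_for_days() {
    [ -r "$1" ] || return 1
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# check_all_certs MIN_DAYS DOMAIN... : fail (and name the domain) if any
# certificate on the shared mount is missing, unreadable, or expires within
# MIN_DAYS. Run before reloading so a follower never reloads into an expired
# or half-written certificate.
check_all_certs() {
    min=$1; shift
    rc=0
    for d in "$@"; do
        if ! cert_valid_for_days "$(cert_path "$d")" "$min"; then
            printf 'NOT OK: %s\n' "$d" >&2
            rc=1
        fi
    done
    return $rc
}

# reload_followers MANAGER CONTAINER... : send SIGUSR1 (Caddy 0.x reloads its
# Caddyfile and certificate files) to every container except MANAGER.
# DRY_RUN=1 prints the commands instead of running docker.
reload_followers() {
    manager=$1; shift
    for c in "$@"; do
        [ "$c" = "$manager" ] && continue
        if [ "${DRY_RUN:-0}" = 1 ]; then
            printf 'docker kill --signal=SIGUSR1 %s\n' "$c"
        else
            docker kill --signal=SIGUSR1 "$c"
        fi
    done
}

# Usage, e.g. from a monthly cron job on the manager's host (names made up):
#   follower_caddyfile example.com www.example.com > /root/.caddy/Caddyfile.followers
#   check_all_certs 30 example.com www.example.com \
#       && reload_followers caddy1 caddy1 caddy2 caddy3
```

Two caveats a practitioner would want alongside this. The followers' Caddyfile has to be regenerated (and the followers reloaded) every time a domain is added, since only the manager learns about new sites automatically. And the private keys now sit on an NFS export readable by every host that mounts it, so the export and the file modes under the `sites/` directories are part of the trust boundary; `check_all_certs` only tells you the certificate is present and unexpired, not that nothing else can read the key.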
