We have an IoT device that connects to Caddy over TLS, which needs to always have a valid root certificate. It has valid certificates for the next 5-10 years (hopefully), but inevitably it will be forgotten about, and when Caddy automatically gets a new cert with a new root, the devices in the field won't be able to connect.
In theory we should be using self-signed certs for this use case, as we control client and server, but it's more convenient to just use Caddy and Let's Encrypt.
So my question is: if we were to get in a mess where Caddy automatically gets a new cert with a new root, could we temporarily use the old certificate to give us time to update the devices in the field?
I have looked around in the Caddy container for old certificates and can't find any, yet people have mentioned cleaning up old certificates. I am mounting the .caddy folder so current certs are retained, but perhaps there is another folder for older certificates I'm not mounting?
My understanding is that Caddy gets new certs every 60 days, but they expire after 90 days, so we would have 30 days of a valid cert to fix the problem. Is this correct?
Caddy version is now: v2.2.1 h1:Q62GWHMtztnvyRU+KPOpw6fNfeCD3SkwH7SfT1Tgt2c=
I can see that current certificates are now in /data/caddy/certificates, but where are old certificates? Obviously there won't be any because it's a new container with a new mount, but where would they be in the future? I don't know how to force Caddy to get a new certificate so I can see what happens to old ones.
Sorry, I mean the certificate and key which Caddy was using before a new one was re-issued. A new certificate is obtained from Let's Encrypt every 60 days; what happens to the old one, which still has 30 days until expiry? Am I completely misunderstanding the process?
Caddy renews 90-day certs 30 days out. It reuses the private key for renewals. When a cert is renewed, the new one overwrites the old one because the old one is no longer needed.
Thanks, that makes sense. I believe if I did get into a situation where the Let's Encrypt root changed and devices in the field weren't trusting that root, I could probably use --preferred-chain with certbot to use the old root. Maybe.
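The failure mode discussed in this thread, as an added example that is not Caddy's or Let's Encrypt's code and is not from any poster here: it builds two constructed self-signed roots ("old" and "new"), issues a 90-day leaf under each, and then runs the check a pinned-root device performs at handshake time. A leaf issued under the old root passes; the same hostname under the new root fails until the device's trust store also carries the new root. The last function reproduces the 90-day/30-day arithmetic from the reply above: renewing 30 days before expiry leaves the previous leaf valid for 30 more days, which is the window for pushing a trust-store update to the fleet. Hostname, CA names and key types are assumptions for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Constructed example (not Caddy's or Let's Encrypt's code): an "old" and a "new"
// self-signed root, a 90-day leaf under each, and the device-side trust check.

// newRoot creates a self-signed CA certificate valid for ten years (a hypothetical
// device-embedded root).
func newRoot(name string, now time.Time) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(10 * 365 * 24 * time.Hour),
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// issueLeaf signs a 90-day server certificate for host with the given root,
// mirroring the lifetime of a Let's Encrypt leaf.
func issueLeaf(root *x509.Certificate, rootKey *ecdsa.PrivateKey, host string, now time.Time) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(90 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, root, &key.PublicKey, rootKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// deviceTrusts performs the check a pinned-root device does at TLS handshake time:
// the served leaf must chain to one of the roots baked into its trust store and
// must match the hostname it dialled.
func deviceTrusts(leaf *x509.Certificate, pinned []*x509.Certificate, host string, now time.Time) error {
	pool := x509.NewCertPool()
	for _, r := range pinned {
		pool.AddCert(r)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: host, CurrentTime: now})
	return err
}

// daysValidAfterRenewal returns how many days the previous leaf remains valid once
// it is renewed at renewAt (Caddy renews 30 days before expiry, per the reply above).
func daysValidAfterRenewal(leaf *x509.Certificate, renewAt time.Time) float64 {
	return leaf.NotAfter.Sub(renewAt).Hours() / 24
}

func main() {
	now := time.Now()
	host := "iot.example.test" // hypothetical device-facing hostname
	oldRoot, oldKey, _ := newRoot("Old Root CA", now)
	freshRoot, freshKey, _ := newRoot("New Root CA", now)
	leafOld, _ := issueLeaf(oldRoot, oldKey, host, now)
	leafNew, _ := issueLeaf(freshRoot, freshKey, host, now)

	pinned := []*x509.Certificate{oldRoot} // what shipped in the device firmware
	fmt.Println("leaf under old root, device pins old root:", deviceTrusts(leafOld, pinned, host, now))
	fmt.Println("leaf under new root, device pins old root:", deviceTrusts(leafNew, pinned, host, now))
	fmt.Println("leaf under new root, device pins both:    ", deviceTrusts(leafNew, []*x509.Certificate{oldRoot, freshRoot}, host, now))
	fmt.Printf("days the old leaf stays valid after renewal at day 60: %.0f\n", daysValidAfterRenewal(leafOld, now.Add(60*24*time.Hour)))
}
```

The practical reading: the 30-day overlap only helps if the old leaf and its chain are still being served, and the reply above says Caddy overwrites the renewed cert, so the durable fix is to ship the device with every root the server may chain to (old and new) before the switch happens, rather than relying on recovering old files after the fact.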