1. Caddy version (
Caddy v1.0.3 (h1:i9gRhBgvc5ifchwWtSe7pDpsdS9+Q0Rw9oYQmYUTw1w=)
2. How I run Caddy:
a. System environment:
c. Service/unit/compose file:
d. My complete Caddyfile or JSON config:
3. The problem I’m having:
We have an iot device that connects to caddy over TLS, which needs to always have a valid root certificate. It has valid certificates for the next 5-10 years (hopefully) but inevitably it will be forgotten about and when caddy automatically gets a new cert with a new root, the devices in the field won’t be able to connect.
In theory we should be using self-signed certs for this use case as we control client and server but it’s more convenient to just use caddy and letsencrypt.
So my question is, if we were to get in a mess where caddy automatically gets a new cert with a new root, could we temporarily use the old certificate to give us time to update the devices in the field?
I have looked around in the caddy container for old certificates and can’t find any, yet people have mentioned cleaning up old certificates. I am mounting the .caddy folder so current certs are retained but perhaps there is another folder for older certificates I’m not mounting?
My understanding is that caddy gets new certs every 60 days but they expire after 90 days so we would have 30 days of a valid cert to fix the problem, is this correct?
Caddy v1 is now EOL and no longer supported. Please upgrade to Caddy v2.
The good news is we have an official docker image now: Docker Hub. Please make sure to review to documentation on that page for proper usage.
Updating your config should be simple. I assume the
CADDY_TLS env is an email?
root * /srv
And mount your static content to
Thanks, I have upgraded to caddy v2. My caddy config is as you’ve described and docker-compose is now:
Caddy version is now:
I can see that current certificates are now in /data/caddy/certificates, but where are old certificates? Obviously there won’t be any because it’s a new container with new mount, but where would they be in the future? I don’t know how to force caddy to get a new certificate so I can see what happens to old ones.
When you use a named volume, they get stored somewhere in
/var/lib/docker. You can use the Docker commands to find their real locations:
I don’t mean where are they on the host, I mean where are they in the container itself?
/data, as documented: Docker Hub
That only mentions current certificates, are previous certificates also stored there or just deleted?
I don’t understand what you mean by “previous certificates”. Caddy v1 and v2 are not compatible, Caddy v2 is a complete rewrite.
Sorry, I mean the certificate and key which caddy was using before a new one was re-issued. A new certificate is obtained from LetsEncrypt every 60 days, what happens to the old one which still has 30 days until expiry? Am I completely misunderstanding the process?
Caddy renews 90 day certs 30 days out. It reuses the private key for renewals. When a cert is renewed, the new one overwrites the old one because the old one is no longer needed.
Thanks, that makes sense. I believe if I did get into a situation where LetsEncrypt root changed and devices in the field weren’t trusting that root, I could probably use
--prefered-chain with certbot to use the old root. Maybe.
Why? Just configure the preferred chain in Caddy.
How? I searched for preferred chain in documentation and didn’t find anything, and I can’t see anything at tls (Caddyfile directive) — Caddy Documentation.
This topic was automatically closed after 30 days. New replies are no longer allowed.