Test of TLS email sending?

1. Caddy version (caddy version):

2.3.0

2. How I run Caddy:

systemd

a. System environment:

Centos 8

b. Command:

systemd

c. Service/unit/compose file:

N/A

d. My complete Caddyfile or JSON config:

{
	email foo@bar.com
}

test.dreamwalkers.dk {
	reverse_proxy {
		to 185.52.1.16:8080
		to 81.4.109.218:8080
		health_path /health
		health_interval 1s
		health_body "(OK)"
	}

	rewrite * /dreamwalkers/site{uri}
}

3. The problem I’m having:

Caddy works really great, but I want to make sure that I will receive an email in case there are any problems with certificate renewal. What is the best way to force an email to be sent to the configured email address? Who sends the mail, is it Caddy or the CA like Let’s Encrypt?

4. Error messages and/or full log output:

N/A

5. What I already tried:

I hoped that I would get an email when initially creating the certificates; it would be a good way to make sure that the email is correctly configured and the email is received.

6. Links to relevant resources:

N/A

The CA https://caddyserver.com/docs/caddyfile/options#email though it’s unclear atm in a multi-CA app like Caddy whether email sending is automatically enabled for all CAs. There’s a recent thread that raises this question Unexpected Let’s Encrypt expiration notice

OK, yes, now I see that the email is used when registering with the CA. I would believe that email sending is enabled for all CAs. It would be nice to have the enabling of the notification email explicit in the Caddy logs so that it is possible to see that the email was actually used when issuing the certificates. Also not sure if it is supported by the CAs, but it would be nice to make it possible via Caddy to retrieve and maybe update the notification email in the CA. It seems that Certbot can do this.

If the email is changed in the Caddy config, will this have any effect in the CAs?

The expiration emails, as far as I know, are something exclusive to Let’s Encrypt (Expiration Emails - Let's Encrypt). Caddy starts attempts to renew the certificates when there’s only 1/3 of its lifetime remaining (so 90 day certs means after 60 days, i.e. 30 days remaining), but Let’s Encrypt only sends the email when you get to 20 days, 10 days and 1 day remaining. So during normal operation, you’ll never get an email unless you turn off Caddy or stop using the domain.

IMO you’re putting too high an importance on this email, it should just be an “if all else fails” notification. I recommend setting up your own tooling to warn you if either Caddy emits errors, or check your site yourself with a cron to make sure the certificate’s remaining lifetime hasn’t gotten too low (which should only happen if Caddy had errors in renewal).

If you change the email, it’ll only affect future certificate issuances, it won’t affect already issued certificates – the email would be sent to the old email address used at the time the certificate was issued.

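The reply above recommends two things instead of relying on the CA's expiry email: watch Caddy's own logs for renewal errors, and check the served certificate's remaining lifetime from a cron job. The script below is an added example (not part of this thread and not Caddy project code) that does both. It assumes the hostname is passed on the command line, that a 20-day threshold is a sensible alarm point (chosen here to match the first Let's Encrypt reminder), and that Caddy's JSON log lines for certificate management carry a `logger` field beginning with `tls` (the sample log lines are constructed for illustration).

```python
#!/usr/bin/env python3
"""Cron-friendly TLS certificate check for a site fronted by Caddy.

Added example, not Caddy's own tooling. Exit status is non-zero when the
certificate has too little lifetime left or when the supplied Caddy log
contains certificate-management errors, so cron (or any monitor) can alert.
"""
import json
import socket
import ssl
import sys
import time

# Assumption: alarm when fewer than 20 days remain. Caddy normally renews
# with 30 days left, so reaching 20 means renewal has been failing.
DEFAULT_WARN_DAYS = 20

# Constructed sample of Caddy-style JSON log lines (not real Caddy output).
SAMPLE_LOG = """
{"level":"info","ts":1.0,"logger":"tls.obtain","msg":"certificate obtained successfully","identifier":"test.example"}
{"level":"error","ts":2.0,"logger":"tls.renew","msg":"will retry","error":"constructed error: ACME challenge failed"}
{"level":"info","ts":3.0,"logger":"http.log.access","msg":"handled request","status":200}
"""


def parse_not_after(not_after):
    """Turn an OpenSSL-style notAfter string ('Jan  5 09:34:43 2026 GMT')
    into seconds since the epoch. This is the format ssl.getpeercert() returns."""
    return ssl.cert_time_to_seconds(not_after)


def days_remaining(not_after, now=None):
    """Days until the certificate expires; negative once it has expired."""
    now = time.time() if now is None else now
    return (parse_not_after(not_after) - now) / 86400


def evaluate(not_after, warn_days=DEFAULT_WARN_DAYS, now=None):
    """Return (ok, days_left). ok is False below the threshold or after expiry."""
    left = days_remaining(not_after, now)
    return left >= warn_days, left


def fetch_not_after(hostname, port=443, timeout=10):
    """Complete a TLS handshake with the site and return the leaf cert's notAfter.
    The default context verifies the chain and hostname, so a broken cert
    surfaces as an exception rather than a silently wrong date."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()["notAfter"]


def renewal_errors(log_text):
    """Return error-level records from tls* loggers in Caddy JSON log text.
    Non-JSON lines (e.g. mixed console output) are skipped."""
    found = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if rec.get("level") == "error" and str(rec.get("logger", "")).startswith("tls"):
            found.append(rec)
    return found


def main(argv):
    if not argv:
        print("usage: certcheck.py HOSTNAME [WARN_DAYS] [CADDY_LOG_FILE]", file=sys.stderr)
        return 2
    hostname = argv[0]
    warn_days = int(argv[1]) if len(argv) > 1 else DEFAULT_WARN_DAYS
    status = 0

    ok, left = evaluate(fetch_not_after(hostname), warn_days)
    print(f"{hostname}: {left:.1f} days of certificate lifetime remaining")
    if not ok:
        print(f"WARNING: below {warn_days}-day threshold; check Caddy's renewal logs", file=sys.stderr)
        status = 1

    if len(argv) > 2:
        with open(argv[2], encoding="utf-8") as fh:
            errors = renewal_errors(fh.read())
        for rec in errors:
            print(f"WARNING: {rec.get('logger')}: {rec.get('msg')}: {rec.get('error', '')}", file=sys.stderr)
        if errors:
            status = 1
    return status


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run it from cron (for example daily) as `certcheck.py test.example 20 /var/log/caddy/caddy.log` and route a non-zero exit to whatever alerting you already use; the threshold is deliberately set below Caddy's 30-day renewal point so that the check only fires when renewal has actually gone wrong.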

Got it, it all makes sense… thanks!
