1. Output of `caddy version`: 2.5.0-alpine
2. How I run Caddy: docker container.
a. System environment: VM: Linux sles 15, Docker Server Version: 20.10.17-ce
c. Service/unit/compose file:

docker-compose:

```yaml
version: "3.7"
services:
  caddy:
    container_name: caddy
    restart: always
    build:
      context: .
      dockerfile: Dockerfile
    volumes:
      - "/opt/app/caddy/Caddyfile:/etc/caddy/Caddyfile"
      - "/opt/app/caddy/data/caddy:/data"
      - "/opt/app/caddy/config:/config"
    ports:
      - "80:80"
      - "443:443"
    networks:
      - monitoring
networks:
  monitoring:
    external: true
```

Dockerfile:

```
FROM caddy:2.5.0-alpine
```
d. My complete Caddy config:

```
{
	email example@example.com
	acme_ca https://acme.example.com:9001/acme/acme/directory
	# ca_root /usr/local/share/ca-certificates/ca_bundle.crt
}

tsdb.example.com {
	reverse_proxy prometheus:9090
	basicauth /* {
		admin HHGTZFKUkuszKhsuliMXZUMVl4d2YxLjljMS5abW5BLhsiezHzeKhksz78twbWd1bzlSbS5jQmhWd1F1
	}
}

promtail.tsdb.example.com {
	reverse_proxy promtail:9080
	basicauth /* {
		admin HHGTZFKUkuszKhsuliMXZUMVl4d2YxLjljMS5abW5BLhsiezHzeKhksz78twbWd1bzlSbS5jQmhWd1F1
	}
}

telegraf.tsdb.example.com {
	reverse_proxy telegraf:9274
	basicauth /* {
		admin HHGTZFKUkuszKhsuliMXZUMVl4d2YxLjljMS5abW5BLhsiezHzeKhksz78twbWd1bzlSbS5jQmhWd1F1
	}
}
```
3. The problem I’m having:
The existing SSL certificates are not renewed automatically. What works is if I delete the data in /data/caddy and restart the container. New certificates are fetched, but they are probably not renewed either.
4. Error messages and/or full log output:
I have replaced the original domain with example.com. Do not be surprised.
```
caddy | {"level":"info","ts":1665040174.5194547,"logger":"tls.cache.maintenance","msg":"certificate expires soon; queuing for renewal","identifiers":["tsdb.example.com"],"remaining":-76229.519453893}
caddy | {"level":"info","ts":1665040177.383626,"logger":"tls.renew","msg":"renewing certificate","identifier":"tsdb.example.com","remaining":-76232.383621365}
caddy | {"level":"info","ts":1665040177.3843272,"logger":"tls.renew","msg":"renewing certificate","identifier":"telegraf.tsdb.example.com","remaining":-76232.384324353}
caddy | {"level":"info","ts":1665040177.3836865,"logger":"tls.renew","msg":"renewing certificate","identifier":"promtail.tsdb.example.com","remaining":-76232.383682423}
caddy | {"level":"error","ts":1665040177.3929155,"logger":"tls.renew","msg":"could not get certificate from issuer","identifier":"promtail.tsdb.example.com","issuer":"ca.example.com:9001-acme-acme-directory","error":"HTTP 0 urn:ietf:params:acme:error:accountDoesNotExist - Account does not exist"}
caddy | {"level":"error","ts":1665040177.3932571,"logger":"tls.renew","msg":"will retry","error":"[promtail.tsdb.example.com] Renew: [promtail.tsdb.example.com] creating new order: attempt 1: https://ca.example.com:9001/acme/acme/new-order: HTTP 0 urn:ietf:params:acme:error:accountDoesNotExist - Account does not exist (ca=https://ca.example.com:9001/acme/acme/directory)","attempt":7,"retrying_in":1200,"elapsed":2400.108618318,"max_duration":2592000}
caddy | {"level":"error","ts":1665040177.3934355,"logger":"tls.renew","msg":"could not get certificate from issuer","identifier":"tsdb.example.com","issuer":"ca.example.com:9001-acme-acme-directory","error":"HTTP 0 urn:ietf:params:acme:error:accountDoesNotExist - Account does not exist"}
caddy | {"level":"error","ts":1665040177.3935199,"logger":"tls.renew","msg":"will retry","error":"[tsdb.example.com] Renew: [tsdb.example.com] creating new order: attempt 1: https://ca.example.com:9001/acme/acme/new-order: HTTP 0 urn:ietf:params:acme:error:accountDoesNotExist - Account does not exist (ca=https://ca.example.com:9001/acme/acme/directory)","attempt":7,"retrying_in":1200,"elapsed":2400.107544121,"max_duration":2592000}
caddy | {"level":"error","ts":1665040177.394868,"logger":"tls.renew","msg":"could not get certificate from issuer","identifier":"telegraf.tsdb.example.com","issuer":"ca.example.com:9001-acme-acme-directory","error":"HTTP 0 urn:ietf:params:acme:error:accountDoesNotExist - Account does not exist"}
caddy | {"level":"error","ts":1665040177.3949003,"logger":"tls.renew","msg":"will retry","error":"[telegraf.tsdb.example.com] Renew: [telegraf.tsdb.example.com] creating new order: attempt 1: https://ca.example.com:9001/acme/acme/new-order: HTTP 0 urn:ietf:params:acme:error:accountDoesNotExist - Account does not exist (ca=https://ca.example.com:9001/acme/acme/directory)","attempt":7,"retrying_in":1200,"elapsed":2400.108504022,"max_duration":2592000}
```
5. What I already tried:
I stopped the Caddy container, deleted /data/caddy and /config/*, and restarted the Caddy container. Then I get new certificates for 30 days, but this is not a solution.
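The log lines above carry everything needed to triage this kind of renewal failure from the operator's side: `remaining` is seconds until expiry (negative means the certificate has already expired), the `error` field names the ACME error type, and the `will retry` events show how long Caddy will keep trying. The following Python script is an added example, not part of this post and not Caddy's own code; it parses Caddy's JSON log lines (field names taken from the logs as posted, the sample lines are copied from the post with the curly quotes normalized to ASCII) and produces one status line per certificate. The `ACME_HINTS` wording is this example's own interpretation of the RFC 8555 error types; it assumes nothing about where exactly Caddy stores its account beyond "in the data volume".

```python
"""Triage Caddy's JSON logs for renewals that are failing at the ACME CA."""
import json
import re
from collections import defaultdict

# Constructed sample input: log lines copied from the post above, with the
# curly quotes normalized to ASCII. "caddy | " is docker-compose's service prefix.
SAMPLE_LOG = r'''
caddy | {"level":"info","ts":1665040174.5194547,"logger":"tls.cache.maintenance","msg":"certificate expires soon; queuing for renewal","identifiers":["tsdb.example.com"],"remaining":-76229.519453893}
caddy | {"level":"info","ts":1665040177.383626,"logger":"tls.renew","msg":"renewing certificate","identifier":"tsdb.example.com","remaining":-76232.383621365}
caddy | {"level":"info","ts":1665040177.3843272,"logger":"tls.renew","msg":"renewing certificate","identifier":"telegraf.tsdb.example.com","remaining":-76232.384324353}
caddy | {"level":"info","ts":1665040177.3836865,"logger":"tls.renew","msg":"renewing certificate","identifier":"promtail.tsdb.example.com","remaining":-76232.383682423}
caddy | {"level":"error","ts":1665040177.3929155,"logger":"tls.renew","msg":"could not get certificate from issuer","identifier":"promtail.tsdb.example.com","issuer":"ca.example.com:9001-acme-acme-directory","error":"HTTP 0 urn:ietf:params:acme:error:accountDoesNotExist - Account does not exist"}
caddy | {"level":"error","ts":1665040177.3932571,"logger":"tls.renew","msg":"will retry","error":"[promtail.tsdb.example.com] Renew: [promtail.tsdb.example.com] creating new order: attempt 1: https://ca.example.com:9001/acme/acme/new-order: HTTP 0 urn:ietf:params:acme:error:accountDoesNotExist - Account does not exist (ca=https://ca.example.com:9001/acme/acme/directory)","attempt":7,"retrying_in":1200,"elapsed":2400.108618318,"max_duration":2592000}
'''

ACME_ERROR_RE = re.compile(r"urn:ietf:params:acme:error:(\w+)")
RETRY_IDENT_RE = re.compile(r"^\[([^\]]+)\]")  # "[name] Renew: ..." in "will retry" lines

# Defender-side reading of the ACME error types (RFC 8555 section 6.7).
# These hints are this example's own wording, not text from Caddy or the post.
ACME_HINTS = {
    "accountDoesNotExist": "the CA no longer knows the ACME account Caddy saved in its "
                           "storage (the /data volume here); either the CA's account store "
                           "was reset or Caddy's saved account is stale",
}


def parse_caddy_log(text):
    """Return one dict per JSON log line; tolerate a compose prefix and stray lines."""
    events = []
    for line in text.splitlines():
        start = line.find("{")
        if start < 0:
            continue
        try:
            events.append(json.loads(line[start:]))
        except json.JSONDecodeError:
            continue
    return events


def triage(text):
    """Fold the tls.* events into one status record per certificate identifier."""
    status = defaultdict(lambda: {"remaining": None, "acme_error": None,
                                  "attempt": None, "retrying_in": None, "max_duration": None})
    for ev in parse_caddy_log(text):
        if not str(ev.get("logger", "")).startswith("tls."):
            continue
        idents = list(ev.get("identifiers", []))
        if "identifier" in ev:
            idents.append(ev["identifier"])
        err = ev.get("error", "")
        if not idents and err:
            m = RETRY_IDENT_RE.match(err)
            if m:
                idents.append(m.group(1))
        for ident in idents:
            rec = status[ident]
            if "remaining" in ev:
                rec["remaining"] = float(ev["remaining"])
            m = ACME_ERROR_RE.search(err)
            if m:
                rec["acme_error"] = m.group(1)
            for key in ("attempt", "retrying_in", "max_duration"):
                if key in ev:
                    rec[key] = ev[key]
    return dict(status)


def is_expired(rec):
    return rec["remaining"] is not None and rec["remaining"] <= 0


def hours_past_expiry(rec):
    """Caddy's "remaining" is seconds to expiry; negative means already expired."""
    return -rec["remaining"] / 3600.0 if is_expired(rec) else 0.0


def explain(ident, rec):
    """One human-readable status line per identifier."""
    parts = [ident]
    if is_expired(rec):
        parts.append(f"EXPIRED {hours_past_expiry(rec):.1f}h ago")
    elif rec["remaining"] is not None:
        parts.append(f"{rec['remaining'] / 86400:.1f} days left")
    if rec["acme_error"]:
        hint = ACME_HINTS.get(rec["acme_error"], "see the CA's logs for this ACME error type")
        parts.append(f"renewal blocked by {rec['acme_error']}: {hint}")
    if rec["attempt"] is not None:
        parts.append(f"attempt {rec['attempt']}, next retry in {rec['retrying_in']}s, "
                     f"Caddy keeps retrying for up to {rec['max_duration'] / 86400:.0f} days")
    return "; ".join(parts)


if __name__ == "__main__":
    for ident, rec in sorted(triage(SAMPLE_LOG).items()):
        print(explain(ident, rec))
```

Run against the posted lines, the script shows that all three certificates had already been expired for about 21 hours when the log was taken, that each renewal is rejected with `accountDoesNotExist` rather than a validation or network error, and that Caddy was on attempt 7 of a retry schedule that lasts up to 30 days (`max_duration` 2592000 s), which is why the container keeps serving the expired certificate instead of failing loudly. Piping the real `docker logs caddy` output into `triage` gives the same per-host summary for alerting.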