The existing SSL certificates are not renewed automatically

1. Output of caddy version: 2.5.0-alpine

2. How I run Caddy: docker container.

a. System environment: VM: Linux sles 15, Docker Server Version: 20.10.17-ce

c. Service/unit/compose file:

docker-compose

version: "3.7"
services:
  caddy:
    container_name: caddy
    restart: always
    build:
      context: .
      dockerfile: Dockerfile
    volumes:
      - "/opt/app/caddy/Caddyfile:/etc/caddy/Caddyfile"
      - "/opt/app/caddy/data/caddy:/data"
      - "/opt/app/caddy/config:/config"
    ports:
      - "80:80"
      - "443:443"
    networks:
      - monitoring

networks:
  monitoring:
    external: true

Dockerfile

FROM caddy:2.5.0-alpine

d. My complete Caddy config:

{
  email     example@example.com
  acme_ca   https://acme.example.com:9001/acme/acme/directory
#  ca_root   /usr/local/share/ca-certificates/ca_bundle.crt
}

tsdb.example.com {
  reverse_proxy prometheus:9090
  basicauth /* {
    admin HHGTZFKUkuszKhsuliMXZUMVl4d2YxLjljMS5abW5BLhsiezHzeKhksz78twbWd1bzlSbS5jQmhWd1F1
  }
}

promtail.tsdb.example.com {
  reverse_proxy promtail:9080
  basicauth /* {
    admin HHGTZFKUkuszKhsuliMXZUMVl4d2YxLjljMS5abW5BLhsiezHzeKhksz78twbWd1bzlSbS5jQmhWd1F1
  }
}

telegraf.tsdb.example.com {
  reverse_proxy telegraf:9274
  basicauth /* {
    admin HHGTZFKUkuszKhsuliMXZUMVl4d2YxLjljMS5abW5BLhsiezHzeKhksz78twbWd1bzlSbS5jQmhWd1F1
  }
}

3. The problem I’m having:

The existing SSL certificates are not renewed automatically. What works is if I delete the data in /data/caddy and restart the container. New certificates are fetched, but they are probably not renewed either.

4. Error messages and/or full log output:

I have replaced the original domain with example.com. Do not be surprised. :slight_smile:

caddy | {"level":"info","ts":1665040174.5194547,"logger":"tls.cache.maintenance","msg":"certificate expires soon; queuing for renewal","identifiers":["tsdb.example.com"],"remaining":-76229.519453893}
caddy | {"level":"info","ts":1665040177.383626,"logger":"tls.renew","msg":"renewing certificate","identifier":"tsdb.example.com","remaining":-76232.383621365}
caddy | {"level":"info","ts":1665040177.3843272,"logger":"tls.renew","msg":"renewing certificate","identifier":"telegraf.tsdb.example.com","remaining":-76232.384324353}
caddy | {"level":"info","ts":1665040177.3836865,"logger":"tls.renew","msg":"renewing certificate","identifier":"promtail.tsdb.example.com","remaining":-76232.383682423}
caddy | {"level":"error","ts":1665040177.3929155,"logger":"tls.renew","msg":"could not get certificate from issuer","identifier":"promtail.tsdb.example.com","issuer":"ca.example.com:9001-acme-acme-directory","error":"HTTP 0 urn:ietf:params:acme:error:accountDoesNotExist - Account does not exist"}
caddy | {"level":"error","ts":1665040177.3932571,"logger":"tls.renew","msg":"will retry","error":"[promtail.tsdb.example.com] Renew: [promtail.tsdb.example.com] creating new order: attempt 1: https://ca.example.com:9001/acme/acme/new-order: HTTP 0 urn:ietf:params:acme:error:accountDoesNotExist - Account does not exist (ca=https://ca.example.com:9001/acme/acme/directory)","attempt":7,"retrying_in":1200,"elapsed":2400.108618318,"max_duration":2592000}
caddy | {"level":"error","ts":1665040177.3934355,"logger":"tls.renew","msg":"could not get certificate from issuer","identifier":"tsdb.example.com","issuer":"ca.example.com:9001-acme-acme-directory","error":"HTTP 0 urn:ietf:params:acme:error:accountDoesNotExist - Account does not exist"}
caddy | {"level":"error","ts":1665040177.3935199,"logger":"tls.renew","msg":"will retry","error":"[tsdb.example.com] Renew: [tsdb.example.com] creating new order: attempt 1: https://ca.example.com:9001/acme/acme/new-order: HTTP 0 urn:ietf:params:acme:error:accountDoesNotExist - Account does not exist (ca=https://ca.example.com:9001/acme/acme/directory)","attempt":7,"retrying_in":1200,"elapsed":2400.107544121,"max_duration":2592000}
caddy | {"level":"error","ts":1665040177.394868,"logger":"tls.renew","msg":"could not get certificate from issuer","identifier":"telegraf.tsdb.example.com","issuer":"ca.example.com:9001-acme-acme-directory","error":"HTTP 0 urn:ietf:params:acme:error:accountDoesNotExist - Account does not exist"}
caddy | {"level":"error","ts":1665040177.3949003,"logger":"tls.renew","msg":"will retry","error":"[telegraf.tsdb.example.com] Renew: [telegraf.tsdb.example.com] creating new order: attempt 1: https://ca.example.com:9001/acme/acme/new-order: HTTP 0 urn:ietf:params:acme:error:accountDoesNotExist - Account does not exist (ca=https://ca.example.com:9001/acme/acme/directory)","attempt":7,"retrying_in":1200,"elapsed":2400.108504022,"max_duration":2592000}

5. What I already tried:

Stop the Caddy container, delete /data/caddy and /config/*. Restart the Caddy container; then I get new certificates for 30 days, but this is not a solution.

Please upgrade to v2.6.1

That doesn’t seem like an issue with Caddy. The ACME server you’re connecting to doesn’t seem to remember the account Caddy used originally.
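As an added illustration (not from the post, and not Caddy's own code), a small Python triage script that reads Caddy's JSON log lines like those quoted above and reports, per hostname, the ACME error type from the `urn:ietf:params:acme:error:` URN, how many days until (or, when negative, since) expiry from Caddy's `remaining` field, and the retry count, so a CA-side failure such as `accountDoesNotExist` can be alerted on before a certificate lapses. The sample log and the hint table are constructed here; hostnames and the CA are placeholders.

```python
import json
import re
from collections import defaultdict

# Constructed sample lines in Caddy's JSON log format, modelled on the
# output quoted in the post (names and CA are placeholders, not real hosts).
SAMPLE_LOG = """\
caddy | {"level":"info","ts":1665040174.5,"logger":"tls.cache.maintenance","msg":"certificate expires soon; queuing for renewal","identifiers":["tsdb.example.com"],"remaining":-76229.519453893}
caddy | {"level":"info","ts":1665040177.3,"logger":"tls.renew","msg":"renewing certificate","identifier":"tsdb.example.com","remaining":-76232.383621365}
caddy | {"level":"error","ts":1665040177.3,"logger":"tls.renew","msg":"could not get certificate from issuer","identifier":"tsdb.example.com","issuer":"ca.example.com:9001-acme-acme-directory","error":"HTTP 0 urn:ietf:params:acme:error:accountDoesNotExist - Account does not exist"}
caddy | {"level":"error","ts":1665040177.3,"logger":"tls.renew","msg":"will retry","error":"[tsdb.example.com] Renew: creating new order: attempt 1: ...","attempt":7,"retrying_in":1200,"elapsed":2400.1,"max_duration":2592000}
caddy | {"level":"info","ts":1665040200.0,"logger":"tls.obtain","msg":"certificate obtained successfully","identifier":"other.example.com"}
"""

# A few RFC 8555 section 6.7 error types and what they usually mean for renewal.
HINTS = {
    "accountDoesNotExist": "CA no longer knows the stored account key; Caddy "
                           "re-registers once its ACME account state is cleared",
    "rateLimited": "CA rate limit hit; wait, do not clear local state",
}

def triage_renewals(log_text):
    """Per identifier: ACME error type, hint, days to expiry (negative = expired), retries."""
    report = defaultdict(dict)
    for line in log_text.splitlines():
        start = line.find("{")          # drop compose/journald prefixes
        if start < 0:
            continue
        try:
            ev = json.loads(line[start:])
        except json.JSONDecodeError:
            continue
        if not str(ev.get("logger", "")).startswith("tls."):
            continue
        ident = ev.get("identifier") or (ev.get("identifiers") or [None])[0]
        if ident is None and "error" in ev:   # "will retry" lines only name it in the text
            m = re.match(r"\[([^\]]+)\]", ev["error"])
            ident = m.group(1) if m else None
        if ident is None:
            continue
        entry = report[ident]
        if "remaining" in ev:
            entry["days_to_expiry"] = round(ev["remaining"] / 86400, 2)
        if ev.get("level") == "error":
            m = re.search(r"urn:ietf:params:acme:error:(\w+)", ev.get("error", ""))
            if m:
                entry["acme_error"] = m.group(1)
                entry["hint"] = HINTS.get(m.group(1), "see the CA's own logs")
            if "attempt" in ev:
                entry["attempt"] = ev["attempt"]
    return {k: v for k, v in report.items() if "acme_error" in v}
```

Feed it `docker compose logs caddy` output, or a journald export, and alert on any identifier whose `days_to_expiry` is already negative, since at that point clients are being served an expired certificate.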
