From reading the documentation it’s not clear how often (beyond once) the Ask url is queried to determine whether to auto download a certificate. My guess is only once per domain unless the process is restarted?
The ask endpoint is queried only when a certificate is needed and is not already available. Even if the process is stopped and started again, as long as the certificate was already obtained and is stored on disk and disk wasn’t wiped out (e.g. destroying the container), then it won’t have to ask again.
Thanks for the quick response. I’m more interested in knowing, when the ask URL returns false, when, if ever, would it be asked again?
Good question. Yes, it can be, because there’s no reason to believe, necessarily, that just because a name wasn’t authorized before means it will never be authorized later. So it will ask multiple times in that case.
On every request to the domain? Every n hours? Just trying to make it clear in my mind how often that url would be hit when it returns false.
Only when clients initiate a TLS handshake with that SNI value. Once a connection is established, future requests over that connection will not invoke the ask endpoint.
Thanks for the clarification. So just for anyone else who wonders about how this works in the future: anytime a client initiates a TLS handshake, the ask URL is pulled to determine if an auto TLS cert should be issued.
anytime a client initiates a tls handshake
Well, it’s more nuanced than that:
Anytime a client initiates a TLS handshake for a server name which Caddy does not yet have a certificate for, either in memory or in storage, and which matches that site definition in the Caddyfile where on-demand TLS is enabled.
Is a more accurate summary.
The ask endpoint, if configured, overrides any of Caddy’s internal rate-limiting on the matter. I should probably document that, if it’s not clear already.
I think clarifying the docs to indicate that max_certs doesn’t apply and that the URL will be polled based on your more exact summary would be helpful. More precise docs are always good!
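Since a false answer is re-asked on every TLS handshake for an unknown SNI, the ask endpoint should be a cheap local allowlist check and should log denials (a burst of them is a useful signal). Below is an added example of such an endpoint, written for this thread and not part of Caddy or the original posts; it assumes Caddy's documented behaviour of sending GET with a `domain` query parameter and treating a 2xx status as "issue", and the hostnames and port are made up.

```go
package main

import (
	"log"
	"net/http"
	"strings"
)

// AskPolicy is a hypothetical allowlist for Caddy's on-demand TLS "ask"
// endpoint (not Caddy's own code). An entry like "app.example.com" matches
// exactly; an entry like ".customers.example.com" matches any subdomain.
type AskPolicy struct{ entries []string } // entries: lowercase, no trailing dot

func normalize(name string) string {
	return strings.ToLower(strings.TrimSuffix(strings.TrimSpace(name), "."))
}

// Allowed reports whether a certificate may be issued for domain. Caddy does not
// cache a false answer, so this runs on every handshake for an unknown SNI.
func (p *AskPolicy) Allowed(domain string) bool {
	d := normalize(domain)
	if d == "" || strings.ContainsAny(d, "/\\ ") {
		return false
	}
	for _, e := range p.entries {
		if d == e || (strings.HasPrefix(e, ".") && strings.HasSuffix(d, e)) {
			return true
		}
	}
	return false
}

// Handler answers Caddy's GET /ask?domain=<name>: 200 means issue, 403 means deny.
func (p *AskPolicy) Handler() http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		domain := r.URL.Query().Get("domain")
		if !p.Allowed(domain) {
			log.Printf("ask: denied %q", domain) // bursts here mean probing or misconfig
			http.Error(w, "not allowed", http.StatusForbidden)
			return
		}
		w.WriteHeader(http.StatusOK)
	})
}

func main() {
	p := &AskPolicy{entries: []string{"app.example.com", ".customers.example.com"}}
	http.Handle("/ask", p.Handler())
	log.Fatal(http.ListenAndServe("127.0.0.1:5555", nil)) // constructed listen address
}
```

Point the site's on-demand TLS `ask` setting at this listener; any name not covered by the list gets a 403 and Caddy will simply ask again at the next handshake for that name.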