Tls with a custom file certificate

1. Caddy version (caddy version):

v2.5.1 h1:bAWwslD1jNeCzDa+jDCNwb8M3UJ2tPa8UZFFzPVmGKs=

2. How I run Caddy:

docker compose

a. System environment:

Debian 11.3 with docker 20.10.17

b. Command:

caddy run --config /etc/caddy/Caddyfile --adapter caddyfile --watch

c. Service/unit/compose file:

  caddy:
    image: caddy:2-alpine
    command: ["caddy", "run", "--config", "/etc/caddy/Caddyfile", "--adapter", "caddyfile", "--watch"]
    restart: always
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - ./data-custom/caddy/Caddyfile:/etc/caddy/Caddyfile
      - ./data/ssl:/mycerts/:ro
      - caddy_data:/data
      - caddy_config:/config
    networks:
      - my-network

d. My complete Caddyfile or JSON config:

sub.somedomain.com{
	tls /mycerts/cert.pem /mycerts/key.pem

	respond "all good"
}

6. Links to relevant resources:


Sorry about not filling all the template, but this is more a question than an issue.

Everything is working really well, no problems at all, my questions are:

  1. External changes will trigger a certificate reload?
    If the files (cert.pem or key.pem) are changed externally (by the host or by another container), will that certificate being used to serve sub.somedomain.com be reloaded automatically by caddy?
    (I have no idea about this, so far in my tests, no, not even caddy reload)

  2. Is this certificate (served by the file) subject to automatically renewal by the caddy?
    If the certificate it is about to expire, will caddy detect this and replace the certificate or it will continue serving the expired certificate?
    (I think not. The volume is ro, but pretend it is not)

I hope I made myself clear enough.
Thanks for the help.

No, that’s too scary, so we only reload manual certs when you reload the config.

No, only if you don’t bring your own certificate.

Thanks!

Maybe we can mention that two points on the docs?
I think it won’t hurt.

PS: How can I reload the certificate if there is no changes at the config file?
I mean “force reload” it or something similar.

Cheers.

There’s a --force flag:

Pretty sure the docs already say that, no?

Seems I missed that…

Thanks you both.

[]'s

1 Like