V1: Certs not reloading on USR1

@matt according to my tests Caddy is not reloading cert changes on disk. I have Vault generating certs every 2 minutes (only for validations) and signaling caddy with SIGUSR1… it does not pick the new certs. Is that the intended behaviour? I had the assumption Caddy would reload the certs without downtime.

(Splicing into new topic)

Are the reloads successful, or is an error being logged and then Caddy is rolling back?

And what’s your Caddyfile?

(Also, and I know you’re tired of hearing this from me, but Caddy 2 should work way better in this situation! :upside_down_face:)

1 Like

Here’s my Caddyfile

:8443
request_id
tls /secrets/cert.crt /secrets/cert.key {
  clients /etc/pki/ca-trust/ca.chain.crt.pem
  insecure_disable_sni_matching
}
errors stderr

proxy / 127.0.0.1:2015 {
  transparent
}

The process itself reloads fine but not with the newer certificates. I know that because I start to get TLS handshake errors in the logs of my frontends that do mTLS with this node.

Caddy 2 will come next :smiley:

BTW, I use a couple modules in my builds:

_ "github.com/caddyserver/dnsproviders/route53"
_ "github.com/lucaslorentz/caddy-supervisor/httpplugin"
_ "github.com/pteich/caddy-tlsconsul"
_ "github.com/pyed/ipfilter"

I’m just wondering how Caddy 2 handles it?
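The symptom described above (reload succeeds, frontends then fail their mTLS handshakes) is easiest to pin down by comparing the fingerprint of the leaf certificate the listener actually presents with the fingerprint of the file the server was configured with. The following is an added example, not code from Caddy or from this thread; it uses Go's `tls.Config.GetCertificate`, the per-handshake callback that lets a Go TLS server pick up renewed files without a restart, and contrasts it with a server that loaded the files once. The file names `cert.crt` / `cert.key` are borrowed from the Caddyfile above; the host name `node.example.test`, the temp directory and the self-signed throwaway key pairs are constructed fixtures.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"math/big"
	"net"
	"os"
	"path/filepath"
	"time"
)

// FingerprintPEM returns the SHA-256 fingerprint (hex) of the first CERTIFICATE block: the leaf on disk.
func FingerprintPEM(pemBytes []byte) (string, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != "CERTIFICATE" {
		return "", fmt.Errorf("no CERTIFICATE block found")
	}
	return fmt.Sprintf("%x", sha256.Sum256(block.Bytes)), nil
}

// ServedFingerprint handshakes as a TLS client over conn (a dialled socket or the pipe below) and
// fingerprints the served leaf. Verification is skipped on purpose: this identifies, it does not trust.
func ServedFingerprint(conn net.Conn, serverName string) (string, error) {
	defer conn.Close()
	c := tls.Client(conn, &tls.Config{ServerName: serverName, InsecureSkipVerify: true})
	if err := c.Handshake(); err != nil {
		return "", err
	}
	return fmt.Sprintf("%x", sha256.Sum256(c.ConnectionState().PeerCertificates[0].Raw)), nil
}

// CertsMatch reports whether a server taking its certificate from getCert (Go's per-handshake
// callback) presents the leaf currently stored at certPath. The server runs on an in-memory pipe.
func CertsMatch(certPath, serverName string, getCert func(*tls.ClientHelloInfo) (*tls.Certificate, error)) (bool, error) {
	onDisk, err := os.ReadFile(certPath)
	if err != nil {
		return false, err
	}
	want, err := FingerprintPEM(onDisk)
	if err != nil {
		return false, err
	}
	clientConn, serverConn := net.Pipe() // no listening port is needed for the check
	go func() {
		defer serverConn.Close()
		// Tickets off: a post-handshake write would block on the unbuffered pipe.
		cfg := &tls.Config{GetCertificate: getCert, SessionTicketsDisabled: true}
		_ = tls.Server(serverConn, cfg).Handshake()
	}()
	got, err := ServedFingerprint(clientConn, serverName)
	return got == want, err
}

func must(err error) { // fixture helper; real code returns the error instead
	if err != nil {
		panic(err)
	}
}

// writeSelfSigned stores a constructed, throwaway key pair under dir with the thread's file
// names (fixture data, not a Vault-issued certificate). Each call produces a different key.
func writeSelfSigned(dir string) (certPath, keyPath string) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	must(err)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	must(err)
	keyDER, err := x509.MarshalPKCS8PrivateKey(priv)
	must(err)
	certPath, keyPath = filepath.Join(dir, "cert.crt"), filepath.Join(dir, "cert.key")
	must(os.WriteFile(certPath, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), 0o644))
	must(os.WriteFile(keyPath, pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: keyDER}), 0o600))
	return certPath, keyPath
}

// Demo writes a key pair, lets one "process" load it once, renews the files on disk, then checks
// both servers. Returns (loadedOnceIsCurrent, reloadingIsCurrent): expected false, true.
func Demo(dir string) (bool, bool, error) {
	const name = "node.example.test" // hypothetical host name for SNI
	certPath, keyPath := writeSelfSigned(dir)
	stale, err := tls.LoadX509KeyPair(certPath, keyPath) // read once, before renewal
	must(err)
	loadedOnce := func(*tls.ClientHelloInfo) (*tls.Certificate, error) { return &stale, nil }
	reloading := func(*tls.ClientHelloInfo) (*tls.Certificate, error) {
		c, err := tls.LoadX509KeyPair(certPath, keyPath) // re-read on every handshake
		return &c, err
	}
	writeSelfSigned(dir) // the renewal lands at the same paths the server was configured with
	cachedOK, err := CertsMatch(certPath, name, loadedOnce)
	must(err)
	reloadOK, err := CertsMatch(certPath, name, reloading)
	return cachedOK, reloadOK, err
}
```

To run the same check against a live listener, hand `ServedFingerprint` a connection from `net.Dial("tcp", "host:8443")` and compare the result with `FingerprintPEM` of the file at the configured `tls` path (`/secrets/cert.crt` in the Caddyfile above). Two outcomes are worth telling apart: if the served fingerprint lags the file, the process is still holding the old certificate and the reload did not take; if the two match but the frontends keep failing, the file at that path is not the renewed one, which points at whatever writes the files rather than at the server. Because the listener in the Caddyfile requests a client certificate, a live check against it needs one in `tls.Config.Certificates` for the handshake to complete.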

What do the logs show (the process log), before, during and after a reload?

IP filtering is mostly built into Caddy 2 as a request matcher. The Route53 DNS provider is yet to be implemented. The supervisor plugin may be in the process of being rewritten for Caddy 2, I’m not sure. And tlsconsul… should be able to work with Caddy 2, with just a few minor changes.

1 Like

Let me enable debug there and I’ll let you know

My apologies… I think I spoke too soon… The issue was in my scheduler placing the new certs in the wrong dir :man_facepalming:

I re-validated the reload and it works as expected! :smiley:

Switching back to the v2 topic for a moment…

  • Once we get Certmagic working with DynamoDB, we won’t need tlsconsul anymore
  • ipfiltering :ok:
  • Route53 DNS provider is a must have for us :frowning_face:
  • supervisor is a great addition but not a hard requirement

I’ll try to help as much as I can to get those in v2, otherwise we are still stuck in v1.

For that, you can probably submit a pull request here https://github.com/caddyserver/tls.dns to make it available!

1 Like

Yay, thanks for double checking.

Fortunately, that is easy.

Although, lego’s current exported API makes it difficult to meet our requirements. I’m looking at alternatives. Still, you can submit a Route53 PR for now and it shouldn’t be too hard to change it later. I’m just not going down the rabbit hole of porting all 60+ providers yet until I stabilize the DNS provider plugins, which will take time.

1 Like

I really appreciate the work being done in Caddy and all the features and awesomeness it brings to the table. I’ll surely get more involved and even not being a Golang expert I think I can put down some effort on my end to help get these features out there.

1 Like

Route53 DNS provider is coming in a PR tomorrow :smiley:

Built and ran in my environment, works like a charm.

2 Likes