V2 Caddy Not Generating Certificate After Initial Creation

Robert_Crawford · January 24, 2020, 8:15pm

1. My Caddy version (`caddy -version`):

v2.0.0-beta.13 h1:QL0JAepFvLVtOatABqniuDRQ4HmtvWuuSWZW24qVVtk=

2. How I run Caddy:

a. System environment:

CentOS 7, SystemD

b. Command:

Runs As Service

c. Service/unit/compose file:

This service file requires the following:

#
# 1) Group named caddy:
#      $ groupadd --system caddy
#
# 2) User named caddy, with a writeable home folder:
#      $ useradd --system \
#           --gid caddy \
#           --create-home \
#           --home-dir /var/lib/caddy \
#           --shell /usr/sbin/nologin \
#           --comment "Caddy web server" \
#           caddy
#
# 3) Caddyfile at /etc/caddy/Caddyfile that is
#    readable by the caddy user
#

[Unit]
Description=Caddy Web Server
Documentation=https://caddyserver.com/docs/
After=network.target

[Service]
User=caddy
Group=caddy
ExecStart=/usr/bin/caddy run --config /etc/caddy/Caddyfile --adapter caddyfile --resume --environ
ExecReload=/usr/bin/caddy reload --config /etc/caddy/Caddyfile --adapter caddyfile
TimeoutStopSec=5s
LimitNOFILE=1048576
LimitNPROC=512
PrivateTmp=true
ProtectSystem=full
AmbientCapabilities=CAP_NET_BIND_SERVICE

[Install]
WantedBy=multi-user.target

d. My complete Caddyfile:

131-OVR-01.stfd13.org {
        reverse_proxy 10.0.8.3:443 {
        transport http {
                tls
                tls_insecure_skip_verify
                }
        }
}
portal.stfd13.org{
        reverse_proxy 10.0.0.46:443
        transport http {
                tls
                tls_insecure_skip_verify
                }
        }
}
gis.stfd13.org {
        reverse_proxy 10.0.0.47:443
        transport http {
                tls
                tls_insecure_skip_verify
                }
        }
}
wazuh.stfd13.org {
        reverse_proxy 10.0.0.13:5601
        transport http {
                tls
                tls_insecure_skip_verify
                }
        }
}

3. The problem I’m having:

Not generating another certificate after website was added

4. Error messages and/or full log output:

 ● caddy.service - Caddy Web Server
   Loaded: loaded (/etc/systemd/system/caddy.service; enabled; vendor preset: disabled)
   Active: active (running) since Fri 2020-01-24 15:03:13 EST; 10min ago
     Docs: https://caddyserver.com/docs/
  Process: 1930 ExecReload=/usr/bin/caddy reload --config /etc/caddy/Caddyfile --adapter caddyfile (code=exited, status=1/FAILURE)
 Main PID: 2087 (caddy)
   CGroup: /system.slice/caddy.service
           └─2087 /usr/bin/caddy run --config /etc/caddy/Caddyfile --adapter caddyfile --resume --environ

Jan 24 15:03:16 caddy.stfd13.org caddy[2087]: 2020/01/24 15:03:16 http: TLS handshake error from 170.249.187.86:55340: no certificate available for 'portal.stfd13.org'
Jan 24 15:03:16 caddy.stfd13.org caddy[2087]: 2020/01/24 15:03:16 http: TLS handshake error from 170.249.187.86:55341: no certificate available for 'portal.stfd13.org'
Jan 24 15:03:16 caddy.stfd13.org caddy[2087]: 2020/01/24 15:03:16 http: TLS handshake error from 170.249.187.86:55342: no certificate available for 'portal.stfd13.org'
Jan 24 15:03:16 caddy.stfd13.org caddy[2087]: 2020/01/24 15:03:16 http: TLS handshake error from 170.249.187.86:55343: no certificate available for 'portal.stfd13.org'
Jan 24 15:03:16 caddy.stfd13.org caddy[2087]: 2020/01/24 15:03:16 http: TLS handshake error from 170.249.187.86:55344: no certificate available for 'portal.stfd13.org'
Jan 24 15:03:16 caddy.stfd13.org caddy[2087]: 2020/01/24 15:03:16 http: TLS handshake error from 170.249.187.86:55345: no certificate available for 'portal.stfd13.org'
Jan 24 15:03:16 caddy.stfd13.org caddy[2087]: 2020/01/24 15:03:16 http: TLS handshake error from 170.249.187.86:55348: no certificate available for 'portal.stfd13.org'
Jan 24 15:03:16 caddy.stfd13.org caddy[2087]: 2020/01/24 15:03:16 http: TLS handshake error from 170.249.187.86:55347: no certificate available for 'portal.stfd13.org'
Jan 24 15:13:48 caddy.stfd13.org caddy[2087]: 2020/01/24 15:13:48 http: TLS handshake error from 170.249.187.86:55764: no certificate available for 'wazuh.stfd13.org'
Jan 24 15:13:48 caddy.stfd13.org caddy[2087]: 2020/01/24 15:13:48 http: TLS handshake error from 170.249.187.86:55765: no certificate available for 'wazuh.stfd13.org'

5. What I already tried:

Restaring Service & Rebooting

6. Links to relevant resources:

Mohammed90 · January 25, 2020, 10:49am

Hi Robert! Welcome to the Caddy community.

Can you share what your initial Caddyfile looked like, how the config change was made, and how was Caddy notified of the update (i.e. what was the command used)? I see many possible scenarios and would like to know which one took place.

balloon · January 26, 2020, 12:24pm

Some of the (subdomain).stfd13.org listed in the Caddyfile appear to have recently issued a certificate:

If you remember recently changing settings around tls, be careful.

Mohammed90 · January 28, 2020, 7:59pm

Hey @Robert_Crawford, were you able to resolve your issue? From the top of my head, I’m thinking if you modified the Caddyfile instead of POSTing the new config, you need to issue a reload so Caddy re-reads the config file. If you POST the new config, it will automatically write the new config as per the XDG_DATA spec.

matt · February 3, 2020, 6:02am

I am also interested in this.

system · May 3, 2020, 6:02am

This topic was automatically closed 90 days after the last reply. New replies are no longer allowed.