Verifying dynamic TLS certificate renewal

1. Caddy version (caddy version):

v2.2.0 h1:sMUFqTbVIRlmA8NkFnNt9l7s0e+0gw+7GPIrhty905A=

(Built using xcaddy to add DynamoDB storage support)

2. How I run Caddy:

Not relevant, but:

We have 2 Caddy machines each configured to use DynamoDB for storage so we can have clustered Dynamic TLS support, which we use to offer custom domains to customers of our SaaS application.

Each Caddy is configured as a simple reverse proxy to a local node app.

a. System environment:

AWS Linux 2

c. Service/unit/compose file:

[Unit]
Description=Caddy
Documentation=https://caddyserver.com/docs/
After=network.target network-online.target
Requires=network-online.target

[Service]
User=caddy
Group=caddy
ExecStart=/usr/bin/caddy run --environ --config /etc/caddy/Caddyfile
ExecReload=/usr/bin/caddy reload --config /etc/caddy/Caddyfile
TimeoutStopSec=5s
LimitNOFILE=1048576
LimitNPROC=512
PrivateTmp=true
ProtectSystem=full
AmbientCapabilities=CAP_NET_BIND_SERVICE

[Install]
WantedBy=multi-user.target

d. My complete Caddyfile or JSON config:

{
    email foo@example.com

    on_demand_tls {
        ask http://localhost:8081
    }

    storage dynamodb caddy {
        aws_region us-east-1
    }
}

:443

reverse_proxy 127.0.0.1:8080

tls {
    on_demand
}

3. The problem I’m having:

We are using Dynamic TLS so that Caddy auto-generates Let's Encrypt certs for various domains.

I just want to know what operational checks we can put in place to verify renewals are working ok.

Does Caddy renew X days ahead of the expiry date? Or does it just auto-renew on demand as it sees an expired certificate?

If the former, then we could at least write a periodic check to verify certs for some well known domains are never less than ~X days from expiry. If the latter, then I guess we just have to keep an eye on log files, right?

Related Q: is there any way to trigger the renewal process on demand? Would be nice to see it work at least once before we go live.

Thanks!

Caddy begins to attempt renewals 30 days before expiry (or 60 days after issuance, because LE certs are 90-day). You can find this value in certmagic; basically it starts trying to renew once within the last 1/3 of the cert's lifetime: certmagic/maintain.go at e7f9729bad6ca5c5948769826a2705e2ae633f42 · caddyserver/certmagic · GitHub. It also uses exponential backoff if it can't renew the first time, over the next 30 days.

Yeah, you could do this. A safe threshold would be something like never 1/4 of the lifetime away from expiry, I guess, if you want to use fractions (in case the default lifetime from LE ever changes - it could become shorter, for better security and lessened trust requirements).

Not really - but Caddy will trigger the certificate management routine immediately on startup, and iirc every 5 minutes thereafter.

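A periodic check along the lines discussed above, added here as an example and not part of the original thread or of Caddy itself: it handshakes with each hostname using SNI (so on_demand serves that host's certificate), reads the served certificate's validity window, and classifies it with the thresholds from the reply (certmagic renews within the last 1/3 of the lifetime; alert once less than 1/4 remains, so the threshold tracks the issuer's lifetime rather than a fixed day count). The ALERT_FRACTION value, the status names and the function names are this example's own assumptions.

```python
import socket
import ssl
import sys
from datetime import datetime, timedelta, timezone

# Assumed threshold: certmagic renews in the last 1/3 of the lifetime, so a cert
# with less than 1/4 left has missed its scheduled renewal and should alert.
ALERT_FRACTION = 0.25

def check_lifetime(not_before, not_after, now, fraction=ALERT_FRACTION):
    """Classify a certificate by the share of its lifetime that remains."""
    lifetime = not_after - not_before
    remaining = not_after - now
    if remaining <= timedelta(0):
        status = "EXPIRED"
    elif remaining < fraction * lifetime:
        status = "ALERT"      # renewal window has been open a while, still the old cert
    elif remaining < lifetime / 3:
        status = "IN_WINDOW"  # renewal window open; Caddy may still be retrying with backoff
    else:
        status = "OK"
    return {"status": status, "days_left": remaining.days, "lifetime_days": lifetime.days}

def fetch_cert_validity(host, port=443, timeout=5.0):
    """Handshake with SNI so on_demand serves the host's cert; return (notBefore, notAfter) as UTC datetimes."""
    ctx = ssl.create_default_context()  # verifies the chain, so an untrusted cert surfaces as an error
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    to_dt = lambda s: datetime.fromtimestamp(ssl.cert_time_to_seconds(s), tz=timezone.utc)
    return to_dt(cert["notBefore"]), to_dt(cert["notAfter"])

def check_hosts(hosts, now=None):
    """Check every host; a failed handshake is reported as ERROR rather than hidden."""
    now = now or datetime.now(timezone.utc)
    results = {}
    for host in hosts:
        try:
            results[host] = check_lifetime(*fetch_cert_validity(host), now)
        except (OSError, KeyError) as exc:  # ssl.SSLError is an OSError subclass
            results[host] = {"status": "ERROR", "error": str(exc)}
    return results

if __name__ == "__main__":  # e.g. from cron: python renewal_check.py shop.example.com app.example.com
    res = check_hosts(sys.argv[1:])
    for host, r in res.items():
        print(host, r)
    sys.exit(1 if any(r["status"] in ("ALERT", "EXPIRED", "ERROR") for r in res.values()) else 0)
```

Run it against a few well-known customer domains from cron and alert on a non-zero exit; an ERROR for a domain that previously passed usually means the ask endpoint denied it or the handshake itself failed, which is worth a look in the Caddy logs.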

Perfect. Thanks for the details
