1. Caddy version (`caddy version`):
v2.2.0 h1:sMUFqTbVIRlmA8NkFnNt9l7s0e+0gw+7GPIrhty905A=
(Built using xcaddy to add dynamo DB storage support)
2. How I run Caddy:
Not relevant, but:
We have 2 Caddy machines each configured to use DynamoDB for storage so we can have clustered Dynamic TLS support, which we use to offer custom domains to customers of our SaaS application.
Each Caddy is configured as a simple reverse proxy to a local node app.
a. System environment:
AWS Linux 2
c. Service/unit/compose file:
```
[Unit]
Description=Caddy
Documentation=https://caddyserver.com/docs/
After=network.target network-online.target
Requires=network-online.target

[Service]
User=caddy
Group=caddy
ExecStart=/usr/bin/caddy run --environ --config /etc/caddy/Caddyfile
ExecReload=/usr/bin/caddy reload --config /etc/caddy/Caddyfile
TimeoutStopSec=5s
LimitNOFILE=1048576
LimitNPROC=512
PrivateTmp=true
ProtectSystem=full
AmbientCapabilities=CAP_NET_BIND_SERVICE

[Install]
WantedBy=multi-user.target
```
d. My complete Caddyfile or JSON config:
```
{
	email foo@example.com
	on_demand_tls {
		ask http://localhost:8081
	}
	storage dynamodb caddy {
		aws_region us-east-1
	}
}

:443

reverse_proxy 127.0.0.1:8080

tls {
	on_demand
}
```
3. The problem I’m having:
We are using Dynamic TLS so that Caddy auto-generates Let's Encrypt certs for various domains.
I just want to know what operational checks we can put in place to verify renewals are working ok.
Does Caddy renew X days ahead of the expiry date? Or does it just auto-renew on demand as it sees an expired certificate?
If the former, then we could at least write a periodic check to verify certs for some well known domains are never less than ~X days from expiry. If the latter, then I guess we just have to keep an eye on log files, right?
Related Q: is there any way to trigger the renewal process on demand? It would be nice to see it work at least once before we go live.
Thanks!
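As an added example (not part of the original post), here is one way to implement the periodic expiry check described above, in Python using only the standard library: it connects to each domain with SNI, reads the leaf certificate's notAfter, and reports OK/WARN/EXPIRED against a threshold. The 20-day threshold and the example.com placeholder are assumptions, not values from the post.

```python
"""Periodic certificate-expiry check for domains served by Caddy on-demand TLS."""
import socket
import ssl
import time

# Assumed threshold (not from the post): warn when fewer than this many days remain.
WARN_DAYS = 20


def days_until_expiry(not_after, now_ts=None):
    """Days left on a cert, given its 'notAfter' string as returned by
    ssl.SSLSocket.getpeercert(), e.g. 'Jan 10 00:00:00 2030 GMT'.
    now_ts is Unix seconds (defaults to the current time)."""
    expiry_ts = ssl.cert_time_to_seconds(not_after)
    if now_ts is None:
        now_ts = time.time()
    return (expiry_ts - now_ts) / 86400


def classify(days_left, warn_days=WARN_DAYS):
    """Map days remaining to a status string a monitor can alert on."""
    if days_left <= 0:
        return "EXPIRED"
    if days_left < warn_days:
        return "WARN"
    return "OK"


def fetch_not_after(host, port=443, timeout=5.0):
    """Open a verified TLS connection with SNI set to `host` and return the
    leaf certificate's notAfter. Verification stays on, so an untrusted or
    mismatched cert surfaces as an error instead of silently passing."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as tcp:
        with ctx.wrap_socket(tcp, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]


def check_hosts(hosts, warn_days=WARN_DAYS):
    """Return {host: (status, days_left)}; days_left is None on error."""
    results = {}
    for host in hosts:
        try:
            days = days_until_expiry(fetch_not_after(host))
            results[host] = (classify(days, warn_days), round(days, 1))
        except (OSError, ssl.SSLError, KeyError, ValueError) as exc:
            results[host] = ("ERROR: %s" % exc, None)
    return results


if __name__ == "__main__":
    import sys
    hosts = sys.argv[1:] or ["example.com"]  # placeholder; pass real customer domains
    for host, (status, days) in check_hosts(hosts).items():
        print(f"{host}: {status} ({days} days left)")
```

Run it from cron against a handful of well-known customer domains and alert on any line that is not OK.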