fix(certs): automatically refresh tls certificates with on_demand_tls #28
This PR is intended to fix issue #27. The bug was that while "on demand" TLS issuing (including automatic certificate renewal) was enabled for the local CA, it wasn't actually turned on. The fix is to turn on the automatic certificate renewal.
Once that was turned on, Caddy started showing a warning regarding a missing `on_demand_tls` global configuration block, so I updated the config to include that, too. The warning looks like:

I tested that this PR solves the problem by:

- `tls.issuer.lifetime = 10s`, so that the certs generated for each site would expire after 10 seconds. (The default period is `12h`.)
- `localias` did not automatically renew the certificate.
- `tls.on_demand` configuration statement to turn on automatic certificate renewal.
- `localias` would automatically renew the certificate when the next request was made to the website.

For Caddy docs that helped me figure this out, see:
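A client-side check for the renewal behaviour exercised in the test steps above, added here as an example and not part of the localias PR: it performs one TLS handshake, waits out the short issuer lifetime, handshakes again, and reports whether a different leaf certificate was presented. The host name `myapp.test`, port 443 and the 10-second lifetime are hypothetical values; `openssl` must be on PATH.

```shell
#!/bin/sh
# Added example (not from the localias PR): confirm that a Caddy-served local
# site re-issues its certificate after the issuer lifetime elapses and a new
# request arrives. Host, port and lifetime below are hypothetical.

# cert_id: reduce `openssl x509 -noout -serial -enddate` output to "serial|notAfter".
cert_id() {
    printf '%s\n' "$1" | awk -F= '
        /^serial=/   { s = $2 }
        /^notAfter=/ { e = $2 }
        END          { print s "|" e }'
}

# renewed: succeed (exit 0) only when both ids are present and differ,
# i.e. a new leaf certificate was issued between the two handshakes.
renewed() {
    [ -n "$1" ] && [ -n "$2" ] && [ "$1" != "$2" ]
}

# fetch_cert_id: one TLS handshake (the request that triggers on-demand
# issuance) and the id of the leaf certificate the server presented.
fetch_cert_id() {
    host=$1
    port=${2:-443}
    out=$(printf '' | openssl s_client -connect "$host:$port" -servername "$host" 2>/dev/null \
          | openssl x509 -noout -serial -enddate 2>/dev/null)
    cert_id "$out"
}

# check_renewal: handshake, wait past the configured lifetime, handshake again.
check_renewal() {
    host=$1
    lifetime=${2:-10}                 # seconds; matches tls.issuer.lifetime = 10s
    first=$(fetch_cert_id "$host")
    echo "first cert:  $first"
    sleep $((lifetime + 1))           # let the short-lived cert expire
    second=$(fetch_cert_id "$host")   # this request should trigger re-issuance
    echo "second cert: $second"
    if renewed "$first" "$second"; then
        echo "OK: certificate was renewed on demand"
    else
        echo "FAIL: same certificate presented after lifetime elapsed" >&2
        return 1
    fi
}

# Run only when a host is supplied via RENEWAL_HOST, e.g.:
#   RENEWAL_HOST=myapp.test sh check_renewal.sh
if [ -n "${RENEWAL_HOST:-}" ]; then
    check_renewal "$RENEWAL_HOST" "${RENEWAL_LIFETIME:-10}"
fi
```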