fix(certs): automatically refresh tls certificates with on_demand_tls #28
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR is intended to fix issue #27. The bug was that while "on demand" TLS issuing (including automatic certificate renewal) was enabled for the local CA, it wasn't actually turned on. The fix is to turn on the automatic certificate renewal.
Once that was turned on, Caddy started showing a warning regarding a missing
on_demand_tlsglobal configuration block, so I updated the config to include that, too.The warning looks like:
I tested that this PR solves the problem by:
tls.issuer.lifetime = 10s, so that the certs generated for each site would expire after 10 seconds. (The default period is12h.)localiasdid not automatically renew the certificate.tls.on_demandconfiguration statement to turn on automatic certificate renewal.localiaswould automatically renew the certificate when the next request was made to the website.For Caddy docs that helped me figure this out, see:
Click here to see example logs proving automatic certificate renewal
2024/04/03 19:25:08.861 INFO tls finished cleaning storage units 2024/04/03 19:26:05.217 INFO tls.on_demand attempting certificate renewal {"server_name": "expiry.test", "subjects": ["expiry.test"], "expiration": "2024/04/03 19:24:58.000", "remaining": -67.217564, "revoked": false} 2024/04/03 19:26:05.223 INFO tls.renew acquiring lock {"identifier": "expiry.test"} 2024/04/03 19:26:05.246 INFO tls.renew lock acquired {"identifier": "expiry.test"} 2024/04/03 19:26:05.246 INFO tls.renew renewing certificate {"identifier": "expiry.test", "remaining": -67.24655} 2024/04/03 19:26:05.249 INFO tls.renew certificate renewed successfully {"identifier": "expiry.test"} 2024/04/03 19:26:05.249 INFO tls.renew releasing lock {"identifier": "expiry.test"} 2024/04/03 19:26:05.250 INFO tls.cache replaced certificate in cache {"subjects": ["expiry.test"], "new_expiration": "2024/04/03 19:26:16.000"} 2024/04/03 19:26:13.149 INFO tls.on_demand attempting certificate renewal {"server_name": "expiry.test", "subjects": ["expiry.test"], "expiration": "2024/04/03 19:26:16.000", "remaining": 2.850843, "revoked": false} 2024/04/03 19:26:13.154 INFO tls.renew acquiring lock {"identifier": "expiry.test"} 2024/04/03 19:26:13.179 INFO tls.renew lock acquired {"identifier": "expiry.test"} 2024/04/03 19:26:13.180 INFO tls.renew renewing certificate {"identifier": "expiry.test", "remaining": 2.819957} 2024/04/03 19:26:13.181 INFO tls.renew certificate renewed successfully {"identifier": "expiry.test"} 2024/04/03 19:26:13.181 INFO tls.renew releasing lock {"identifier": "expiry.test"} 2024/04/03 19:26:13.181 INFO tls.cache replaced certificate in cache {"subjects": ["expiry.test"], "new_expiration": "2024/04/03 19:26:24.000"} 2024/04/03 19:26:45.121 INFO tls.on_demand attempting certificate renewal {"server_name": "expiry.test", "subjects": ["expiry.test"], "expiration": "2024/04/03 19:26:24.000", "remaining": -21.12137, "revoked": false} 2024/04/03 19:26:45.122 INFO tls.renew acquiring lock {"identifier": "expiry.test"} 2024/04/03 19:26:45.146 INFO tls.renew lock acquired {"identifier": "expiry.test"} 2024/04/03 19:26:45.147 INFO tls.renew renewing certificate {"identifier": "expiry.test", "remaining": -21.147127} 2024/04/03 19:26:45.154 INFO tls.renew certificate renewed successfully {"identifier": "expiry.test"} 2024/04/03 19:26:45.154 INFO tls.renew releasing lock {"identifier": "expiry.test"} 2024/04/03 19:26:45.155 INFO tls.cache replaced certificate in cache {"subjects": ["expiry.test"], "new_expiration": "2024/04/03 19:26:56.000"} 2024/04/03 19:26:55.618 INFO tls.on_demand attempting certificate renewal {"server_name": "expiry.test", "subjects": ["expiry.test"], "expiration": "2024/04/03 19:26:56.000", "remaining": 0.381874, "revoked": false} 2024/04/03 19:26:55.619 INFO tls.renew acquiring lock {"identifier": "expiry.test"} 2024/04/03 19:26:55.641 INFO tls.renew lock acquired {"identifier": "expiry.test"} 2024/04/03 19:26:55.641 INFO tls.renew renewing certificate {"identifier": "expiry.test", "remaining": 0.358275} 2024/04/03 19:26:55.650 INFO tls.renew certificate renewed successfully {"identifier": "expiry.test"} 2024/04/03 19:26:55.650 INFO tls.renew releasing lock {"identifier": "expiry.test"} 2024/04/03 19:26:55.653 INFO tls.cache replaced certificate in cache {"subjects": ["expiry.test"], "new_expiration": "2024/04/03 19:27:06.000"}