Today I gained a little more knowledge about Caddy, and I thought I’d share in case someone is having the same issue.
I’ve been biting my nails worrying about Caddy updating certificates. Everything I had read told me not to sweat it. That Caddy had my back and wouldn’t let any certs expire. Well, two did, today. So I set about today, after I got all my chores done, to see if I could figure out wtf.
Long story short, I had a inconsistency in the format of my Caddy file. It didn’t affect the function of the file to the extent that it would not provide the certificate in daily use, but apparently I confused Caddy enough so that it couldn’t determine when certs were expiring, and reissue the cert.
If you run the following:
caddy reload --config /etc/caddy/Caddyfile
And you get something like this:
2025/04/09 21:49:03.376 WARN Caddyfile input is not formatted; run 'caddy fmt --overwrite' to fix inconsistencies{"adapter": "caddyfile", "file": "/etc/caddy/Caddyfile", "line": 1}
It’s a warning that something is askew. Not to worry tho, you can fix it thusly:
Make a backup assuming etc/caddy/Caddyfile is where your Caddyfile is:
cp /etc/caddy/Caddyfile /etc/caddy/Caddyfile.bak
Next we’ll ask Caddy nicely to please reformat in an acceptible form:
sudo caddy fmt --overwrite /etc/caddy/Caddyfile
Trust but verify:
caddy validate --config /etc/caddy/Caddyfile
Now run:
caddy reload --config /etc/caddy/Caddyfile
You should be golden at this point.
Cheers
If you’re using git to version Caddy configuration, you can use a pre-commit hook to test it, ensuring that you’ll never have invalid configuration. That’s what I do.
caddy validateThere’s some extra command args that may be necessary but that should be an adequate first step.
Did you have a mistake in your caddyfile? Or, what led to this? I’m using caddy as well and could be good to know, though I don’t recall seeing that warning.
Indeed I did. I had apparently screwed up the formatting of a couple of the entries. The associated apps worked on a daily basis, the certificate was visible, but apparently the improper formatting was enough to confuse Caddy when it came to renewing the cert. Looking at the backup Caddyfile verses the newly formatted Caddyfile, I had a couple braces out of whack.
ETA: what led to all of this was that two certs expired today, and everything I had previously read said that Caddy wouldn’t let that happen. Well it won’t if I don’t fatfinger the format next time
I have switched production to Caddy before V2 and haven’t looked back ever since. During my Apache era, always had to keep a eye on stuff and deal when things decided to break With caddy? I just throw the config and it just works without complaining at all
I did some bad formatting during my initial setup of caddy. Having the formater is really handy.
Well, I had a time wrapping my old head around Caddy. It took me an embarrassingly long time to get it, and one day the clouds cleared, and the sun shone through, and it made sense. I had no clue about the formater, but you can bet I’ve made some notes so I don’t do that shit again. LOL
Cool. You got lucky. This is covered in the docs and is normal behavior.
The problems arise when this exchange doesn’t happen without issue though.
My ingress firewall blocks the cert renewal challenge requests because they always come from countries that I blanket block, which requires me to keep an eye on it and disable blocking on certain countries to allow the renewals to happen, then re-enable blocking… Let’s Encrypt (somewhat understandably) doesn’t publish the list of IPs that they will use for the challenge requests, so I’m not sure if there’s a better solution. Anyone dealt with this?
Use the DNS challenge instead? You’ll need a DNS provider with an API though
Huh, I didn’t know about this option. I’ll check it out. Thanks!
