Today I gained a little more knowledge about Caddy, and I thought I’d share in case someone is having the same issue.
I’ve been biting my nails worrying about Caddy updating certificates. Everything I had read told me not to sweat it. That Caddy had my back and wouldn’t let any certs expire. Well, two did, today. So I set about today, after I got all my chores done, to see if I could figure out wtf.
Long story short, I had a inconsistency in the format of my Caddy file. It didn’t affect the function of the file to the extent that it would not provide the certificate in daily use, but apparently I confused Caddy enough so that it couldn’t determine when certs were expiring, and reissue the cert.
If you run the following:
caddy reload --config /etc/caddy/Caddyfile
And you get something like this:
2025/04/09 21:49:03.376 WARN Caddyfile input is not formatted; run 'caddy fmt --overwrite' to fix inconsistencies{"adapter": "caddyfile", "file": "/etc/caddy/Caddyfile", "line": 1}
It’s a warning that something is askew. Not to worry tho, you can fix it thusly:
Make a backup assuming etc/caddy/Caddyfile is where your Caddyfile is:
cp /etc/caddy/Caddyfile /etc/caddy/Caddyfile.bak
Next we’ll ask Caddy nicely to please reformat in an acceptible form:
sudo caddy fmt --overwrite /etc/caddy/Caddyfile
Trust but verify:
caddy validate --config /etc/caddy/Caddyfile
Now run:
caddy reload --config /etc/caddy/Caddyfile
You should be golden at this point.
Cheers
If you’re using git to version Caddy configuration, you can use a pre-commit hook to test it, ensuring that you’ll never have invalid configuration. That’s what I do.
caddy validateThere’s some extra command args that may be necessary but that should be an adequate first step.
I have switched production to Caddy before V2 and haven’t looked back ever since. During my Apache era, always had to keep a eye on stuff and deal when things decided to break With caddy? I just throw the config and it just works without complaining at all
I did some bad formatting during my initial setup of caddy. Having the formater is really handy.
Well, I had a time wrapping my old head around Caddy. It took me an embarrassingly long time to get it, and one day the clouds cleared, and the sun shone through, and it made sense. I had no clue about the formater, but you can bet I’ve made some notes so I don’t do that shit again. LOL
My ingress firewall blocks the cert renewal challenge requests because they always come from countries that I blanket block, which requires me to keep an eye on it and disable blocking on certain countries to allow the renewals to happen, then re-enable blocking… Let’s Encrypt (somewhat understandably) doesn’t publish the list of IPs that they will use for the challenge requests, so I’m not sure if there’s a better solution. Anyone dealt with this?
Use the DNS challenge instead? You’ll need a DNS provider with an API though
Huh, I didn’t know about this option. I’ll check it out. Thanks!
Wait. I got the format warning in caddy, so does this mean it could contain substantial error? I gotta check
Don’t forget to make a backup before any changes.
Better yet, track your configs in version control do you can easily roll it back and back it up, all at the same time.
Cool. You got lucky. This is covered in the docs and is normal behavior.
The problems arise when this exchange doesn’t happen without issue though.