Today I gained a little more knowledge about Caddy, and I thought I’d share in case someone is having the same issue.

I’ve been biting my nails worrying about Caddy updating certificates. Everything I had read told me not to sweat it. That Caddy had my back and wouldn’t let any certs expire. Well, two did, today. So I set about today, after I got all my chores done, to see if I could figure out wtf.

Long story short, I had a inconsistency in the format of my Caddy file. It didn’t affect the function of the file to the extent that it would not provide the certificate in daily use, but apparently I confused Caddy enough so that it couldn’t determine when certs were expiring, and reissue the cert.

If you run the following:

caddy reload --config /etc/caddy/Caddyfile

And you get something like this:

2025/04/09 21:49:03.376 WARN    Caddyfile input is not formatted; run 'caddy fmt --overwrite' to fix inconsistencies{"adapter": "caddyfile", "file": "/etc/caddy/Caddyfile", "line": 1}

It’s a warning that something is askew. Not to worry tho, you can fix it thusly:

Make a backup assuming etc/caddy/Caddyfile is where your Caddyfile is:

cp /etc/caddy/Caddyfile /etc/caddy/Caddyfile.bak

Next we’ll ask Caddy nicely to please reformat in an acceptible form:

sudo caddy fmt --overwrite /etc/caddy/Caddyfile

Trust but verify:

caddy validate --config /etc/caddy/Caddyfile

Now run:

caddy reload --config /etc/caddy/Caddyfile

You should be golden at this point.

Cheers

  • Oisteink@feddit.nlEnglish
    23·
    4 days ago

    That depends on what your error is. It’s not a magic process, it just tries to help you with formatting. The validate is the magic, it helps you spot errors as you make them.

    • irmadlad@lemmy.worldOPEnglish
      51·
      4 days ago

      Absolutely, and now I know a little more about the process.

      It’s been a good day 'tater.

  • excess0680@lemmy.worldEnglish
    16·
    4 days ago

    If you’re using git to version Caddy configuration, you can use a pre-commit hook to test it, ensuring that you’ll never have invalid configuration. That’s what I do.

    caddy validate

    There’s some extra command args that may be necessary but that should be an adequate first step.

  • Akatsuki Levi@lemmy.worldEnglish
    7·
    4 days ago

    I have switched production to Caddy before V2 and haven’t looked back ever since. During my Apache era, always had to keep a eye on stuff and deal when things decided to break With caddy? I just throw the config and it just works without complaining at all

  • couch1potato@lemmy.dbzer0.comEnglish
    8·
    4 days ago

    Did you have a mistake in your caddyfile? Or, what led to this? I’m using caddy as well and could be good to know, though I don’t recall seeing that warning.

    • irmadlad@lemmy.worldOPEnglish
      3·
      4 days ago

      Indeed I did. I had apparently screwed up the formatting of a couple of the entries. The associated apps worked on a daily basis, the certificate was visible, but apparently the improper formatting was enough to confuse Caddy when it came to renewing the cert. Looking at the backup Caddyfile verses the newly formatted Caddyfile, I had a couple braces out of whack.

      ETA: what led to all of this was that two certs expired today, and everything I had previously read said that Caddy wouldn’t let that happen. Well it won’t if I don’t fatfinger the format next time

  • uranibaba@lemmy.worldEnglish
    7·
    4 days ago

    I did some bad formatting during my initial setup of caddy. Having the formater is really handy.

    • irmadlad@lemmy.worldOPEnglish
      5·
      4 days ago

      Well, I had a time wrapping my old head around Caddy. It took me an embarrassingly long time to get it, and one day the clouds cleared, and the sun shone through, and it made sense. I had no clue about the formater, but you can bet I’ve made some notes so I don’t do that shit again. LOL

  • Xanza@lemm.eeEnglish
    4·
    4 days ago

    I like to use a justfile to do this all in one fell swoop;

    default:
  just --list

caddy-refresh:
  caddy fmt --overwrite ~/.caddy
  caddy validate --config /etc/caddy/Caddyfile -a caddyfile
caddy-reload: caddy-refresh
  doas docker exec -it caddy caddy reload --config /etc/caddy/Caddyfile

    ~/.caddy is my caddyfile, which is system linked to /etc/caddy/Caddyfile. Doing it this way ensures there are no permission issues, and you don’t need sudo to edit your caddyfile. So you simply nvim ~/.caddy, make your changes, and then run just caddy-reload, which runs caddy-refresh before reloading the caddy config via docker.

    Works great, and only involves one command.

  • InvertedParallax@lemm.eeEnglish
    5·
    4 days ago

    Been using nginx, probably should change just because my mail uses letsencyrot while my http uses bought certs.

    Letsencrypt has gone far enough that we can just rely on it now apparently.

    • 4am@lemm.eeEnglish
      4·
      4 days ago

      The orange menace apparently just defunded it so we’ll see

  • tuckerm@feddit.onlineEnglish
    5·
    4 days ago

    Thank you! I’ve been ignoring that error, assuming that it was just about indentation.

    Also I appreciate your use of the word “thusly” immediately after the word “tho.”

        • irmadlad@lemmy.worldOPEnglish
          41·
          4 days ago

          As you were, Mr Milchick

          Is this related to 'Severance"? Had to look it up. I apologize, I do not watch TV of any sort. It’s not a religious thing, and it’s not that I think that fact makes me better than everyone else, but I really have no interest in stuff on TV. I do read a lot. I can better digest the material if I can read it. However, it has to be online. If you gave me a traditional book of a topic I was keenly interested in, I’d never crack the binding. Give it to me digitally where I can read it on any of my devices, and I’ll read it cover to cover. Yeah…I’m a weird old curmudgeon.

          • Droolio@feddit.ukEnglish
            2·
            3 days ago

            Do ignore me then, I assumed you might know the reference and only I mean’t it in good humour. :) (Without spoiling anything - in the unlikely event you might some day watch it - Mr Milchick is a character that uses ‘big words’. Your choice of words struck a chord.) I will say though, you’re seriously missing out. The cinematography alone is brilliant and the acting exceptional.

            • irmadlad@lemmy.worldOPEnglish
              1·
              3 days ago

              Naw man, it’s cool. I get references, but they kind of have to be old school stuff Richard Pryor, Blazing Saddles, Young Frankenstein, that kind of stuff. I’m just a weird old man. LOL

      • Deebster@infosec.pubEnglish
        3·
        4 days ago

        I think it’s more that using tho instead of though is quite casual, but then you use thusly, which is rather formal. The change of register is surprising/funny.

        Like if someone wrote “Indeed, it is most unexpected lol”.

  • someacnt@sh.itjust.worksEnglish
    4·
    4 days ago

    Wait. I got the format warning in caddy, so does this mean it could contain substantial error? I gotta check

  • effward@lemmy.worldEnglish
    2·
    4 days ago

    My ingress firewall blocks the cert renewal challenge requests because they always come from countries that I blanket block, which requires me to keep an eye on it and disable blocking on certain countries to allow the renewals to happen, then re-enable blocking… Let’s Encrypt (somewhat understandably) doesn’t publish the list of IPs that they will use for the challenge requests, so I’m not sure if there’s a better solution. Anyone dealt with this?

      • 4am@lemm.eeEnglish
        1·
        4 days ago

        Does Caddy use certbot to do the renewal? A long time ago DNS was a pain but now it seems like a lot of providers are supported.

  • just_another_person@lemmy.worldEnglish
    11·
    4 days ago

    Cool. You got lucky. This is covered in the docs and is normal behavior.

    The problems arise when this exchange doesn’t happen without issue though.