abiosoft / caddy-docker

Docker container for Caddy
https://hub.docker.com/r/abiosoft/caddy/
MIT License

always tries to provide certificate when started #162

Closed ciokan closed 5 years ago

ciokan commented 5 years ago

I'm using docker-compose to start my project in production. I added a volume for Caddy to store the certificates and I can see them inside the directory but Caddy, at every docker-compose up command keeps trying to provide certificates.

  caddy:
    image: abiosoft/caddy
    container_name: caddy
    restart: unless-stopped
    depends_on:
      - backend
    environment:
      - PORT=8000
    ports:
      - 80:80
      - 443:443
    volumes:
      - ./Caddyfile:/etc/Caddyfile
      - ./.caddy:/root/.caddy

This is the contents of my Caddyfile:

static.mydomain.com {
    root /static
    gzip
    tls user@gmail.com
}

mydomain.com {
    proxy / backend:8000 {
        transparent
    }

    header / {
        # Don't show Caddy/Gunicorn as server header.
        -Server

        # Enable HTTP Strict Transport Security (HSTS) to force clients to always connect via HTTPS (do not use if only testing)
        # Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"

        # Only send Referer header to same origin.
        # Django CSRF protection is incompatible with referrer policy set to none.
        Referrer-Policy "same-origin"

        # Enable cross-site filter (XSS) and tell browser to block detected attacks.
        X-XSS-Protection "1; mode=block"

        # Prevent some browsers from MIME-sniffing a response away from the declared Content-Type
        X-Content-Type-Options "nosniff"

        # Enable a strict content security policy.
        # Edit this if you need external sources on your site.
        # See: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
        # Content-Security-Policy "connect-src 'self'; default-src 'none'; form-action 'self'; frame-ancestors 'none';;"

        # Don't allow resources to load within a frame/iframe.
        # This is handled with frame-ancestors 'none' in the content security policy. But not yet supported by older browsers.
        X-Frame-Options "DENY"
    }

    # The email address to use to generate a certificate with Letsencrypt.
    tls user@gmail.com
}

The first time I brought everything up it provisioned the certificates immediately and it worked. I just don't know why it's constantly trying to get certificates even though the same volume is attached. Any ideas?

justinmartin commented 5 years ago

I am having this same issue.

It also doesn't seem to be using the email listed with tls for me. Are you seeing that as well?

abiosoft commented 5 years ago

What version are you running? Do you experience this with previous versions? It may be happening because of the license agreement.

ciokan commented 5 years ago

Version? It's the latest image published, I suppose:

caddy:
    image: abiosoft/caddy
    container_name: caddy

@justinmartin I didn't notice any other thing. It may be the case yes but now I'm limited by letsencrypt and can't make new requests.

justinmartin commented 5 years ago

I rolled back to 0.11.1 and it started correctly without any errors.

I was seeing this error message on 0.11.2

Activating privacy features...

Your sites will be served over HTTPS automatically using Let's Encrypt.
By continuing, you agree to the Let's Encrypt Subscriber Agreement at:
  https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf
Please enter your email address to signify agreement and to be notified
in case of issues. You can leave it blank, but we don't recommend it.
  Email address: 2019/01/22 17:28:54 registration error: acme: error: 429 :: POST :: https://acme-v02.api.letsencrypt.org/acme/new-acct :: urn:ietf:params:acme:error:rateLimited :: Error creating new account :: too many registrations for this IP: see https://letsencrypt.org/docs/rate-limits/, url:
exit status 1

ciokan commented 5 years ago

0.11.1 works - thank you.

neezer commented 5 years ago

I'm experiencing the same error with 0.11.2: my docker-compose.yml is very similar to the one posted above. I'm currently locked out due to the rate limit, but I'm noticing that the errors returned by LE are account registration related rather than certificate related... things were working great earlier today then bam:

Error 429 - urn:itef:params:acme:error:rateLimited - Error creating new account :: too many registrations for this IP

The email address remained constant in my Caddyfile, but I was cycling docker-compose up/down a few times (for the heavy stuff I used the staging server). Checking out the link, it seems that the rate limit for account creation is 10 times within 3 hours.

I too have - ./.caddy:/root/.caddy in volumes as per the README, so I assumed that's all I needed to make sure that the certs/registration remained the same throughout restarts.

I tried downgrading to 0.11.1 but I'm getting the same errors. This was working earlier today with 0.11.2 and no changes other than a few up/down cycles.
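A pre-flight check for the situation described in the two reports above, added here as an example that is not code from this thread or from Caddy itself: it looks in the mounted `.caddy` volume for a persisted ACME account and site certificates (the on-disk layout is an assumption) and scans startup logs for the email prompt and the 429 line quoted above, so an operator can tell a missing volume apart from a re-registration bug before spending another of the 10 account registrations allowed per 3 hours.

```python
import re
import tempfile
from pathlib import Path
# Assumed layout of Caddy 0.11's storage under the mounted ~/.caddy volume (an assumption
# for this example, not taken from the thread):
#   acme/<ca-host>/users/<email>/<email>.json + .key   -> ACME account
#   acme/<ca-host>/sites/<domain>/<domain>.crt + .key  -> certificate
LE_PROD = "acme-v02.api.letsencrypt.org"

def check_caddy_storage(root, email, domains, ca_host=LE_PROD):
    """Report which ACME artifacts already exist in the persisted volume."""
    base = Path(root) / "acme" / ca_host
    user = base / "users" / email
    report = {"account": (user / f"{email}.json").is_file() and (user / f"{email}.key").is_file(), "sites": {}}
    for d in domains:
        site = base / "sites" / d
        report["sites"][d] = (site / f"{d}.crt").is_file() and (site / f"{d}.key").is_file()
    return report

# Matches the 429 line quoted in the thread; the email prompt shows Caddy found
# no stored account to reuse and is about to register a new one.
RATE_LIMIT_RE = re.compile(r"registration error: .*429 .*rateLimited")
PROMPT_RE = re.compile(r"Email address:")

def scan_startup_logs(lines):
    """Count fresh-registration signs across several container starts."""
    prompts = sum(1 for line in lines if PROMPT_RE.search(line))
    limited = sum(1 for line in lines if RATE_LIMIT_RE.search(line))
    return {"prompts": prompts, "rate_limited": limited,
            "reregistering": prompts > 1 or limited > 0}

# Constructed sample log: two container starts, the second already rate limited.
SAMPLE_LOG = [
    "Activating privacy features...",
    "  Email address: 2019/01/22 17:20:01 [INFO] acme: Registering account for user@gmail.com",
    "Activating privacy features...",
    "  Email address: 2019/01/22 17:28:54 registration error: acme: error: 429 :: POST :: "
    "https://acme-v02.api.letsencrypt.org/acme/new-acct :: urn:ietf:params:acme:error:rateLimited",
]

def demo():
    """Build a constructed volume holding one account and one site cert, then check it."""
    root = tempfile.mkdtemp()
    for rel in ("users/user@gmail.com/user@gmail.com.json", "users/user@gmail.com/user@gmail.com.key",
                "sites/mydomain.com/mydomain.com.crt", "sites/mydomain.com/mydomain.com.key"):
        p = Path(root) / "acme" / LE_PROD / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text("dummy")
    return check_caddy_storage(root, "user@gmail.com", ["mydomain.com", "static.mydomain.com"])
```

If the account files are present but the logs still show the prompt on every start, the volume is fine and the problem is in Caddy; if they are absent, the bind mount is not persisting.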

korbinianthiel commented 5 years ago

Same issue here. I'm also stuck in the rate limit of LE.

guimochila commented 5 years ago

I'm experiencing the same issue. Caddy tries to get a new certificate every time the container restarts.

mholt commented 5 years ago

@ciokan @korbinianthiel @guimochila @justinmartin @abiosoft @neezer Would you all please try building Caddy (in Docker, whatever, doesn't matter to me) using this branch: https://github.com/mholt/caddy/pull/2452 -- and ensure that it works for you. A new release is imminent with these fixes, so report back ASAP. Thanks!

elitan commented 5 years ago

Had the same issue. Went from image: abiosoft/caddy to image: abiosoft/caddy:0.11.1 in my docker-compose.yaml and now it works.

abiosoft commented 5 years ago

This should be fixed with 0.11.3 update. Anyone can kindly re-open if that is not the case.