This PR is intended to fix issue #27. The bug was that while "on demand" TLS issuing (including automatic certificate renewal) was enabled for the local CA, it wasn't actually turned on. The fix is to turn on the automatic certificate renewal.
Once that was turned on, Caddy started showing a warning regarding a missing `on_demand_tls` global configuration block, so I updated the config to include that, too.

The warning looks like:

```
2024/04/03 19:25:08.859 WARN tls YOUR SERVER MAY BE VULNERABLE TO ABUSE: on-demand TLS is enabled, but no protections are in place {"docs": "https://caddyserver.com/docs/automatic-https#on-demand-tls"}
```
I tested that this PR solves the problem by:

1. Updating each entry to have `tls.issuer.lifetime = 10s`, so that the certs generated for each site would expire after 10 seconds. (The default period is `12h`.)
2. Confirming that once the certificate expires, `localias` did not automatically renew the certificate.
3. Adding the `tls.on_demand` configuration statement to turn on automatic certificate renewal.
4. Confirming that with this new configuration option, `localias` would automatically renew the certificate when the next request was made to the website.
For Caddy docs that helped me figure this out, see:
Example logs proving automatic certificate renewal:

```text
2024/04/03 19:25:08.861 INFO tls finished cleaning storage units
2024/04/03 19:26:05.217 INFO tls.on_demand attempting certificate renewal {"server_name": "expiry.test", "subjects": ["expiry.test"], "expiration": "2024/04/03 19:24:58.000", "remaining": -67.217564, "revoked": false}
2024/04/03 19:26:05.223 INFO tls.renew acquiring lock {"identifier": "expiry.test"}
2024/04/03 19:26:05.246 INFO tls.renew lock acquired {"identifier": "expiry.test"}
2024/04/03 19:26:05.246 INFO tls.renew renewing certificate {"identifier": "expiry.test", "remaining": -67.24655}
2024/04/03 19:26:05.249 INFO tls.renew certificate renewed successfully {"identifier": "expiry.test"}
2024/04/03 19:26:05.249 INFO tls.renew releasing lock {"identifier": "expiry.test"}
2024/04/03 19:26:05.250 INFO tls.cache replaced certificate in cache {"subjects": ["expiry.test"], "new_expiration": "2024/04/03 19:26:16.000"}
2024/04/03 19:26:13.149 INFO tls.on_demand attempting certificate renewal {"server_name": "expiry.test", "subjects": ["expiry.test"], "expiration": "2024/04/03 19:26:16.000", "remaining": 2.850843, "revoked": false}
2024/04/03 19:26:13.154 INFO tls.renew acquiring lock {"identifier": "expiry.test"}
2024/04/03 19:26:13.179 INFO tls.renew lock acquired {"identifier": "expiry.test"}
2024/04/03 19:26:13.180 INFO tls.renew renewing certificate {"identifier": "expiry.test", "remaining": 2.819957}
2024/04/03 19:26:13.181 INFO tls.renew certificate renewed successfully {"identifier": "expiry.test"}
2024/04/03 19:26:13.181 INFO tls.renew releasing lock {"identifier": "expiry.test"}
2024/04/03 19:26:13.181 INFO tls.cache replaced certificate in cache {"subjects": ["expiry.test"], "new_expiration": "2024/04/03 19:26:24.000"}
2024/04/03 19:26:45.121 INFO tls.on_demand attempting certificate renewal {"server_name": "expiry.test", "subjects": ["expiry.test"], "expiration": "2024/04/03 19:26:24.000", "remaining": -21.12137, "revoked": false}
2024/04/03 19:26:45.122 INFO tls.renew acquiring lock {"identifier": "expiry.test"}
2024/04/03 19:26:45.146 INFO tls.renew lock acquired {"identifier": "expiry.test"}
2024/04/03 19:26:45.147 INFO tls.renew renewing certificate {"identifier": "expiry.test", "remaining": -21.147127}
2024/04/03 19:26:45.154 INFO tls.renew certificate renewed successfully {"identifier": "expiry.test"}
2024/04/03 19:26:45.154 INFO tls.renew releasing lock {"identifier": "expiry.test"}
2024/04/03 19:26:45.155 INFO tls.cache replaced certificate in cache {"subjects": ["expiry.test"], "new_expiration": "2024/04/03 19:26:56.000"}
2024/04/03 19:26:55.618 INFO tls.on_demand attempting certificate renewal {"server_name": "expiry.test", "subjects": ["expiry.test"], "expiration": "2024/04/03 19:26:56.000", "remaining": 0.381874, "revoked": false}
2024/04/03 19:26:55.619 INFO tls.renew acquiring lock {"identifier": "expiry.test"}
2024/04/03 19:26:55.641 INFO tls.renew lock acquired {"identifier": "expiry.test"}
2024/04/03 19:26:55.641 INFO tls.renew renewing certificate {"identifier": "expiry.test", "remaining": 0.358275}
2024/04/03 19:26:55.650 INFO tls.renew certificate renewed successfully {"identifier": "expiry.test"}
2024/04/03 19:26:55.650 INFO tls.renew releasing lock {"identifier": "expiry.test"}
2024/04/03 19:26:55.653 INFO tls.cache replaced certificate in cache {"subjects": ["expiry.test"], "new_expiration": "2024/04/03 19:27:06.000"}
```
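The warning quoted above exists because on-demand TLS lets any client that presents a hostname in SNI trigger certificate issuance; Caddy's "protection" is a permission endpoint it consults (`GET <endpoint>?domain=<name>`, proceed only on a 2xx) before issuing. The following is an added example, not code from the localias project or from this PR: it builds the shape of a Caddy 2 JSON `tls` app with `on_demand` enabled on each site policy, the internal (local CA) issuer with a short `lifetime`, and the global `automation.on_demand.permission` block using the `http` module (the current form of the older `ask` setting), and it implements the allow-listed permission endpoint that block points at. The site names, the `10s` lifetime, port `5555` and the `/ask` path are assumptions for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"log"
	"net/http"
	"strings"
)

// Sites the local CA may issue certificates for. Constructed for this
// example; a real deployment would use the user's configured aliases.
var allowedSites = map[string]bool{
	"expiry.test": true,
	"app.local":   true,
}

// NormalizeDomain lowercases the name, strips a trailing dot, and rejects
// anything that is not a plain hostname (ports, paths, wildcards, spaces).
func NormalizeDomain(s string) string {
	s = strings.ToLower(strings.TrimSuffix(strings.TrimSpace(s), "."))
	if s == "" || strings.ContainsAny(s, " /:*@?#") {
		return ""
	}
	return s
}

// AskHandler implements the on-demand TLS permission ("ask") endpoint.
// Caddy requests GET <endpoint>?domain=<name> before issuing and only
// proceeds on a 2xx, so denying by default here is what stops arbitrary
// SNI values from causing issuance.
func AskHandler(allowed map[string]bool) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Method != http.MethodGet {
			http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
			return
		}
		name := NormalizeDomain(r.URL.Query().Get("domain"))
		if name == "" || !allowed[name] {
			http.Error(w, "domain not allowed", http.StatusForbidden)
			return
		}
		w.WriteHeader(http.StatusOK)
	})
}

// TLSAppConfig builds the "tls" app section of a Caddy JSON config: one
// automation policy per site with on_demand enabled and the internal
// issuer with the given certificate lifetime, plus the global on_demand
// block naming the permission endpoint. Leaving that global block out is
// what produces the "YOUR SERVER MAY BE VULNERABLE TO ABUSE" warning.
func TLSAppConfig(sites []string, lifetime, askEndpoint string) map[string]any {
	policies := make([]map[string]any, 0, len(sites))
	for _, site := range sites {
		policies = append(policies, map[string]any{
			"subjects":  []string{site},
			"on_demand": true,
			"issuers": []map[string]any{
				{"module": "internal", "ca": "local", "lifetime": lifetime},
			},
		})
	}
	return map[string]any{
		"automation": map[string]any{
			"policies": policies,
			"on_demand": map[string]any{
				"permission": map[string]any{
					"module":   "http",
					"endpoint": askEndpoint,
				},
			},
		},
	}
}

func main() {
	// Port and path are assumptions for this example.
	endpoint := "http://127.0.0.1:5555/ask"
	cfg := map[string]any{"apps": map[string]any{
		"tls": TLSAppConfig([]string{"expiry.test", "app.local"}, "10s", endpoint),
	}}
	out, _ := json.MarshalIndent(cfg, "", "  ")
	fmt.Println(string(out))

	mux := http.NewServeMux()
	mux.Handle("/ask", AskHandler(allowedSites))
	log.Fatal(http.ListenAndServe("127.0.0.1:5555", mux))
}
```

The 10-second lifetime mirrors the test setup in the PR and is only useful for exercising renewal; the allow list is the part that matters, since without it the local CA will happily mint a certificate for whatever name a client sends.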