this post was submitted on 09 Apr 2025
111 points (96.6% liked)

TIL - Caddy (lemmy.world)
submitted 3 days ago* (last edited 3 days ago) by irmadlad@lemmy.world to c/selfhosted@lemmy.world
 

Today I gained a little more knowledge about Caddy, and I thought I'd share in case someone is having the same issue.

I've been biting my nails worrying about Caddy updating certificates. Everything I had read told me not to sweat it. That Caddy had my back and wouldn't let any certs expire. Well, two did, today. So I set about today, after I got all my chores done, to see if I could figure out wtf.

Long story short, I had an inconsistency in the format of my Caddy file. It didn't affect the function of the file to the extent that it would not provide the certificate in daily use, but apparently I confused Caddy enough so that it couldn't determine when certs were expiring, and reissue the cert.

If you run the following:

caddy reload --config /etc/caddy/Caddyfile 

And you get something like this:

2025/04/09 21:49:03.376 WARN    Caddyfile input is not formatted; run 'caddy fmt --overwrite' to fix inconsistencies{"adapter": "caddyfile", "file": "/etc/caddy/Caddyfile", "line": 1}

It's a warning that something is askew. Not to worry tho, you can fix it thusly:

Make a backup, assuming /etc/caddy/Caddyfile is where your Caddyfile is:

cp /etc/caddy/Caddyfile /etc/caddy/Caddyfile.bak

Next we'll ask Caddy nicely to please reformat in an acceptable form:

sudo caddy fmt --overwrite /etc/caddy/Caddyfile

Trust but verify:

caddy validate --config /etc/caddy/Caddyfile

Now run:

caddy reload --config /etc/caddy/Caddyfile

You should be golden at this point.

Cheers

top 26 comments
[–] Oisteink@feddit.nl 23 points 3 days ago (1 children)

That depends on what your error is. It’s not a magic process, it just tries to help you with formatting. The validate is the magic, it helps you spot errors as you make them.

[–] irmadlad@lemmy.world 4 points 3 days ago

Absolutely, and now I know a little more about the process.

It's been a good day 'tater.

[–] excess0680@lemmy.world 16 points 3 days ago* (last edited 3 days ago)

If you’re using git to version Caddy configuration, you can use a pre-commit hook to test it, ensuring that you’ll never have invalid configuration. That’s what I do.

caddy validate

There’s some extra command args that may be necessary but that should be an adequate first step.
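Added example, not from the original thread: a pre-commit hook along the lines described in the comment above, which also treats the "not formatted" warning from the original post as a failure. It assumes the Caddyfile is tracked at the repository root as `Caddyfile` and that `caddy validate` logs the same warning the post saw from `caddy reload`; `check_caddyfile`, `has_format_warning` and `run_hook` are names made up for this example.

```shell
#!/bin/sh
# Added example: save as .git/hooks/pre-commit and make it executable.
# Assumption: the Caddyfile is tracked at the repository root as "Caddyfile".
CADDYFILE="${CADDYFILE:-Caddyfile}"

# Succeeds if the caddy output on stdin carries the warning quoted in the post.
# Matches the message text only, so it does not depend on the log encoding.
has_format_warning() {
    grep -q "Caddyfile input is not formatted"
}

# Validate one file. Returns 1 if caddy rejects it, 2 if it is valid but
# triggers the formatting warning, 0 if it is clean.
check_caddyfile() {
    file=$1
    if ! out=$(caddy validate --config "$file" --adapter caddyfile 2>&1); then
        printf '%s\n' "$out" >&2
        echo "pre-commit: caddy validate rejected the Caddyfile" >&2
        return 1
    fi
    if printf '%s\n' "$out" | has_format_warning; then
        echo "pre-commit: Caddyfile is not formatted; run 'caddy fmt --overwrite'" >&2
        return 2
    fi
    return 0
}

# Check the staged copy, since that is what the commit will contain.
run_hook() {
    git diff --cached --name-only --diff-filter=ACM |
        grep -qxF "$CADDYFILE" || return 0   # Caddyfile not in this commit
    tmp=$(mktemp) || return 1
    trap 'rm -f "$tmp"' EXIT
    git show ":$CADDYFILE" > "$tmp" || return 1
    check_caddyfile "$tmp"
}

# Only run when invoked as the hook, so the functions can be sourced and tested.
case "$0" in
    *pre-commit) run_hook ;;
esac
```

If the Caddyfile uses `import` with relative paths, point `check_caddyfile` at the working-tree file instead, because the temporary copy lives in a different directory.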

[–] AkatsukiLevi@lemmy.world 7 points 3 days ago

I have switched production to Caddy before V2 and haven't looked back ever since. During my Apache era, always had to keep an eye on stuff and deal when things decided to break. With Caddy? I just throw the config and it just works without complaining at all.

[–] couch1potato@lemmy.dbzer0.com 8 points 3 days ago (1 children)

Did you have a mistake in your caddyfile? Or, what led to this? I'm using caddy as well and could be good to know, though I don't recall seeing that warning.

[–] irmadlad@lemmy.world 3 points 3 days ago* (last edited 3 days ago)

Indeed I did. I had apparently screwed up the formatting of a couple of the entries. The associated apps worked on a daily basis, the certificate was visible, but apparently the improper formatting was enough to confuse Caddy when it came to renewing the cert. Looking at the backup Caddyfile versus the newly formatted Caddyfile, I had a couple braces out of whack.

ETA: what led to all of this was that two certs expired today, and everything I had previously read said that Caddy wouldn't let that happen. Well it won't if I don't fatfinger the format next time

[–] Xanza@lemm.ee 4 points 3 days ago

I like to use a justfile to do this all in one fell swoop;

default:
  just --list

caddy-refresh:
  caddy fmt --overwrite ~/.caddy
  caddy validate --config /etc/caddy/Caddyfile -a caddyfile
caddy-reload: caddy-refresh
  doas docker exec -it caddy caddy reload --config /etc/caddy/Caddyfile

~/.caddy is my caddyfile, which is system linked to /etc/caddy/Caddyfile. Doing it this way ensures there are no permission issues, and you don't need sudo to edit your caddyfile. So you simply nvim ~/.caddy, make your changes, and then run just caddy-reload, which runs caddy-refresh before reloading the caddy config via docker.

Works great, and only involves one command.

[–] uranibaba@lemmy.world 7 points 3 days ago (1 children)

I did some bad formatting during my initial setup of caddy. Having the formatter is really handy.

[–] irmadlad@lemmy.world 5 points 3 days ago

Well, I had a time wrapping my old head around Caddy. It took me an embarrassingly long time to get it, and one day the clouds cleared, and the sun shone through, and it made sense. I had no clue about the formatter, but you can bet I've made some notes so I don't do that shit again. LOL

[–] InvertedParallax@lemm.ee 5 points 3 days ago (1 children)

Been using nginx, probably should change just because my mail uses letsencrypt while my http uses bought certs.

Letsencrypt has gone far enough that we can just rely on it now apparently.

[–] 4am@lemm.ee 4 points 3 days ago

The orange menace apparently just defunded it so we’ll see

[–] tuckerm@feddit.online 5 points 3 days ago (1 children)

Thank you! I've been ignoring that error, assuming that it was just about indentation.

Also I appreciate your use of the word "thusly" immediately after the word "tho."

[–] irmadlad@lemmy.world 4 points 3 days ago (2 children)

...did I commit a grammatical faux pas?

[–] droolio@feddit.uk 7 points 3 days ago (1 children)
[–] irmadlad@lemmy.world 3 points 3 days ago (1 children)

As you were, Mr Milchick

Is this related to 'Severance'? Had to look it up. I apologize, I do not watch TV of any sort. It's not a religious thing, and it's not that I think that fact makes me better than everyone else, but I really have no interest in stuff on TV. I do read a lot. I can better digest the material if I can read it. However, it has to be online. If you gave me a traditional book of a topic I was keenly interested in, I'd never crack the binding. Give it to me digitally where I can read it on any of my devices, and I'll read it cover to cover. Yeah....I'm a weird old curmudgeon.

[–] droolio@feddit.uk 2 points 2 days ago (1 children)

Do ignore me then, I assumed you might know the reference and I only meant it in good humour. :) (Without spoiling anything - in the unlikely event you might some day watch it - Mr Milchick is a character that uses 'big words'. Your choice of words struck a chord.) I will say though, you're seriously missing out. The cinematography alone is brilliant and the acting exceptional.

[–] irmadlad@lemmy.world 1 points 2 days ago

Naw man, it's cool. I get references, but they kind of have to be old school stuff: Richard Pryor, Blazing Saddles, Young Frankenstein, that kind of stuff. I'm just a weird old man. LOL

[–] Deebster@infosec.pub 3 points 3 days ago

I think it's more that using tho instead of though is quite casual, but then you use thusly, which is rather formal. The change of register is surprising/funny.

Like if someone wrote "Indeed, it is most unexpected lol".

[–] someacnt@sh.itjust.works 4 points 3 days ago (1 children)

Wait. I got the format warning in caddy, so does this mean it could contain substantial error? I gotta check

[–] irmadlad@lemmy.world 2 points 3 days ago (1 children)

Don't forget to make a backup before any changes.

Better yet, track your configs in version control so you can easily roll it back and back it up, all at the same time.

[–] effward@lemmy.world 2 points 3 days ago (1 children)

My ingress firewall blocks the cert renewal challenge requests because they always come from countries that I blanket block, which requires me to keep an eye on it and disable blocking on certain countries to allow the renewals to happen, then re-enable blocking. Let's Encrypt (somewhat understandably) doesn't publish the list of IPs that they will use for the challenge requests, so I'm not sure if there's a better solution. Anyone dealt with this?

[–] forbiddenlake@lemmy.world 9 points 3 days ago (2 children)

Use the DNS challenge instead? You'll need a DNS provider with an API though

[–] 4am@lemm.ee 1 points 3 days ago

Does Caddy use certbot to do the renewal? A long time ago DNS was a pain but now it seems like a lot of providers are supported.

[–] effward@lemmy.world 1 points 3 days ago

Huh, I didn't know about this option. I'll check it out. Thanks!

Cool. You got lucky. This is covered in the docs and is normal behavior.

The problems arise when this exchange doesn't happen without issue though.