Introducing Caddy 2 – The Ultimate Server with Automatic HTTPS
Advanced TLS automation
Caddy was the first server to fully automate public certificate management—so we’ve been doing this longer than anyone. With more than 5 million certificates under management, Caddy has set the gold standard for other servers to live up to:
- Async management. Certificate automation never blocks the main thread of the web server.
- Gentle retries. Failed validation attempts are retried with exponential backoff for up to 1 month. They don’t count against normal rate limits; Caddy uses staging/test endpoints during retries.
- OCSP stapling and caching. Caddy staples OCSP to all qualifying certificates and keeps them conservatively fresh. It even caches them to disk in case of extended OCSP responder outages.
- Auto-replace after revocation. If the latest OCSP staple indicates a revocation, Caddy automatically replaces the revoked certificate with a new one.
- Storage pre-checks. Before attempting costly or valuable ACME transactions, Caddy checks to ensure its storage space is sufficient and writeable.
- Internal throttling and job scheduling. Give Caddy a million certs to manage: no problem, it will gracefully manage them as fast as it can without hammering the CA or duplicating jobs over a long period of time.
- TLS session ticket key rotation. Caddy automatically rotates TLS 1.2 session ticket keys for better privacy. It can even do this across a cluster!
- Fleet coordination. All Caddy instances configured for the same storage backend will automatically share certificate and coordinate management in its cluster.
In 2018, several popular sites went down for many users of mainstream clients because crucial OCSP infrastructure had an extended outage. Only Caddy staples and caches OCSP responses by default, so all Caddy sites were unaffected.
More recently in 2020, a mass certificate revocation event left many sysadmins scrambling to renew their certificates ahead of schedule. Caddy automatically renews certificates that get revoked, and all Caddy sites were unaffected.
Companies have deployed Caddy in front of their site just hours before important audits—potentially saving their compliance status—because of Caddy’s safe defaults and “batteries included” approach.
Recommended by experts
“TLS must be enabled by default … and the Caddy web server is a good and usable example.” —Krombholz et al., USENIX 2017
“Caddy is impressive. This is what we want, setting up a secure website.” —Josh Aas, Executive Director, Let’s Encrypt
“No popular server software does [session ticket key rotation], with the exception of Caddy.” —Springall et al., ACM IMC 2016