Caddy Let's Encrypt certificate not updating anymore

Running Vaultwarden with Caddy in docker containers.
Ran fine now for 2 years. But now the Let’s Encrypt certificate will not renew itself.
Set all ports open to and from internet to test.
Maybe this is since that last update of the Vaultwarden docker to 1.36 but not sure.
Websocket Check is now sometimes true and sometimes false?
Did not do any change in the last years.

Your environment (Generated via diagnostics page)

  • Vaultwarden version: v1.36.0
  • Web-vault version: v2026.4.1
  • OS/Arch: linux/x86_64
  • Running within a container: true (Base: Debian)
  • Database type: SQLite
  • Database version: 3.51.3
  • Uses config.json: true
  • Uses a reverse proxy: true
  • IP Header check: false (X-Forwarded-For)
  • Internet access: true
  • Internet access via a proxy: false
  • DNS Check: true
  • Browser/Server Time Check: true
  • Server/NTP Time Check: true
  • Domain Configuration Check: true
  • HTTPS Check: true
  • Websocket Check: false
  • HTTP Response Checks: true

Config & Details (Generated via diagnostics page)

Show Config & Details

Environment settings which are overridden: DOMAIN, SIGNUPS_ALLOWED, INVITATIONS_ALLOWED, ADMIN_TOKEN

Config:

{
  "_duo_akey": "***",
  "_enable_duo": true,
  "_enable_email_2fa": true,
  "_enable_smtp": true,
  "_enable_yubico": true,
  "_icon_service_csp": "",
  "_icon_service_url": "",
  "_ip_header_enabled": true,
  "_max_note_size": 10000,
  "_smtp_img_src": "***:",
  "admin_ratelimit_max_burst": 3,
  "admin_ratelimit_seconds": 300,
  "admin_session_lifetime": 20,
  "admin_token": "***",
  "allowed_connect_src": "",
  "allowed_iframe_ancestors": "",
  "attachments_folder": "data/attachments",
  "auth_request_purge_schedule": "30 * * * * *",
  "authenticator_disable_time_drift": false,
  "data_folder": "data",
  "database_conn_init": "",
  "database_idle_timeout": 600,
  "database_max_conns": 10,
  "database_min_conns": 2,
  "database_timeout": 30,
  "database_url": "***************",
  "db_connection_retries": 15,
  "disable_2fa_remember": false,
  "disable_admin_token": false,
  "disable_icon_download": false,
  "dns_prefer_ipv6": false,
  "domain": "*****://***************",
  "domain_origin": "*****://***************",
  "domain_path": "",
  "domain_set": true,
  "duo_context_purge_schedule": "30 * * * * *",
  "duo_host": null,
  "duo_ikey": null,
  "duo_skey": null,
  "duo_use_iframe": false,
  "email_2fa_auto_fallback": false,
  "email_2fa_enforce_on_verified_invite": true,
  "email_attempts_limit": 3,
  "email_change_allowed": true,
  "email_expiration_time": 600,
  "email_token_size": 6,
  "emergency_access_allowed": true,
  "emergency_notification_reminder_schedule": "0 3 * * * *",
  "emergency_request_timeout_schedule": "0 7 * * * *",
  "enable_db_wal": true,
  "enable_websocket": true,
  "enforce_single_org_with_reset_pw_policy": false,
  "event_cleanup_schedule": "0 10 0 * * *",
  "events_days_retain": null,
  "experimental_client_feature_flags": "",
  "extended_logging": true,
  "helo_name": null,
  "hibp_api_key": null,
  "http_request_block_non_global_ips": true,
  "http_request_block_regex": null,
  "icon_blacklist_non_global_ips": true,
  "icon_blacklist_regex": null,
  "icon_cache_folder": "data/icon_cache",
  "icon_cache_negttl": 259200,
  "icon_cache_ttl": 2592000,
  "icon_download_timeout": 10,
  "icon_redirect_code": 302,
  "icon_service": "internal",
  "incomplete_2fa_schedule": "30 * * * * *",
  "incomplete_2fa_time_limit": 3,
  "increase_note_size_limit": false,
  "invitation_expiration_hours": 120,
  "invitation_org_name": "ORG Vaultwarden",
  "invitations_allowed": true,
  "ip_header": "X-Real-IP",
  "job_poll_interval_ms": 30000,
  "log_file": null,
  "log_level": "info",
  "log_timestamp_format": "%Y-%m-%d %H:%M:%S.%3f",
  "login_ratelimit_max_burst": 10,
  "login_ratelimit_seconds": 60,
  "org_attachment_limit": 2048,
  "org_creation_users": "**************",
  "org_events_enabled": false,
  "org_groups_enabled": false,
  "password_hints_allowed": true,
  "password_iterations": 600000,
  "purge_incomplete_sso_auth": "0 20 0 * * *",
  "push_enabled": false,
  "push_identity_uri": "https://identity.bitwarden.com",
  "push_installation_id": "***",
  "push_installation_key": "***",
  "push_relay_uri": "https://push.bitwarden.com",
  "reload_templates": false,
  "require_device_email": false,
  "rsa_key_filename": "data/rsa_key",
  "send_purge_schedule": "0 5 * * * *",
  "sendmail_command": null,
  "sends_allowed": true,
  "sends_folder": "data/sends",
  "show_password_hint": false,
  "signups_allowed": true,
  "signups_domains_whitelist": "********",
  "signups_verify": true,
  "signups_verify_resend_limit": 6,
  "signups_verify_resend_time": 3600,
  "smtp_accept_invalid_certs": false,
  "smtp_accept_invalid_hostnames": false,
  "smtp_auth_mechanism": null,
  "smtp_debug": false,
  "smtp_embed_images": true,
  "smtp_explicit_tls": null,
  "smtp_from": "**************",
  "smtp_from_name": "*****************",
  "smtp_host": "******************",
  "smtp_password": "***",
  "smtp_port": 5506,
  "smtp_security": "starttls",
  "smtp_ssl": null,
  "smtp_timeout": 15,
  "smtp_username": "*************************",
  "sso_allow_unknown_email_verification": false,
  "sso_audience_trusted": null,
  "sso_auth_only_not_session": false,
  "sso_authority": "",
  "sso_authorize_extra_params": "",
  "sso_callback_path": "*****://********************************************",
  "sso_client_cache_expiration": 0,
  "sso_client_id": "",
  "sso_client_secret": "***",
  "sso_debug_tokens": false,
  "sso_enabled": false,
  "sso_master_password_policy": null,
  "sso_only": false,
  "sso_pkce": true,
  "sso_scopes": "email profile",
  "sso_signups_match_email": true,
  "templates_folder": "data/templates",
  "tmp_folder": "data/tmp",
  "trash_auto_delete_days": null,
  "trash_purge_schedule": "0 5 0 * * *",
  "use_sendmail": false,
  "use_syslog": false,
  "user_attachment_limit": 1024,
  "user_send_limit": 1024,
  "web_vault_enabled": true,
  "web_vault_folder": "web-vault/",
  "yubico_client_id": null,
  "yubico_secret_key": null,
  "yubico_server": null
}

docker-compose.yaml

services:
vaultwarden:
image: vaultwarden/server:latest
container_name: vaultwarden
labels:
caddy: <ourname.org.com>
caddy.reverse_proxy: “{{upstreams}}”
restart: always
environment:

  • WEBSOCKET_ENABLED=true
  • SIGNUPS_ALLOWED=false
  • INVITATIONS_ALLOWED=true
  • ADMIN_TOKEN=****************************
  • DOMAIN=https://<ourname.org.com>
    volumes:
  • vaultwarden_data:/data
    networks:
  • vaultwarden_network
    depends_on:
  • caddy

caddy:
image: lucaslorentz/caddy-docker-proxy:ci-alpine
container_name: reverse-proxy
ports:

  • 80:80
  • 443:443
    environment:
  • CADDY_INGRESS_NETWORKS=vaultwarden_network
    networks:
  • vaultwarden_network
    volumes:
  • /var/run/docker.sock:/var/run/docker.sock
  • caddy_data:/data
    restart: unless-stopped

networks:
vaultwarden_network:
external: true
volumes:
vaultwarden_data: {}
caddy_data: {}

Got crazy to find out what the issue was and it seems really simpel to fix (in this case).

When you have a Vaultwarden running internal then for security you maybe have blocked incoming ports but for Caddy to renew the Let’s Encrypt Certificate port 80 + 443 must be open from the internet to your server. This was already OK in place but always check.
When firewall ports are opened the Let’s Encrypt should renew itself within a small time window.

If that fails first check if ports are open from outside to natake.sioux.eu on an external system:
curl -I http://host.yourdomain.com
If that connection fails, probably the firewall is not opened for port 80 and 443 to natake.sioux.eu

Caddy is the reverse proxy which Vaultwarden uses at our Vaultwarden server where we have Vaultwarden running in a docker container.
Caddy is also a docker container with the name: reverse-proxy
Check logs last 100 lines: docker logs reverse-proxy --tail 100
See what is the error. For example "unable to acquire lock ‘issue_cert_’: decoding lockfile contents: invalid character ‘\x00’"
In this case a lock file seems the issue. To solve it:

docker exec -it reverse-proxy sh
cd /data/caddy/locks
ls -la
rm *.lock
exit
docker restart reverse-proxy
docker logs -f reverse-proxy

See if the certificate will update and check in a new browser.