A Caddy Cert Expired Because systemd-resolved Was Selectively Lying

Here's something that took longer to debug than it should have. The setup Running Caddy...

mercoledì 27 maggio 2026 New tab

355 words~2 min read

Here's something that took longer to debug than it should have.

The setup

Running Caddy as a reverse proxy on a systemd-based Linux machine. Cert renewal via ACME. Everything looks fine in the logs. Then one day the cert is expired and nobody noticed for two days.

The cause

systemd-resolved has a behavior where it returns SERVFAIL for specific DNS queries depending on the upstream resolver situation. It's not consistent. Some zones resolve fine. Some silently fail. Caddy's ACME client sends the challenge request, systemd-resolved reports a failure, and the renewal just... doesn't happen.

A Caddy Cert Expired Because systemd-resolved Was Selectively Lying

A Caddy Cert Expired Because systemd-resolved Was Selectively Lying

Other newsrooms on this story

Related reading

How an expired SSL cert took down our checkout for six hours (and what I should…

I Built a Next-Gen DNS Diagnostic CLI in Rust That Visualizes DNSSEC Trust…

Critical cPanel, WHM flaw probs exploited as 0-day, pros say

SSH Login Taking Forever? Check Your DNS Settings

When DNSSEC goes wrong: how we responded to the .de TLD outage

SSH Login Delays: The 10-Second Wait That Drives Us Crazy

Other newsrooms on this story

Related reading

How an expired SSL cert took down our checkout for six hours (and what I should…

I Built a Next-Gen DNS Diagnostic CLI in Rust That Visualizes DNSSEC Trust…

Critical cPanel, WHM flaw probs exploited as 0-day, pros say

SSH Login Taking Forever? Check Your DNS Settings

When DNSSEC goes wrong: how we responded to the .de TLD outage

SSH Login Delays: The 10-Second Wait That Drives Us Crazy