A Caddy Cert Expired Because systemd-resolved Was Selectively Broken
Summary
An in-depth, log-driven case study of a 42-hour certificate renewal outage caused by a systemd-resolved DNS resolution path that was broken for a single zone while working for every other name. The piece explains how DNS over TLS (DoT) to NextDNS, a fallback to the staging CA, and a delayed renewal backoff combined to leave an untrusted endpoint in production, and it documents the final fix along with lessons on DNS health checks, alerting, and configuration drift.