Traefik – Why Renew with Expired Let’s Encrypt Certificate Path?

lets-encryptssl-certificateUbuntu

We run Ubuntu Server 20.04 LTS with a Traefik Docker container. Back in September when the Let's Encrypt DST Root CA X3 certificate expired we didn't really find much actual information on how to remedy this but eventually got it working again by updating Traefik to 2.5 and adding preferredChain: 'ISRG Root X1' to the configuration.

Last week the certificates got renewed and the invalid certificate path is back in. Deleting acme.json and restarting Traefik fixes it again.

There doesn't seem to be any Google results with similar issues recently, so I assume our fix is simply incomplete or incorrect. What is the proper way to get Let's Encrypt working again?

Best Answer

It was a bug in go-acme/lego that did not use preferredChain for renewals (see this Traefik pull request).

Related Solutions

Let’s Encrypt – How to Use Let’s Encrypt as a Free SSL Certificate Provider

I have written a pair of how-tos for running Let's Encrypt SSL certs on CentOS: initial setup & cronning it.

And my per-domain (I use the file naming convention of z-<[sub-]domain-tld>.conf) Apache config files look like this:

<VirtualHost *:80>
ServerName domain.tld
Redirect permanent / https://domain.tld/
</VirtualHost>

<VirtualHost *:443>
    SSLCertificateFile /etc/letsencrypt/live/domain.tld/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/domain.tld/privkey.pem
    SSLCertificateChainFile /etc/letsencrypt/live/domain.tld/fullchain.pem
    DocumentRoot /var/www/domain
    ServerName domain.tld
    ErrorLog logs/domain-error_log
    CustomLog logs/domain-access_log \
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
    ServerAdmin user@domain.tld

    SSLEngine on

<Files ~ "\.(cgi|shtml|phtml|php3?)$">
    SSLOptions +StdEnvVars
</Files>
<Directory "/var/www/cgi-bin">
    SSLOptions +StdEnvVars
</Directory>

SetEnvIf User-Agent ".*MSIE.*" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0

    <Directory "/var/www/domain">
         Options All +Indexes +FollowSymLinks
         AllowOverride All
         Order allow,deny
         Allow from all
    </Directory>

</VirtualHost>

And my ssl.conf looks like this:

#SSL options for all sites
Listen 443
SSLPassPhraseDialog  builtin
SSLSessionCache         shmcb:/var/cache/mod_ssl/scache(512000)
SSLSessionCacheTimeout  300
Mutex sysvsem default
SSLRandomSeed startup file:/dev/urandom  1024
SSLRandomSeed connect builtin
SSLCryptoDevice builtin
SSLCompression          off
SSLHonorCipherOrder     on
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256

Using Let's Encrypt to get SSL certs (and get your site up to an "A" rating from SSL Labs) is pretty straight-forward - once you get past some of the arcana of the Apache configs and LE command-line arguments.

How to renew an expired let’s encrypt certificate

You can't renew a certificate for a hostname that does not have an address record in the DNS.

Host www.algebra.live not found: 3(NXDOMAIN)

You need to edit your DNS records and add the appropriate address records for this name.

In addition, your version of certbot appears to be trying to do the TLS-SNI-01 challenge, which isn't allowed anymore. You need to update certbot before trying again.

Best Answer

Related Solutions

Let’s Encrypt – How to Use Let’s Encrypt as a Free SSL Certificate Provider

How to renew an expired let’s encrypt certificate

Related Topic