traefik: ACME cannot select preferred chain in v1.7 which generates broken certificates (expired root CA in chain)
Welcome!
- Yes, I’ve searched similar issues on GitHub and didn’t find any.
- Yes, I’ve searched similar issues on the Traefik community forum and didn’t find any.
What did you do?
I got a certificate with Let’s Encrypt using Traefik 1.7
What did you see instead?
I cannot select a “preferredChain” option, which leads to broken SSL certificate generation. There is an expired root certificate in a part of the chain.
What version of Traefik are you using?
1.7
What is your environment & configuration?
# (paste your configuration here)
Add more configuration information here.
If applicable, please paste the log output in DEBUG level
No response
About this issue
- State: closed
- Created 3 years ago
- Reactions: 1
- Comments: 21 (8 by maintainers)
We did mark it as a P0 - we are working on it right now @tgerakitis
Looks like this also happens in v2.5.3
You can follow #8494
@tgerakitis we will create a release today
I did the second option, but only removing one cert from acme.json (just for testing) and restarting traefik.
It shouldn’t, right? But shit happens (sorry for the expression). Our GitLab instance is behind Traefik, was with the old root certificate, and since today workers were refusing to clone from the repo with:
fatal: unable to access 'https://<obscured>': SSL certificate problem: certificate has expired
But after doing what you said, everything is working perfectly.
Once the option is set, you can:
acme.json file and restart Traefik (beware of the Let’s Encrypt rate limit https://letsencrypt.org/docs/rate-limits/)
Note, there is no major security issue behind this problem.
In the v2 you can already set the preferredChain