Renewal of the certificates using ACME doesn't happen automatically

I have configured Traefik with Sectigo EAB to issue certificates. They are valid for 1 year, and now that it is 11 months in, I have received an email from Sectigo that the certificate is going to expire, but Traefik doesn't renew it unless I restart the container. I don't see any attempt to renew them either.

I would assume you purchased the certs from Sectigo. Then you need to re-purchase them to prolong their validity.

Traefik will only create and renew free LetsEncrypt certificates.

Not really, we have an account that allows us to request any cert automatically. Actually, if I restart Traefik, those certificates are pulled, or if I add a new service, then a new certificate is requested and installed; the only thing failing is the renewal.
Cheers.

Traefik LetsEncrypt does not have a Sectigo provider (doc), so it's probably not something standard.

Share your Traefik static and dynamic configuration and docker-compose.yml if used. For code use 3 backticks in front and after, or select it and press the </> button.

We use the ACME protocol; Sectigo is just the certificate provider, like Let's Encrypt or any other.

    [certificatesResolvers.sectigo.acme]
      email = "itsops@domain.com"
      storage = "/certs/sectigo.json"
      caServer = "https://acme.sectigo.com/v2/OV"
      [certificatesResolvers.sectigo.acme.tlsChallenge]
      [certificatesResolvers.sectigo.acme.eab]
        kid = "xxxxxxxxxxxxxxxx"
        hmacEncoded = "xxxxxxxxxxxxxxxxxxx"

It seems you only changed the caServer and added EAB (doc), strange to see no renewal after 90 days.

certificatesDuration

Optional, Default=2160

The certificatesDuration option defines the certificates' duration in hours. It defaults to 2160 (90 days) to follow Let's Encrypt certificates' duration.

According to the Internet, Sectigo has no free offering:

Sectigo offers commercial certificates, and their cost depends on the type and level of the certificate. Prices start from $125/year.

Maybe your registered credit card expired.

Thanks for your help! But listen, I have it working: if my cert is about to expire and I restart Traefik (recreate the pod) it works fine, and if I add a new service (via an annotation on a Kubernetes ingress) it also works, so it has nothing to do with pricing or anything similar. So ACME seems properly configured, but only automatic renewals aren't working (because restarting the server with domains that are ready to be renewed works, and I get new certificates properly installed).

About Sectigo, yes, it is not free, although for scientific institutions it is included in their subscription.

Hi,
Any ideas? How can I debug it? I have just received some emails because my certificates are about to expire. If I restart Traefik they will all be renewed without issues, but I expect this to happen automatically, without a restart.
Cheers.

Looks like certificates are starting to renew themselves...

Hey @titansmc, did you need to do anything to get things to auto-renew? I'm in the same situation as you (Sectigo certs issued to an edu institution) and my reading of the docs is that the cert should renew at 30 days prior to the 90 day default value of "certificatesduration". It's been well past that so I was searching for when Traefik actually renews and came across this post.

Sectigo is selling official TLS certs with 1 year duration. It’s not LetsEncrypt, which gives you free certs with 3 month duration automatically.

You need to get a new cert manually (purchase a new one), then update the Traefik dynamic config file, which loads them.

Sectigo is giving us accounts that we can use exactly as Let's Encrypt (ACME protocol), with the advantage that we don't need any of the DNS/Web challenges to be available; we just authenticate to Sectigo, and those certificates are valid for a year.
So yes, we use the Traefik ACME integration with Sectigo, with a config like:

    [certificatesResolvers.sectigo.acme]
      email = "aaaa@domain.de"
      storage = "/certs/sectigo.json"
      caServer = "https://acme.sectigo.com/v2/OV"
      [certificatesResolvers.sectigo.acme.tlsChallenge]
      [certificatesResolvers.sectigo.acme.eab]
        kid = "xxxxxxxxxx"
        hmacEncoded = "xxxxxxxxxxxxxxxxxxxxxxx"

I didn't do anything to trigger the renewal... although I don't think the JSON file where certs are stored is properly cleaned up...

@titansmc

I am attempting to get this to work with my institution, but it is not sending the cert to Traefik; instead it emails me the cert as if I was using the InCommon/Sectigo web console. The Traefik logs show it authenticating to Sectigo and timing out when attempting to get the cert. It does this every time I restart Traefik and attempt to access the website.

Everything but the cert in the ACME JSON file appears to be correct; the cert is null.

Did this ever happen to you?
ETA: Are you using v3 Traefik? I am on v2.

How about you share your full Traefik static and dynamic config, and docker-compose.yml if used?

I am on v2 and I also receive the emails once they are requested by Traefik.

Message from bluepuma77 via Traefik Labs Community Forum <notifications@containo.discoursemail.com> on Mon, 20 May 2024 at 23:17:

Can you add some context? You want Traefik to use the certresolver to automatically create TLS certificates? Or you get TLS certificates via email and want to use them with Traefik?

Share your full Traefik static and dynamic config, and docker-compose.yml if used.

### Traefik Docker Compose YML file

```yaml
version: '3'

services:
  traefik:
    image: traefik:latest
    container_name: traefik
    # command:
    #   - "--certificatesresolvers.sectigo=true"
    #   - "--certificatesresolvers.sectigo.acme.caserver=https://acme.sectigo.com/v2/InCommonRSAOV"
    #   - "--certificatesresolvers.sectigo.acme.storage=/shared_files/sectigo_acme.json"
    #   - "--certificatesresolvers.sectigo.acme.eab.hmacencoded=${EAB_HMAC_KEY_BASE64_ENCODED}"
    #   - "--certificatesresolvers.sectigo.acme.eab.kid=${EAB_KID}"
    environment:
      HTTP_PROXY: http://webproxyaws.university.net:3128/
      HTTPS_PROXY: http://webproxyaws.university.net:3128/
      NO_PROXY: authelia,127.0.0.1,localhost,.university.edu,169.254.169.254,.university.net,.amazonaws.com,172.16.0.0/12,.docker.local
      # TRAEFIK_CERTIFICATESRESOLVERS_SECTIGO: true
      # TRAEFIK_CERTIFICATESRESOLVERS_SECTIGO_ACME_CASERVER: https://acme.sectigo.com/v2/InCommonRSAOV
      # TRAEFIK_CERTIFICATESRESOLVERS_SECTIGO_ACME_STORAGE: /shared_files/sectigo_acme.json
      # TRAEFIK_CERTIFICATESRESOLVERS_SECTIGO_ACME_EAB_KID: $EAB_KID
      # TRAEFIK_CERTIFICATESRESOLVERS_SECTIGO_ACME_EMAIL: solomonhd@university.edu
      # TRAEFIK_CERTIFICATESRESOLVERS_SECTIGO_ACME_EAB_HMACENCODED: $EAB_HMAC_KEY_BASE64_ENCODED
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - ./traefik.yml:/etc/traefik/traefik.yml
      - shared_files:/shared_files
      - /var/run/docker.sock:/var/run/docker.sock:ro
    labels:
      traefik.enable: true
      traefik.http.routers.api.rule: Host(`${ENV_PREFIX:-}traefik.int.university.edu`)
      traefik.http.routers.api.entrypoints: websecure
      traefik.http.routers.api.tls: true
      traefik.http.routers.api.service: api@internal
      traefik.http.services.traefik.loadbalancer.server.port: 8080

      traefik.http.middlewares.traefik-redirect-https.redirectscheme.scheme: https
      traefik.http.routers.traefik-http.middlewares: traefik-redirect-https
      traefik.http.routers.traefik-http.rule: Host(`${ENV_PREFIX:-}traefik.int.university.edu`)
      traefik.http.routers.traefik-http.entrypoints: web

      traefik.http.routers.api.middlewares: authelia@docker
      traefik.http.middlewares.authelia.forwardAuth.address: http://authelia:9091/api/verify?rd=https%3A%2F%2Fdev-cloudbeaver.int.university.edu%2F
      traefik.http.middlewares.authelia.forwardAuth.trustForwardHeader: true
      traefik.http.middlewares.authelia.forwardAuth.authResponseHeaders: Remote-User,Remote-Groups,Remote-Name,Remote-Email
    restart: unless-stopped
volumes:
  shared_files:
    external: true
networks:
  default:
    name: general
    external: true
```
### Traefik.yml static config

```yaml
global:
  checkNewVersion: true
  sendAnonymousUsage: false  # true by default

# (Optional) Log information
# ---
log:
  level: DEBUG  # DEBUG, INFO, WARNING, ERROR, CRITICAL
#   format: common  # common, json, logfmt
#   filePath: /var/log/traefik/traefik.log

# (Optional) Accesslog
# ---
# accesslog:
  # format: common  # common, json, logfmt
  # filePath: /var/log/traefik/access.log

# (Optional) Enable API and Dashboard
# ---
api:
  dashboard: true  # true by default
  insecure: true  # Don't do this in production!

# Entry Points configuration
# ---
entryPoints:
  web:
    address: :80
    http:
      encodeQuerySemicolons: true
    proxyProtocol:
      insecure: false
      trustedIPs:
        - 10.0.0.0/0
        - 172.16.0.0/16
    forwardedHeaders:
      insecure: false
      trustedIPs:
        - 10.0.0.0/0
        - 172.16.0.0/16
  websecure:
    address: :443
    http:
      encodeQuerySemicolons: true
    proxyProtocol:
      insecure: false
      trustedIPs:
        - 10.0.0.0/0
        - 172.16.0.0/16
    forwardedHeaders:
      insecure: false
      trustedIPs:
        - 10.0.0.0/0
        - 172.16.0.0/16

  # (Optional) Redirect to HTTPS
  # ---
  # http:
  #   redirections:
  #     entryPoint:
  #       to: websecure
  #       scheme: https


# Overwrite Default Certificates
tls:
  stores:
    default:
      defaultCertificate:
        certFile: /shared_files/certs/cert.pem
        keyFile: /shared_files/certs/cert-key.pem
# Disable TLS version 1.0 and 1.1
  options:
    default:
      minVersion: VersionTLS12

certificatesResolvers:
  sectigo:
    acme:
      caServer: https://acme.sectigo.com/v2/InCommonRSAOV
      tlsChallenge: {}
      certificatesDuration: 8160
      eab:
        kid: '{{ env "EAB_KID" }}'
        hmacEncoded: '{{ env "EAB_HMAC_KEY_BASE64_ENCODED" }}'
      storage: /shared_files/sectigo_acme.json
      email: solomonhd@university.edu

providers:
  docker:
    exposedByDefault: false  # Default is true
    network: general
    # watch: true
  file:
    # watch for dynamic configuration changes
    directory: /etc/traefik
    watch: true
```
### Website I'm testing with (docker compose file)

```yaml
x-environment: &environment
  HTTP_PROXY: http://webproxyaws.university.net:3128/
  HTTPS_PROXY: http://webproxyaws.university.net:3128/
  NO_PROXY: authelia,127.0.0.1,localhost,.university.edu,169.254.169.254,.university.net,.amazonaws.com,172.16.0.0/12,.docker.local
  ENCRYPTION_KEY: 6c1fe4e407b8911c104518103505b218
  AUTH_SECRET: 5lrMXKKWCVocS/uerPsl7V+TX/aaUaI7iDkgl3tSmLE=
  POSTGRES_PASSWORD: infisical
  POSTGRES_USER: infisical
  POSTGRES_DB: infisical
  DB_CONNECTION_URI: postgres://${POSTGRES_USER}:${POSTGRES_PASSWORD}@infisical-db:5432/${POSTGRES_DB}
  # Redis
  REDIS_URL: redis://infisical-dev-redis:6379
  # Website URL
  # Required
  SITE_URL: https://${ENV_PREFIX:-}infisical.int.university.edu

x-traefik_labels: &traefik_labels
  traefik.enable: true
  ## Minio Web console
  traefik.http.routers.infisical-https.rule: Host(`${ENV_PREFIX:-}infisical.int.university.edu`)
  traefik.http.routers.infisical-https.entrypoints: websecure
  traefik.http.routers.infisical-https.service: infisical-https
  traefik.http.services.infisical-https.loadbalancer.server.port: 8080
  traefik.http.routers.infisical-https.tls: true
  traefik.http.routers.infisical-https.tls.certresolver: sectigo
  # traefik.http.routers.infisical-https.tls.domains[0].main: ${ENV_PREFIX:-}infisical.int.university.edu
  ## Redirect HTTP to HTTPS
  traefik.http.middlewares.infisical-redirect-https.redirectscheme.scheme: https
  traefik.http.routers.infisical-http.middlewares: infisical-redirect-https
  traefik.http.routers.infisical-http.rule: Host(`${ENV_PREFIX:-}infisical.int.university.edu`)
  traefik.http.routers.infisical-http.entrypoints: web
  traefik.http.routers.infisical-http.service: infisical-https
services:
  db-migration:
    container_name: infisical-db-migration
    depends_on:
      db:
        condition: service_healthy
    image: infisical/infisical:latest-postgres
    environment: *environment
    command: npm run migration:latest
    pull_policy: always

  backend:
    container_name: infisical-backend
    labels: *traefik_labels
    restart: unless-stopped
    depends_on:
      db:
        condition: service_healthy
      redis:
        condition: service_started
      db-migration:
        condition: service_completed_successfully
    image: infisical/infisical:latest-postgres
    pull_policy: always
    environment:
      <<:
        - *environment
      NODE_ENV: production

  redis:
    image: redis
    container_name: infisical-dev-redis
    environment:
      <<:
        - *environment
      ALLOW_EMPTY_PASSWORD: "yes"
    ports:
      - 6379:6379
    volumes:
      - redis_data:/data

  db:
    container_name: infisical-db
    image: postgres:14-alpine
    restart: always
    environment: *environment
    volumes:
      - pg_data:/var/lib/postgresql/data
    healthcheck:
      test: "pg_isready --username=${POSTGRES_USER} && psql --username=${POSTGRES_USER} --list"
      interval: 5s
      timeout: 10s
      retries: 10
volumes:
  pg_data:
    driver: local
  redis_data:
    driver: local
networks:
  default:
    name: $NETWORK
    external: true
```

@bluepuma77 My previous post has all my configs. Please ignore the env substitution in the traefik.yml file; I didn't realize that was not allowed. I am manually adding these values into the Traefik container until I have a chance to switch to env var static config in the Traefik docker compose.

I want Traefik to generate the TLS cert. I set up a Traefik certresolver for a personal project using Step CA and Let's Encrypt, and both work fine: Traefik generates a cert when visiting the website configured with the certresolver, like I have for dev-infisical in this example.

Sectigo/InCommon CA is not doing that; it leaves the cert value as null in the acme.json and emails me the cert for the website.

ETA: I have tested Sectigo/InCommon with Certbot and it generates a cert on the computer, same as Let's Encrypt. The functionality exists.

@titansmc So you never got this to fully work? You're manually adding the emailed cert to the acme.json file?
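The renewal window quoted from the docs earlier in the thread (Traefik renews 30 days before expiry with the 90-day default certificatesDuration) and the null certificate entries reported above can both be checked directly in the resolver's storage file. The Go program below is an added example, not code from Traefik or from anyone in this thread: it parses the acme.json layout Traefik v2 writes (resolver name, then a Certificates list whose certificate field is the base64-encoded PEM chain, or null when the order never completed) and labels each domain missing, due or ok. The domains app.example.edu and empty.example.edu and the self-signed certificate it builds are constructed for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"encoding/base64"
	"encoding/json"
	"encoding/pem"
	"math/big"
	"time"
)

// One acme.json entry (Traefik v2 layout {"<resolver>": {"Certificates": [...]}}): the PEM chain is a Go []byte, so JSON carries it base64-encoded, or null when the order never completed.
type storedCert struct {
	Domain      struct{ Main string `json:"main"` } `json:"domain"`
	Certificate []byte                             `json:"certificate"`
}

// auditStore labels each stored domain "missing" (null or unparseable certificate), "due"
// (less than renewPeriod left; 30 days for the 90-day default cited in the thread) or "ok".
func auditStore(raw []byte, now time.Time, renewPeriod time.Duration) (map[string]string, error) {
	var store map[string]struct{ Certificates []storedCert }
	if err := json.Unmarshal(raw, &store); err != nil {
		return nil, err
	}
	status, label := map[string]string{}, map[bool]string{false: "ok", true: "due"}
	for _, res := range store {
		for _, c := range res.Certificates {
			status[c.Domain.Main] = "missing"
			if block, _ := pem.Decode(c.Certificate); block != nil { // the leaf is the first PEM block
				if leaf, err := x509.ParseCertificate(block.Bytes); err == nil {
					status[c.Domain.Main] = label[leaf.NotAfter.Before(now.Add(renewPeriod))]
				}
			}
		}
	}
	return status, nil
}
// sampleStore is a constructed acme.json: a throwaway self-signed cert for a hypothetical domain expiring in `days`, plus an entry whose order never produced a certificate.
func sampleStore(now time.Time, days int) []byte {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{"app.example.edu"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(time.Duration(days) * 24 * time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	b64 := base64.StdEncoding.EncodeToString(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}))
	return []byte(`{"sectigo":{"Certificates":[{"domain":{"main":"app.example.edu"},"certificate":"` + b64 +
		`"},{"domain":{"main":"empty.example.edu"},"certificate":null}]}}`)
}
```

Feed auditStore the real file (for example the /certs/sectigo.json path from the config above, read with os.ReadFile) to get the same report for a live store.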

@bluepuma77 @titansmc Any updates? :innocent:

ETA: I'm rate limited :frowning: I can't make any new posts in this thread

@titansmc Is Sectigo and Traefik ACME working fully for you, meaning the cert is going into the acme.json file automatically? Or is the cert just being emailed to you, like what is happening to me?