Renewal of the certificates using ACME doesn't happen automatically

I have configured Traefik with Sectigo EAB to issue certificates. They are valid for 1 year, and now that it is 11 months, I have received an email from Sectigo saying the certificate is going to expire, but Traefik doesn't renew it unless I restart the container. I don't see any attempt to renew them either.

I would assume you purchased the certs from Sectigo. Then you need to re-purchase again to prolong their validity.

Traefik will only create and renew free LetsEncrypt certificates.

Not really, we have an account that allows us to request any cert automatically. Actually, if I restart Traefik, those certificates are pulled, or if I add a new service, then a new certificate is requested and installed; the only thing failing is the renewal.
Cheers.

Traefik LetsEncrypt does not have a Sectigo provider (doc), so it's probably not something standard.

Share your Traefik static and dynamic configuration and docker-compose.yml if used. For code use 3 backticks in front and after, or select it and press the </> button.

We use the ACME protocol; Sectigo is just the certificate provider, like Let's Encrypt or any other.

    [certificatesResolvers.sectigo.acme]
      email = "itsops@domain.com"
      storage = "/certs/sectigo.json"
      caServer = "https://acme.sectigo.com/v2/OV"
      [certificatesResolvers.sectigo.acme.tlsChallenge]
      [certificatesResolvers.sectigo.acme.eab]
        kid = "xxxxxxxxxxxxxxxx"
        hmacEncoded = "xxxxxxxxxxxxxxxxxxx"

It seems you only changed the caServer and added EAB (doc), strange to see no renewal after 90 days.

certificatesDuration

Optional, Default=2160

The certificatesDuration option defines the certificates' duration in hours. It defaults to 2160 (90 days) to follow Let's Encrypt certificates' duration.

According to the Internet, Sectigo has no free offering:

Sectigo offers commercial certificates, and their cost depends on the type and level of the certificate. Prices start from $125/year.

Maybe your registered credit card expired.

Thanks for your help! But listen, I have it working: if my cert is about to expire and I restart Traefik (recreate the pod) it works fine, and if I add a new service (via an annotation on a Kubernetes ingress) it also works, so it has nothing to do with pricing or anything similar. So ACME seems properly configured, but only automatic renewals aren't working (because when I restart the server with domains that are ready to be renewed it works, so I get new certificates properly installed).

About Sectigo, yes, it is not free, although for scientific institutions it is included in their subscription.

Hi,
Any ideas how I can debug it? I have just received some emails because my certificates are about to expire. If I restart Traefik they will all be renewed without issues, but I expect this to happen automatically, without a restart.
Cheers.

looks like certificates are starting to renew themselves....

Hey @titansmc, did you need to do anything to get things to auto-renew? I'm in the same situation as you (Sectigo certs issued to an edu institution) and my reading of the docs is that the cert should renew at 30 days prior to the 90 day default value of "certificatesduration". It's been well past that so I was searching for when Traefik actually renews and came across this post.

Sectigo is selling official TLS certs with 1 year duration. It’s not LetsEncrypt, which gives you free certs with 3 month duration automatically.

You need to get a new cert manually (purchase a new one) and update the Traefik dynamic config file, which loads them.

Sectigo is giving us accounts that we can use exactly like Let's Encrypt (ACME protocol), with the advantage that we don't need any of the DNS/Web challenges to be available; we just authenticate to Sectigo, and those certificates are valid for a year.
So yes, we use Traefik ACME integration with sectigo, with a config like:

    [certificatesResolvers.sectigo.acme]
      email = "aaaa@domain.de"
      storage = "/certs/sectigo.json"
      caServer = "https://acme.sectigo.com/v2/OV"
      [certificatesResolvers.sectigo.acme.tlsChallenge]
      [certificatesResolvers.sectigo.acme.eab]
        kid = "xxxxxxxxxx"
        hmacEncoded = "xxxxxxxxxxxxxxxxxxxxxxx

I didn't do anything to trigger the renewal...although I don't think the json file where certs are stored is properly cleaned up....
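
The resolver posted in the thread, with the `certificatesDuration` option quoted above set for one-year certificates. This is an added example, not configuration from any poster or from the Traefik project; the value 8760 is an assumption derived from the one-year validity described in the thread, and the `kid` and `hmacEncoded` values are placeholders.

```toml
# Static configuration: same resolver as posted in the thread.
[certificatesResolvers.sectigo.acme]
  email = "itsops@domain.com"
  storage = "/certs/sectigo.json"
  caServer = "https://acme.sectigo.com/v2/OV"
  # When unset, this defaults to 2160 hours (90 days), the Let's Encrypt lifetime.
  # Traefik uses the value to schedule renewal, so it should match what the CA issues.
  # Assumed value for one-year certificates: 365 * 24 = 8760 hours.
  certificatesDuration = 8760
  [certificatesResolvers.sectigo.acme.tlsChallenge]
  [certificatesResolvers.sectigo.acme.eab]
    kid = "xxxxxxxxxxxxxxxx"            # placeholder
    hmacEncoded = "xxxxxxxxxxxxxxxxxxx" # placeholder
```

This is static configuration, so Traefik has to be restarted for the change to take effect.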