I have configured traefik with Sectigo EAB to issue certificates, they are valid for 1 year, and now that it is 11 months, I have received an email from Sectigo about the certificate is going to expire but Traefik doesn't renew it unless I restart the container. I don't see any attempt to renew them neither.
I would assume your purchased the certs from Sectigo. Then you need to re-purchase again to prolong their validity.
Traefik will only create and renew free LetsEncrypt certificates.
not really, we have an account that allows us to request any cert automatically. Actually if I restart traefik, those certificates are pulled, or if I add a new service, then new certificate is requested and installed, the only thing failing is the renewal.
Traefik LetsEncrypt does not have a Sectigo provider (doc), so its probably not something standard.
Share your Traefik static and dynamic configuration and
docker-compose.yml if used. For code use 3 backticks in front and after, or select it and press the
we use ACME protocol, Sectigo is just the certificate provider, as Let's encrypt or any other.
[certificatesResolvers.sectigo.acme] email = "email@example.com" storage = "/certs/sectigo.json" caServer = "https://acme.sectigo.com/v2/OV" [certificatesResolvers.sectigo.acme.tlsChallenge] [certificatesResolvers.sectigo.acme.eab] kid = "xxxxxxxxxxxxxxxx" hmacEncoded = "xxxxxxxxxxxxxxxxxxx"
It seems you only changed the
caServer and added EAB (doc), strange to see no renewal after 90 days.
The certificatesDuration option defines the certificates' duration in hours. It defaults to 2160 (90 days) to follow Let's Encrypt certificates' duration.
According to Internet, Sectigo has no free offering:
Sectigo offers commercial certificates, and their cost depends on the type and level of the certificate. Prices start from $125/year.
Maybe your registered credit card expired.
Thanks for your help! But listen, I have it working, if my cert is about to expire and I restart traefik (recreate the pod) it works fine, if I add a new service (via an annotation on kubernetes ingress) it also works, so it has nothing to with with pricing or anything similar. So ACME seems properly configured but only automatic renewals aren't working (because restarting the server with ready to be renewed domains it works, so I get new certificates properly installed)
About Sectigo, yes, it is not free, although for scientific institutions it is included in their subscription.
Any ideas? I have received how I can debug it? I have just received some emails because my certificates are about to expire. If I restart traefik they will all be renewed without issues, but I expect this to happen without restart automatically.
looks like certificates are starting to renew themselves....