Traefik serving Let's Encrypt Legacy Chain instead of Let's Encrypt Modern Chain

czuk · September 30, 2021, 9:59am

I'm sure most folks have heard about the expired DST Root CA X3 certificate by now. I see (using chainchecker.certifytheweb.com) that my v2.2.11 Traefik instance is serving the Let's Encrypt Legacy Chain which includes the expired cert rather than the Let's Encrypt Modern Chain which does not.

This is causing some problems with other services. How can I configure Traefik to use the Modern Chain instead? TIA

Edit - just updated to v2.5.3 and same issue

Edit - Just found the preferredChain option - will investigate this for now, please jump in if you know the answer though.

Edit - So I set preferredChain to "ISRG Root X1" and restarted but it is still serving the chain with the expired X3 cert

trogie · September 30, 2021, 11:33am

Same problem with up to date traefik docker with curl/guzzlehttp applications... Browsers have no problem.

cail · October 5, 2021, 12:04am

We have the same problem, just upgraded to 2.5.3, applied the CLI option and forced a cert renewal and it is still serving up the old chain.

cail · October 5, 2021, 12:07am

I can see this was apparently fixed in 2.4, could it have regressed?

cail · October 5, 2021, 12:17am

{"level":"debug","msg":"legolog: [INFO] lego has been configured to prefer certificate chains with issuer \"'ISRG Root X1'\", but no chain from the CA matched this issuer. Using the default certificate chain instead.","time":"2021-10-04T04:52:53Z"}

OK. So I've got the configuration wrong?

From our helm install invocation:

          --set="additionalArguments={--entrypoints.web.http.redirections.entryPoint.to=websecure,--entrypoints.web.http.redirections.entryPoint.scheme=https,--certificatesresolvers.le.acme.email=REDACTED,--certificatesresolvers.le.acme.storage=/data/acme.json,--certificatesresolvers.le.acme.httpchallenge=true,--certificatesresolvers.le.acme.httpchallenge.entrypoint=web,--certificatesresolvers.le.acme.caserver=${{ env.TR_ACME_CA_SERVER }},--certificatesresolvers.le.acme.preferredChain='ISRG Root X1'}" \

So the single quotes are probably no good here?

EnforcerC · October 14, 2021, 5:22pm

Same problem here. Did you guys get this to work? If you did can you spread the knowledge

rdxmb · October 25, 2021, 2:33pm

I do this with kubectl yaml and my configuration looks like this:

# -----  snip
- args:
  - --certificatesResolvers.internal.acme.preferredChain=ISRG Root X1
# -----  snip

this works.

EnforcerC · October 27, 2021, 4:34pm

Why on earth guide/doc has quotation marks if you don't need them
But thx this helped...

rdxmb · October 28, 2021, 3:40pm

docs: remove quotes in certificatesresolvers CLI examples by rdxmb · Pull Request #8544 · traefik/traefik · GitHub

IdeaSystems · February 1, 2022, 1:27pm

Hi!
In which yaml file should I put this configuration? In the Traefk deployment file?

Topic		Replies	Views
Is it possible to add Let's Encrypt preferredChain support in v1.7 Traefik v1 letsencrypt-acme	5	1137	October 13, 2021
Trouble with Let's Encrypt renewal Traefik v2 letsencrypt-acme	9	2593	April 26, 2021
Let's Encrypt certificates not renewing Traefik v3 (latest) docker , letsencrypt-acme	5	477	October 21, 2024
Traefik v2.8 letsencrypt renewal fails Traefik v2 docker , letsencrypt-acme	5	979	October 27, 2022
Upgrade from 2.3 to 2.4.5 and LetsEncrypt stopped working Traefik v2 docker	2	819	March 8, 2021

Traefik serving Let's Encrypt Legacy Chain instead of Let's Encrypt Modern Chain

Related topics