Traefik serving Let's Encrypt Legacy Chain instead of Let's Encrypt Modern Chain

I'm sure most folks have heard about the expired DST Root CA X3 certificate by now. I see (using chainchecker.certifytheweb.com) that my v2.2.11 Traefik instance is serving the Let's Encrypt Legacy Chain which includes the expired cert rather than the Let's Encrypt Modern Chain which does not.

This is causing some problems with other services. How can I configure Traefik to use the Modern Chain instead? TIA

Edit - just updated to v2.5.3 and same issue

Edit - Just found the preferredChain option - will investigate this for now, please jump in if you know the answer though.

Edit - So I set preferredChain to "ISRG Root X1" and restarted but it is still serving the chain with the expired X3 cert


Same problem with an up-to-date Traefik Docker image and curl/guzzlehttp applications... Browsers have no problem.

We have the same problem, just upgraded to 2.5.3, applied the CLI option and forced a cert renewal and it is still serving up the old chain.

I can see this was apparently fixed in 2.4, could it have regressed?

{"level":"debug","msg":"legolog: [INFO] lego has been configured to prefer certificate chains with issuer \"'ISRG Root X1'\", but no chain from the CA matched this issuer. Using the default certificate chain instead.","time":"2021-10-04T04:52:53Z"}

OK. So I've got the configuration wrong?

From our helm install invocation:

```shell
--set="additionalArguments={--entrypoints.web.http.redirections.entryPoint.to=websecure,--entrypoints.web.http.redirections.entryPoint.scheme=https,--certificatesresolvers.le.acme.email=REDACTED,--certificatesresolvers.le.acme.storage=/data/acme.json,--certificatesresolvers.le.acme.httpchallenge=true,--certificatesresolvers.le.acme.httpchallenge.entrypoint=web,--certificatesresolvers.le.acme.caserver=${{ env.TR_ACME_CA_SERVER }},--certificatesresolvers.le.acme.preferredChain='ISRG Root X1'}" \
```

So the single quotes are probably no good here?

Same problem here. Did you guys get this to work? If you did can you spread the knowledge :slight_smile:

I do this with kubectl yaml and my configuration looks like this:

```yaml
# -----  snip
- args:
  - --certificatesResolvers.internal.acme.preferredChain=ISRG Root X1
# -----  snip
```

this works.
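To make the difference between the failing helm `--set` value and the working YAML `args` entry concrete, here is an added example (not Traefik or lego code, and not from anyone in this thread). It models, as an assumption about lego's behaviour, how `preferredChain` is matched: the string is compared unchanged against the issuer CN of the last certificate in each chain the CA offers, and the default chain is used when nothing matches, which is what the "Using the default certificate chain instead" debug line above reports. The two chains, the `Cert` type and all function names are constructed for the example; the `as_shell_passes` helper uses `shlex` to show what a POSIX shell actually hands to helm.

```python
import shlex
from dataclasses import dataclass

# Added example, not Traefik or lego code. Assumption about lego: the
# preferredChain string is compared, unchanged and case-sensitively, against
# the issuer CN of the last certificate of each offered chain; no match means
# the CA's default chain is used.


@dataclass(frozen=True)
class Cert:
    subject_cn: str
    issuer_cn: str


# Constructed model of the two chains Let's Encrypt offered in October 2021.
# Default ("legacy") chain: leaf -> R3 -> ISRG Root X1 cross-signed by the
# expired DST Root CA X3.
LEGACY_CHAIN = (
    Cert("example.com", "R3"),
    Cert("R3", "ISRG Root X1"),
    Cert("ISRG Root X1", "DST Root CA X3"),
)
# Alternate ("modern") chain: leaf -> R3, terminating at ISRG Root X1.
MODERN_CHAIN = (
    Cert("example.com", "R3"),
    Cert("R3", "ISRG Root X1"),
)
OFFERED_CHAINS = (LEGACY_CHAIN, MODERN_CHAIN)  # index 0 is the CA's default


def top_issuer(chain):
    """Issuer CN of the last certificate, i.e. the root the chain points at."""
    return chain[-1].issuer_cn


def select_chain(preferred, chains=OFFERED_CHAINS):
    """Return (chain, matched). Exact, case-sensitive comparison; an empty
    preference or no match falls back to the default chain."""
    if preferred:
        for chain in chains:
            if top_issuer(chain) == preferred:
                return chain, True
    return chains[0], False


def flag_value(arg):
    """Value Traefik receives from a --...preferredChain=VALUE argument.
    Any quote characters that reach the flag parser stay in the value."""
    _name, _sep, value = arg.partition("=")
    return value


def as_shell_passes(word):
    """What a POSIX shell hands to the program for one command-line word."""
    (out,) = shlex.split(word)
    return out


def chain_for_arg(arg):
    """(root issuer served, whether the preference matched) for one CLI arg."""
    chain, matched = select_chain(flag_value(arg))
    return top_issuer(chain), matched


if __name__ == "__main__":
    # Quotes typed directly on Traefik's command line are removed by the shell:
    direct = as_shell_passes(
        "--certificatesresolvers.le.acme.preferredChain='ISRG Root X1'")
    print(direct, chain_for_arg(direct))  # matches, modern chain
    # Quotes nested inside helm's --set="...{...}" are not: the shell strips
    # only the outer double quotes, and the inner value then reaches the pod's
    # args verbatim (assumption: no further shell in between).
    helm_word = as_shell_passes(
        "--set=\"additionalArguments={--certificatesresolvers.le.acme."
        "preferredChain='ISRG Root X1'}\"")
    inner = helm_word.split("{", 1)[1].rstrip("}")
    print(inner, chain_for_arg(inner))  # no match, legacy chain
```

The YAML `args` form works because Kubernetes passes each list item to the process as-is, so the value is exactly `ISRG Root X1`; the helm `--set` form carried the single quotes through, and `'ISRG Root X1'` matches no issuer.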

Why on earth does the guide/doc have quotation marks if you don't need them :confused:
But thanks, this helped...


docs: remove quotes in certificatesresolvers CLI examples by rdxmb · Pull Request #8544 · traefik/traefik · GitHub :wink: