Why does Traefik renew with the expired Let's Encrypt certificate path?

ssl-certificate ubuntu lets-encrypt

We run Ubuntu Server 20.04 LTS with a Traefik Docker container. Back in September when the Let's Encrypt DST Root CA X3 certificate expired we didn't really find much actual information on how to remedy this but eventually got it working again by updating Traefik to 2.5 and adding preferredChain: 'ISRG Root X1' to the configuration.

Last week the certificates got renewed and the invalid certificate path is back in. Deleting acme.json and restarting Traefik fixes it again.

There doesn't seem to be any Google results with similar issues recently, so I assume our fix is simply incomplete or incorrect. What is the proper way to get Let's Encrypt working again?


It was a bug in go-acme/lego that did not use preferredChain for renewals (see this Traefik pull request).

Related

PowerDNS & Log4j
Apache 2.4 - how to use multiple files in files directive?
Trying to set up Exchange 2013 server to migrate from Exchange 2010
Only getting 100 Mbit in Hyper V Guest from 1 Gigabit network connection
How to tell compromised network users that their network is compromised [closed]
How to set flux to deploy latest image tag for every build?
Is it possible to repair a ZFS snapshot by re-sending it?
Existence of switch disturbs network: cable is fine straight to laptop but not through a switch
Alternative ways to get past 32 rpz zone limit in BIND? ...without running BIND a thousand times
Questions about Debian OpenDLAP configuration
Unhide /etc dir but NOT using 'AppleShowAllFiles'. Possible?
TextEdit saves changes to file without prompting when you duplicate