Why does Traefik renew with the expired Let's Encrypt certificate path?
We run Ubuntu Server 20.04 LTS with a Traefik Docker container. Back in September when the Let's Encrypt DST Root CA X3 certificate expired we didn't really find much actual information on how to remedy this but eventually got it working again by updating Traefik to 2.5 and adding preferredChain: 'ISRG Root X1'
to the configuration.
Last week the certificates got renewed and the invalid certificate path is back in. Deleting acme.json
and restarting Traefik fixes it again.
There doesn't seem to be any Google results with similar issues recently, so I assume our fix is simply incomplete or incorrect. What is the proper way to get Let's Encrypt working again?
It was a bug in go-acme/lego
that did not use preferredChain
for renewals (see this Traefik pull request).