Force traefik to reissue certificate

Can you not do this via your Traefik dashboard?

I got this same email also for cPanel on 2 different dedicated servers in different countries on different hosts with the Sectigo certificates, emailing me about 10x a day, and I haven’t found a fix, as well as many Docker machines asking about the Let’s Encrypt one, so I’m happy someone asked. I will have to keep a close eye on this thread.

Not that I can see.

I believe the cure lies inside the docker-compose file that is inside the .docker folder @George refers to. In there we find:

'--certificatesresolvers.leresolver.acme.storage=/letsencrypt/acme.json'

That should contain an array of certificates, and the instructions state that if you remove that array, save the file and redeploy, a new cert will be generated. Makes sense. I just haven’t spent enough time working with Docker to know how to get to the remote /letsencrypt volume to make the change.

There’s a line that can be added to the docker-compose yml file that deals with ‘certificatesduration’. I’m just testing whether setting it to a low number forces a refresh of a certificate that has a much longer expiry, or whether it just ignores it because it’s valid… will report back.

Seems easier than trying to access the remote docker image and finding the acme.json file

1 Like

Not seeing any change to the certificate so far, I’m afraid. Would really appreciate some support from the Wappler team as to the best way to access the acme.json file and restart Traefik @george, @patrick, @Teodor.

Certificates are hard cached in the web browser, so you need to do a Ctrl+F5 refresh.

You can also use some of the tools mentioned in:

To track the issuing

Thanks for the info @George. I should be more specific about the issue, perhaps.

Let’s Encrypt had to do an emergency revocation of certificates and gave just a couple of days for admins to reissue certs. On January 28, the certificates will begin to fail for clients (who will not know to refresh a cache).

There is no issue that will show up in the logs or debug, as the current certs are valid… but again, they won’t be on the 28th.

Traefik responded to this event with instructions:

However, those of us on this thread have not yet figured out how to carry out these instructions.

Can you assist?

Thanks much!

Here is the email:

Hello,

Please immediately renew your TLS certificate(s) that were issued from
Let's Encrypt using the TLS-ALPN-01 validation method and the following
ACME registration (account) ID(s):

REDACTED IDs

We've determined that an error made it possible for TLS-ALPN-01
challenges, completed before today, to not comply with certificate
issuance requirements. We have remediated this problem and will revoke
all unexpired certificates that used this validation method at 16:00 UTC
on 28 January 2022. Please renew your certificates now to ensure an
uninterrupted experience for your site visitors.

We apologize for any inconvenience this may cause. If you need support
in the renewal process, please comment on our forum post. Our staff and
community members are available to help:

https://community.letsencrypt.org/t/170449

Thank you,

The Let's Encrypt Team

Well, maybe you can try to SSH to the server from within Wappler and edit the acme file as per their instructions.

It should be just under the /letsencrypt folder.

Thanks, already tried that.

Connected to the web server terminal from Wappler. Cannot see any /letsencrypt folder. I’m assuming that is because it is a different volume?

The Let’s Encrypt acme.json is indeed stored on a persistent volume.

If you SSH to the host server you should find it at:

/var/lib/docker/volumes/wappler-compose_letsencrypt/_data

So try making the suggested changes there and redeploy.

1 Like

Here’s something from the Let’s Encrypt community around this:


OK, so here goes (please back up! I make no guarantees!)

SSH into the server and run:
sudo nano /var/lib/docker/volumes/wappler-compose_letsencrypt/_data/acme.json


Move the cursor to the start of the Certificates array and press SELECT while pressing your down arrow to select all the lines below until the end of the array (leave the Certificates key and square brackets out of your selection).
Use CTRL+K to cut the selection.
You should be left with:

CTRL+o (letter o) to save (ENTER to confirm)
CTRL+x to exit nano

Next, head over to your Portainer address for the target and follow the 4 steps below.

You will see an error for the restart. That is because while the certificates are being renewed, Portainer can’t refresh; wait a minute or so and refresh the page. Once the Portainer page reloads successfully, head over to your website, try a clear-cache refresh (CTRL+SHIFT+R / CMD+SHIFT+R) and check your certificate expiry; it should be 3 months from today.

Just to bring @george’s suggestions into this post for a single solution:

9 Likes

Great, that worked great!

You can also very easily make a backup of the acme.json file before starting to edit it with:

cp acme.json acme.bak

After saving the acme.json file, when you need to restart, you can also just go to the Docker machine options in Wappler and hit Apply again to apply the Traefik options, resulting in a deploy of just Traefik and a restart of it, if you do not want to go the Portainer way.

3 Likes

Does anyone know how to find all the Docker machines that require this update? My email looks like this:

Hello,

Please immediately renew your TLS certificate(s) that were issued from 
Let's Encrypt using the TLS-ALPN-01 validation method and the following 
ACME registration (account) ID(s):

108509467  167205640  185327010  194841760  231114350  299874670  126746541  126857703 

We've determined that an error made it possible for TLS-ALPN-01 
challenges, completed before today, to not comply with certificate 
issuance requirements. We have remediated this problem and will revoke 
all unexpired certificates that used this validation method at 16:00 UTC 
on 28 January 2022. Please renew your certificates now to ensure an 
uninterrupted experience for your site visitors.

We apologize for any inconvenience this may cause. If you need support 
in the renewal process, please comment on our forum post. Our staff and 
community members are available to help:

Those numbers mean very little to me, so just wondering how we figure out what domains are affected.

Not sure where, but there should be a list of domains that you can Ctrl+F to see if your domain is affected.

Not sure if it helps as you might have a ton of domains :wink:

https://checkhost.unboundtest.com/

and the list: https://letsencrypt.org/caaproblem/

1 Like

Yeah, that’s kind of the issue; I probably have at least a year’s worth of them, which could be 50. Been a busy year.

EDIT: The 2 links help, thank you

1 Like

Good problem to have :wink:

Although frustrating now.

They recommend using the tool at the end of my second link for people with many domains: https://github.com/hannob/lecaa

I haven’t used or looked at it, but I hope it helps!

1 Like
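Combining the two procedures in this thread (the acme.json edit and backup from the posts above, and the check of your hostnames against the affected-host list from the last few replies), here is an added Python example. It is not code from the thread, from Traefik or from Wappler. It assumes the Traefik v2 storage layout that the `leresolver` compose line above implies, i.e. `{"<resolver>": {"Account": {...}, "Certificates": [...]}}`; the sample acme.json and the affected-host list embedded in it are constructed stand-ins, the real list being the one linked above (https://letsencrypt.org/caaproblem/). It goes one step beyond the thread's "cut the whole array" instruction: with no list it removes every entry, as the thread does, but given the list it removes only the entries whose main name or SAN appears on it, so machines whose certificates are unaffected keep them.

```python
"""Added example, not code from this thread, from Traefik or from Wappler:
purge certificate entries from a Traefik v2 acme.json so that Traefik requests
fresh ones on its next start.  Assumes the v2 storage layout
{"<resolver>": {"Account": {...}, "Certificates": [...]}}."""
import json
import os
import shutil
import stat
import tempfile
from datetime import datetime
from pathlib import Path

# Constructed sample in the shape Traefik v2 writes; real "certificate"/"key"
# fields hold base64 PEM and the account URI carries a real registration id.
SAMPLE_ACME = {
    "leresolver": {
        "Account": {"Email": "admin@example.test", "KeyType": "4096",
                    "PrivateKey": "REDACTED",
                    "Registration": {"uri": "https://acme-v02.api.letsencrypt.org/acme/acct/0"}},
        "Certificates": [
            {"domain": {"main": "shop.example.test", "sans": ["www.shop.example.test"]},
             "certificate": "LS0t...", "key": "LS0t...", "Store": "default"},
            {"domain": {"main": "api.example.test", "sans": []},
             "certificate": "LS0t...", "key": "LS0t...", "Store": "default"},
        ],
    }
}
# Constructed stand-in for the affected-hostname list (one hostname per line).
SAMPLE_AFFECTED = "www.shop.example.test\nshop.example.test\nother.example.org\n"


def cert_hostnames(entry):
    """Every hostname one Certificates[] entry covers: main name plus SANs."""
    domain = entry.get("domain") or {}
    names = [domain.get("main") or ""] + list(domain.get("sans") or [])
    return {n.lower() for n in names if n}


def load_affected(text):
    """Hostname-per-line list -> set; blank lines and '#' comments ignored."""
    return {ln.strip().lower() for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")}


def plan_purge(acme, affected=None):
    """{resolver: entries to drop}. affected=None drops everything, as the thread
    does; a set of hostnames drops only entries whose main name or SAN is in it."""
    plan = {}
    for resolver, state in acme.items():
        if isinstance(state, dict):
            plan[resolver] = [e for e in state.get("Certificates") or []
                              if affected is None or cert_hostnames(e) & affected]
    return plan


def purge_acme_json(path, affected=None):
    """Back up acme.json (mode preserved), drop the planned entries, keep the
    Account block, and write the result back with the original file mode.
    Returns (sorted removed hostnames, backup path)."""
    path = Path(path)
    mode = stat.S_IMODE(path.stat().st_mode) or 0o600   # Traefik insists on 0600
    backup = path.with_name(f"{path.name}.{datetime.now():%Y%m%d-%H%M%S}.bak")
    shutil.copy2(path, backup)                           # copy2 keeps the 0600 mode
    acme = json.loads(path.read_text())
    removed = set()
    for resolver, drop in plan_purge(acme, affected).items():
        acme[resolver]["Certificates"] = [e for e in acme[resolver].get("Certificates") or []
                                          if e not in drop]
        for e in drop:
            removed |= cert_hostnames(e)
    tmp = path.with_name(path.name + ".tmp")
    tmp.write_text(json.dumps(acme, indent=2))
    os.chmod(tmp, mode)
    os.replace(tmp, path)                                # atomic swap, never a half-written file
    return sorted(removed), str(backup)


def demo():
    """Run the purge on the constructed sample in a scratch dir; returns what a test can check."""
    with tempfile.TemporaryDirectory() as d:
        p = Path(d) / "acme.json"
        p.write_text(json.dumps(SAMPLE_ACME))
        os.chmod(p, 0o600)
        removed, backup = purge_acme_json(p, load_affected(SAMPLE_AFFECTED))
        after = json.loads(p.read_text())
        return {
            "removed": removed,
            "remaining": [e["domain"]["main"] for e in after["leresolver"]["Certificates"]],
            "account_kept": after["leresolver"]["Account"] == SAMPLE_ACME["leresolver"]["Account"],
            "mode": stat.S_IMODE(p.stat().st_mode),
            "backup_intact": json.loads(Path(backup).read_text()) == SAMPLE_ACME
                             and stat.S_IMODE(os.stat(backup).st_mode) == 0o600,
        }


if __name__ == "__main__":
    import sys
    if len(sys.argv) < 2:               # no arguments: show the effect on the sample
        print(json.dumps(demo(), indent=2))
    else:                               # acme.json path, optional affected-host list file
        hosts = load_affected(Path(sys.argv[2]).read_text()) if len(sys.argv) > 2 else None
        removed, backup = purge_acme_json(sys.argv[1], hosts)
        print(f"backup written to {backup}")
        print("removed certificates for:", ", ".join(removed) or "nothing")
        print("now restart Traefik so it requests new certificates")
```

Run it with no arguments to see it act on the sample, or on the host with the acme.json path from the post above and, optionally, the downloaded affected-host list as a second argument. Two points the nano route leaves to the operator are handled explicitly: Traefik refuses to load an acme.json whose mode is not 0600, so the new file is written with the original mode and swapped in atomically, and the backup holds the account and certificate private keys, so it inherits the same 0600 mode and should be deleted once the new certificates are in place. As with the manual edit, the Account block stays, so no new ACME registration is made; afterwards restart Traefik via Portainer or by hitting Apply on the Traefik options in Wappler, as described above.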

Thanks for the location George. Serves me right for searching for letsencrypt with a leading slash! Will deploy this today.

Thank you @bpj! It worked perfectly for me.

1 Like

worked as a charm! thanks guys!