Description
Rocketchat snap 3.18.2 is unable to force a Caddy certificate refresh when the certificate is revoked by the issuer.
Server Setup Information
- Version of Rocket.Chat Server: 3.18.3
- Operating System: Ubuntu
- Deployment Method: snap
- Number of Running Instances: 1
Any additional Information
We are running Rocketchat via snap on release 3.18.3.
We are using Caddy to register an SSL cert via LetsEncrypt.
Our certificate was impacted by the recent LetsEncrypt exploit, resulting in LetsEncrypt revoking our certificate.
See 2022.01.25 Issue with TLS-ALPN-01 Validation Method - Incidents - Let's Encrypt Community Support
To resolve this issue, all we needed to do was request a new certificate from LetsEncrypt. This does not seem to be possible.
The following attempts were made to trigger a refresh; all failed.
- Restart all rocketchat services including caddy. Failed to refresh certificate.
- Disable HTTPS, restart all services, enable HTTPS, restart all services per instructions here. Failed to refresh certificate.
- Change HTTPS URL, restart all services, change HTTPS URL back to original URL, restart all services per instructions. Failed to refresh cert for the original URL.
- Search the filesystem for the revoked certificate. Failed to find it.
To ultimately resolve this issue, I created a new domain, updated Caddy with the new domain, and reloaded all services, then set up a DNS forward from the original domain to the new domain.
Suffice it to say this was hugely disruptive to our users. If only Caddy were able to force-request a new certificate. Is it possible?
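Each of the attempts above ended with "failed to refresh certificate", which raises the question of how to tell whether Caddy actually obtained a new certificate or re-served the revoked one. The check a practitioner wants is a comparison of the served certificate's serial number and SHA-256 fingerprint before and after the attempt: a refreshed certificate always carries a new serial from the CA. The script below is an added example written for this post, not code from Rocket.Chat, Caddy or the original poster. It uses only the Python standard library: a minimal DER walker extracts the serial number, `fetch_served_certificate` is the live (network) path, and `constructed_cert` builds a skeletal, constructed DER structure purely so the offline self-test can run without a real certificate.

```python
import base64
import hashlib
import ssl

PEM_HEADER = "-----BEGIN CERTIFICATE-----"
PEM_FOOTER = "-----END CERTIFICATE-----"


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour and base64-decode the body into DER bytes."""
    body = "".join(
        line.strip() for line in pem.splitlines()
        if line.strip() and not line.startswith("-----")
    )
    return base64.b64decode(body)


def _read_tlv(buf: bytes, pos: int):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def certificate_serial(der: bytes) -> int:
    """Return the serialNumber from Certificate -> tbsCertificate (RFC 5280)."""
    tag, cert_body, _ = _read_tlv(der, 0)        # Certificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tag, tbs, _ = _read_tlv(cert_body, 0)        # tbsCertificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("missing tbsCertificate")
    tag, value, nxt = _read_tlv(tbs, 0)
    if tag == 0xA0:                              # optional explicit [0] version
        tag, value, nxt = _read_tlv(tbs, nxt)
    if tag != 0x02:
        raise ValueError("missing serialNumber INTEGER")
    return int.from_bytes(value, "big", signed=True)


def fingerprint_sha256(der: bytes) -> str:
    """SHA-256 over the DER encoding, the value shown by browsers and openssl."""
    return hashlib.sha256(der).hexdigest()


def certificate_changed(old_pem: str, new_pem: str) -> bool:
    """True if a refresh actually happened: different DER bytes and serial."""
    old_der, new_der = pem_to_der(old_pem), pem_to_der(new_pem)
    return (fingerprint_sha256(old_der) != fingerprint_sha256(new_der)
            and certificate_serial(old_der) != certificate_serial(new_der))


def fetch_served_certificate(host: str, port: int = 443) -> str:
    """Live path (needs network): PEM of the leaf certificate the server presents."""
    return ssl.get_server_certificate((host, port))


# ---- constructed test data (not a real certificate) -----------------------
def _tlv(tag: int, content: bytes) -> bytes:
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def constructed_cert(serial: int) -> str:
    """Skeletal DER with only version + serialNumber, enough to exercise the parser."""
    ser = serial.to_bytes((serial.bit_length() + 8) // 8, "big")  # positive DER INTEGER
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, ser) + _tlv(0x30, b""))
    der = _tlv(0x30, tbs + _tlv(0x30, b"") + _tlv(0x03, b"\x00"))
    b64 = base64.encodebytes(der).decode()
    return f"{PEM_HEADER}\n{b64}{PEM_FOOTER}\n"


if __name__ == "__main__":
    before = constructed_cert(0x1234)
    after = constructed_cert(0x1235)
    print("serial:", hex(certificate_serial(pem_to_der(before))))
    print("changed after 'refresh':", certificate_changed(before, after))
```

In practice, capture `fetch_served_certificate("chat.example.org")` (placeholder host) before restarting the services, capture it again afterwards, and feed both to `certificate_changed`; if it returns `False`, the restart re-served the old certificate and no new issuance took place, regardless of what the logs say. Revocation status itself is a separate question answered by an OCSP query against the issuer, which is a network check outside the scope of this offline script.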