Unable to force Caddy SSL certificate refresh

Description

Rocketchat snap 3.18.2 is unable to force a Caddy certificate refresh when the certificate is revoked by the issuer.

Server Setup Information

  • Version of Rocket.Chat Server: 3.18.3
  • Operating System: Ubuntu
  • Deployment Method: snap
  • Number of Running Instances: 1

Any additional Information

We are running Rocketchat via snap on release 3.18.3.
We are using Caddy to register an SSL cert via LetsEncrypt.
Our certificate was impacted by the recent LetsEncrypt exploit, resulting in LetsEncrypt revoking our certificate.
See 2022.01.25 Issue with TLS-ALPN-01 Validation Method - Incidents - Let's Encrypt Community Support

To resolve this issue, all we needed to do was request a new certificate from LetsEncrypt. This does not seem to be possible.

The following attempts were made to trigger a refresh - all failed.

  1. Restart all rocketchat services including caddy. Failed to refresh certificate.
  2. Disable HTTPS, restart all services, enable HTTPS, restart all services per instructions here. Failed to refresh certificate.
  3. Change HTTPS URL, restart all services, change HTTPS URL back to original URL, restart all services per instructions. Failed to refresh cert for the original URL.
  4. Search filesystem for the revoked certificate. Failed to find it.

To ultimately resolve this issue, I created a new domain, updated Caddy with the new domain, reloaded all services, and then set up a DNS forward from the original domain to the new domain.

Suffice it to say this was hugely disruptive to our users. If only Caddy were able to force-request a new certificate. Is it possible?

For anyone else who gets to this issue, one workaround:

# stop the snap's Caddy service so it is not holding or rewriting its state while we move it
snap stop rocketchat-server.rocketchat-caddy

# Caddy's state directory (ACME account and issued certificates) is the hidden
# .caddy directory under the snap's home; move it aside rather than deleting it
cd /root/snap/rocketchat-server/current
mv .caddy .caddy.bak

# on start Caddy finds no stored certificate and requests a new one
snap start rocketchat-server.rocketchat-caddy

This appears to force Caddy to renew the cert.

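A scripted version of that workaround, added here as an example (it is not code from the thread or from the Rocket.Chat snap): it first confirms via OCSP that the served certificate really is revoked, then applies the stop/move/start sequence and checks that the serial of the certificate being served has changed, which is the evidence that a new certificate was actually issued. It assumes the service name and state path given in the workaround above, openssl on the host, Ubuntu's CA bundle at /etc/ssl/certs/ca-certificates.crt, and that the hostname passed as the first argument is the one Caddy serves; the 20-second wait for the ACME exchange is a guess.

```shell
#!/bin/sh
# Added example; not from the thread or the Rocket.Chat snap. Assumes the snap runs Caddy as
# the service rocketchat-server.rocketchat-caddy and keeps Caddy's state (ACME account and
# certificates) in /root/snap/rocketchat-server/current/.caddy, as the workaround above says,
# and that openssl and Ubuntu's CA bundle are present. Usage: force-renew.sh chat.example.org
set -u

CADDY_SVC="rocketchat-server.rocketchat-caddy"
SNAP_HOME="${SNAP_HOME:-/root/snap/rocketchat-server/current}"
CA_BUNDLE="${CA_BUNDLE:-/etc/ssl/certs/ca-certificates.crt}"   # assumed Ubuntu path

# Save the leaf certificate served for host $1 to file $2 and the rest of the sent chain to $3.
fetch_chain() {
  openssl s_client -servername "$1" -connect "$1:443" -showcerts </dev/null 2>/dev/null \
    | awk -v leaf="$2" -v chain="$3" '
        /-----BEGIN CERTIFICATE-----/ { n++; inside = 1 }
        inside { if (n == 1) print > leaf; else print > chain }
        /-----END CERTIFICATE-----/   { inside = 0 }'
}

# Reduce "openssl ocsp" output ("leaf.pem: revoked", then indented detail lines) to one word:
# good, revoked or unknown. Pure text filter, so it can be tested offline.
ocsp_verdict() {
  awk '$1 ~ /:$/ && ($2 == "good" || $2 == "revoked" || $2 == "unknown") { print $2; found = 1; exit }
       END { if (!found) print "unknown" }'
}

# Ask the issuer's OCSP responder (URL taken from the leaf's AIA extension) about leaf $1 with issuer $2.
ocsp_status() {
  url=$(openssl x509 -in "$1" -noout -ocsp_uri)
  openssl ocsp -issuer "$2" -cert "$1" -url "$url" -CAfile "$CA_BUNDLE" 2>/dev/null | ocsp_verdict
}

# Serial number of the certificate in PEM file $1.
pem_serial() { openssl x509 -in "$1" -noout -serial | sed 's/^serial=//'; }

# Timestamped backup name, so a second run does not overwrite the first backup.
backup_name() { printf '%s.bak.%s\n' "$1" "$2"; }

# True when the renewal produced a certificate with a different serial than before.
serial_changed() { [ "$1" != "$2" ]; }

# The workaround from the thread: stop Caddy, move its state aside, start it again so it
# re-registers with Let's Encrypt and requests a fresh certificate.
force_renew() {
  snap stop "$CADDY_SVC"
  mv "$SNAP_HOME/.caddy" "$(backup_name "$SNAP_HOME/.caddy" "$(date +%Y%m%d%H%M%S)")"
  snap start "$CADDY_SVC"
}

main() {
  host="$1"; tmp=$(mktemp -d)
  fetch_chain "$host" "$tmp/leaf.pem" "$tmp/chain.pem"
  before=$(pem_serial "$tmp/leaf.pem")
  status=$(ocsp_status "$tmp/leaf.pem" "$tmp/chain.pem")
  echo "$host serves serial $before, OCSP status: $status"
  if [ "$status" != revoked ]; then echo "not revoked, nothing to do"; return 0; fi
  force_renew
  sleep 20   # assumed to be enough for the ACME exchange; lengthen it if the check below fails
  fetch_chain "$host" "$tmp/leaf.pem" "$tmp/chain.pem"
  after=$(pem_serial "$tmp/leaf.pem")
  if serial_changed "$before" "$after"; then
    echo "new certificate issued, serial $after"
  else
    echo "certificate unchanged; inspect: snap logs $CADDY_SVC" >&2; return 1
  fi
}

if [ $# -gt 0 ]; then main "$1"; fi
```

The OCSP check is there so the state directory is only thrown away when the certificate is actually revoked; for a certificate that is merely close to expiry, Caddy's normal renewal is the right path and this script exits without touching anything. Keeping the old .caddy directory under a timestamped name means the previous ACME account key and certificate can be restored if the re-issuance fails.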

Wow man! Thank you @jdv00!

You saved me!

Running Rocket 3.18.1

Hi! Where did you find .caddy? /root/snap/rocketchat-server/current does not have such a file.