ACME: revoke certificate on agreement update

[stongo]

Currently getting this error:
Provided agreement URL [https://letsencrypt.org/documents/LE-SA-v1.0.1-July-27-2015.pdf] does not match current agreement URL [https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf]"

Checking my acme.json the registration body has the older agreement. In this case, the certificate should be revoked and re-issued

[emilevauge]

Ouch. You are getting errors on renewing?

[raizyr]

it actually appears to be a fatal-error

traefik_1 | time="2016-08-01T19:44:32Z" level=fatal msg="Error creating TLS config acme: Error 400 - urn:acme:error:malformed - Provided agreement URL [https://letsencrypt.org/documents/LE-SA-v1.0.1-July-27-2015.pdf] does not match current agreement URL [https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf]"

[emilevauge]

@raizyr @stongo thanks for reporting it. This is a bad one...
I need to investigate on what is needed exactly here.
I cannot imagine we would have to revoke&re-issue all the existing certs.

[raizyr]

If it helps the troubleshooting, I have the acme cache on a docker volume and didn't see the error until I tried to stop and start a new container. The current cache file has:

"agreement": "https://letsencrypt.org/documents/LE-SA-v1.0.1-July-27-2015.pdf"

With debug logging on, the previous log message is

traefik_1 | time="2016-08-01T19:52:27Z" level=info msg="Loaded ACME config from storage /etc/traefik/acme/acme.json"

So it's getting past the loadAccount call in CreateConfig

[emilevauge]

It probably fails calling AgreeToTOS https://github.com/containous/traefik/blob/master/acme/acme.go#L277. I wonder if a call to client.Register() is needed again to manage this use case.

[mholt]

FYI, Let's Encrypt's new subscriber agreement went into effect today. Current one is always at https://acme-v01.api.letsencrypt.org/terms (just learned this today, https://community.letsencrypt.org/t/how-to-get-url-to-subscriber-agreement-before-registering/2566/2?u=mholt).

(Investigating to see if this problem affects Caddy users as well...)

[Caerbannog]

I have this fatal error when I start my containers now. Is there some way to get around it with traefik v1.0.1?

[emilevauge]

Here is a temporary workaround that allows traefik to start (waiting for a fix):

• backup your acme.json
• replace "agreement": "https://letsencrypt.org/documents/LE-SA-v1.0.1-July-27-2015.pdf" by "agreement": "https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf" and "terms_of_service": "https://letsencrypt.org/documents/LE-SA-v1.0.1-July-27-2015.pdf" by "terms_of_service": "https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf" your acme.json

Traefik should then start normally.

[emilevauge]

Fixed in #582. I will publish the v1.0.2 today.
Meanwhile, you can use the the docker image containous/traefik:pr-582.

[emilevauge]

Can someone confirm that containous/traefik:pr-582 fixes the issue ?

[raizyr]

I'll test it asap.

[raizyr]

@emilevauge containous/traefik:pr-582 does appear to work. With the old acme.json in place, I can start the container and the agreement gets updated to the new one. No errors. Thanks!

[emilevauge]

OK great, thanks @raizyr for testing :)