
I’m running Debian 9 in my Docker container, and today I was not able to update the root certificate for Let’s Encrypt inside the container. On the host (Ubuntu 20) everything worked without any intervention from me, but in my Debian container I was not able to get the new Let’s Encrypt root certificate; only recreating the container from scratch helped. I tried update-ca-certificates --fresh, but it didn’t help. Any ideas?

Due to this issue, requests from inside the container to HTTPS services with a Let’s Encrypt certificate failed with "SSL certificate problem: certificate has expired", because the Let’s Encrypt root certificate expired today (September 30, 2021).

2 Answers


  1. Try first to remove the old certificate from your list in /etc/ca-certificates.conf:

    sed -i 's#mozilla/DST_Root_CA_X3.crt#!mozilla/DST_Root_CA_X3.crt#g' /etc/ca-certificates.conf
    update-ca-certificates --fresh
    
  2. Yesterday I also faced the same issue. I’m sharing a quick hack because this was a production environment and I had to fix it immediately, and my Docker images are in AWS ECR. So I decided to rebuild the image that the TaskDefinition uses.

    Just pull the Docker image from ECR and create a new Dockerfile using that image:

    FROM <acc.docker-image:tag>
    # Deselect the expired DST Root CA X3; "#" is the sed delimiter because the path contains "/"
    RUN sed -i 's#mozilla/DST_Root_CA_X3.crt#!mozilla/DST_Root_CA_X3.crt#g' /etc/ca-certificates.conf
    RUN update-ca-certificates
    

    I built the new Docker image and pushed it to ECR, created a new revision of the TaskDefinition, and updated it to the latest image.

    Finally, I updated the ECS Service with the new TaskDefinition, and my issue was resolved in 20 minutes.

    I’m not sure about your environment, but this simple hack will reduce the pain and the time you spend rebuilding the base image for your application.

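An added example, not part of either answer: an idempotent form of the deselect step both answers use. The unanchored sed pattern prepends a second `!` when it runs again on an already-edited file, while this version matches the whole line literally. The function names, the `--apply` switch and the sample file are hypothetical, and the `mozilla/ISRG_Root_X1.crt` entry name is an assumption about the installed ca-certificates package.

```shell
#!/bin/sh
# Added example, not from the answers above.

# deselect_cert CONF ENTRY
# Prefix ENTRY with "!" in a ca-certificates.conf-style file so that
# update-ca-certificates leaves it out of the trust bundle.
# Matches the whole line literally, so it is safe to run more than once.
deselect_cert() {
    conf=$1; entry=$2
    tmp=$(mktemp) || return 1
    awk -v e="$entry" '$0 == e { print "!" e; next } { print }' "$conf" >"$tmp" \
        && cat "$tmp" >"$conf"   # cat keeps the owner and mode of CONF
    rc=$?
    rm -f "$tmp"
    return "$rc"
}

# cert_state CONF ENTRY -> prints "selected", "deselected" or "absent"
cert_state() {
    if grep -qxF -- "$2" "$1"; then echo selected
    elif grep -qxF -- "!$2" "$1"; then echo deselected
    else echo absent
    fi
}

# Constructed sample input (not a real system file).
write_sample_conf() {
    printf '%s\n' '# constructed sample' \
        'mozilla/DST_Root_CA_X3.crt' \
        'mozilla/ISRG_Root_X1.crt' >"$1"
}

# Real use, as root inside the container: sh script.sh --apply
if [ "${1:-}" = "--apply" ]; then
    conf=/etc/ca-certificates.conf
    deselect_cert "$conf" mozilla/DST_Root_CA_X3.crt || exit 1
    # Assumption: the replacement root is listed as mozilla/ISRG_Root_X1.crt.
    [ "$(cert_state "$conf" mozilla/ISRG_Root_X1.crt)" = selected ] \
        || echo "warning: ISRG Root X1 is not selected" >&2
    update-ca-certificates --fresh
fi
```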