Urgent warning from Let's Encrypt

Hello, I have received an urgent email from Let’s Encrypt:

Hello,

Please immediately renew your TLS certificate(s) that were issued from
Let’s Encrypt using the TLS-ALPN-01 validation method and the following
ACME registration (account) ID(s):

XXXXXXXXX

We’ve determined that an error made it possible for TLS-ALPN-01
challenges, completed before today, to not comply with certificate
issuance requirements. We have remediated this problem and will revoke
all unexpired certificates that used this validation method at 16:00 UTC
on 28 January 2022. Please renew your certificates now to ensure an
uninterrupted experience for your site visitors.

We apologize for any inconvenience this may cause. If you need support
in the renewal process, please comment on our forum post. Our staff and
community members are available to help:

Thank you,

The Let’s Encrypt Team

Link to their post: Questions about Renewing before TLS-ALPN-01 Revocations - Help - Let's Encrypt Community Support


How do we force the regeneration of the certificate? I am using docker.

I received the same email. I followed the link to the forum post at the bottom of the email and some people suggest deleting the acme.json file and others suggest to just empty the array within it. I’m not sure what route to take at this point in time.

It’s a bit scary to delete a file or empty it…

I have huge data in the n8n docker so I’m not sure what to do now…

I just deleted the acme.json file and then rebooted, but it didn’t go well. I’m now getting invalid cert / not secure. Luckily I took a snapshot.

Maybe try to remove data inside?

Where is the file? How can I find it?

Also, how did you reboot Traefik?

Looks like it came good after a couple of minutes (maybe browser cache?). I have a valid cert with a “Valid from” date of today’s date.

@yukyo I just gave the whole server a reboot but you can probably just take the docker container down.

The file is located in the letsencrypt folder; for me it’s n8n/letsencrypt/acme.json

Could you please let me know how you did it so I can replicate your steps?

Thank you

  1. Take a backup/snapshot (or I guess you could make a copy of the acme.json file)
  2. Locate the acme.json file and delete it (rm acme.json)
  3. Reboot the server
4 Likes

Looks mostly solid to me, I would probably just stop the containers, go to the letsencrypt volume (default would be /root/n8n/letsencrypt) and delete the contents then start up the containers again and it should sort itself out.

You may be able to access the traefik container and run a command as well but I can’t see any documentation on the traefik side for that.

It does take a minute or so for the Let’s Encrypt process to complete but it should be fine.

4 Likes

Hi @jon . I did and it was a complete disaster.

I have deleted the acme.json and did docker-compose down and up, and now I can’t log in to the n8n server anymore. I’m having an SSL issue and can’t continue… this is great.

Can you guide me step by step and command by command, please? I did exactly that and had to rollback to snapshot.

Hi guys, I just finished my server setup and also had issues generating an SSL certificate with the default docker-compose file mentioned in the docs.

In the example docker-compose file, Traefik with the TLS challenge is used to create and renew Let’s Encrypt certificates, and it wasn’t working for me (in combination with Cloudflare proxy). I did some research and modified the Traefik setup to use the HTTP challenge, which solved the problem.

Have you checked the Traefik logs to see what it thinks is going on?

I followed the steps from @Matt_W and it seemed to work correctly.

However, I have 3 servers, and on two of them I had outdated docker images of Traefik. On these servers I received errors when it tried to renew the certificate.
Tip: update your Traefik image before you automatically obtain a new certificate. After I did this, all 3 servers were working as expected.

1 Like

Not sure why it went wrong a couple of times and had to roll back to snapshot…

I have updated n8n to the last version first, stopped the docker-compose, and then deleted the file. Rebooted the machine and started docker-compose again. Then after a couple of F5, the SSL got renewed.

Thanks @Matt_W @jon .

1 Like

Hi. I got the same message from Let’s Encrypt and cannot access n8n with Firefox (but Edge is still ok). Here’s what I did:

  1. docker-compose down - to stop running n8n
  2. Remove the acme.json file inside n8n / letsencrypt
  3. docker-compose up -d - to start n8n again

After this, Firefox starts asking to trust the self-signed certificate again; just accept it and everything is good to go. Hope this helps!
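
The stop / remove acme.json / start procedure from the posts above, as an added example that is not part of the original thread or of the n8n or Traefik documentation. It moves the file aside instead of deleting it and then polls until the served certificate is no longer self-signed. `COMPOSE_DIR`, `DOMAIN` and the function names are assumptions, and `openssl` is assumed to be installed on the host.

```shell
#!/bin/sh
# Added example (not from the thread). COMPOSE_DIR, DOMAIN and all function
# names are assumptions; adjust them to your install.
set -eu
COMPOSE_DIR="${COMPOSE_DIR:-/root/n8n}"   # default path mentioned in the thread
DOMAIN="${DOMAIN:-n8n.example.com}"       # placeholder hostname

# Move acme.json aside instead of deleting it, so rollback is a single mv.
# Prints the backup path; returns non-zero if there is nothing to move.
park_acme_store() (
  src="$1/acme.json"
  [ -f "$src" ] || { echo "no acme.json in $1" >&2; exit 1; }
  dst="$src.bak-$(date -u +%Y%m%dT%H%M%SZ)"
  mv -- "$src" "$dst"
  chmod 600 "$dst"   # the store holds the ACME account key and certificate keys
  printf '%s\n' "$dst"
)

# Classify the output of `openssl x509 -noout -subject -issuer`.
# subject == issuer means self-signed, which is what a proxy serves while
# it has no CA-issued certificate yet.
classify_cert() (
  subject=$(printf '%s\n' "$1" | sed -n 's/^subject= *//p')
  issuer=$(printf '%s\n' "$1" | sed -n 's/^issuer= *//p')
  if [ -z "$subject" ] || [ -z "$issuer" ]; then echo unknown
  elif [ "$subject" = "$issuer" ]; then echo self-signed
  else echo ca-issued; fi
)

# Subject, issuer and notBefore of the certificate the server presents now.
served_cert_info() {
  openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null |
    openssl x509 -noout -subject -issuer -startdate 2>/dev/null
}

main() {
  cd "$COMPOSE_DIR"
  docker-compose down
  bak=$(park_acme_store "$COMPOSE_DIR/letsencrypt")
  echo "old store kept at $bak"
  docker-compose up -d
  i=0
  while [ "$i" -lt 30 ]; do      # issuance took posters a minute or more
    info=$(served_cert_info "$DOMAIN" || true)
    if [ "$(classify_cert "$info")" = ca-issued ]; then echo "$info"; return 0; fi
    i=$((i + 1)); sleep 10
  done
  echo "no CA-issued certificate yet; check the Traefik logs" >&2; return 1
}

if [ "${1:-}" = "--run" ]; then main; fi
```

Run it with `--run` to perform the rotation; the `notBefore` line it prints on success should show the new issuance date.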