Force Refresh Rocket.Chat Snap SSL Certificate via Caddy
I use Rocket.Chat installed via Snap on an Ubuntu VPS instance. The instance automatically manages its own SSL certificate via Caddy, using Let's Encrypt as the certificate issuer.
It has been working well for a few years; however, today I opened up the web interface and was greeted by this error:
Fortunately I remembered the following email from Let's Encrypt, which I had completely ignored at the time:
Please immediately renew your TLS certificate(s) that were issued from Let's Encrypt using the TLS-ALPN-01 validation method and the following ACME registration (account) ID(s):
We've determined that an error made it possible for TLS-ALPN-01 challenges, completed before today, to not comply with certificate issuance requirements. We have remediated this problem and will revoke all unexpired certificates that used this validation method at 16:00 UTC on 28 January 2022. Please renew your certificates now to ensure an uninterrupted experience for your site visitors.
I tried the lazy thing first, but no amount of restarting Rocket.Chat or Caddy worked (it looks like Caddy doesn't check whether the SSL cert is revoked, only expired). I instead had to go to where the SSL certificates are stored by Caddy (I dropped into a root shell with sudo su - first):
$ cd /root/snap/rocketchat-server/current/.caddy
And then renamed the acme folder, which contains the SSL certificate + key:
$ mv acme acme.old
Finally, I restarted Caddy:
$ systemctl restart snap.rocketchat-server.rocketchat-caddy.service
Success! Caddy re-created the acme folder with a brand new SSL cert. There may be a more formal way to do this with Caddy itself, though this method worked for me when I was trying to get things back running again.
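The same steps as a script, added here as an example and not part of the original post: it moves the acme folder aside under a timestamped name so an earlier acme.old is never overwritten, keeps the backup (which still holds the private key) readable by root only, and confirms after the restart that a different certificate is being served. The function names and the host chat.example.com are assumptions; the directory and service name are the ones used above.

```shell
#!/bin/sh
# Added example: run as root. Usage (chat.example.com is a placeholder host):
#   force_reissue chat.example.com /root/snap/rocketchat-server/current/.caddy \
#       snap.rocketchat-server.rocketchat-caddy.service

# Print the SHA-256 fingerprint of the certificate a host is currently serving.
served_fingerprint() {
    host=$1
    openssl s_client -connect "$host:443" -servername "$host" </dev/null 2>/dev/null |
        openssl x509 -noout -fingerprint -sha256
}

# Move <caddy_dir>/acme aside under a unique timestamped name and print that name.
# Refuses to overwrite, or nest into, an existing backup directory.
rotate_acme_dir() {
    caddy_dir=$1
    src="$caddy_dir/acme"
    dst="$caddy_dir/acme.old.$(date -u +%Y%m%dT%H%M%SZ)"
    if [ ! -d "$src" ]; then echo "no acme directory in $caddy_dir" >&2; return 1; fi
    if [ -e "$dst" ]; then echo "$dst already exists" >&2; return 1; fi
    mv "$src" "$dst" || return 1
    chmod -R go-rwx "$dst"    # the backup still contains the private key
    printf '%s\n' "$dst"
}

# Record the served fingerprint, rotate, restart Caddy, then poll for a new one.
force_reissue() {
    host=$1 caddy_dir=$2 unit=$3
    before=$(served_fingerprint "$host")
    backup=$(rotate_acme_dir "$caddy_dir") || return 1
    systemctl restart "$unit" || return 1
    tries=0
    while [ "$tries" -lt 12 ]; do
        sleep 5
        after=$(served_fingerprint "$host")
        if [ -n "$after" ] && [ "$after" != "$before" ]; then
            echo "new certificate served; previous directory kept at $backup"
            return 0
        fi
        tries=$((tries + 1))
    done
    echo "certificate unchanged after 60s; check the Caddy log ($backup kept)" >&2
    return 1
}
```

Once the new certificate is confirmed, the timestamped backup can be deleted, since the key in it belongs to a revoked certificate.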