Force Refresh Rocket.Chat Snap SSL Certificate via Caddy

Posted January 29th, 2022 in cloud-software

I use Rocket.Chat installed via Snap on an Ubuntu VPS instance. The instance automatically manages its own SSL certificate via Caddy, using Let's Encrypt as the certificate issuer.

It has been working well for a few years, however today I opened up the web interface and was greeted by this error:

SEC_ERROR_REVOKED_CERTIFICATE

Fortunately I remembered the following email from Let's Encrypt, which I had completely ignored at the time:

Please immediately renew your TLS certificate(s) that were issued from Let's Encrypt using the TLS-ALPN-01 validation method and the following ACME registration (account) ID(s):

We've determined that an error made it possible for TLS-ALPN-01 challenges, completed before today, to not comply with certificate issuance requirements. We have remediated this problem and will revoke all unexpired certificates that used this validation method at 16:00 UTC on 28 January 2022. Please renew your certificates now to ensure an uninterrupted experience for your site visitors.

Whoops 😳

I tried the lazy thing first, but no amount of restarting Rocket.Chat or Caddy worked (it looks like Caddy doesn't check whether the SSL cert is revoked, only expired). I instead had to go to where the SSL certificates are stored by Caddy (I dropped into a root shell with sudo su - first):

$ cd /root/snap/rocketchat-server/current/.caddy

And then renamed the acme folder, which contains the SSL certificate + key:

$ mv acme acme.old

Finally, I restarted caddy:

$ systemctl restart snap.rocketchat-server.rocketchat-caddy.service

Success! Caddy re-created the acme folder with a brand new SSL cert. There may be a more formal way to do this with Caddy itself, though this method worked for me when I was trying to get things back up and running again.
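The same steps as a script, added here as an example and not part of the original post or the Rocket.Chat snap. It assumes the Caddy storage path and systemd unit quoted above and a HOST variable naming the site, and it checks the served certificate's serial before and after so a restart that silently kept the revoked cert is caught instead of assumed to have worked.

```shell
#!/bin/sh
# Added example (not from the original post). Assumed: the Caddy storage path
# and systemd unit named in the post; HOST is the site's DNS name.
set -eu

CADDY_DIR="${CADDY_DIR:-/root/snap/rocketchat-server/current/.caddy}"
CADDY_UNIT="${CADDY_UNIT:-snap.rocketchat-server.rocketchat-caddy.service}"

# Serial number of the certificate a host is currently serving on :443.
served_serial() {
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -serial | cut -d= -f2
}

# Move acme/ aside under a timestamped name so repeated runs never clobber
# an earlier backup. Prints the backup path; fails if there is no acme/ dir.
rotate_acme_dir() {
    [ -d "$1/acme" ] || { echo "no acme directory under $1" >&2; return 1; }
    backup="$1/acme.old.$(date +%Y%m%d%H%M%S)"
    mv "$1/acme" "$backup"
    printf '%s\n' "$backup"
}

# Full procedure: snapshot the served serial, force re-issuance, then poll
# until the served serial changes. A bare restart leaves the serial as-is,
# which is exactly the failure mode the post describes.
force_renew() {
    host="$1"
    before=$(served_serial "$host")
    rotate_acme_dir "$CADDY_DIR" >/dev/null
    systemctl restart "$CADDY_UNIT"
    i=0
    while [ "$i" -lt 30 ]; do
        after=$(served_serial "$host" || true)
        if [ -n "$after" ] && [ "$after" != "$before" ]; then
            echo "new certificate served: serial $after (was $before)"
            return 0
        fi
        i=$((i + 1)); sleep 2
    done
    echo "served certificate unchanged after restart; check Caddy logs" >&2
    return 1
}

# Run only when explicitly asked, so the functions can be sourced safely.
if [ "${FORCE_RENEW:-0}" = 1 ]; then
    force_renew "${HOST:?set HOST to the site name}"
fi
```

Run as root with `FORCE_RENEW=1 HOST=chat.example.org sh force-renew.sh`; a non-zero exit means the old serial is still being served and Caddy's logs need a look.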

Tagged certificate caddy ssl let's encrypt rocket chat error renew tls-alpn-01
