I'm running Debian 9 in my Docker container, and today I was not able to update the Let's Encrypt root certificate inside the container. On the host (Ubuntu 20) everything worked without any intervention on my part, but in my Debian container I was not able to get the new Let's Encrypt root certificate; only recreating the container from scratch helped. I tried update-ca-certificates --fresh, but it didn't help. Any ideas?
Due to this issue, requests from inside the container to HTTPS services with a Let's Encrypt certificate failed with "SSL certificate problem: certificate has expired", because the Let's Encrypt root certificate expired today (September 30, 2021).
CodePudding user response:
Try first to remove the old certificate from your list in /etc/ca-certificates.conf:
sed -i 's#mozilla\/DST_Root_CA_X3.crt#!mozilla\/DST_Root_CA_X3.crt#g' /etc/ca-certificates.conf
update-ca-certificates --fresh
CodePudding user response:
Yesterday I also faced the same issue. I'm sharing this hack because it was a production environment, so I had to fix it immediately, and my Docker images are in AWS ECR. So I decided to rebuild the image that the TaskDefinition uses.
Just pull the Docker image from ECR and create a new Dockerfile using that image:
FROM <acc.docker-image:tag>
RUN sed -i 's/mozilla\/DST_Root_CA_X3.crt/!mozilla\/DST_Root_CA_X3.crt/g' /etc/ca-certificates.conf
RUN update-ca-certificates
I built the new Docker image and pushed it to ECR, created a new revision of the TaskDefinition, and updated it to the latest image.
Finally, I updated the ECS Service with the new TaskDefinition, and my issue was resolved in 20 minutes.
I'm not sure about your environment, but this simple hack will reduce the pain and the time you spend rebuilding the base image for your application.
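An added example, not part of either answer above: both sed commands match the entry anywhere in the line, so a second run (for example on a later image rebuild) turns !mozilla/DST_Root_CA_X3.crt into !!mozilla/DST_Root_CA_X3.crt. This sketch makes the edit idempotent and reports the state of an entry; the function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example. Function names and the sample file are constructed.

# disable_ca_entry CONF ENTRY
# Prefix ENTRY with "!" (deselected) only when the whole line is the
# still-enabled entry, so repeated runs never produce "!!mozilla/...".
disable_ca_entry() {
    conf=$1; entry=$2
    [ -f "$conf" ] || { echo "no such file: $conf" >&2; return 2; }
    # Escape regex metacharacters (notably the "." in ".crt").
    pat=$(printf '%s' "$entry" | sed 's/[][\.*^$#]/\\&/g')
    tmp=$(mktemp) || return 1
    # Write back with cat so the owner and mode of CONF are kept.
    sed "s#^${pat}\$#!&#" "$conf" > "$tmp" && cat "$tmp" > "$conf"
    rc=$?; rm -f "$tmp"; return $rc
}

# ca_entry_state CONF ENTRY -> prints enabled, disabled or absent
ca_entry_state() {
    if grep -qxF -- "$2" "$1"; then echo enabled
    elif grep -qxF -- "!$2" "$1"; then echo disabled
    else echo absent
    fi
}

# Constructed sample in ca-certificates.conf format. On a real system the
# file is /etc/ca-certificates.conf and update-ca-certificates runs afterwards.
sample=$(mktemp)
printf '%s\n' '# constructed sample' \
    'mozilla/DST_Root_CA_X3.crt' \
    'mozilla/ISRG_Root_X1.crt' > "$sample"

disable_ca_entry "$sample" mozilla/DST_Root_CA_X3.crt
disable_ca_entry "$sample" mozilla/DST_Root_CA_X3.crt   # second run changes nothing
echo "DST_Root_CA_X3: $(ca_entry_state "$sample" mozilla/DST_Root_CA_X3.crt)"
echo "ISRG_Root_X1:   $(ca_entry_state "$sample" mozilla/ISRG_Root_X1.crt)"
rm -f "$sample"
```

An "absent" result for the replacement root means disabling the expired one will not be enough on that image.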