
Support disabling private key reuse in certificate renewal #10103

Open
2 tasks done
OrkhanAlikhanov opened this issue Aug 31, 2023 · 9 comments
Labels: area/acme, kind/proposal (a proposal that needs to be discussed)

Comments

@OrkhanAlikhanov (Author) opened this issue Aug 31, 2023

Welcome!

  • Yes, I've searched similar issues on GitHub and didn't find any.
  • Yes, I've searched similar issues on the Traefik community forum and didn't find any.

What did you expect to see?

We are getting the error `urn:ietf:params:acme:error:badCSR :: Encountered errors validating CSR; errors=[CSR_PUBLIC_KEY_REUSE_NOT_ALLOWED]` while traefik tries to renew certs. Basically, the ACME provider refuses to do the renewal due to key reuse. Looking at the code, it seems like there is no option to avoid that:

```go
renewedCert, err := client.Certificate.Renew(certificate.Resource{
	Domain:      cert.Domain.Main,
	PrivateKey:  cert.Key,
	Certificate: cert.Certificate.Certificate,
}, true, ocspMustStaple, p.PreferredChain)
```

I think there should be an option to control this.
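
The `Renew` call quoted above hands the current key back to the renewal, so the CSR carries the same public key the CA already issued a certificate for, and a CA with a no-reuse policy rejects it at CSR validation. The Go program below is an added example, not traefik's or lego's code: the `KeyPolicy` type, the helper names and the `example.internal` domain are this example's own. It models both sides of the exchange: the client either reusing the deployed key or generating a fresh P-256 key per renewal (the behaviour this issue asks for, after cert-manager's `rotationPolicy: Always`), and the CA-side check that compares the CSR's SubjectPublicKeyInfo with the previous certificate's, which is what an error such as `CSR_PUBLIC_KEY_REUSE_NOT_ALLOWED` reports.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// KeyPolicy is this example's own analogue of cert-manager's rotationPolicy
// (not a traefik or lego type): ReuseNever generates a fresh key for every
// renewal, ReuseAlways keeps the key the current certificate was issued for.
type KeyPolicy int

const (
	ReuseNever KeyPolicy = iota
	ReuseAlways
)

// renewalKey picks the private key that will sign the renewal CSR.
func renewalKey(current *ecdsa.PrivateKey, policy KeyPolicy) (*ecdsa.PrivateKey, error) {
	if policy == ReuseAlways && current != nil {
		return current, nil
	}
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// buildCSR produces the DER-encoded CSR the ACME client would submit.
func buildCSR(domain string, key *ecdsa.PrivateKey) ([]byte, error) {
	tmpl := &x509.CertificateRequest{
		Subject:  pkix.Name{CommonName: domain},
		DNSNames: []string{domain},
	}
	return x509.CreateCertificateRequest(rand.Reader, tmpl, key)
}

// selfSignedCert stands in for the certificate currently deployed (constructed
// sample; a real CA would look up the previous certificate it issued).
func selfSignedCert(domain string, key *ecdsa.PrivateKey) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: domain},
		DNSNames:     []string{domain},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(90 * 24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// csrReusesKey is the CA-side check: after verifying the CSR's self-signature,
// it compares the CSR's SubjectPublicKeyInfo byte-for-byte with the one in
// the certificate being renewed.
func csrReusesKey(csrDER []byte, previous *x509.Certificate) (bool, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return false, err
	}
	if err := csr.CheckSignature(); err != nil {
		return false, err
	}
	return bytes.Equal(csr.RawSubjectPublicKeyInfo, previous.RawSubjectPublicKeyInfo), nil
}

// SimulateRenewal runs one renewal under the given policy and reports whether
// the CA-side reuse check would fire.
func SimulateRenewal(domain string, policy KeyPolicy) (bool, error) {
	currentKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return false, err
	}
	current, err := selfSignedCert(domain, currentKey)
	if err != nil {
		return false, err
	}
	key, err := renewalKey(currentKey, policy)
	if err != nil {
		return false, err
	}
	csr, err := buildCSR(domain, key)
	if err != nil {
		return false, err
	}
	return csrReusesKey(csr, current)
}

func main() {
	for _, p := range []KeyPolicy{ReuseAlways, ReuseNever} {
		reused, err := SimulateRenewal("example.internal", p)
		fmt.Println("policy", p, "csr reuses key:", reused, "err:", err)
	}
}
```

Under `ReuseAlways` the CSR's public key matches the deployed certificate and the check fires; under `ReuseNever` a new key is generated for the CSR and the check passes, which is the outcome a strict CA expects on every renewal.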

@nmengin (Contributor) commented Sep 4, 2023

Hello @OrkhanAlikhanov,

Thanks for reaching out.

Could you provide a minimal reproducible case (for instance, full Kubernetes manifest to reproduce the issue)?
In the meantime, if any community member can help us find verified steps to reproduce, we would love the help.

@OrkhanAlikhanov (Author)

Thanks! This is actually not a bug but a feature request. I believe there should be a way to control private key reuse. A similar feature was implemented in caddyserver/certmagic#237 recently.

cc: @ldez

@ldez (Member) commented Sep 4, 2023

Even if it's not a bug, I'm interested in a more detailed use case when the error occurs.

@OrkhanAlikhanov (Author)

The company's internal ACME declines renewing the certificate as traefik uses the same private key for getting the new certificate.

@ldez (Member) commented Sep 4, 2023

What is the interest of not reusing private keys if you are using an internal ACME implementation?

@OrkhanAlikhanov (Author)

Well the internal ACME implementation is out of our team's control. I guess as a security precaution they don't allow private key reuse.

@ldez (Member) commented Sep 4, 2023

I don't understand the security advantages when using an internal ACME server 🤔

In all cases, it's something related to lego and not really to traefik itself.

@OrkhanAlikhanov (Author)

Just to add to the discussion:

cert-manager.io has a rotationPolicy setting. From their docs:

> Some issuers, like the built-in Venafi issuer, may disallow re-using private keys. If this is the case, you must explicitly configure the rotationPolicy: Always setting for each of your Certificate objects accordingly.

@OrkhanAlikhanov (Author)

> I don't understand the security advantages when using an internal ACME server 🤔

@ldez It turned out that the ACME server also issues public-facing certificates, so it makes sense to prevent private key reuse from our ACME team's perspective.

> In all cases, it's something related to lego and not really to traefik itself.

@ldez I didn't understand how it's related to lego: from the code I see that traefik instructs lego to renew the certificate using its old private key, and lego just attempts that. Shouldn't we update traefik so that it does not reuse the old private key when renewing? Just like cert-manager.io's rotationPolicy setting.

I've come back to this issue because every quarter I manually remove old certificates from acme.json and restart traefik so that it issues certificates again without reusing private keys.

@ldez ldez self-assigned this Dec 18, 2023
@kevinpollet kevinpollet added kind/proposal a proposal that needs to be discussed. and removed status/0-needs-triage labels Dec 21, 2023