Support disabling private key reuse in certificate renewal #10103
Comments
Hello @OrkhanAlikhanov, thanks for reaching out. Could you provide a minimal reproducible case (for instance, a full Kubernetes manifest to reproduce the issue)?
Thanks! This is actually not a bug but a feature request. I believe there should be a way to control private key reuse. A similar feature was implemented in caddyserver/certmagic#237 recently. cc: @ldez
Even if it's not a bug, I'm interested in a more detailed use case of when the error occurs.
The company's internal ACME declines to renew the certificate, as Traefik uses the same private key for getting the new certificate.
What is the interest of not reusing private keys if you are using an internal ACME implementation?
Well, the internal ACME implementation is out of our team's control. I guess, as a security precaution, they don't allow private key reuse.
I don't understand the security advantages when using an internal ACME server 🤔 In all cases, it's something related to lego and not really to Traefik itself.
Just to add to the discussion:
@ldez It turned out that the ACME server also issues public-facing certificates, so it makes sense to prevent private key reuse from our ACME team's perspective.
@ldez I didn't understand how it's related to lego. From the code, I see that Traefik instructs lego to renew the certificate using its old private key, and lego just attempts that. Shouldn't we update Traefik so that it does not reuse the old private key when renewing? Just like I've come back to this issue because every quarter I manually remove old certificates from
What did you expect to see?
We are getting
urn:ietf:params:acme:error:badCSR :: Encountered errors validating CSR; errors=[CSR_PUBLIC_KEY_REUSE_NOT_ALLOWED]
error while Traefik tries to renew certs. Basically, the ACME provider refuses to do the renewal due to key reuse. Looking at the code, it seems like there is no option to avoid that: traefik/pkg/provider/acme/provider.go, lines 820 to 824 in 3fd5c74.
I think there should be an option to control this.
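The failure mode in this report, as an added example written for this page rather than code from Traefik, lego or the reporter: `RenewalCSR` builds the renewal CSR either with the existing private key (the behaviour described above) or with a freshly generated one, and `StrictCA` is a constructed stand-in for an ACME server that refuses to certify a public key it has already issued a certificate for, answering with the badCSR string quoted in the issue. `SameKey` is the check to run on the old and the renewed certificate to confirm which behaviour your client actually has. The type and function names, the domain `example.internal`, the CA's policy logic and the `must` helper are assumptions; only the error string comes from the issue.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Stand-in for the badCSR error quoted in the issue; only the string is taken from the page.
var ErrKeyReuse = errors.New("urn:ietf:params:acme:error:badCSR :: CSR_PUBLIC_KEY_REUSE_NOT_ALLOWED")

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// RenewalCSR builds the CSR sent at renewal: with reuseKey it is signed by the existing key
// (the behaviour the issue describes), otherwise by a freshly generated one. Hypothetical helper.
func RenewalCSR(existing *ecdsa.PrivateKey, domain string, reuseKey bool) (*x509.CertificateRequest, *ecdsa.PrivateKey, error) {
	key := existing
	if !reuseKey {
		key = must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	}
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: domain}, DNSNames: []string{domain}}
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	if err != nil {
		return nil, nil, err
	}
	csr, err := x509.ParseCertificateRequest(der)
	return csr, key, err
}

// StrictCA is a constructed stand-in for an ACME server that refuses to certify a public key twice.
type StrictCA struct {
	key    *ecdsa.PrivateKey
	cert   *x509.Certificate
	issued []*x509.Certificate
}

func NewStrictCA() *StrictCA {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "constructed test CA"},
		NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return &StrictCA{key: key, cert: must(x509.ParseCertificate(der))}
}

// Sign checks proof of possession, applies the no-reuse policy, then issues a 90-day certificate.
func (ca *StrictCA) Sign(csr *x509.CertificateRequest) (*x509.Certificate, error) {
	if err := csr.CheckSignature(); err != nil {
		return nil, err
	}
	for _, old := range ca.issued {
		if bytes.Equal(old.RawSubjectPublicKeyInfo, csr.RawSubjectPublicKeyInfo) {
			return nil, ErrKeyReuse
		}
	}
	tmpl := &x509.Certificate{
		SerialNumber: must(rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))),
		Subject:      csr.Subject, DNSNames: csr.DNSNames,
		NotBefore:    time.Now(), NotAfter: time.Now().Add(90 * 24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.cert, csr.PublicKey, ca.key)
	if err != nil {
		return nil, err
	}
	cert := must(x509.ParseCertificate(der))
	ca.issued = append(ca.issued, cert)
	return cert, nil
}

// SameKey reports whether two certificates carry the same public key (compare old vs. renewed cert).
func SameKey(a, b *x509.Certificate) bool {
	return bytes.Equal(a.RawSubjectPublicKeyInfo, b.RawSubjectPublicKeyInfo)
}

func main() {
	ca, key := NewStrictCA(), must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	csr, _, _ := RenewalCSR(key, "example.internal", true) // first issuance; nothing to reuse yet
	first := must(ca.Sign(csr))
	csr, _, _ = RenewalCSR(key, "example.internal", true) // renewal that reuses the key
	_, err := ca.Sign(csr)
	csr, _, _ = RenewalCSR(key, "example.internal", false) // renewal with a fresh key
	second := must(ca.Sign(csr))
	fmt.Println("reuse:", err, "| fresh-key renewal kept old key:", SameKey(first, second))
}
```

Run with `go run`: the first issuance succeeds, the renewal that reuses the key is refused with the badCSR error, and the fresh-key renewal succeeds with `SameKey` reporting false. One consequence worth keeping in mind when a client stops reusing keys: the new private key has to be written back to storage together with the renewed certificate, otherwise the key on disk no longer matches the certificate being served.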