zodern / meteor-up

Production Quality Meteor Deployment to Anywhere
http://meteor-up.com/
MIT License

Let's Encrypt root certificate expiry #1272

Open wildhart opened 3 years ago

wildhart commented 3 years ago

As per https://letsencrypt.org/docs/certificate-compatibility/ some of my users on iOS 9 can no longer access my website.

It looks like my site is using the legacy keychain with the expired root:

image

Is there a way in mup to force Let's Encrypt to use the modern keychain?

wildhart commented 3 years ago

Looks like this would need to expose the certbot preferred-chain parameter as per https://github.com/electron/electron/issues/31212#issuecomment-931486784

```
sudo certbot certonly --nginx -d <domain> --preferred-chain "ISRG Root X1"
```

And also we'd need to be using an appropriate version of certbot which supports this parameter.

zodern commented 3 years ago

We probably need to update to version 2 of https://github.com/nginx-proxy/acme-companion
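
Added example, not part of the original thread and not meteor-up code: whichever change is made, the chain a server actually sends can be checked from `openssl s_client` output. The host name and sample output below are constructed, and the script assumes the legacy chain is the one whose last certificate is ISRG Root X1 cross-signed by DST Root CA X3.

```shell
#!/bin/sh
# Added example: classify the chain shown in `openssl s_client` output.
# Reads the "Certificate chain" section on stdin and looks at the issuer of
# the last certificate the server sent.
classify_chain() {
  awk '
    /^Certificate chain/  { in_chain = 1; next }
    in_chain && /^---$/   { in_chain = 0 }      # section ends at a bare ---
    in_chain && /^ +i:/   { last_issuer = $0 }  # keep the final issuer line
    END {
      if (last_issuer ~ /DST Root CA X3/)    print "legacy"   # cross-signed X1 is served
      else if (last_issuer ~ /ISRG Root X1/) print "modern"   # chain stops below ISRG Root X1
      else                                   print "unknown"
    }'
}

# Live check (needs network access); the host name is supplied by the caller.
check_host() {
  openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null |
    classify_chain
}

# Constructed sample output, modelled on the s:/i: lines openssl prints.
sample_legacy() { cat <<'EOF'
CONNECTED(00000003)
---
Certificate chain
 0 s:CN = app.example.test
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
---
EOF
}

# Same constructed sample with the cross-signed certificate dropped.
sample_modern() { sample_legacy | grep -v -e '^ 2 s:' -e 'DST Root CA X3'; }

echo "legacy sample: $(sample_legacy | classify_chain)"
echo "modern sample: $(sample_modern | classify_chain)"
```

Against a real deployment, run `check_host <domain>` before and after reissuing the certificate.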