digitalocean / terraform-provider-digitalocean

Terraform DigitalOcean provider
https://registry.terraform.io/providers/digitalocean/digitalocean/latest/docs
Mozilla Public License 2.0

digitalocean_cdn custom domain certificate fails "invalid certificate issued by Cloudflare origin CA" #1135

Open SkeLLLa opened 2 months ago

SkeLLLa commented 2 months ago

Bug Report


Describe the bug

Trying to add a custom domain to a CDN resource on DO leads to an error: "invalid certificate issued by Cloudflare origin CA"

Affected Resource(s)

Expected Behavior

No error, cdn is enabled.

Actual Behavior

The certificate is added to DO successfully, but CDN creation fails with the error: 422 invalid certificate issued by Cloudflare origin CA (type: invalid-cert, retryable: false): invalid certificate issued by Cloudflare origin CA

Steps to Reproduce

Terraform version

Terraform: 1.7.2
DO Provider: 2.36.0

Debug Output

---[ REQUEST ]---------------------------------------
POST /v2/cdn/endpoints HTTP/1.1
Host: api.digitalocean.com
User-Agent: Terraform/1.7.2-dev godo/1.109.0
Content-Length: 173
Accept: application/json
Content-Type: application/json
Accept-Encoding: gzip

{
 "origin": "bucketname.ams3.digitaloceanspaces.com",
 "ttl": 0,
 "custom_domain": "cdn.custom_domain.com",
 "certificate_id": "9818a4d2-33c3-43fa-aff7-a40cdedbe1ae"
}

-----------------------------------------------------: timestamp="2024-04-08T00:16:32.410+0200"

---[ RESPONSE ]--------------------------------------
HTTP/2.0 422 Unprocessable Entity
Content-Length: 184
Cf-Cache-Status: DYNAMIC
Cf-Ray: 870d61f2a97d2d30-KBP
Content-Type: application/json; charset=utf-8
Date: Sun, 07 Apr 2024 22:16:42 GMT
Ratelimit-Limit: 5
Ratelimit-Remaining: 3
Ratelimit-Reset: 1712528202
Server: cloudflare
X-Request-Id: b025a649-ae04-41a3-be48-b45eea491ece
X-Response-From: service

{
 "id": "unprocessable_entity",
 "message": "invalid certificate issued by Cloudflare origin CA (type: invalid-cert, retryable: false): invalid certificate issued by Cloudflare origin CA"
}

-----------------------------------------------------: timestamp="2024-04-08T00:16:42.752+0200"

Additional context

See provider request ids and certificate id (those are not changed).

Important Factoids

References

Might be related to #1095, #1086.
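A pre-flight check for the failure reported above, added here as an example (it is not code from the issue or from the provider): before a `terraform apply` uploads a certificate for the CDN endpoint, it flags a leaf certificate issued by Cloudflare's Origin CA, which is not publicly trusted, or one that does not verify against the system's public roots. The issuer-name pattern and the sample CA/leaf pair are assumptions constructed for the example; Go is used because the provider and godo are written in Go.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// IssuedByCloudflareOriginCA matches an assumed issuer CN pattern ("CloudFlare ... Origin ..."); the pattern is an assumption, not taken from the issue.
func IssuedByCloudflareOriginCA(c *x509.Certificate) bool {
	cn := strings.ToLower(c.Issuer.CommonName)
	return strings.Contains(cn, "cloudflare") && strings.Contains(cn, "origin")
}

// CheckLeaf rejects a certificate a public CDN edge cannot serve: one issued by an origin-only CA, or one that does not chain to the system's public roots.
func CheckLeaf(leaf *x509.Certificate) error {
	if IssuedByCloudflareOriginCA(leaf) {
		return fmt.Errorf("issued by Cloudflare Origin CA %q: not publicly trusted", leaf.Issuer.CommonName)
	}
	if _, err := leaf.Verify(x509.VerifyOptions{}); err != nil {
		return fmt.Errorf("does not chain to a public root: %w", err)
	}
	return nil
}

// ConstructedOriginLeaf builds a throwaway CA named like Cloudflare's Origin CA and a leaf it signed (constructed sample so the check runs offline).
func ConstructedOriginLeaf() (*x509.Certificate, error) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := func(serial int64, cn string, isCA bool) *x509.Certificate {
		return &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
			IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
			NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	}
	ca := tmpl(1, "CloudFlare Origin SSL Certificate Authority", true)
	caDER, err := x509.CreateCertificate(rand.Reader, ca, ca, pub, key)
	if err != nil {
		return nil, err
	}
	caCert, _ := x509.ParseCertificate(caDER) // freshly created DER, cannot fail
	leafDER, err := x509.CreateCertificate(rand.Reader, tmpl(2, "cdn.example.com", false), caCert, pub, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(leafDER)
}
```

Running `CheckLeaf` on the certificate you are about to pass as `certificate_id` reproduces the API's `invalid-cert` rejection locally, before the plan is applied.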

SkeLLLa commented 2 months ago

After hundreds of retries I was able to set up the certificate manually through the web UI, and now the terraform resource shows that it wants to change the cdn resource because

  ~ resource "digitalocean_cdn" "bucket_cdn" {
      ~ certificate_name = "needs-cloudflare-cert" -> "correct-cert-name"
        id               = "xxxxxxxx-xxxx-xxxx-8a9d-9e3af0e670c6"
        # (6 unchanged attributes hidden)
    }