digitalocean / terraform-provider-digitalocean

Terraform DigitalOcean provider
https://registry.terraform.io/providers/digitalocean/digitalocean/latest/docs
Mozilla Public License 2.0

Renewing certificate attached to load balancer #98

Open inf0rmer opened 6 years ago

inf0rmer commented 6 years ago

Terraform Version

Terraform v0.11.7
+ provider.archive v1.0.3
+ provider.aws v1.22.0
+ provider.digitalocean v0.1.3
+ provider.github v1.1.0

Affected Resource(s)

Please list the resources as a list, for example:

Terraform Configuration Files

resource "digitalocean_certificate" "certificate" {
  name             = "certificate"
  private_key      = "${file("keys/certificate.key")}"
  leaf_certificate = "${file("certs/certificate.crt")}"
}

resource "digitalocean_loadbalancer" "lb" {
  name   = "lb"
  region = "fra1"

  forwarding_rule {
    entry_port     = 80
    entry_protocol = "http"

    target_port     = 80
    target_protocol = "http"
  }

  forwarding_rule {
    entry_port     = 443
    entry_protocol = "https"

    target_port     = 80
    target_protocol = "http"

    certificate_id = "${digitalocean_certificate.certificate.id}"
  }

  healthcheck {
    port     = 80
    protocol = "http"
    path     = "/healthz"
  }

  redirect_http_to_https = true

  droplet_ids = ["${digitalocean_droplet.droplet01.id}", "${digitalocean_droplet.droplet02.id}"]
}

Expected Behavior

When uploading a new version of a certificate, the new certificate should replace the current one on the load balancer.

Actual Behavior

Error deleting Certificate: DELETE https://api.digitalocean.com/v2/certificates/UUID: 403 (request "REQUEST_ID") This certificate is being used by an active Load Balancer. You must make sure no Load Balancer is using it before deleting.

Steps to Reproduce

  1. terraform apply

TFaga commented 6 years ago

To get around this issue, you need to set the create_before_destroy lifecycle property of the certificate to true. Like so:

resource "digitalocean_certificate" "certificate" {
  name             = "certificate"
  private_key      = "${file("certificate.key")}"
  leaf_certificate = "${file("certificate.crt")}"

  lifecycle {
    create_before_destroy = true
  }
}

Do keep in mind that you will also need to change the name of the certificate when doing the update, as you cannot have multiple certificates with the same name, even if only for a brief time between creating the new one, updating the load balancer and deleting the old one.

RuslanZavacky commented 5 years ago

@TFaga when create_before_destroy = true is set, DO API throws 422, as it complains, that name should be unique:

digitalocean_certificate.cert-dev: Error creating Certificate: POST https://api.digitalocean.com/v2/certificates: 422 (request "<uid>") name is not unique

erkie commented 5 years ago

@TFaga @RuslanZavacky even if you rename the certificate as mentioned by @TFaga this error appears:

found certificate <name> with the same SHA-1 fingerprint

marcuslind90 commented 4 years ago

I'm experiencing this issue as well. I have create_before_destroy = true, but it's very often that I'm forced to create new certificates with new names due to this error. It makes the pipeline very flaky.

schell commented 4 years ago

I am also experiencing this. Quite a bummer.

liemle3893 commented 4 years ago

Same problem here. In my case, I just need to update the leaf certificate. Note that my resource name is changed and lifecycle.create_before_destroy was set to true.

Error creating Certificate: POST https://api.digitalocean.com/v2/certificates: 422 (request "<>uuid") found certificate main-cert with the same SHA-1 fingerprint

liarco commented 3 years ago

I solved a similar problem thanks to a recent fix from @andrewsomething. You can find a code example in #578.

NicolasCARPi commented 1 year ago

@TFaga when create_before_destroy = true is set, DO API throws 422, as it complains, that name should be unique:

digitalocean_certificate.cert-dev: Error creating Certificate: POST https://api.digitalocean.com/v2/certificates: 422 (request "<uid>") name is not unique

And this is still an issue as of today. Adding a new domain to a letsencrypt cert will raise this error. The workaround is to change the name of the certificate block (e.g. cert01 -> cert02) so a new one is created. Change the name in the load balancer too and the new domain will properly be added.

Would be great if this could be fixed!
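The workaround described by @TFaga and @NicolasCARPi (create_before_destroy plus a changed certificate name), written out as an added example that is not code from any commenter or from the provider's docs. It uses Terraform 0.12+ syntax, assumes the file paths shown, and derives the name from a hash of the leaf certificate so the rename happens automatically on every renewal and never when the PEM is unchanged.

```hcl
locals {
  # Hypothetical paths; substitute your own. Hashing the leaf certificate gives a
  # name that is unique per certificate version, which avoids the 422 "name is not
  # unique" error seen above without a manual cert01 -> cert02 edit each renewal.
  cert_pem = file("${path.module}/certs/certificate.crt")
  key_pem  = file("${path.module}/keys/certificate.key")
  cert_tag = substr(sha256(local.cert_pem), 0, 8)
}

resource "digitalocean_certificate" "certificate" {
  # The name only changes when the PEM changes, so an apply with unchanged
  # material creates no new resource and cannot hit the "same SHA-1 fingerprint"
  # conflict that a plain rename of identical material triggers.
  name             = "certificate-${local.cert_tag}"
  private_key      = local.key_pem # stored in Terraform state; protect the backend
  leaf_certificate = local.cert_pem

  lifecycle {
    # Create the replacement before the old one is detached from the load
    # balancer; deleting first fails with the 403 shown in the issue.
    create_before_destroy = true
  }
}

resource "digitalocean_loadbalancer" "lb" {
  name   = "lb"
  region = "fra1"

  forwarding_rule {
    entry_port     = 443
    entry_protocol = "https"

    target_port     = 80
    target_protocol = "http"

    # Referencing the new certificate's id makes Terraform update the load
    # balancer after the new certificate exists and before the old one is deleted.
    certificate_id = digitalocean_certificate.certificate.id
  }

  healthcheck {
    port     = 80
    protocol = "http"
    path     = "/healthz"
  }

  redirect_http_to_https = true
  droplet_ids            = [digitalocean_droplet.droplet01.id, digitalocean_droplet.droplet02.id]
}
```

Before relying on this in a pipeline, run terraform plan after a renewal and confirm it shows the certificate being replaced (create then destroy) and the load balancer being updated in place, rather than the load balancer being replaced.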