dnsimple / terraform-provider-dnsimple

Terraform DNSimple provider.
https://www.terraform.io/docs/providers/dnsimple/
Mozilla Public License 2.0

dnsimple_lets_encrypt_certificate defaults now to ECDSA signature algorithm, but RSA should be used for ESX #71

Closed ehaselwanter closed 1 year ago

ehaselwanter commented 1 year ago

Hi there,

I need to be able to order RSA-type private keys for dnsimple_lets_encrypt_certificate. The API https://developer.dnsimple.com/v2/certificates/#issueRenewalLetsencryptCertificate states that this is possible.

How can I either set the default to RSA or configure the Resource to use RSA?

Terraform Version

❯ terraform -v
Terraform v1.3.7
on darwin_arm64

Affected Resource(s)


Terraform Configuration Files

resource "dnsimple_lets_encrypt_certificate" "esx-1-dc1-cert" {
  domain_id  = "xzy"
  contact_id = var.dnsimple_contact_id
  auto_renew = true
  name       = dnsimple_zone_record.esx-1-dc1.name
}

Expected Behavior

creates an RSA private key

Actual Behavior

creates an ECDSA private key.

Important Factoids

the default changed and broke the deployment

References

By default, a certificate uses ECDSA signature algorithm, but RSA can be used as well if your specific scenario required it.

ehaselwanter commented 1 year ago

btw. it is possible to update the cert with a renewal via the API and get working RSA certs

curl  -H "Authorization: Bearer $TF_VAR_dnsimple_token" \
      -H 'Accept: application/json' \
      -H 'Content-Type: application/json' \
      -X POST \
      -d '{"auto_renew":true,"signature_algorithm":"RSA"}' \
      https://api.dnsimple.com/v2/$TF_VAR_dnsimple_account/domains/the.domain/certificates/letsencrypt/123424/renewals

but quite as expected: this breaks subsequent terraform runs:

dnsimple_lets_encrypt_certificate.esx-3-dc1-cert: Refreshing state... [id=1422944]
dnsimple_lets_encrypt_certificate.esx-2-dc1-cert: Refreshing state... [id=1291760]
data.dnsimple_certificate.esx-3-dc1: Reading...
╷
│ Warning: Argument is deprecated
│ 
│   with dnsimple_lets_encrypt_certificate.esx-1-dc1-cert,
│   on main.tf line 33, in resource "dnsimple_lets_encrypt_certificate" "esx-1-dc1-cert":
│   33:   contact_id = var.dnsimple_contact_id
│ 
│ contact_id is deprecated and has no effect. The attribute will be removed
│ in the next major version.
│ 
│ (and 7 more similar warnings elsewhere)
╵
╷
│ Error: Plugin did not respond
│ 
│   with data.dnsimple_certificate.esx-3-dc1,
│   on outputs.tf line 1, in data "dnsimple_certificate" "esx-3-dc1":
│    1: data "dnsimple_certificate" "esx-3-dc1" {
│ 
│ The plugin encountered an error, and failed to respond to the
│ plugin.(*GRPCProvider).ReadDataSource call. The plugin logs may contain
│ more details.
╵

Stack trace from the terraform-provider-dnsimple_v0.15.0 plugin:

panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x10 pc=0xaca605]

goroutine 431 [running]:
github.com/terraform-providers/terraform-provider-dnsimple/dnsimple.dataSourceDNSimpleCertificateRead({0xd73a88, 0xc0007beba0}, 0x7f11ff489a68?, {0xb15f80?, 0xc000196d20})
        github.com/terraform-providers/terraform-provider-dnsimple/dnsimple/datasource_dnsimple_certificate.go:71 +0x345
github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema.(*Resource).read(0xc000318c40, {0xd73ac0, 0xc00080eed0}, 0xd?, {0xb15f80, 0xc000196d20})
        github.com/hashicorp/terraform-plugin-sdk/v2@v2.17.0/helper/schema/resource.go:724 +0x12e
github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema.(*Resource).ReadDataApply(0xc000318c40, {0xd73ac0, 0xc00080eed0}, 0xc000653500, {0xb15f80, 0xc000196d20})
        github.com/hashicorp/terraform-plugin-sdk/v2@v2.17.0/helper/schema/resource.go:943 +0x145
github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema.(*GRPCProviderServer).ReadDataSource(0xc0004e52d8, {0xd73a18?, 0xc0002b7140?}, 0xc0001a1e20)
        github.com/hashicorp/terraform-plugin-sdk/v2@v2.17.0/helper/schema/grpc_provider.go:1179 +0x38f
github.com/hashicorp/terraform-plugin-go/tfprotov5/tf5server.(*server).ReadDataSource(0xc0004403c0, {0xd73ac0?, 0xc00080e750?}, 0xc0001a4690)
        github.com/hashicorp/terraform-plugin-go@v0.9.1/tfprotov5/tf5server/server.go:657 +0x41d
github.com/hashicorp/terraform-plugin-go/tfprotov5/internal/tfplugin5._Provider_ReadDataSource_Handler({0xc1c320?, 0xc0004403c0}, {0xd73ac0, 0xc00080e750}, 0xc0007be780, 0x0)
        github.com/hashicorp/terraform-plugin-go@v0.9.1/tfprotov5/internal/tfplugin5/tfplugin5_grpc.pb.go:421 +0x170
google.golang.org/grpc.(*Server).processUnaryRPC(0xc00032a8c0, {0xd77398, 0xc0002ba1a0}, 0xc00035cc60, 0xc0004ed830, 0x1212b70, 0x0)
        google.golang.org/grpc@v1.46.0/server.go:1283 +0xcfe
google.golang.org/grpc.(*Server).handleStream(0xc00032a8c0, {0xd77398, 0xc0002ba1a0}, 0xc00035cc60, 0x0)
        google.golang.org/grpc@v1.46.0/server.go:1620 +0xa2f
google.golang.org/grpc.(*Server).serveStreams.func1.2()
        google.golang.org/grpc@v1.46.0/server.go:922 +0x98
created by google.golang.org/grpc.(*Server).serveStreams.func1
        google.golang.org/grpc@v1.46.0/server.go:920 +0x28a

Error: The terraform-provider-dnsimple_v0.15.0 plugin crashed!

This is always indicative of a bug within the plugin. It would be immensely
helpful if you could report the crash with the plugin's maintainers so that it
can be fixed. The output above should help diagnose the issue.

Operation failed: failed running terraform plan (exit 1)

DXTimer commented 1 year ago

@ehaselwanter thank you for reporting the issue. We've taken note and will work on extending the provider in the coming weeks.

DXTimer commented 1 year ago

The provider has been extended to support selecting which signature algorithm to use when issuing a Let's Encrypt certificate.

Now you can do:

resource "dnsimple_lets_encrypt_certificate" "esx-1-dc1-cert" {
  domain_id  = "xzy"
  auto_renew = true
  name       = dnsimple_zone_record.esx-1-dc1.name
  signature_algorithm = "RSA"
}

You can take a look at the resource documentation for up-to-date information.

Closed by https://github.com/dnsimple/terraform-provider-dnsimple/pull/81