Closed (oxc closed this 1 year ago)
@fraenki, I've tried to implement the idea I outlined in #40. This is completely untested, except for the facts, but I wanted to get your opinion early, because I changed a lot of internal workings.
I will test the changes tomorrow, looking forward to your feedback.
I've tested this on my setup and made some more minor adjustments. All my existing certificates are kept as-is without any modifications, and new ones are created correctly, even when specifying a custom resource name (and even if that resource name contains spaces and parentheses 😊)
The crt resources are now collected based on their title; this allows us to fully get rid of the wildcard marker.
I don't like how you still have to make sure that your certificate names are globally unique across nodes. However, I don't see a good way to introduce automatic hostname scoping without breaking compatibility. Any ideas?
> However, I don't see a good way to introduce automatic hostname scoping without breaking compatibility. Any ideas?
Unfortunately no. Maybe this is another feature that could be hidden behind an opt-in flag? Enabling the flag would break backwards compatibility, but allow the same cert on multiple nodes.
Merged, thanks!
Before, only one certificate could exist for a specific (main) domain across all nodes. This change allows using the $name of the resource to give the certificate a different identifier and to specify the domain(s) as $domain.
Fixes #40
This change replaces the usage of $domain as resource title for nearly everything. It uses the resource name also for child resources. If the name is different from the domain, it will specify a different `--cert-home` to acme.sh, which is only used by this particular certificate. For this to work, the CERT_NAME property has to be removed from the account config.

The single facts for each certificate are replaced by two structured facts that contain all resources. This makes it easier to use the unaltered resource names without having to escape characters. The acme_csrs fact is a hash from certificate name to CSR content; the acme_certs fact is a hash from certificate name to a hash containing { crt, ca, cn }.

For all certificates that don't explicitly set the `domain` property, as well as for single-domain certificates, this should be fully compatible. However, for SAN certificates that specify the `domain` as well, this is currently a breaking change, as they will use new directory names (based on their $name, which is the full domain list). They should get fully regenerated, but the old files, including the private key, will be lost if not migrated at some point.
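The two structured facts described above, as an added example that is not the module's own fact code: a Ruby collector that builds `acme_certs` (a `{ crt, ca, cn }` hash per resource name) and `acme_csrs` (CSR content per resource name) from a per-certificate cert-home tree, keyed by the unaltered resource name. The directory layout `<root>/<name>/{cert.pem,ca.pem,cert.csr}` and the self-signed sample certificate are assumptions constructed for the demo, not the module's real paths.

```ruby
require 'openssl'
require 'tmpdir'
require 'fileutils'

# Constructed stand-in for an acme.sh-issued certificate: a self-signed PEM with the given CN.
def make_self_signed(cn)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.serial = 1
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert.to_pem
end

# Collect acme_certs and acme_csrs from <root>/<resource name>/{cert.pem,ca.pem,cert.csr}.
# The layout and file names are assumptions, not the module's real paths; the hash keys
# are the unaltered resource names, so spaces and parentheses need no escaping.
def acme_facts(root)
  certs = {}
  csrs = {}
  Dir.children(root).sort.each do |name|
    dir = File.join(root, name)
    next unless File.directory?(dir)
    read = ->(file) { path = File.join(dir, file); File.file?(path) ? File.read(path) : nil }
    csr = read.call('cert.csr')
    csrs[name] = csr if csr
    crt = read.call('cert.pem')
    next unless crt
    # cn is taken from the certificate subject, not derived from the resource name
    cn_entry = OpenSSL::X509::Certificate.new(crt).subject.to_a.find { |e| e[0] == 'CN' }
    certs[name] = { 'crt' => crt, 'ca' => read.call('ca.pem') || '', 'cn' => cn_entry && cn_entry[1] }
  end
  { 'acme_certs' => certs, 'acme_csrs' => csrs }
end

# Constructed sample tree: one issued cert under a custom resource name, one pending CSR.
def demo
  Dir.mktmpdir do |root|
    issued = File.join(root, 'My Cert (prod)')
    pending = File.join(root, 'www.example.org')
    FileUtils.mkdir_p([issued, pending])
    File.write(File.join(issued, 'cert.pem'), make_self_signed('example.com'))
    File.write(File.join(pending, 'cert.csr'), "-----BEGIN CERTIFICATE REQUEST-----\nconstructed\n-----END CERTIFICATE REQUEST-----\n")
    acme_facts(root)
  end
end
```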