Closed wwkimball closed 2 years ago
I also noticed that the node's private key doesn't seem to be collected on the Puppet Server; I couldn't find it anywhere. This leads me to suspect your module doesn't cache the original private key. Without it, whenever a node is destroyed and rebuilt, an entirely new private key will be automatically created which will -- of course -- never match the previously-signed certificate that your module will serve up from the Puppet Server.
If this is the case, then please start caching the right private keys with their signed certificates. It is critical for a node to receive the correct pair. Your module could easily pass the matching pair back to the requesting node no matter how many times it gets rebuilt.
> If this is the case, then please start caching the right private keys with their signed certificates.
They are not cached on purpose. In my opinion the whole point of this module is a clear separation of concerns.
That being said I still have no idea how to fix the mismatch that occurs when rebuilding nodes (except to manually remove everything, of course), so I'm open to suggestions.
Since nobody has come up with a solution for this problem, I've added an entry to the README.
Building a fresh node with your module using the DNS-01 mechanism with GoDaddy works mostly well. However, if we destroy a node that had already received its certificate, chain, and key files, we are unable to rebuild that node because we end up with a mismatched certificate/key pair. In my own testing, I was only able to rebuild an affected node by fully destroying both the affected node and the Puppet Server itself, then rebuilding them both! This is obviously not an ideal workaround.
Steps to reproduce:
There is no readily-identifiable way to resolve this error. I manually compared the private key and certificate files on the affected node and indeed, they are mismatched. I tried destroying the old certificate files from /etc/acme.sh/* directories on the Puppet Server for the affected node and repeating the request sequence in the hope that your module would re-request fresh copies of the files from GoDaddy, but this had no effect; in fact, the certificate files are never recreated on the Puppet Server. This leads me to suspect that you're caching the certificates in PuppetDB, which is cool, except this needs to be clear in your documentation along with a direct means of flushing affected resources.
Please advise.
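The manual key/certificate comparison described in this issue can be automated so a rebuilt node detects the mismatch before it installs a pair served from the Puppet Server. The following is an added example, not code from the module or from the reporter: it uses Ruby's standard OpenSSL bindings (Puppet's own runtime) to check whether a private key matches a certificate, and it reproduces the rebuild scenario with constructed keys and a self-signed certificate rather than anything issued through acme.sh or GoDaddy. The hostname, file paths and function names are illustrative assumptions.

```ruby
require 'openssl'

# Build a self-signed certificate for +key+. This is constructed test data
# standing in for an ACME-issued certificate; only the key/cert relationship
# matters for the check below.
def self_signed_cert(key, common_name)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{common_name}")
  cert.issuer = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert
end

# True when the certificate's public key corresponds to the private key.
# This is the same test as comparing moduli by hand, done by OpenSSL itself,
# and it works for RSA and EC keys alike.
def key_matches_cert?(cert_pem, key_pem)
  cert = OpenSSL::X509::Certificate.new(cert_pem)
  key = OpenSSL::PKey.read(key_pem)
  cert.check_private_key(key)
end

# Reproduce the failure mode from the issue: a node is issued a certificate
# for key A, is destroyed and rebuilt, and now holds a fresh key B while the
# server still serves the certificate for A.
def rebuild_scenario
  original_key = OpenSSL::PKey::RSA.new(2048)
  cert_pem = self_signed_cert(original_key, 'node1.example.com').to_pem

  rebuilt_key = OpenSSL::PKey::RSA.new(2048) # new key generated on rebuild

  {
    original: key_matches_cert?(cert_pem, original_key.to_pem), # true
    rebuilt:  key_matches_cert?(cert_pem, rebuilt_key.to_pem)   # false
  }
end

if __FILE__ == $PROGRAM_NAME
  if ARGV.length == 2
    # Usage: ruby check_pair.rb /path/to/cert.pem /path/to/privkey.pem
    # (paths are hypothetical; pass whatever the node actually deploys)
    ok = key_matches_cert?(File.read(ARGV[0]), File.read(ARGV[1]))
    puts(ok ? 'OK: private key matches certificate' : 'MISMATCH: key does not match certificate')
  else
    puts rebuild_scenario.inspect
  end
end
```

Running the script with two file arguments checks a deployed pair; without arguments it runs the rebuild scenario and shows the original key matching while the rebuilt key does not. A check like this at deploy time (for example as a Puppet `unless` guard before the certificate is written into place) would have surfaced the mismatched pair immediately instead of after the service failed to start.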