remilapeyre / vault-acme

Mozilla Public License 2.0
94 stars, 24 forks

[docs] provider_configuration took me a while to do correctly #33

Open xeroc opened 2 years ago

xeroc commented 2 years ago

Not a bug, but request for updated docs

It took me a while to get the provider_configuration set up correctly since I wasn't aware how to correctly provide a map of strings on the command line, and Vault would accept a few other formats as well:

wrong:

correct:

provider_configuration="HETZNER_API_KEY=$HETZNER_API_KEY"

Complete example:

vault write acme/accounts/example.com \
     contact=fabian@example.com \
     server_url=https://acme-staging-v02.api.letsencrypt.org/directory \
     terms_of_service_agreed=true \
     provider=hetzner \
     provider_configuration="HETZNER_API_KEY=$HETZNER_API_KEY" \
     dns_resolver='["ns1.first-ns.de", "robotns2.second-ns.de", "robotns3.second-ns.com"]'

fuog commented 2 years ago

Thanks, but how would you do more than one K/V pair? provider_configuration="\"FOO\"=\"value1\", \"BAR\"=\"value2\""

Does this:

Key                        Value
---                        -----
...
provider_configuration     map["FOO":"value1", "BAR"="value2"]
...
fuog commented 2 years ago

Okay, I found out :+1:

Correct would be to use provider_configuration multiple times ...

vault write acme/accounts/someaccount \
    contact=postmaster@somedomain.com \
    server_url=https://acme-staging-v02.api.letsencrypt.org/directory \
    terms_of_service_agreed=true \
    provider=rfc2136 \
    provider_configuration="RFC2136_NAMESERVER=1.2.3.4" \
    provider_configuration="RFC2136_TSIG_KEY=lego" \
    provider_configuration="RFC2136_TSIG_ALGORITHM=hmac-sha256." \
    provider_configuration="RFC2136_TSIG_SECRET=YWJjZGVm...MTIzNDU=" \
    -format=json

Now we have it correctly:

{
  "request_id": "5............972f4e18e",
  "lease_id": "",
  "lease_duration": 0,
  "renewable": false,
  "data": {
    "contact": "postmaster@somedomain.com",
    "dns_resolvers": [],
    "enable_http_01": false,
    "enable_tls_alpn_01": false,
    "ignore_dns_propagation": false,
    "key_type": "EC256",
    "provider": "rfc2136",
    "provider_configuration": {
      "RFC2136_NAMESERVER": "1.2.3.4",
      "RFC2136_TSIG_ALGORITHM": "hmac-sha256.",
      "RFC2136_TSIG_KEY": "lego",
      "RFC2136_TSIG_SECRET": "YWJjZGVm...MTIzNDU="
    },
    "registration_uri": "https://acme-staging-v02.api.letsencrypt.org/acme/acct/74057744",
    "server_url": "https://acme-staging-v02.api.letsencrypt.org/directory",
    "terms_of_service_agreed": true
  },
  "warnings": null
}
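
Two ways to hand the provider map to `vault write`, as an added example that is not part of this issue or of the vault-acme project (the account path, provider name, keys and values are placeholders): the repeated `provider_configuration=KEY=VALUE` form that both comments above arrive at, and a JSON body fed through the `-` argument of `vault write`, which reads JSON from stdin and merges it with any `key=value` arguments. The second form keeps values such as the TSIG secret or the Hetzner API key out of the expanded command line, where they would otherwise be visible in shell history and in the process list of the `vault` client. `provider_args`, `json_escape` and `account_payload` are helper names chosen for this example.

```shell
#!/bin/sh
# Added example, not code from the vault-acme project. Builds either the
# argument list or the JSON body for `vault write acme/accounts/<name>`.
# Account names, keys and secret values below are placeholders.

# Form 1: one provider_configuration=KEY=VALUE argument per pair (the form
# that works in the comments above). Reads KEY=VALUE lines on stdin and
# prints one argument per line, ready for `xargs vault write ...`.
provider_args() {
    while IFS= read -r pair; do
        [ -n "$pair" ] || continue
        case "$pair" in
            *=*) printf 'provider_configuration=%s\n' "$pair" ;;
            *)   printf 'not a KEY=VALUE pair: %s\n' "$pair" >&2; return 1 ;;
        esac
    done
}

# Minimal JSON string escaping (backslash and double quote only); values
# containing control characters need a real JSON encoder such as jq.
json_escape() {
    printf '%s' "$1" | sed 's/\\/\\\\/g; s/"/\\"/g'
}

# Form 2: a JSON body carrying the provider and its map, for use as
#   account_payload rfc2136 KEY=VALUE ... | vault write acme/accounts/<name> contact=... -
# The pairs are arguments to a shell function, not to a separate process,
# and the secret reaches vault over the pipe rather than in argv.
account_payload() {
    provider=$1
    shift
    printf '{"provider":"%s","provider_configuration":{' "$(json_escape "$provider")"
    sep=""
    for pair in "$@"; do
        case "$pair" in
            *=*) ;;
            *)   printf 'not a KEY=VALUE pair: %s\n' "$pair" >&2; return 1 ;;
        esac
        key=${pair%%=*}
        value=${pair#*=}   # keeps any '=' inside the value, e.g. base64 padding
        printf '%s"%s":"%s"' "$sep" "$(json_escape "$key")" "$(json_escape "$value")"
        sep=","
    done
    printf '}}\n'
}
```

With the first form the values are still expanded by the shell into the `vault` process's argument list, so prefer the second form (or `@file`, the other input form `vault write` supports) whenever a pair is a credential such as RFC2136_TSIG_SECRET or HETZNER_API_KEY.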
fuog commented 2 years ago

Strange, for me the provider seems to be ignored :(

❯ vault write acme/certs/some-account common_name=some.domain.tld
Error writing data to acme/certs/some-account: Error making API request.
URL: PUT https://my-vault.somedomain.trld/v1/acme/certs/some-account
Code: 400. Errors:
* Failed to validate certificate signing request: error: one or more domains had a problem:
[some.domain.tld] [some.domain.tld] acme: error presenting token: rfc2136: failed to insert: DNS update failed: dns: no secrets defined