shibayan / keyvault-acmebot

Automated ACME SSL/TLS certificates issuer for Azure Key Vault (App Service / Container Apps / App Gateway / Front Door / CDN / others)
Apache License 2.0

impossible to alter an existing certificate (or replace) #705

Open sandromastronardi opened 4 months ago

sandromastronardi commented 4 months ago

I want to add host names (wildcards *.api.tld.com) to a certificate api.tld.com

  1. I deleted the certificate
  2. I also deleted the pending certificate: https://github.com/shibayan/keyvault-acmebot/issues/69, as I always get this error when I remove a certificate.

But so far it broke my environment and I just can't get it to work again... The current state: creating a new certificate doesn't work (the vault cannot be purged).

I get this error now: [screenshots]

Now my application is in a broken state... my certificate is gone, and I cannot replace it with a new one...

A way to replace a certificate from the UI would be nice, also a way to delete certificates the 'right' way, as it now seems to be going wrong all the time when I delete one.

shibayan commented 4 months ago

Adding a new domain name to an already existing certificate results in an error. This is because Acmebot creates a certificate resource for Key Vault with the first domain name. Please try this by explicitly entering the name of the certificate from the advanced options when issuing the certificate.

leonardochaia commented 4 months ago

Hi @shibayan , I've just faced this issue.

First off, thanks for this project, I've been using it in production for a good couple of years now without any real issues.

I need to add one more SAN to a cert, so I:

  1. deleted the Certificate from key vault.
  2. Tried to generate a new one using the UI, got the error "Order includes different number of names than CSR specifies".
  3. Removed the pending certificate as instructed here
  4. Tried to generate a new one using the UI, got the error "Pending certificate not found".

Reading this issue, I ended up using the advanced options to change the Certificate resource name. However, is there a way to keep the original name?

The reason I'm asking is that my Kubernetes deployment is referencing the Key Vault certificate by name, so now I need to change my deployment. No biggie, but I do need to do this a couple of times and was wondering if there's a way to keep the certificate name.

sandromastronardi commented 4 months ago

Thanks, but I have the same issue as @leonardochaia: my templates use DNS names, and I replace the dots with dashes to find the certificate name. If I use another certificate name, I will have to change the templates and, like @leonardochaia, do that each time I need to add a name to an existing certificate... It would be great if I could replace a certificate in full, with new names.

shibayan commented 4 months ago

This is an operation not supported by the Acmebot dashboard, but since Acmebot uses the Key Vault Issuance Policy as is, SANs can be added or deleted by modifying the Issuance Policy from Azure Portal.


sandromastronardi commented 4 months ago

How should that work? I add a DNS name there, but then how is it REALLY added? By doing a renew?

sandromastronardi commented 4 months ago

And how do I fix it if the certificate is already deleted, and there is a broken system?

shibayan commented 4 months ago

After modifying the Issuance Policy and running Renew, a new certificate should be issued with the SANs added. If you have deleted a file, it will be restored as long as soft delete is enabled and you have not purged it.
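The workaround described above (recover the soft-deleted certificate if needed, add the SAN to the Key Vault issuance policy, then trigger Renew in Acmebot), as an added PowerShell (Az.KeyVault) example that is not part of this thread or the Acmebot project. The vault name, certificate name and SAN are placeholders; it assumes the Az.KeyVault module is installed and you are signed in with rights to read and recover certificates.

```powershell
# Added example, not from the thread or the Acmebot project.
# Assumes Az.KeyVault is installed and Connect-AzAccount has been run.
param(
    [string]$VaultName = "kv-example",    # placeholder vault name
    [string]$CertName  = "api-tld-com",   # placeholder: the name Acmebot created
    [string]$NewSan    = "*.api.tld.com"  # placeholder SAN to add
)

# 1. Recovery only works while soft delete is on and the certificate was not purged,
#    so check the vault setting before touching anything.
$vault = Get-AzKeyVault -VaultName $VaultName
if (-not $vault.EnableSoftDelete) {
    throw "Soft delete is disabled on $VaultName; a deleted certificate cannot be recovered."
}

# 2. If the certificate sits in the soft-deleted state, bring it back first.
$deleted = Get-AzKeyVaultCertificate -VaultName $VaultName -Name $CertName `
    -InRemovedState -ErrorAction SilentlyContinue
if ($deleted) {
    Undo-AzKeyVaultCertificateRemoval -VaultName $VaultName -Name $CertName | Out-Null
    Write-Host "Recovered soft-deleted certificate $CertName"
    Start-Sleep -Seconds 10   # recovery is asynchronous; give the vault a moment
}

# 3. Add the SAN to the issuance policy. Acmebot uses this policy as-is on the
#    next Renew, so the re-issued certificate carries the extra name.
$policy = Get-AzKeyVaultCertificatePolicy -VaultName $VaultName -Name $CertName
if (-not $policy.DnsNames) {
    $policy.DnsNames = [System.Collections.Generic.List[string]]::new()
}
if ($policy.DnsNames -contains $NewSan) {
    Write-Host "$NewSan is already in the issuance policy of $CertName"
} else {
    $policy.DnsNames.Add($NewSan)
    Set-AzKeyVaultCertificatePolicy -VaultName $VaultName -Name $CertName `
        -InputObject $policy | Out-Null
    Write-Host "Added $NewSan to the issuance policy of $CertName"
}

# 4. Show the resulting SAN list so the change can be verified before pressing
#    Renew in the Acmebot dashboard.
(Get-AzKeyVaultCertificatePolicy -VaultName $VaultName -Name $CertName).DnsNames
```

The certificate name in Key Vault stays unchanged, so deployments that reference it by name (as in the Kubernetes case above) do not need to be updated.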

leonardochaia commented 4 months ago

After modifying the Issuance Policy and running Renew, a new certificate should be issued with the SANs added. If you have deleted a file, it will be restored as long as soft delete is enabled and you have not purged it.

Hi @shibayan, thank you for your replies. I propose this gets added to the wiki FAQ. Perhaps this issue can then become a feature request to eventually be able to edit the already issued certificates through the UI.

Thank you. Leo.

shibayan commented 4 months ago

Since we did not think there were that many use cases for adding SANs later, we will consider updating certificates in the next major version.

Added to the FAQ: https://github.com/shibayan/keyvault-acmebot/wiki/Frequently-Asked-Questions#adding-sans-to-an-existing-certificate

leonardochaia commented 4 months ago

Thank you @shibayan for your time and answers. I think it is acceptable as is, since, like you said, use cases for this are slim, and now there's a documented workaround. However, being able to do it from the UI, or perhaps adding a link from the UI to the Azure Portal Key Vault certificate, would be helpful! I think this can be closed.

Regards, Leo

shibayan commented 4 months ago

Adding a link to the Key Vault certificate is a good idea. I would like to incorporate that. Thanks!