From time to time we get the following error when running `terraform destroy`:
Error: acme: error: 401 :: POST :: https://acme.zerossl.com/v2/DV90/revokeCert :: urn:ietf:params:acme:error:unauthorized :: The account has been deactivated
We are using ZeroSSL as the CA to issue the certificates.
Here is the configuration we are using to create the certificate:
backend.tf
Thanks @morangux, I think it might be okay to add 401 to the codes here. I'll add this on the next major maintenance sweep (which should be soon actually)!
From time to time we get the following error when running `terraform destroy`: Error: acme: error: 401 :: POST :: https://acme.zerossl.com/v2/DV90/revokeCert :: urn:ietf:params:acme:error:unauthorized :: The account has been deactivated We are using ZeroSSL as the CA to issue the certificates. Here is the configuration we are using to create the certificate: backend.tf
# Provider requirements for this module.
# Only the ACME provider is pinned here; the aws, tls, kubernetes, null and
# time providers used below are resolved implicitly (hashicorp/* defaults,
# latest version). Pin them in the module's required_providers block so a
# `terraform init` on a fresh machine is reproducible.
terraform {
  required_providers {
    acme = {
      source  = "vancluever/acme"
      version = "2.20.2"
    }
  }
}
# Hosted zone that holds the cluster records; its zone_id is handed to the
# Route 53 DNS-01 challenge in acme_certificate.certificate.
data "aws_route53_zone" "k8" {
  name = var.base_domain
}
# ACME *account* key. This is not the certificate key (the ACME provider
# generates that one itself). RSA at the tls provider's default size; the
# private key PEM is persisted in Terraform state, so the state backend must
# be access-controlled and encrypted like any other secret store.
resource "tls_private_key" "private_key" {
  algorithm = "RSA"
}
# Registers the ACME account with ZeroSSL. ZeroSSL requires External Account
# Binding, so key_id / hmac_base64 are account credentials: they are written
# to state, and the variables should be declared with `sensitive = true` so
# they are not printed in plan/apply output.
# NOTE(review): the 401 "The account has been deactivated" seen on destroy
# is returned for the revokeCert call made through this account; once the
# CA has deactivated it, any revocation via this registration will fail.
resource "acme_registration" "reg" {
  account_key_pem = tls_private_key.private_key.private_key_pem
  email_address   = "devops@run.ai"

  external_account_binding {
    key_id      = var.key_id
    hmac_base64 = var.hmac_base64
  }
}
# Issues the ingress certificate (API host + wildcard for apps) using a
# DNS-01 challenge on Route 53.
# NOTE(review): AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY are passed as
# plain map values and end up in Terraform state. Prefer letting the
# route53 challenge provider use ambient credentials (environment or an
# instance/role profile) and, at minimum, declare both variables
# `sensitive = true`. The credentials only need Route 53 change rights on
# this one hosted zone.
# NOTE(review): this provider revokes the certificate on destroy by default;
# with a deactivated ZeroSSL account that revoke is the POST .../revokeCert
# that fails with 401 and aborts `terraform destroy`. Setting
# `revoke_certificate_on_destroy = false` skips the call — confirm the
# attribute is available in the pinned provider version before relying on it.
resource "acme_certificate" "certificate" {
  account_key_pem = acme_registration.reg.account_key_pem
  common_name     = "api.${var.cluster_name}.${var.base_domain}"

  subject_alternative_names = [
    "*.apps.${var.cluster_name}.${var.base_domain}",
  ]

  dns_challenge {
    provider = "route53"

    config = {
      AWS_HOSTED_ZONE_ID    = data.aws_route53_zone.k8.zone_id
      AWS_ACCESS_KEY_ID     = var.aws_access_key
      AWS_SECRET_ACCESS_KEY = var.aws_secret_key
    }
  }
}
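# TLS secret that null_resource.patch_ingress points the default ingress
# controller at. tls.crt carries leaf + issuer so clients receive the full
# chain; tls.key is the provider-generated certificate key, which therefore
# also lives in Terraform state.
resource "kubernetes_secret_v1" "certificate" {
  metadata {
    name      = "certificate"
    namespace = "openshift-ingress"
  }

  # Declare it as a TLS secret instead of the default Opaque type: that is the
  # type the ingress expects for a default certificate, and the API server
  # then requires the tls.crt / tls.key keys to be present.
  type = "kubernetes.io/tls"

  data = {
    "tls.crt" = "${acme_certificate.certificate.certificate_pem}${acme_certificate.certificate.issuer_pem}"
    "tls.key" = acme_certificate.certificate.private_key_pem
  }

  # The references in `data` already order this resource after the
  # certificate; the explicit dependency is kept so the intent is visible.
  depends_on = [acme_certificate.certificate]
}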
# Bundle referenced by null_resource.patch_proxy as the cluster proxy's
# trustedCA. Certificates are public data, so a ConfigMap (not a Secret) is
# the right object.
# NOTE(review): the bundle is leaf + issuer rather than a CA chain. ZeroSSL
# chains to a publicly trusted root, so whether this ConfigMap is needed at
# all depends on the cluster trust store — verify before depending on it.
resource "kubernetes_config_map_v1" "custom_ca" {
  metadata {
    name      = "custom-ca"
    namespace = "openshift-config"
  }

  data = {
    "ca-bundle.crt" = "${acme_certificate.certificate.certificate_pem}${acme_certificate.certificate.issuer_pem}"
  }

  depends_on = [acme_certificate.certificate]
}
# Points the default IngressController at the "certificate" secret.
# The kubectl line interpolates only ${path.root}, no user-supplied values,
# so there is no shell-quoting exposure. It reads kube_config.yaml from the
# module root: that file is an admin credential and must exist and be
# protected wherever Terraform runs. No `triggers` are set, so this runs once
# on create; the patch is idempotent and the secret name never changes.
resource "null_resource" "patch_ingress" {
  provisioner "local-exec" {
    command = <<EOF
kubectl --kubeconfig ${path.root}/kube_config.yaml patch ingresscontroller default -n openshift-ingress-operator --type=merge -p '{"spec":{"defaultCertificate":{"name":"certificate"}}}'
EOF
  }

  depends_on = [kubernetes_secret_v1.certificate]
}
# Sets the cluster proxy's trustedCA to the "custom-ca" ConfigMap.
# Same shape as patch_ingress: fixed command, only ${path.root} interpolated,
# kubeconfig read from the module root, no triggers (runs once on create).
# Ordered after patch_ingress so the proxy change lands after the ingress
# already serves the new certificate.
resource "null_resource" "patch_proxy" {
  provisioner "local-exec" {
    command = <<EOF
kubectl --kubeconfig ${path.root}/kube_config.yaml patch proxy/cluster --type=merge -p '{"spec":{"trustedCA":{"name":"custom-ca"}}}'
EOF
  }

  depends_on = [
    kubernetes_config_map_v1.custom_ca,
    null_resource.patch_ingress,
  ]
}
# Fixed 10-minute pause after the ingress patch so the operator can roll the
# new default certificate out before anything downstream depends on it.
# Only the creation of patch_ingress gates this; the wait is not repeated on
# later applies.
resource "time_sleep" "wait" {
  depends_on      = [null_resource.patch_ingress]
  create_duration = "600s"
}