vancluever / terraform-provider-acme

Terraform ACME provider
https://registry.terraform.io/providers/vancluever/acme/latest
Mozilla Public License 2.0

Certificate is not regenerated if server_url was changed for 'provider' 'acme' #440

Closed EugenKon closed 1 month ago

EugenKon commented 1 month ago

I tested the solution with acme-staging. When I was done, I changed server_url and tried to generate a production-ready certificate, but it was not generated; the old certificate is still in AWS Certificate Manager.

Terraform will perform the following actions:

  # module.private-cloud.acme_registration.certbot will be created
  + resource "acme_registration" "certbot" {
      + account_key_algorithm   = "ECDSA"
      + account_key_ecdsa_curve = "P384"
      + account_key_pem         = (sensitive value)
      + account_key_rsa_bits    = 4096
      + email_address           = "xxx"
      + id                      = (known after apply)
      + registration_url        = (known after apply)
    }

Configuration

terraform {
  required_providers {
    # 3rd party provider should be defined inside module
    acme = {
      source  = "vancluever/acme"
      version = "~> 2.26"
    }
  }
}

provider "acme" {
  # server_url = "https://acme-staging-v02.api.letsencrypt.org/directory"
  server_url = "https://acme-v02.api.letsencrypt.org/directory"
}

data "aws_route53_zone" "base_domain" {
  name = var.domain_name
}

resource "tls_private_key" "acme" {
  algorithm   = "ECDSA"
  ecdsa_curve = "P384"
}

resource "acme_registration" "certbot" {
  account_key_pem = tls_private_key.acme.private_key_pem
  email_address   = "xxx"
}

resource "acme_certificate" "ssl" {
  account_key_pem           = acme_registration.certbot.account_key_pem
  key_type                  = "P384"
  common_name               = data.aws_route53_zone.base_domain.name
  subject_alternative_names = ["*.${data.aws_route53_zone.base_domain.name}"]

  dns_challenge {
    provider = "route53"

    config = {
      AWS_HOSTED_ZONE_ID = data.aws_route53_zone.base_domain.zone_id
    }
  }

  depends_on = [acme_registration.certbot]
}

resource "aws_acm_certificate" "ssl" {
  certificate_body  = acme_certificate.ssl.certificate_pem
  private_key       = acme_certificate.ssl.private_key_pem
  certificate_chain = acme_certificate.ssl.issuer_pem
}

EugenKon commented 1 month ago

As a workaround, I changed key_type = "P256" back and forth.

module.private-cloud.acme_certificate.ssl: Destroying... [id=812a9203-e251-ca25-f9db-2e97259d48a2]
module.private-cloud.aws_db_parameter_group.postgres_v16: Modifying... [id=nomad-v16-ssl-autovacuum]
module.private-cloud.aws_db_parameter_group.postgres_v16: Modifications complete after 1s [id=nomad-v16-ssl-autovacuum]
╷
│ Error: acme: error: 404 :: POST :: https://acme-v02.api.letsencrypt.org/acme/revoke-cert :: urn:ietf:params:acme:error:malformed :: Certificate from unrecognized issuer
│

Because of the error, I just removed ssl from the state:

terraform state rm acme_certificate.ssl

vancluever commented 1 month ago

@EugenKon generally you need to start with a fresh state if you change the server URL. See https://registry.terraform.io/providers/vancluever/acme/latest/docs/resources/registration and the notes at the top for more details.

Thanks!
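As an added illustration of the maintainer's point (this is example configuration written for this page, not the reporter's config and not the provider's documentation): the `acme` provider's `server_url` is provider configuration, not a resource attribute, so Terraform has no reason to plan a replacement of `acme_registration` or `acme_certificate` when it changes. The config below records the directory URL in a `terraform_data` resource and uses `replace_triggered_by` so that switching staging to production replaces the registration and the certificate. It assumes Terraform 1.4 or later (for `terraform_data`), the variables `acme_server_url`, `email_address`, `domain_name` and `hosted_zone_id`, and that the `acme_certificate` resource accepts `revoke_certificate_on_destroy` in the provider version in use.

```hcl
# Added example: make the ACME registration and certificate follow the
# directory URL. Variables acme_server_url, email_address, domain_name and
# hosted_zone_id are assumed to be declared elsewhere.

provider "acme" {
  server_url = var.acme_server_url
}

locals {
  # Let's Encrypt staging certificates chain to an untrusted root, so
  # skipping revocation for them carries no risk; production ones keep
  # the default behaviour (revoke on destroy).
  acme_staging = can(regex("acme-staging", var.acme_server_url))
}

# Stores the directory URL in state. A change to `input` replaces this
# resource, which is what the lifecycle blocks below key on.
resource "terraform_data" "acme_server" {
  input = var.acme_server_url
}

resource "tls_private_key" "acme" {
  algorithm   = "ECDSA"
  ecdsa_curve = "P384"
}

resource "acme_registration" "certbot" {
  account_key_pem = tls_private_key.acme.private_key_pem
  email_address   = var.email_address

  lifecycle {
    # A new directory means a new account: replace, do not reuse.
    replace_triggered_by = [terraform_data.acme_server]
  }
}

resource "acme_certificate" "ssl" {
  account_key_pem           = acme_registration.certbot.account_key_pem
  key_type                  = "P384"
  common_name               = var.domain_name
  subject_alternative_names = ["*.${var.domain_name}"]

  # The destroy half of a replacement runs against the *new* server_url.
  # Asking the production CA to revoke a staging-issued certificate fails
  # with the 404 "Certificate from unrecognized issuer" seen in this issue,
  # so revocation is disabled only for certificates issued by staging.
  revoke_certificate_on_destroy = !local.acme_staging

  dns_challenge {
    provider = "route53"

    config = {
      AWS_HOSTED_ZONE_ID = var.hosted_zone_id
    }
  }

  lifecycle {
    replace_triggered_by = [terraform_data.acme_server]
  }
}

# ACM re-imports in place when certificate_pem changes, so the production
# certificate lands in ACM without any manual state surgery.
resource "aws_acm_certificate" "ssl" {
  certificate_body  = acme_certificate.ssl.certificate_pem
  private_key       = acme_certificate.ssl.private_key_pem
  certificate_chain = acme_certificate.ssl.issuer_pem
}
```

With this layout, changing `acme_server_url` from the staging to the production directory produces a plan that replaces `terraform_data.acme_server`, `acme_registration.certbot` and `acme_certificate.ssl` and updates `aws_acm_certificate.ssl` in place. Because `revoke_certificate_on_destroy` is read from the prior state during the destroy step, the staging certificate is dropped without a revocation call, which is what avoids the `revoke-cert` error shown above. For an existing state that was built without this pattern, the maintainer's advice stands: start from a fresh state (or `terraform state rm` the registration and certificate) rather than expecting the URL change alone to force re-issuance.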