Issue with reuse-key when updating domains #9731
Comments
I think the part here where it checks the curve in the configuration with the key in the lineage
certbot/certbot/certbot/_internal/renewal.py, lines 367 to 368 in e6572e6
is not actually checking the correct thing in this specific situation. I think that code should check for whatever has been entered on the command line using Some little testing makes me think a simple extra check with
That doesn't look like the case to me. I ran:
then
and the key was the same:
I think what you have described is how The way Therefore, you need to provide the full set of request parameters that you need, on the command line. In the case of Typically, you would want to use I'm not going to be able to review Osiris' PR, but this design was (iirc) completely intentional and in my opinion is not a bug, but it's possible there might be some way to improve the UX or documentation around it. I appreciate also that this is confusing as a user.
Thanks for your responses and explanation.
But still
This creates an updated (or new certificate, to be exact) with the additional domain, but uses the same private key, so it should be the same as
So it looks to me (and that would clarify the error message) that even if Best regards
I agree this behavior seems annoying. With that said, we/I felt that there were many potential foot guns for people around I'm sure that's not what you wanted to hear, but Certbot is a well established project now with millions of people using it in all kinds of ways and for better or worse I'm much more worried about potentially breaking things for them than keeping some UX ugliness around. Hope that at least kind of makes sense. With that said:
Hi, it was just not clear to me and as soon as I understood it, it felt a bit strange because of the (for me) unexpected behavior. But it looks like I am the first one who has a problem with that, so be it, it was not my intention to force you into a change you don't feel comfortable with. But I would definitely appreciate an improved error message to make the issue more clear. Thanks so far.
@bmw I think your "1" point in your post in the issue is what's bothering me: the current behaviour is not what was intended, which is also clear from the posted documents. (And a first issuance with a non-default setting was not in one of the scenarios listed in the spreadsheet from the looks of it, every scenario starts with the defaults and continues with non-default settings.) I'd like to argue currently Certbot is "broken" and requires fixing. And I'm not sure if the impact of fixing this is actually that big? If renewals are succeeding now, they also will succeed after this is fixed. I'm assuming Certbot will actually reuse the key after the added CLI checks are added in my PR? This is of course something that requires testing.
I'm honestly not sure if that's true or not. It sure seems like that wasn't what I intended when I wrote that doc and that's what the code comment seems to suggest, but this feature was developed over months by multiple developers and multiple PRs. I think confidently concluding that requires further digging into the history here and even if that behavior is what we initially wanted, I don't think it's obvious that we can change it now without problems. We may be able to change it, but I'd encourage us to be very careful about doing so. This all may seem relatively straightforward, but this area was something that multiple members of the team found to be quite tricky to work on. We've also had bugs related to this kind of thing. Because of all that, I personally feel that doing anything other than changing the error message isn't worth the effort, but that's just my opinion. You are of course entitled to your own.
This ticket feels like it sits in a quantum superposition until someone interacts with it to force a collapse of the wave function, so, here, take this otherwise superfluous comment
Hi,
My operating system is (include version):
Debian 12
I installed Certbot with (snap, OS package manager, pip, certbot-auto, etc):
package manager (v2.1) and docker (v2.6) for testing this issue with the latest version.
I ran this command and it produced this output:
I created a certificate using a different elliptic curve than default:
certbot certonly --standalone --agree-tos --no-eff-email --email EMAIL --domain test1.example.com --key-type ecdsa --elliptic-curve secp384r1
Then I wanted to update the certificate by adding another domain but reuse the key:
certbot certonly --standalone --cert-name test1.example.com --domain test1.example.com,test2.example.com --reuse-key
The output is:
Unable to change the --elliptic-curve of this certificate because --reuse-key is set. To stop reusing the private key, specify --no-reuse-key. To change the private key this one time and then reuse it in future, add --new-key.
Certbot's behavior differed from what I expected because:
I expect certbot to reuse the key. Furthermore, the error message is IMHO a contradiction. It says I can't change the elliptic curve BECAUSE reuse-key is set. But certbot seems to be trying to use the default key settings here, which are different from my previously chosen settings for the key I want to reuse. When I explicitly add "--key-type ecdsa --elliptic-curve secp384r1" again, a new key is created, so IMHO "--reuse-key" is ignored completely here.
Here is a Certbot log showing the issue (if available):
2023-07-12 09:36:31,543:DEBUG:certbot._internal.display.obj:Falling back to default True for the prompt:
You are updating certificate test1.example.com to include new domain(s):
You are also removing previously included domain(s):
(None)
Did you intend to make this change?
2023-07-12 09:36:31,543:DEBUG:certbot._internal.display.obj:Notifying user: Renewing an existing certificate for test1.example.com
2023-07-12 09:36:31,556:DEBUG:certbot._internal.plugins.selection:Requested authenticator standalone and installer <certbot._internal.cli.cli_utils._Default object at 0x7f40a7714ca0>
2023-07-12 09:36:31,556:DEBUG:certbot._internal.cli:Var reuse_key=True (set by user).
2023-07-12 09:36:31,557:DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
File "/usr/local/bin/certbot", line 33, in <module>
sys.exit(load_entry_point('certbot', 'console_scripts', 'certbot')())
File "/opt/certbot/src/certbot/certbot/main.py", line 19, in main
return internal_main.main(cli_args)
File "/opt/certbot/src/certbot/certbot/_internal/main.py", line 1864, in main
return config.func(config, plugins)
File "/opt/certbot/src/certbot/certbot/_internal/main.py", line 1597, in certonly
lineage = _get_and_save_cert(le_client, config, domains, certname, lineage)
File "/opt/certbot/src/certbot/certbot/_internal/main.py", line 129, in _get_and_save_cert
renewal.renew_cert(config, domains, le_client, lineage)
File "/opt/certbot/src/certbot/certbot/_internal/renewal.py", line 385, in renew_cert
_avoid_reuse_key_conflicts(config, lineage)
File "/opt/certbot/src/certbot/certbot/_internal/renewal.py", line 372, in _avoid_reuse_key_conflicts
raise errors.Error(
certbot.errors.Error: Unable to change the --elliptic-curve of this certificate because --reuse-key is set. To stop reusing the private key, specify --no-reuse-key. To change the private key this one time and then reuse it in future, add --new-key.
Best regards
Daniel
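The behaviour reported above, and the alternative check Osiris suggests in the comments (compare only against options actually given on the command line), modelled as an added, stdlib-only Python illustration. This is not certbot's code: `describe_key` reads the key type and curve OID out of a PEM private key (PKCS#8 "PRIVATE KEY" or SEC1 "EC/RSA PRIVATE KEY") by walking the DER, `reuse_key_conflicts` applies either policy, and the `Requested` defaults are assumed to mirror certbot 2.x (ECDSA on secp256r1). The lineage key used here is a constructed, structurally valid PKCS#8 file with an all-zero scalar, so it is not a usable key; point `describe_key` at a real /etc/letsencrypt/archive/<name>/privkeyN.pem to see which curve a lineage actually carries before deciding whether to repeat --elliptic-curve on the command line.

```python
"""Model of the --reuse-key conflict check (illustration only, not certbot's code)."""
from __future__ import annotations

import base64
import re
from dataclasses import dataclass

# Curve OIDs behind the names certbot accepts for --elliptic-curve.
CURVE_OIDS = {
    "1.2.840.10045.3.1.7": "secp256r1",
    "1.3.132.0.34": "secp384r1",
    "1.3.132.0.35": "secp521r1",
}
ID_EC_PUBLIC_KEY = "1.2.840.10045.2.1"
RSA_ENCRYPTION = "1.2.840.113549.1.1.1"


def _der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der(tag: int, body: bytes) -> bytes:
    """Encode one DER TLV (single-byte tags only, which is all key files use)."""
    return bytes([tag]) + _der_len(len(body)) + body


def encode_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:                 # base-128, high bit marks continuation
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return der(0x06, bytes(out))


def decode_oid(body: bytes) -> str:
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def _collect_oids(buf: bytes, oids: list[str]) -> None:
    """Walk DER TLVs, descending into constructed nodes (SEQUENCE, [0], [1]) and collecting OIDs."""
    i = 0
    while i < len(buf):
        tag, length = buf[i], buf[i + 1]
        i += 2
        if length & 0x80:                # long-form length
            n = length & 0x7F
            length = int.from_bytes(buf[i:i + n], "big")
            i += n
        body = buf[i:i + length]
        i += length
        if tag == 0x06:
            oids.append(decode_oid(body))
        elif tag & 0x20:
            _collect_oids(body, oids)


def describe_key(pem: str) -> tuple[str, str | None]:
    """Return (key_type, curve) for a PEM private key; curve is None for RSA."""
    m = re.search(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", pem, re.S)
    if not m:
        raise ValueError("no PEM block found")
    label = m.group(1)
    if label == "RSA PRIVATE KEY":       # SEC1 RSA carries no OID; the label is the only hint
        return "rsa", None
    oids: list[str] = []
    _collect_oids(base64.b64decode("".join(m.group(2).split())), oids)
    if RSA_ENCRYPTION in oids:
        return "rsa", None
    curves = [CURVE_OIDS[o] for o in oids if o in CURVE_OIDS]
    if curves and (ID_EC_PUBLIC_KEY in oids or label == "EC PRIVATE KEY"):
        return "ecdsa", curves[0]
    raise ValueError(f"unrecognised key ({label}, oids={oids})")


@dataclass(frozen=True)
class Requested:
    """Key parameters in effect for this run. Defaults assumed to mirror certbot 2.x."""
    key_type: str = "ecdsa"
    elliptic_curve: str = "secp256r1"
    set_by_user: frozenset[str] = frozenset()   # options actually given on the command line


def reuse_key_conflicts(lineage_pem: str, req: Requested, only_explicit: bool) -> list[str]:
    """Options that would replace the reused key.

    only_explicit=False: compare the lineage key with the effective config, defaults included
    (what produces the error in the report when --elliptic-curve is simply omitted).
    only_explicit=True: the alternative from the thread, flag only options the user set.
    """
    key_type, curve = describe_key(lineage_pem)
    conflicts = []
    if req.key_type != key_type:
        conflicts.append("key_type")
    elif key_type == "ecdsa" and req.elliptic_curve != curve:
        conflicts.append("elliptic_curve")
    if only_explicit:
        conflicts = [c for c in conflicts if c in req.set_by_user]
    return conflicts


def constructed_ec_pem(curve_oid: str, scalar_len: int) -> str:
    """Structurally valid PKCS#8 EC key with an all-zero scalar: constructed input, NOT a usable key."""
    alg = der(0x30, encode_oid(ID_EC_PUBLIC_KEY) + encode_oid(curve_oid))
    ec_priv = der(0x30, der(0x02, b"\x01") + der(0x04, b"\x00" * scalar_len))
    info = der(0x30, der(0x02, b"\x00") + alg + der(0x04, ec_priv))
    b64 = base64.b64encode(info).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN PRIVATE KEY-----\n{body}\n-----END PRIVATE KEY-----\n"


if __name__ == "__main__":
    lineage = constructed_ec_pem("1.3.132.0.34", 48)   # stands in for the secp384r1 key in the report
    print(describe_key(lineage))                                           # ('ecdsa', 'secp384r1')
    print(reuse_key_conflicts(lineage, Requested(), only_explicit=False))  # ['elliptic_curve']
    print(reuse_key_conflicts(lineage, Requested(), only_explicit=True))   # []
```

With `only_explicit=False` the bare `--reuse-key` run from the report is rejected because the default curve (secp256r1) differs from the lineage's secp384r1; with `only_explicit=True` the same run passes and only an explicit `--elliptic-curve secp256r1` would be refused, which is the distinction the thread is arguing over.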