First PKI run fails to create ACME certificates

[yuvadm]

Using this config:

pki_acme: True
pki_realms:
  - name: 'test'
    acme: True
    acme_default_subdomains: []
    acme_subject: [ 'cn=test.example.com' ]
    acme_domains: [ 'test.example.com' ]
    domains: [ 'test.example.com' ]
    #acme_ca: 'le-staging'  # uncomment for staging tests

After the first debops run, the certificates created are not signed by LE.

Workaround is to manually delete /etc/pki/realms/test and then run debops service/pki again.

[drybjed]

Do you have debops.nginx role install and configure nginx on this host? Are you talking about configuring a new host from scratch, or an already configured host?

[yuvadm]

Yes I have an nginx role configured like so:

nginx_pki_realm: 'test'
nginx_webroot_create: False

I skip creating the webroot due to a separate nginx error and the fact that I don't really need it. This is a new host from scratch.

[drybjed]

Then I suppose the reason the ACME certificates aren't created right away is that the order of roles in the playbook is:

• debops.pki
• debops.nginx

When debops.pki is run the first time, debops.nginx did not configure the webserver yet. Did you try running the debops.pki a second time after the host is configured? You shouldn't need to remove the existing realm contents, role should detect the nginx being installed, request the ACME certificates and switch to them when they are received.

[yuvadm]

That makes sense, will try again next time. Mostly just wanted this issue here for posterity :) thanks!