Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

acme.cert: Fail to update certificate after adding aliases / missing --expand #48759

Closed
MyIgel opened this issue Jul 25, 2018 · 2 comments

Comments

Projects
None yet
3 participants
@MyIgel
Copy link

commented Jul 25, 2018

Description of Issue/Question

When adding more aliases to a certificate the certbot command should be called with --expand.
(I haven't tested what happens after removing aliases but think that it could also be an issue)

Setup

First run

letsencrypt-domain.tld:
  acme.cert:
    - name: domain.tld

Second run

letsencrypt-domain.tld:
  acme.cert:
    - name: domain.tld
    - aliases:
      - sub.domain.tld
      - another.domain

Steps to Reproduce Issue

Create a certificate, then add aliases

Error

----------                                                                                                                                                                                                                                                                     
          ID: letsencrypt-domain.tld                                                                                                                                                                                                                                  
    Function: acme.cert                                                                                                                                                                                                                                                        
        Name: domain.tld                                                                                                                                                                                                                                              
      Result: False                                                                                                                                                                                                                                                            
     Comment: Certificate domain.tld renewal failed with:                                                                                                                                                                                                             
              Saving debug log to /var/log/letsencrypt/letsencrypt.log                                                                                                                                                                                                         
              Plugins selected: Authenticator webroot, Installer None                                                                                                                                                                                                          
              Missing command line flag or config entry for this setting:                                                                                                                                                                                                      
              You have an existing certificate that contains a portion of the domains you requested (ref: /etc/letsencrypt/renewal/domain.tld.conf)                                                                                                                   
                                                                                                                                                                                                                                                                               
              It contains these names: domain.tld                                                                                                                                                                                                                     
                                                                                                                                                                                                                                                                               
              You requested these names for the new certificate: domain.tld, sub.domain.tld, another.domain.                                                                                                                                                                   
                                                                                                                                                                                                                                                                               
              Do you want to expand and replace this existing certificate with the new certificate?                                                                                                                                                                            
                                                                                                                                                                                                                                                                               
              (You can set this with the --expand flag)                                                                                                                                                                                                                        
     Started: 12:12:12.121212                                                                                                                                                                                                                                                  
    Duration: 1212.121 ms

Versions Report

root@salt:~# salt --versions-report
Salt Version:
           Salt: 2018.3.2

Dependency Versions:
           cffi: Not Installed
       cherrypy: Not Installed
       dateutil: 2.5.3
      docker-py: Not Installed
          gitdb: 2.0.0
      gitpython: 2.1.1
          ioflo: Not Installed
         Jinja2: 2.9.4
        libgit2: Not Installed
        libnacl: Not Installed
       M2Crypto: Not Installed
           Mako: Not Installed
   msgpack-pure: Not Installed
 msgpack-python: 0.4.8
   mysql-python: Not Installed
      pycparser: Not Installed
       pycrypto: 2.6.1
   pycryptodome: Not Installed
         pygit2: Not Installed
         Python: 2.7.13 (default, Nov 24 2017, 17:33:09)
   python-gnupg: Not Installed
         PyYAML: 3.12
          PyZMQ: 16.0.2
           RAET: Not Installed
          smmap: 2.0.1
        timelib: Not Installed
        Tornado: 4.4.3
            ZMQ: 4.2.1

System Versions:
           dist: debian 9.5
         locale: UTF-8
        machine: x86_64
        release: 4.9.0-6-amd64
         system: Linux
        version: debian 9.5
root@minion:~# salt-minion --versions-report
Salt Version:
           Salt: 2018.3.2

Dependency Versions:
           cffi: Not Installed
       cherrypy: Not Installed
       dateutil: 2.5.3
      docker-py: Not Installed
          gitdb: Not Installed
      gitpython: Not Installed
          ioflo: Not Installed
         Jinja2: 2.9.4
        libgit2: Not Installed
        libnacl: Not Installed
       M2Crypto: Not Installed
           Mako: Not Installed
   msgpack-pure: Not Installed
 msgpack-python: 0.4.8
   mysql-python: Not Installed
      pycparser: Not Installed
       pycrypto: 2.6.1
   pycryptodome: Not Installed
         pygit2: Not Installed
         Python: 2.7.13 (default, Nov 24 2017, 17:33:09)
   python-gnupg: Not Installed
         PyYAML: 3.12
          PyZMQ: 16.0.2
           RAET: Not Installed
          smmap: Not Installed
        timelib: Not Installed
        Tornado: 4.4.3
            ZMQ: 4.2.1

System Versions:
           dist: debian 9.5
         locale: UTF-8
        machine: x86_64
        release: 4.9.0-6-amd64
         system: Linux
        version: debian 9.5

@gtmanfred gtmanfred added the Feature label Jul 25, 2018

@gtmanfred gtmanfred added this to the Approved milestone Jul 25, 2018

@gtmanfred

This comment has been minimized.

Copy link
Contributor

commented Jul 25, 2018

Yup, looks like that is a problem.

I am marking this as a bug. since it seems like you have used certbot, any help getting this fixed would be greatly appreciated.

Thanks,
Daniel

@garethgreenaway

This comment has been minimized.

Copy link
Member

commented Jan 9, 2019

Closing this out, if the problem persists please comment & we'll re-open the issue or feel free to open a new issue.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.