Error 409 - urn:acme:error:malformed - Certificate already revoked #30
Hey @adamlc, this for sure sounds doable. Not too sure if it's possible to get the error code programmatically from lego, but we can check for sure. Might be a bit till I can get to it; how hard is it for you to manually remove this from your state in the meantime?
Cool! I've actually managed to manually fix my state file for now, so no rush 👍
Awesome! Will fix this in a sweep of the other issues then 👍
To clear the issue, do something similar to
Attempting to revoke an already revoked certificate will result in the server responding with a status code of 409. This change ensures that this scenario is handled gracefully. Resolves: vancluever#30
@vancluever I have had a fix in #35. This will check if the error is of type Verified it in a similar scenario I encountered, similar to @adamlc's.
@vancluever the patch mentioned above has been available for a month, and I just had to fiddle around with the state file as I ran into the same issue. Can we get this merged, please?
Revocation has been taking longer than it used to on ACME, both on staging and production, and we have had bug reports (#30, #32) and PRs (#35) that have been working to address this. Looking at lego, the library really does not have much in the way of support for timeouts or contexts, at least none that are exposed through the API at this point in time. Aside from the elegance drawbacks, I don't really see this as much of a large issue, as the only process that really seems to have much in the way of issues is revocation and the OCSP poll that takes place after it.

This update sets things up so that we honor the destroy timeout that can be set in the standard "timeout" attribute of any Terraform resource. The default for this is the usual 20 minutes, so in reality (hopefully) this will never need to be changed again, but if need be, the avenue is there. Fixes #32.
In my certificates I have create_before_destroy set in the lifecycle settings. I do this because I always want a valid certificate to be active; if this isn't set then the cert is destroyed and then a new one created, which leaves a few minutes with no active certificate. During the destroy process it timed out, which has left a deposed resource in my state file. When I try to do a plan it comes up as a destroy operation:
But when applying this plan it fails because the certificate has already been removed:
This has currently left me with a broken state file, as I'm unable to apply the destroy. Would it be possible, if a 409 status has been returned, to carry on with the normal Terraform function?
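The two behaviours this thread asks for, treating the CA's 409 "already revoked" answer as a successful destroy and bounding the context-unaware revoke call by the resource's destroy timeout, can be sketched in Go as follows. This is an added example, not code from terraform-provider-acme or from lego: the ProblemDetails struct is a local stand-in for the RFC 7807 problem document (lego carries equivalent fields on its own error type), the Revoker function type is an assumed shape for "takes a PEM certificate, returns only an error, no context", and NewFakeRevoker is a constructed CA that returns the exact 409 from this issue on a repeat revocation. It also matches the RFC 8555 urn:ietf:params:acme:error:alreadyRevoked type, which newer CAs return for the same condition.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"net/http"
	"strings"
	"time"
)

// ProblemDetails is a local stand-in (assumption) for the RFC 7807 problem
// document an ACME server returns on error; no lego dependency is used here.
type ProblemDetails struct {
	Type       string
	Detail     string
	HTTPStatus int
}

func (p *ProblemDetails) Error() string {
	return fmt.Sprintf("acme: error: %d :: %s :: %s", p.HTTPStatus, p.Type, p.Detail)
}

// Revoker is the assumed shape of the revocation call: PEM in, error out,
// with no context or timeout parameter, as the maintainer describes for lego.
type Revoker func(certPEM []byte) error

// IsAlreadyRevoked reports whether err is HTTP 409 Conflict carrying either the
// legacy urn:acme:error:malformed type with an "already revoked" detail (the
// error in this issue) or the RFC 8555 urn:ietf:params:acme:error:alreadyRevoked type.
func IsAlreadyRevoked(err error) bool {
	var p *ProblemDetails
	if !errors.As(err, &p) || p.HTTPStatus != http.StatusConflict {
		return false
	}
	if strings.HasSuffix(p.Type, ":alreadyRevoked") {
		return true
	}
	return strings.HasSuffix(p.Type, ":malformed") &&
		strings.Contains(strings.ToLower(p.Detail), "already revoked")
}

// RevokeIdempotent treats "already revoked" as success, so destroying a deposed
// resource whose certificate is already gone converges instead of wedging state.
func RevokeIdempotent(revoke Revoker, certPEM []byte) error {
	err := revoke(certPEM)
	if err == nil || IsAlreadyRevoked(err) {
		return nil
	}
	return err
}

// RevokeWithTimeout bounds a context-unaware revoke by the destroy timeout. The
// call itself cannot be cancelled, so it finishes in its goroutine; the buffered
// channel lets that goroutine exit even after the caller has given up.
func RevokeWithTimeout(ctx context.Context, timeout time.Duration, revoke Revoker, certPEM []byte) error {
	ctx, cancel := context.WithTimeout(ctx, timeout)
	defer cancel()
	done := make(chan error, 1)
	go func() { done <- RevokeIdempotent(revoke, certPEM) }()
	select {
	case err := <-done:
		return err
	case <-ctx.Done():
		return fmt.Errorf("revoking certificate: %w", ctx.Err())
	}
}

// NewFakeRevoker is a constructed stand-in for an ACME CA, not a real endpoint:
// the first revoke of a certificate succeeds, every later one answers the 409.
func NewFakeRevoker() Revoker {
	revoked := map[string]bool{}
	return func(certPEM []byte) error {
		if revoked[string(certPEM)] {
			return &ProblemDetails{
				Type:       "urn:acme:error:malformed",
				Detail:     "Certificate already revoked",
				HTTPStatus: http.StatusConflict,
			}
		}
		revoked[string(certPEM)] = true
		return nil
	}
}

func main() {
	cert := []byte("-----BEGIN CERTIFICATE-----\nconstructed placeholder\n-----END CERTIFICATE-----\n")
	revoke := NewFakeRevoker()
	fmt.Println("first revoke:", RevokeIdempotent(revoke, cert))  // <nil>
	fmt.Println("second revoke:", RevokeIdempotent(revoke, cert)) // <nil>: 409 treated as done
	slow := Revoker(func([]byte) error { time.Sleep(time.Second); return nil })
	fmt.Println("slow revoke:", RevokeWithTimeout(context.Background(), 50*time.Millisecond, slow, cert))
}
```

The status check and the type check are both kept deliberately: a 409 on its own is not enough (other conflicts exist), and matching on the detail string alone would silently swallow unrelated malformed errors. Any other error still propagates, so a genuine revocation failure continues to fail the destroy.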