a44f5acdf3
There is a bug, or misfeature, in acme.sh using dns manual mode where
it will not renew the certificate when new domains are added to an
existing certificate. It appears to generate the TXT record requests
correctly, but then when we renew the certificate it thinks it is not
time and skips it. This is filed upstream with [1] however we can
work around it, and generally be better anyway.
For each letsencrypt host, during certificate request we build up the
"acme_txt_required" key which is a list of TXT record tuples.
Currently we keep the challenge domain in the first entry, which is
not useful (all our hosts have the same challenge domain,
amce.opendev.org). Modify this to be the certificate key from the
host config. To be clear; when a host has
letsencrypt_certs:
hostname-cert-main:
hostname.opendev.org
altname.opendev.org
hostname-cert-secondary:
secondary.opendev.org
secondaryalt.opendev.org
acme_txt_required when renewing all certs will end up looking like:
[
(hostname-cert-main, <txt1>), (hostname-cert-main, <txt2>),
(hostname-cert-secondary, <txt3>), (hostname-cert-secondary, <txt3>>)
]
In the certificate creation path, we walk "acme_txt_required" and take
the unique 0-value entries; this gives us the list of keys in
"letsencrypt_certs" which were actually updated.
We can then force renewal for these certs, because we know they
changed in some way that requires reissuing them (within renewal time,
or new domains).
This isn't just a work-around, it is generically better too.
Previously if any cert on host required an update, we would try to
update them all. This would be a no-op; acme.sh would just skip doing
anything; but now we don't even have to call into the renewal if we
know nothing has changed.
[1] https://github.com/acmesh-official/acme.sh/issues/2763
Change-Id: I1e82c64217d46d7e1acc0111dff4db2f0062c42a
26 lines
983 B
YAML
26 lines
983 B
YAML
# NOTE(ianw): this var set for the host by the
|
|
# letsencrypt-request-certs role; running this when empty would be a
|
|
# no-op but we might as well skip it if we know this host hasn't
|
|
# requested anything to actually create/renew.
|
|
- name: Check for prerun state
|
|
fail:
|
|
msg: "acme_txt_required is not defined; was letsencrypt-request-certs run?"
|
|
when: acme_txt_required is not defined
|
|
|
|
# acme_txt_keys is a list of tuples
|
|
#
|
|
# (key from letsencrypt_certs, required TXT record)
|
|
#
|
|
# So in words, we walk acme_txt_required and keep a list of the unique
|
|
# 0-values of each entry. This is then the keys from
|
|
# letsencrypt_certs that actually had updates; these are the only ones
|
|
# we need to do a renewal for.
|
|
- name: Generate list of changed certificates
|
|
set_fact:
|
|
acme_txt_changed: '{{ acme_txt_required|map("first")|list|unique }}'
|
|
|
|
- name: Include ACME renewal
|
|
include_tasks: acme.yaml
|
|
loop: "{{ query('dict', letsencrypt_certs) }}"
|
|
when: item.key in acme_txt_changed
|