Lego fails on account changes #6

New Issue

Open

opened 2024-08-31 15:35:46 +00:00 by jadyn · 2 comments

jadyn commented 2024-08-31 15:35:46 +00:00

Member

Copy Link

The lego role / renew script fails when the account info changes but the instance name persists. I.e. when changing letsencrypt environments.

Maybe add some kind of logic / error handling?

The lego role / renew script fails when the account info changes but the instance name persists. I.e. when changing letsencrypt environments. Maybe add some kind of logic / error handling?

transcaffeine commented 2024-09-08 10:28:49 +00:00

Owner

Copy Link

Lego's filesystem structure is the cause for this here:

/opt/acme/domain.tld/
├── accounts
│   └── acme-v02.api.letsencrypt.org
│       └── mail-for-acme@example.com
│           ├── account.json
│           └── keys
│               └── mail-for-acme@example.com.key
├── certificates
│   ├── domain.tld.crt
│   ├── domain.tld.issuer.crt
│   ├── domain.tld.json
│   └── domain.tld.key
└── secrets
    └── rfc2136_tsig.key

due to the changing account (or acme_server for that matter), the ansible role needs to:

• Check if the lego_acme_server_url is the same (by checking if the folder exists in the filesystem)
• Check if the lego_acme_account_email is the same (by checking if the folder exists in the filesystem and has an account.json inside it

This should be checked in roles/lego/files/lego_run.sh#L14 and then switch the action to run (from renew).

Lego's filesystem structure is the cause for this here: ``` /opt/acme/domain.tld/ ├── accounts │   └── acme-v02.api.letsencrypt.org │   └── mail-for-acme@example.com │   ├── account.json │   └── keys │   └── mail-for-acme@example.com.key ├── certificates │   ├── domain.tld.crt │   ├── domain.tld.issuer.crt │   ├── domain.tld.json │   └── domain.tld.key └── secrets └── rfc2136_tsig.key ``` due to the changing `account` (or `acme_server` for that matter), the ansible role needs to: - [ ] Check if the `lego_acme_server_url` is the same (by checking if the folder exists in the filesystem) - [ ] Check if the `lego_acme_account_email` is the same (by checking if the folder exists in the filesystem and has an `account.json` inside it This should be checked in [`roles/lego/files/lego_run.sh#L14`](src/branch/main/roles/lego/files/lego_run.sh#L14) and then switch the action to `run` (from `renew`).

jadyn commented 2025-07-02 07:00:12 +00:00

Author

Member

Copy Link

It should also check whether the subject of the certificates actually contain all required certificates, in case it doesn't we should renew right away.

It should also check whether the subject of the certificates actually contain all required certificates, in case it doesn't we should renew right away.

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

transcaffeine/acme-playbook

transcaffeine/openldap

lego/set-e-fix

transcaffeine/openssh

transcaffeine/hostname

transcaffeine/docker-redhat

transcaffeine/docker

transcaffeine/user

transcaffeine/restic-systemd-template-units

transcaffeine/base-use-find

transcaffeine/redis

transcaffeine/nscd-nslcd

transcaffeine/debian-proxmox

0.4.0

0.3.0

0.2.1

0.2.0

0.1.2

0.1.1

0.1.0

0.0.2

Labels

No items

No Label

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

evlli jadyn jdreichmann leona transcaffeine

No Assignees

2 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: finallycoffee/base#6