finallycoffee/base
5
0
Fork 1
Code Issues 1 Pull Requests 3 Packages Projects Releases Wiki Activity

Lego fails on account changes #6

New Issue
Open
opened 2024-08-31 15:35:46 +00:00 by jadyn · 1 comment
jadyn commented 2024-08-31 15:35:46 +00:00
Member
Copy Link

The lego role / renew script fails when the account info changes but the instance name persists. I.e. when changing letsencrypt environments.

Maybe add some kind of logic / error handling?

The lego role / renew script fails when the account info changes but the instance name persists. I.e. when changing letsencrypt environments. Maybe add some kind of logic / error handling?
transcaffeine commented 2024-09-08 10:28:49 +00:00
Owner
Copy Link

Lego's filesystem structure is the cause for this here:

/opt/acme/domain.tld/
├── accounts
│   └── acme-v02.api.letsencrypt.org
│       └── mail-for-acme@example.com
│           ├── account.json
│           └── keys
│               └── mail-for-acme@example.com.key
├── certificates
│   ├── domain.tld.crt
│   ├── domain.tld.issuer.crt
│   ├── domain.tld.json
│   └── domain.tld.key
└── secrets
    └── rfc2136_tsig.key

due to the changing account (or acme_server for that matter), the ansible role needs to:

  • Check if the lego_acme_server_url is the same (by checking if the folder exists in the filesystem)
  • Check if the lego_acme_account_email is the same (by checking if the folder exists in the filesystem and has an account.json inside it

This should be checked in roles/lego/files/lego_run.sh#L14 and then switch the action to run (from renew).

Lego's filesystem structure is the cause for this here: ``` /opt/acme/domain.tld/ ├── accounts │   └── acme-v02.api.letsencrypt.org │   └── mail-for-acme@example.com │   ├── account.json │   └── keys │   └── mail-for-acme@example.com.key ├── certificates │   ├── domain.tld.crt │   ├── domain.tld.issuer.crt │   ├── domain.tld.json │   └── domain.tld.key └── secrets └── rfc2136_tsig.key ``` due to the changing `account` (or `acme_server` for that matter), the ansible role needs to: - [ ] Check if the `lego_acme_server_url` is the same (by checking if the folder exists in the filesystem) - [ ] Check if the `lego_acme_account_email` is the same (by checking if the folder exists in the filesystem and has an `account.json` inside it This should be checked in [`roles/lego/files/lego_run.sh#L14`](src/branch/main/roles/lego/files/lego_run.sh#L14) and then switch the action to `run` (from `renew`).
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels
No items
No Label
Milestone
Clear milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
No Assignees
2 Participants
Notifications
Due Date
The due date is invalid or out of range. Please use the format 'yyyy-mm-dd'.

No due date set.

Dependencies

No dependencies set.

Reference: finallycoffee/base#6
No description provided.
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?