
DXE-1469 cps_dv_enrollment dns_challenges are emptied after domain validation

Open chris-howard-deltatre opened this issue 2 years ago • 8 comments

Hi there,

Thank you for opening an issue. Please note that we try to keep the Terraform issue tracker reserved for bug reports and feature requests. For general usage questions, please see: https://www.terraform.io/community.html.

Terraform Version

Run terraform -v to show the version. If you are not running the latest version of Terraform, please upgrade because your issue may have already been fixed.

Terraform v1.2.6
on darwin_amd64
+ provider registry.terraform.io/akamai/akamai v2.2.0

Affected Resource(s)

Please list the resources as a list, for example:

  • akamai_cps_dv_enrollment
  • akamai_cps_dv_validation

If this issue appears to affect multiple resources, it may be an issue with Terraform's core, so please mention this.

Debug Output

Please provide a link to a GitHub Gist containing the complete debug output: https://www.terraform.io/docs/internals/debugging.html. Please do NOT paste the debug output in the issue; just paste a link to the Gist.

 # module.cdn.akamai_cps_dv_enrollment.this["###"] has changed
!   resource "akamai_cps_dv_enrollment" "this" {
!       dns_challenges                        = [
-           {
              - domain        = "###"
              - full_path     = "_acme-challenge.###"
              - response_body = "###TXTVALUE###"
            },
        ]
...

Expected Behavior

The akamai_cps_dv_enrollment resource should not empty the dns_challenges attribute after the domain validation has been satisfied. If users are creating domain records from dns_challenges which they intend to be checked by Akamai for certificate renewal, terraform will then destroy these records after the validation is complete. The challenges should remain in the state of the resource after domain validation has been completed.

Actual Behavior

The dns_challenges attribute was emptied after the domain was validated.

Steps to Reproduce

Please list the steps required to reproduce the issue, for example:

  1. terraform apply - The certificate enrollment is created through akamai_cps_dv_enrollment and the dns challenges are generated. Validation happens through the akamai_cps_dv_validation resource.
  2. After Validation: terraform apply - The dns_challenges attribute is emptied

chris-howard-deltatre avatar Aug 17 '22 03:08 chris-howard-deltatre
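The configuration pattern the report describes, written out as an added example (not taken from the issue or from the provider's own documentation): the TXT records are derived from the computed dns_challenges list with for_each, and the validation resource depends on them. The attribute names on the three resources (akamai_cps_dv_enrollment, akamai_dns_record, akamai_cps_dv_validation), the required contact/CSR/network blocks and all values such as the contract ID, zone and contact details are assumptions from memory of the provider schema, so check them against the registry docs for the provider version in use.

```hcl
# Added example: DV enrollment whose ACME DNS-01 challenges feed DNS records.
# All identifiers and values are constructed placeholders, not real data.

resource "akamai_cps_dv_enrollment" "this" {
  contract_id    = "C-0N7RAC7"          # placeholder contract ID
  common_name    = "www.example.com"
  sans           = ["www.example.com", "example.com"]
  secure_network = "enhanced-tls"
  sni_only       = true

  # Contact, CSR, network and organization blocks are required by the
  # provider schema (assumed); values are placeholders.
  admin_contact {
    first_name       = "Jane"
    last_name        = "Doe"
    title            = "Ops"
    organization     = "Example Inc"
    email            = "ops@example.com"
    phone            = "+1-555-0100"
    address_line_one = "1 Example Way"
    city             = "Cambridge"
    region           = "MA"
    postal_code      = "02142"
    country_code     = "US"
  }
  tech_contact {
    first_name       = "John"
    last_name        = "Doe"
    title            = "Ops"
    organization     = "Example Inc"
    email            = "tech@example.com"
    phone            = "+1-555-0101"
    address_line_one = "1 Example Way"
    city             = "Cambridge"
    region           = "MA"
    postal_code      = "02142"
    country_code     = "US"
  }
  csr {
    country_code        = "US"
    city                = "Cambridge"
    organization        = "Example Inc"
    organizational_unit = "Ops"
    state               = "MA"
  }
  network_configuration {
    geography               = "core"
    disallowed_tls_versions = ["TLSv1", "TLSv1_1"]
    ocsp_stapling           = "on"
  }
  signature_algorithm = "SHA-256"
  organization {
    name             = "Example Inc"
    phone            = "+1-555-0100"
    address_line_one = "1 Example Way"
    city             = "Cambridge"
    region           = "MA"
    postal_code      = "02142"
    country_code     = "US"
  }
}

# One TXT record per pending challenge. When the provider empties
# dns_challenges after validation, this map becomes empty and the next
# apply plans the destruction of every record created here.
resource "akamai_dns_record" "acme_challenge" {
  for_each = {
    for dc in akamai_cps_dv_enrollment.this.dns_challenges : dc.domain => dc
  }

  zone       = "example.com"
  name       = each.value.full_path       # e.g. _acme-challenge.example.com
  recordtype = "TXT"
  ttl        = 60
  target     = [each.value.response_body]
}

# Ask CPS to check the challenges only once the records exist.
resource "akamai_cps_dv_validation" "this" {
  enrollment_id = akamai_cps_dv_enrollment.this.id
  sans          = akamai_cps_dv_enrollment.this.sans

  depends_on = [akamai_dns_record.acme_challenge]
}
```

Running terraform plan after validation, and inspecting the plan for "akamai_dns_record.acme_challenge[...] will be destroyed", is the quickest way to confirm the behaviour in this thread on a given provider version before it removes records in production.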

Hi, @chris-howard-deltatre Thank you for reporting the issue. We will take a look at it and get back to you shortly.

BR, Mateusz

majakubiec avatar Aug 17 '22 08:08 majakubiec

Hello, to better understand the issue, can you please confirm what steps you performed:

  1. Create an enrolment using akamai_cps_dv_enrollment - in input configuration there is no dns_challenges block
  2. In terraform state for akamai_cps_dv_enrollment the dns_challenges block appears
  3. Running terraform apply on akamai_cps_dv_validation resource
  4. Running terraform apply on akamai_cps_dv_enrollment - here the incorrect behaviour appears: the dns_challenges block disappears from state.

Does that correctly describe what happened? Is there anything significant missing? Was there any significant time difference between running e.g. step 3 and 4?

Thanks and best regards, Wojciech

wzagrajcz avatar Aug 30 '22 08:08 wzagrajcz

Hi @wzagrajcz

The steps you have outlined correctly match the process I went through and the behaviour you have noted in step 4 is what I see also. There was no significant time difference between step 3 and 4 in my case, I ran the second apply just a few minutes after I could see the certificate validation was successful in the Akamai control centre portal.

Best Regards, Chris

chris-howard-deltatre avatar Sep 01 '22 06:09 chris-howard-deltatre

I too have the same issue where the dns_challenges attribute was emptied after the domain was validated. Is there any update regarding this issue?

BAu0002 avatar Sep 12 '22 09:09 BAu0002

Yep, confirming the same issue. It'd be great if it returned the challenges every time; otherwise the resources dependent on these challenges (e.g. DNS records) are destroyed.

bks7 avatar Sep 12 '22 11:09 bks7

Hi All,

Thank you for bringing this issue to our notice, I would like to confirm that we are working on it internally and will keep you all posted on the progress.

In the meantime, please don't hesitate to ask any further questions you have.

Regards, Piyush

kaush- avatar Sep 14 '22 07:09 kaush-

Hi,

Please note that other users depend on the behavior that challenges are emptied after validation. This change will break existing setups - ideally, please allow users to keep the old behavior with some flag.

Thanks.

aci-payon-ops avatar Sep 26 '22 13:09 aci-payon-ops

Hello, we took this topic into deep investigation and we think that the current behaviour is correct. The http_challenges and dns_challenges blocks are used to indicate that there are some pending challenges and at least one of them should be completed. After the challenges have been completed and the CPS system notices it (which can be sped up by running akamai_cps_dv_validation), the challenges blocks serve no purpose anymore and therefore they disappear. When the time comes for the certificate to be renewed, the challenges block will be present again so it can be used to complete challenges. Can you please explain what scenario requires the challenges block to stay after domain validation?

Thanks and best regards, Wojciech

wzagrajcz avatar Oct 07 '22 08:10 wzagrajcz

@wzagrajcz It's unfortunate that this behavior is considered as intended.

When the time will come for certificate to be renewed, the challenges block will be present again so they can be used to complete challenges.

The whole point for me to use LE and DNS validation is that their short-lived certificates are automatically renewed, because the DNS records are still there. With your current implementation, the dns_challenges are non-deterministic and can constantly change. This can easily lead to a scenario where all the validation records are removed, as the certificate has been issued, and is still valid. When the certificate then expires, it can't be renewed without manual intervention. To me that feels like it goes entirely against the LE concept.

But maybe I'm missing a point on how to use this correctly.

oliversalzburg avatar Apr 13 '23 18:04 oliversalzburg

DNS-01 tokens (and HTTP-01 tokens) have a finite lifetime measured in days to weeks. Once they expire, they cannot be used for the next renewal. This is why they are removed.

If you are interested in a more persistent solution, ask your Akamai account team about the "Default DV" certificate. With those new types of DV certificates (still issued by Let's Encrypt), Akamai hosts the DNS tokens and provides a CNAME target to you. E.g., for a hostname of example.com added to a property, Akamai provides instructions such as _acme-challenge.example.com CNAME ac.27269740d1d924236e4fac9d749b4e87.example.com.validate-akdv.net.

rajiv avatar Apr 14 '23 21:04 rajiv