debops pki cannot remove domain from acme_domains
When deploying the pki role to a server with the following variables defined:

```yaml
---
# Special PKI realm for host
pki_acme_contacts:
  - 'mailto:[email protected]'
# Can also include different domains like 'mail.example.org'
# in the same realm.
pki_realms:
  - name: '{{ ansible_fqdn }}'
    acme: True
    acme_default_subdomains: []
    acme_ca: 'le-live-v2'  # for production
    # acme_ca: 'le-staging-v2'
    acme_domains: [ 'cloud.server.tld', 'nextcloud.server.tld', 'git.server.tld' ]
```

and then removing one of the acme_domains, debops cannot remove the acme_domain from the pki realm on the server. This will cause the acme request to change, if for example a service got migrated to another server.

A workaround is to delete the realm entirely on the remote server and provision the pki role again.
Yes, this has unfortunately been a known problem for some time. I use the workaround you suggested. Work is being done on improving the role but it's quite a complicated one given all the reverse dependencies from other roles.
I should add that adding a domain to acme_domains also doesn't work.

The reason is that /usr/local/lib/pki/pki-realm doesn't seem to update /etc/pki/realms/<realm>/acme/openssl.conf (and /etc/pki/realms/<realm>/acme/request.pem) if they already exist.
A more lightweight workaround is to:

- Edit `/etc/pki/realms/<realm>/acme/openssl.conf` to add/remove `DNS.*` entries in the `[ ext_req_san ]` section
- Move `/etc/pki/realms/<realm>/acme/request.pem` and `/etc/pki/realms/<realm>/acme/cert.pem` out of the way
- Run `/usr/local/lib/pki/pki-realm run --name=<realm>` to generate a new cert
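The three manual steps above, scripted as POSIX shell functions (an added example, not part of the issue or of DebOps itself): the `[ ext_req_san ]` section is rewritten to exactly the wanted domain list, the stale CSR and certificate are moved aside, and pki-realm is re-run. The layout of the `DNS.n = host` lines inside that section, and the paths being overridable through `PKI_REALM_BIN` / `PKI_REALMS_DIR`, are assumptions of this example.

```shell
# Added example, not DebOps code: scripts the manual workaround above for one
# realm. Assumes openssl.conf has a "[ ext_req_san ]" header followed by
# "DNS.n = host" lines, ending at the next "[ section ]" header.
set -eu
PKI_REALM_BIN="${PKI_REALM_BIN:-/usr/local/lib/pki/pki-realm}"
PKI_REALMS_DIR="${PKI_REALMS_DIR:-/etc/pki/realms}"
# Print the DNS.* values currently listed in [ ext_req_san ], one per line.
san_current_domains() {
    awk '
        /^\[ *ext_req_san *]/ { in_san = 1; next }
        /^\[/                 { in_san = 0 }
        in_san && /^DNS\.[0-9]+ *=/ { sub(/^[^=]*= */, ""); print }
    ' "$1"
}

# Rewrite [ ext_req_san ] so it lists exactly the given domains as DNS.1..N;
# everything outside the section (and non-DNS lines inside it) is kept.
san_rewrite() {
    conf=$1; shift
    tmp=$(mktemp)
    awk -v doms="$*" '
        /^\[ *ext_req_san *]/ {
            print; n = split(doms, d, " ")
            for (i = 1; i <= n; i++) printf "DNS.%d = %s\n", i, d[i]
            in_san = 1; next
        }
        /^\[/ { in_san = 0 }
        in_san && /^DNS\.[0-9]+ *=/ { next }
        { print }
    ' "$conf" > "$tmp"
    cat "$tmp" > "$conf"   # keeps mode and owner of the original file
    rm -f "$tmp"
}

# If the wanted SAN list differs from openssl.conf: rewrite it, move the stale
# CSR and certificate aside, then re-run pki-realm to get a fresh ACME request.
san_sync_realm() {
    realm=$1; shift
    acme="$PKI_REALMS_DIR/$realm/acme"
    want=$(printf '%s\n' "$@" | sort)
    have=$(san_current_domains "$acme/openssl.conf" | sort)
    [ "$want" != "$have" ] || { echo "$realm: SAN list already matches"; return 0; }
    san_rewrite "$acme/openssl.conf" "$@"
    stamp=$(date +%Y%m%d%H%M%S)
    for f in request.pem cert.pem; do
        if [ -f "$acme/$f" ]; then mv "$acme/$f" "$acme/$f.$stamp.bak"; fi
    done
    "$PKI_REALM_BIN" run --name="$realm"
}
```

Call it as root with the complete desired list, e.g. `san_sync_realm "$(hostname -f)" cloud.server.tld git.server.tld`; an unchanged list (in any order) is detected and nothing is touched.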