terraform-provider-digitalocean
Renewing certificate attached to load balancer
Terraform Version
Terraform v0.11.7
+ provider.archive v1.0.3
+ provider.aws v1.22.0
+ provider.digitalocean v0.1.3
+ provider.github v1.1.0
Affected Resource(s)
- digitalocean_loadbalancer
- digitalocean_certificate
Terraform Configuration Files
resource "digitalocean_certificate" "certificate" {
  name             = "certificate"
  private_key      = "${file("keys/certificate.key")}"
  leaf_certificate = "${file("certs/certificate.crt")}"
}

resource "digitalocean_loadbalancer" "lb" {
  name   = "lb"
  region = "fra1"

  forwarding_rule {
    entry_port      = 80
    entry_protocol  = "http"
    target_port     = 80
    target_protocol = "http"
  }

  forwarding_rule {
    entry_port      = 443
    entry_protocol  = "https"
    target_port     = 80
    target_protocol = "http"
    certificate_id  = "${digitalocean_certificate.certificate.id}"
  }

  healthcheck {
    port     = 80
    protocol = "http"
    path     = "/healthz"
  }

  redirect_http_to_https = true
  droplet_ids            = ["${digitalocean_droplet.droplet01.id}", "${digitalocean_droplet.droplet02.id}"]
}
Expected Behavior
When uploading a new version of a certificate, the new certificate should replace the current one on the load balancer.
Actual Behavior
Error deleting Certificate: DELETE https://api.digitalocean.com/v2/certificates/UUID: 403 (request "REQUEST_ID") This certificate is being used by an active Load Balancer. You must make sure no Load Balancer is using it before deleting.
Steps to Reproduce
- terraform apply
To get around this issue, you need to set the create_before_destroy lifecycle property of the certificate to true, like so:
resource "digitalocean_certificate" "certificate" {
  name             = "certificate"
  private_key      = "${file("certificate.key")}"
  leaf_certificate = "${file("certificate.crt")}"

  lifecycle {
    create_before_destroy = true
  }
}
Do keep in mind that you will also need to change the name of the certificate when doing the update, as you cannot have multiple certificates with the same name, even if only for a brief time between creating the new one, updating the load balancer and deleting the old one.
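A version of the workaround described above in which the rename happens automatically, added here as an example that is not part of the original issue or of the provider's own documentation: the certificate name is suffixed with a hash of the leaf certificate file, so a renewed certificate gets a name the DigitalOcean API has not seen before without anyone hand-editing the configuration, and create_before_destroy then uploads the new certificate, repoints the load balancer, and deletes the old one in that order. The file paths, region, ports and the droplet ID variable are assumptions for illustration; sha256 and substr are standard Terraform 0.11 interpolation functions.

```hcl
# Added example in Terraform 0.11 syntax, matching the issue's configuration.
# Assumed inputs: the key/certificate paths, region "fra1" and the droplet ID
# list are illustrative; substitute your own.

variable "droplet_ids" {
  type        = "list"
  description = "IDs of the droplets behind the load balancer (assumed input)"
}

resource "digitalocean_certificate" "certificate" {
  # Suffix the name with the first 12 hex characters of the SHA-256 of the
  # leaf certificate. A renewed certificate has different bytes, so it gets a
  # different name; that forces a fresh upload and avoids the 422 "name is not
  # unique" while old and new certificates briefly coexist. An unchanged
  # certificate keeps its name, so nothing is re-uploaded and the 422 "same
  # SHA-1 fingerprint" is not triggered by a no-op apply either.
  name             = "certificate-${substr(sha256(file("certs/certificate.crt")), 0, 12)}"
  private_key      = "${file("keys/certificate.key")}"
  leaf_certificate = "${file("certs/certificate.crt")}"

  lifecycle {
    # Create the replacement first, let the load balancer switch to it, then
    # delete the old one. Deleting first is what produced the 403 "being used
    # by an active Load Balancer" in the issue.
    create_before_destroy = true
  }
}

resource "digitalocean_loadbalancer" "lb" {
  name   = "lb"
  region = "fra1"

  forwarding_rule {
    entry_port      = 80
    entry_protocol  = "http"
    target_port     = 80
    target_protocol = "http"
  }

  forwarding_rule {
    entry_port      = 443
    entry_protocol  = "https"
    target_port     = 80
    target_protocol = "http"
    # Referencing the resource attribute rather than a hard-coded UUID is what
    # lets Terraform order this update after the new certificate exists.
    certificate_id  = "${digitalocean_certificate.certificate.id}"
  }

  healthcheck {
    port     = 80
    protocol = "http"
    path     = "/healthz"
  }

  redirect_http_to_https = true
  droplet_ids            = "${var.droplet_ids}"
}
```

After replacing certs/certificate.crt and keys/certificate.key with the renewed pair, terraform plan should show the certificate as "must be replaced" with the new one created before the old is destroyed, and the load balancer as an in-place update of its certificate_id only; if the plan shows the load balancer itself being destroyed, stop and check the reference. The suffix is derived from the leaf certificate alone, so swapping only the private key without a new leaf certificate would not change the name; in practice a new key always comes with a new certificate.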
@TFaga when create_before_destroy = true is set, the DO API throws 422, as it complains that the name should be unique:
digitalocean_certificate.cert-dev: Error creating Certificate: POST https://api.digitalocean.com/v2/certificates: 422 (request "<uid>") name is not unique
@TFaga @RuslanZavacky even if you rename the certificate as mentioned by @TFaga, this error appears:
found certificate <name> with the same SHA-1 fingerprint
I'm experiencing this issue as well. I have create_before_destroy = true, but it's very often that I'm forced to create new certificates with new names due to this error. It makes the pipeline very flaky.
I am also experiencing this. Quite a bummer.
Same problem here.
In my case, I just need to update the leaf certificate.
Note that my resource name is changed and lifecycle.create_before_destroy was set to true.
Error creating Certificate: POST https://api.digitalocean.com/v2/certificates: 422 (request "<uuid>") found certificate main-cert with the same SHA-1 fingerprint
I solved a similar problem thanks to a recent fix from @andrewsomething. You can find a code example in #578.
@TFaga when create_before_destroy = true is set, the DO API throws 422, as it complains that the name should be unique:
digitalocean_certificate.cert-dev: Error creating Certificate: POST https://api.digitalocean.com/v2/certificates: 422 (request "<uid>") name is not unique
And this is still an issue as of today. Adding a new domain to a Let's Encrypt cert will raise this error. The workaround is to change the name of the certificate block (e.g. cert01 -> cert02) so a new one is created. Change the name in the load balancer too and the new domain will properly be added.
Would be great if this could be fixed!