[Feature]: Updating in-use certificates
What would you like to see?
We're trying to set up a terraform setup where a certificate is acquired using the letsencrypt provider, and then uploaded to hetzner and used for a load balancer. However, since the hetzner provider doesn't support in-place updates of the certificate data, we're unable to update the certificate when it's close to its expiration date.
More specifically, when the LE certificate gets re-issued, TF tries to destroy and re-create the hetzner certificate, which in turn results in the following error, since the certificate is used by a load balancer:
```text
Error: certificate still in use (service_error, xxxxxxxxxxxxxxx)
```
I don't know if it's possible to add support for updating existing certificates (since I don't see that option from the hetzner cloud UI either), so any help or alternative solutions to this would be greatly appreciated.
You should be able to rotate the certificate of a load balancer by creating a new certificate and updating the load balancer service with the new certificate.
Could you provide us the Terraform code you use to perform this action?
The problem with that is that I don't control the renewal of the LE certificate, so once it gets renewed I don't have a good way to rotate it in this way without having to manually remove the hcloud certificate resource from the terraform state, and create a new one with a different name.
I can't provide the exact Terraform code since we're using CDKTF, but here's a close equivalent:
```hcl
resource "acme_registration" "reg" {
  email_address = "[email protected]"
}

resource "acme_certificate" "certificate" {
  account_key_pem           = acme_registration.reg.account_key_pem
  common_name               = "*.example.com"
  subject_alternative_names = ["*.example.com", "example.com"]

  dns_challenge {
    // ...
  }
}

// Any change to certificate_pem forces replacement of this resource, and the
// replacement fails while the load balancer service still references it.
resource "hcloud_uploaded_certificate" "hcloud_cert" {
  name        = "example-cert"
  certificate = acme_certificate.certificate.certificate_pem
  private_key = acme_certificate.certificate.private_key_pem
}

// ...

resource "hcloud_load_balancer_service" "load_balancer" {
  http {
    certificates = [hcloud_uploaded_certificate.hcloud_cert.id]
    // ...
  }
  // ...
}
```
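One way to get the "create a new certificate, then repoint the service" rotation the maintainer describes without manual state surgery, added here as an example and not code from the thread or the provider: the uploaded certificate's name carries a fingerprint of the current PEM, so a renewal yields a differently named resource, and `create_before_destroy` makes Terraform create the new certificate and update the load balancer service before it deletes the old one. The ACME resource names follow the snippet above; `hcloud_load_balancer.main` is an assumed name.

```hcl
# Added example (not from the thread): certificate rotation that avoids the
# "certificate still in use" error. hcloud_load_balancer.main is an assumed
# resource name; the acme_* references match the snippet above.

locals {
  # Short fingerprint of the current PEM; it changes on every renewal, so the
  # old and new certificate never share a name while both exist.
  cert_suffix = substr(sha256(acme_certificate.certificate.certificate_pem), 0, 12)
}

resource "hcloud_uploaded_certificate" "hcloud_cert" {
  name        = "example-cert-${local.cert_suffix}"
  certificate = acme_certificate.certificate.certificate_pem
  private_key = acme_certificate.certificate.private_key_pem

  lifecycle {
    # Order on renewal: create the replacement, update every resource that
    # references this certificate (the service below), then destroy the old
    # certificate, which by then is no longer attached to anything.
    create_before_destroy = true
  }
}

resource "hcloud_load_balancer_service" "load_balancer" {
  load_balancer_id = hcloud_load_balancer.main.id # assumed resource name
  protocol         = "https"
  listen_port      = 443
  destination_port = 80

  http {
    # Points at whichever certificate resource is current; Terraform rewrites
    # this id to the replacement before the old certificate is deleted.
    certificates = [hcloud_uploaded_certificate.hcloud_cert.id]
  }
}
```

The renewal itself still only happens during an apply, so the plan/apply has to run within the ACME provider's renewal window for the rotation to take place before expiry.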
Also a +1 for this. An in-place update of the certificate would be very helpful. We're also now doing manual updates to the load balancer via terraform each time we renew the certificate.
This issue has been marked as stale because it has not had recent activity. The bot will close the issue if no further action occurs.
+1
This issue has been marked as stale because it has not had recent activity. The bot will close the issue if no further action occurs.
This is still very much relevant.
I encountered this issue when attempting to extend an existing Let's Encrypt certificate with additional domains.
My current workaround is a for_each loop that generates an individual certificate for each domain:
```hcl
resource "hcloud_managed_certificate" "managed_cert" {
  for_each = toset(local.domain_list)

  // One managed certificate per domain, named after the domain.
  name         = replace(each.value, ".", "-")
  domain_names = [each.value]
  labels       = {}
}

resource "hcloud_load_balancer_service" "load_balancer_service" {
  load_balancer_id = hcloud_load_balancer.lb01.id
  protocol         = "https"
  listen_port      = 443
  destination_port = 80

  http {
    // Attach every per-domain certificate to the same HTTPS listener.
    certificates    = [for cert in hcloud_managed_certificate.managed_cert : cert.id]
    redirect_http   = true
    sticky_sessions = true
    cookie_name     = "HCLBSTICKY"
    cookie_lifetime = 300
  }
  // ...
}
```