puppet-letsencrypt
puppet-letsencrypt copied to clipboard
voxpupuli
Adding domains to existing certificate leads to duplicate certs/renewal configs with pattern <cert>-0001,2 etc
Affected Puppet, Ruby, OS and module versions/distributions
- Puppet: 7.5.0 but likely all current supported, eg 6x
- Ruby: 2.7.2
- Distribution: Ubuntu Focal
- Module version: 6.0.0 from Forge
How to reproduce (e.g Puppet code you use)
Step 1: Issue certificate successfully Step 2: Add additional domains to the array
What are you seeing
At renewal time, the config file in the '/etc/letsencrypt/renewal/' dir is duplicated with pattern "
What behaviour did you expect instead
The certificate with the same base name (no additional numbers on the end) replaces the old certificate when everything passes validation.
Output log
Redacted logfile available upon request (can't attach directly, too long to copy/paste). Puppet reports "A OK", no errors.
Any additional information you'd like to impart
Some evidence suggests that if there's more than one certificate per server, the above bug can affect all certificates on the server in the same way even if they haven't had additional domains added to trigger the bug.
Please note: this bug doesn't happen every time with the above reproduction steps - it's unreliable and there may be some other precipitating factor we've not yet found.
I encounter the same issue so I'll add some explanations to it :
As soon as you create a Duplicate certificate from letsencrypt (you create a new certificate for an already-valid domain) certbot will append a number to /etc/letsencrypt/live/${domain} -> /etc/letsencrypt/live/${domain}-0001
with that said, the check script used for the certbot certonly command's unless condition is not checking for the good path, so it returns 1, so puppet re-run certbot certonly, issue another duplicate certificate for the same domain, and repeat the operation on each puppet run until letsencrypt API ban
