Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Adding a new SubjectAlternativeName to a set doesn't cause a renew #57

Closed
jinnatar opened this issue Jan 11, 2019 · 4 comments · Fixed by #82
Closed

Adding a new SubjectAlternativeName to a set doesn't cause a renew #57

jinnatar opened this issue Jan 11, 2019 · 4 comments · Fixed by #82
Labels
released

Comments

@jinnatar
Copy link

If I first have a domainset such as:

domainsets:
    www:
      - example.com
      - www.example.com

And have that applied and then later on amend the domainset to for example:

domainsets:
    www:
      - example.com
      - www.example.com
      - www2.example.com

Applying the state won't trigger adding www2.example.com as an alternate name to the domainset's cert. The command visible in state apply output is correct and would cause the correct action, if it was actually executed:

/usr/bin/certbot certonly --quiet -d example.com -d www.example.com -d www2.example.com --non-interactive

.. but looks like it doesn't get executed. To me it seems because of this:

unless: {{ check_cert_cmd }} {{ domainlist[0] }}

i.e. only the status of the CN is checked, which ignores the fact of having new alternative names.
@jinnatar
Copy link
Author

jinnatar commented Feb 3, 2019

Looks like this could be worked around by having '--expand' as a certbot parameter.

@jinnatar
Copy link
Author

jinnatar commented Feb 3, 2019

The root cause is: https://github.com/saltstack-formulas/letsencrypt-formula/blob/master/letsencrypt/domains.sls#L44

If that would be expanded to checking the entire list the situation would be detected, and renewing always with --expand would allow the renew to do the correct thing.

@jinnatar jinnatar mentioned this issue Feb 3, 2019
Closed
@TimidRobot
Copy link

Specifying expand = True in pillar.letsencrypt.config does not result in SANs being added to the original certificate. I had to manually invoke certbot ({{ check_cert_cmd }} per L44 above).

TimidRobot added a commit to creativecommons/sre-salt-prime that referenced this issue Apr 8, 2019
@TimidRobot
added le-initialize.sh to help with saltstack-formulas/letsencrypt-fo…
98946fc 
…rmula#57
@javierbertoli javierbertoli linked a pull request May 26, 2020 that will close this issue
Update pillar.example to good-citizen defaults #63
Closed
@javierbertoli javierbertoli removed a link to a pull request May 26, 2020
Update pillar.example to good-citizen defaults #63
Closed
javierbertoli added a commit to netmanagers/letsencrypt-formula that referenced this issue Jun 13, 2021
@javierbertoli
fix(domains): check cert exists with desired domains
a11fa8b 
fixes saltstack-formulas#57
@javierbertoli javierbertoli mentioned this issue Jun 14, 2021
Merged
19 tasks
@myii myii closed this as completed in #82 Jun 23, 2021
saltstack-formulas-travis pushed a commit that referenced this issue Jun 23, 2021
@semantic-release-bot
chore(release): 2.1.1 [skip ci]
261081a 
## [2.1.1](v2.1.0...v2.1.1) (2021-06-23)

### Bug Fixes

* **domains:** check cert exists with desired domains ([a11fa8b](a11fa8b)), closes [#57](#57)
* **domains:** update git check cert script ([2cbb50c](2cbb50c))
* **gentoo:** use correct `git` package name ([1054e0d](1054e0d))
* **osfinger:** provide correct package for `centos-7` & `oraclelinux-7` ([19998df](19998df))

### Continuous Integration

* **kitchen+gitlab:** remove Ubuntu 16.04 & Fedora 32 (EOL) [skip ci] ([8b5b4f4](8b5b4f4))
* add `arch-master` to matrix and update `.travis.yml` [skip ci] ([7ea4e63](7ea4e63))
* **commitlint:** ensure `upstream/master` uses main repo URL [skip ci] ([5def61c](5def61c))
* **gemfile+lock:** use `ssf` customised `kitchen-docker` repo [skip ci] ([8cc1a93](8cc1a93))
* **gitlab-ci:** add `rubocop` linter (with `allow_failure`) [skip ci] ([824c5c2](824c5c2))
* **gitlab-ci:** use GitLab CI as Travis CI replacement ([90d8a06](90d8a06))
* **kitchen+ci:** use latest pre-salted images (after CVE) [skip ci] ([e6c0d13](e6c0d13))
* **kitchen+gitlab:** adjust matrix to add `3003` [skip ci] ([493ab98](493ab98))
* **kitchen+gitlab-ci:** use latest pre-salted images [skip ci] ([ae1610b](ae1610b))
* **pre-commit:** update hook for `rubocop` [skip ci] ([a9cbb16](a9cbb16))

### Documentation

* **readme:** fix `coala` violations [skip ci] ([98c2898](98c2898))
* **readme:** stretch is now old-stable [skip ci] ([7f0bab5](7f0bab5))

### Tests

* standardise use of `share` suite & `_mapdata` state [skip ci] ([1105cb8](1105cb8))
@saltstack-formulas-travis
Copy link

🎉 This issue has been resolved in version 2.1.1 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
released
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Fix certificate renewal checks netmanagers/letsencrypt-formula
3 participants
@TimidRobot @jinnatar @saltstack-formulas-travis