impossible to alter an existing certificate (or replace) #705

Open
sandromastronardi opened this issue May 3, 2024 · 11 comments
@sandromastronardi

I want to add host names (wildcards *.api.tld.com) to a certificate api.tld.com

  1. I deleted the certificate
  2. I also deleted the pending certificate: How to revoke / delete a wrong certificate #69, as I always get this error when I remove a certificate.

But so far it broke my environment and I just can't get it to work again...
The current state: creating a new certificate doesn't work (the vault cannot be purged)

I get this error now:
[three screenshots of the error, not reproduced here]

Now my application is in a broken state... my certificate is gone, and I cannot replace it with a new one...

A way to replace a certificate from the UI would be nice, also a way to delete certificates the 'right' way, as it now seems to be going wrong all the time when I delete one.

Environment (please complete the following information):

  • Certificate Type: Sub-domain & Wildcard (although also happens in non wildcard situations)
  • Certificate Deploy Target: Key Vault
@sandromastronardi sandromastronardi added the bug Something isn't working label May 3, 2024
@shibayan
Owner

shibayan commented May 6, 2024

Adding a new domain name to an already existing certificate results in an error. This is because Acmebot creates a certificate resource for Key Vault with the first domain name. Please try this by explicitly entering the name of the certificate from the advanced options when issuing the certificate.

@leonardochaia

Hi @shibayan , I've just faced this issue.

First off, thanks for this project, I've been using it in production for a good couple of years now without any real issues.

I need to add one more SAN to a cert, so I:

  1. deleted the Certificate from key vault.
  2. Tried to generate a new one using the UI, got the error "Order includes different number of names than CSR specifies"
  3. Removed the pending certificate as instructed here
  4. Tried to generate a new one using the UI, got the error "Pending certificate not found"

Reading this issue, I ended up using the advanced options to change the Certificate resource name.
However, is there a way to keep the original name?

Reason I'm asking is my Kubernetes deployment is referencing the Key Vault Certificate by name, so now I need to change my deployment. No biggie, but I do need to do this a couple of times and was wondering if there's a way to keep the certificate name.

@sandromastronardi
Author

Thanks, but I have the same issue as @leonardochaia, as my templates use DNS names and I replace the dots with dashes to find the certificate name. If I use another certificate name then I will have to change the templates, and do that like @leonardochaia each time I need to add a name to an existing certificate... It would be great if I could replace a certificate in full, with new names.

@shibayan
Owner

shibayan commented May 6, 2024

This is an operation not supported by the Acmebot dashboard, but since Acmebot uses the Key Vault Issuance Policy as is, SANs can be added or deleted by modifying the Issuance Policy from Azure Portal.

[screenshot of the certificate's Issuance Policy in the Azure Portal, not reproduced here]

@sandromastronardi
Author

How should that work? I add a DNS name there, but then how is it REALLY added? By doing a renew?

@sandromastronardi
Author

And how to fix it if the certificate is already deleted and the system is broken?

@shibayan
Owner

shibayan commented May 6, 2024

After modifying the Issuance Policy and running Renew, a new certificate should be issued with the SANs added. If you have deleted a file, it will be restored as long as soft delete is enabled and you have not purged it.
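
The two-step workaround above (edit the Issuance Policy, then Renew) can be scripted instead of clicked through in the Portal. The following is an added example for this thread, not Acmebot's own code: it takes a Key Vault certificate policy document, adds or removes DNS SANs, and refuses to remove the first name because, per the comment earlier in this thread, that is the name the Key Vault certificate resource was created under. The policy shape (`x509_props` / `sans` / `dns_names`), the sample policy, and the `certificate_name_for` dots-to-dashes helper are assumptions modelled on what this thread describes; confirm the key names against your own vault's output (for example `az keyvault certificate show --query policy`) before applying the result.

```python
"""Add or remove DNS SANs in a Key Vault certificate policy document.

Added example for the keyvault-acmebot issue thread; not project code.
Assumptions: the policy follows the Key Vault REST shape
(x509_props -> sans -> dns_names), SAMPLE_POLICY is constructed, and the
certificate-name convention is the dots-to-dashes one described in the thread.
"""
import copy
import json
import re

# One hostname label; a leading "*." allows a single wildcard label.
_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
_DNS_NAME = re.compile(rf"^(?:\*\.)?(?:{_LABEL}\.)+{_LABEL}$", re.IGNORECASE)

# Constructed sample of the policy left on a certificate issued for api.tld.com
# (issuer, key and validity values are illustrative, not Acmebot's actual defaults).
SAMPLE_POLICY = {
    "issuer": {"name": "Unknown"},
    "key_props": {"exportable": True, "kty": "RSA", "key_size": 2048, "reuse_key": False},
    "secret_props": {"contentType": "application/x-pkcs12"},
    "x509_props": {
        "subject": "CN=api.tld.com",
        "sans": {"dns_names": ["api.tld.com"]},
        "validity_months": 3,
    },
}


def certificate_name_for(dns_name: str) -> str:
    """Map a DNS name to the Key Vault certificate name the thread's templates
    look up: dots become dashes (assumption). Key Vault object names allow only
    letters, digits and dashes, so a wildcard name cannot be used directly."""
    if not _DNS_NAME.match(dns_name):
        raise ValueError(f"not a valid DNS name: {dns_name!r}")
    if dns_name.startswith("*."):
        raise ValueError("Key Vault object names cannot contain '*'; name the cert after the base domain")
    return dns_name.lower().replace(".", "-")


def update_sans(policy: dict, add=(), remove=()) -> dict:
    """Return a copy of `policy` with DNS SANs removed then added.

    The first SAN is kept in place and may not be removed: the thread states the
    certificate resource was created with the first domain name, and the renew
    must still target that resource. Names are compared case-insensitively and
    duplicates are not added, so the function is safe to re-run.
    """
    new_policy = copy.deepcopy(policy)
    sans = new_policy.setdefault("x509_props", {}).setdefault("sans", {})
    names = list(sans.get("dns_names", []))
    if not names:
        raise ValueError("policy has no dns_names; nothing anchors the renewal")
    first = names[0].lower()
    for name in remove:
        if name.lower() == first:
            raise ValueError(f"refusing to remove {names[0]!r}: the certificate resource is named after it")
        names = [n for n in names if n.lower() != name.lower()]
    for name in add:
        if not _DNS_NAME.match(name):
            raise ValueError(f"not a valid DNS name: {name!r}")
        if name.lower() not in (n.lower() for n in names):
            names.append(name.lower())
    sans["dns_names"] = names
    return new_policy


def policy_diff(old: dict, new: dict) -> dict:
    """Summarise what a renewal with `new` changes versus `old`: SANs gained,
    SANs lost, and whether anything other than the SAN list differs (a pure
    SAN edit should report other_changes == False)."""
    old_names = {n.lower() for n in old["x509_props"]["sans"].get("dns_names", [])}
    new_names = {n.lower() for n in new["x509_props"]["sans"].get("dns_names", [])}
    o, n = copy.deepcopy(old), copy.deepcopy(new)
    o["x509_props"]["sans"].pop("dns_names", None)
    n["x509_props"]["sans"].pop("dns_names", None)
    return {
        "added": sorted(new_names - old_names),
        "removed": sorted(old_names - new_names),
        "other_changes": o != n,
    }


if __name__ == "__main__":
    # Add the wildcard from the opening post to the api.tld.com policy and
    # print the policy JSON to write into a file for the CLI/SDK update call.
    updated = update_sans(SAMPLE_POLICY, add=["*.api.tld.com"])
    print("certificate name:", certificate_name_for("api.tld.com"))
    print("diff:", policy_diff(SAMPLE_POLICY, updated))
    print(json.dumps(updated, indent=2))
```

Write the printed JSON to a file and apply it with the Key Vault tooling you already use (for the Azure CLI, `az keyvault certificate set-attributes --policy @policy.json`; for the Python SDK, `CertificateClient.update_certificate_policy`; check the reference for the exact policy shape each expects, since the CLI and REST representations differ in key naming), then trigger Renew from the Acmebot dashboard as described above. `policy_diff` is the check to run before applying: if `other_changes` is true, the document you are about to push differs in more than the SAN list, which is not what this workaround intends.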

@leonardochaia

> After modifying the Issuance Policy and running Renew, a new certificate should be issued with the SANs added. If you have deleted a file, it will be restored as long as soft delete is enabled and you have not purged it.

Hi @shibayan, thank you for your replies. I propose this gets added to the wiki FAQ. Perhaps this issue can then become a feature request to eventually be able to edit the already issued certificates through the UI.

Thank you.
Leo.

@shibayan
Owner

shibayan commented May 7, 2024

Since we did not think there were that many use cases for adding SANs later, we will consider updating certificates in the next major version.

Added to FAQ https://github.com/shibayan/keyvault-acmebot/wiki/Frequently-Asked-Questions#adding-sans-to-an-existing-certificate

@leonardochaia

Thank you @shibayan for your time and answers. I think it is acceptable as is, since like you said, use cases for this are slim, and now there's a documented workaround, however, being able to do it from the UI, or perhaps adding a link from the UI to the Azure Portal Key Vault Certificate would be helpful!
I think this can be closed.

Regards,
Leo

@shibayan
Owner

shibayan commented May 7, 2024

Adding a link to the Key Vault certificate is a good idea. I would like to incorporate that. Thanks!
