Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Adding a new SubjectAlternativeName to a set doesn't cause a renew #57

Closed
jinnatar opened this issue Jan 11, 2019 · 4 comments · Fixed by #82
Closed

Adding a new SubjectAlternativeName to a set doesn't cause a renew #57

jinnatar opened this issue Jan 11, 2019 · 4 comments · Fixed by #82
Labels

Comments

@jinnatar
Copy link

If I first have a domainset such as:

domainsets:
    www:
      - example.com
      - www.example.com

And have that applied and then later on amend the domainset to for example:

domainsets:
    www:
      - example.com
      - www.example.com
      - www2.example.com

Applying the state won't trigger adding www2.example.com as an alternate name to the domainset's cert. The command visible in state apply output is correct and would cause the correct action, if it was actually executed:

/usr/bin/certbot certonly --quiet -d example.com -d www.example.com -d www2.example.com --non-interactive

.. but looks like it doesn't get executed. To me it seems because of this:

unless: {{ check_cert_cmd }} {{ domainlist[0] }}

i.e. only the status of the CN is checked, which ignores the fact of having new alternative names.

@jinnatar
Copy link
Author

jinnatar commented Feb 3, 2019

Looks like this could be worked around by having '--expand' as a certbot parameter.

@jinnatar
Copy link
Author

jinnatar commented Feb 3, 2019

The root cause is: https://github.com/saltstack-formulas/letsencrypt-formula/blob/master/letsencrypt/domains.sls#L44

If that would be expanded to checking the entire list the situation would be detected, and renewing always with --expand would allow the renew to do the correct thing.

@TimidRobot
Copy link

Specifying expand = True in pillar.letsencrypt.config does not result in SANs being added to the original certificate. I had to manually invoke certbot ({{ check_cert_cmd }} per L44 above).

TimidRobot added a commit to creativecommons/sre-salt-prime that referenced this issue Apr 8, 2019
@javierbertoli javierbertoli linked a pull request May 26, 2020 that will close this issue
javierbertoli added a commit to netmanagers/letsencrypt-formula that referenced this issue Jun 13, 2021
@myii myii closed this as completed in #82 Jun 23, 2021
saltstack-formulas-travis pushed a commit that referenced this issue Jun 23, 2021
## [2.1.1](v2.1.0...v2.1.1) (2021-06-23)

### Bug Fixes

* **domains:** check cert exists with desired domains ([a11fa8b](a11fa8b)), closes [#57](#57)
* **domains:** update git check cert script ([2cbb50c](2cbb50c))
* **gentoo:** use correct `git` package name ([1054e0d](1054e0d))
* **osfinger:** provide correct package for `centos-7` & `oraclelinux-7` ([19998df](19998df))

### Continuous Integration

* **kitchen+gitlab:** remove Ubuntu 16.04 & Fedora 32 (EOL) [skip ci] ([8b5b4f4](8b5b4f4))
* add `arch-master` to matrix and update `.travis.yml` [skip ci] ([7ea4e63](7ea4e63))
* **commitlint:** ensure `upstream/master` uses main repo URL [skip ci] ([5def61c](5def61c))
* **gemfile+lock:** use `ssf` customised `kitchen-docker` repo [skip ci] ([8cc1a93](8cc1a93))
* **gitlab-ci:** add `rubocop` linter (with `allow_failure`) [skip ci] ([824c5c2](824c5c2))
* **gitlab-ci:** use GitLab CI as Travis CI replacement ([90d8a06](90d8a06))
* **kitchen+ci:** use latest pre-salted images (after CVE) [skip ci] ([e6c0d13](e6c0d13))
* **kitchen+gitlab:** adjust matrix to add `3003` [skip ci] ([493ab98](493ab98))
* **kitchen+gitlab-ci:** use latest pre-salted images [skip ci] ([ae1610b](ae1610b))
* **pre-commit:** update hook for `rubocop` [skip ci] ([a9cbb16](a9cbb16))

### Documentation

* **readme:** fix `coala` violations [skip ci] ([98c2898](98c2898))
* **readme:** stretch is now old-stable [skip ci] ([7f0bab5](7f0bab5))

### Tests

* standardise use of `share` suite & `_mapdata` state [skip ci] ([1105cb8](1105cb8))
@saltstack-formulas-travis

🎉 This issue has been resolved in version 2.1.1 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

Successfully merging a pull request may close this issue.

3 participants