
[Feature]: Updating in-use certificates #1065

Open
OrfeasZ opened this issue Jan 8, 2025 · 2 comments

Comments

@OrfeasZ

OrfeasZ commented Jan 8, 2025

What would you like to see?

We're trying to set up a Terraform setup where a certificate is acquired using the letsencrypt provider, and then uploaded to Hetzner and used for a load balancer. However, since the Hetzner provider doesn't support in-place updates of the certificate data, we're unable to update the certificate when it's close to its expiration date.

More specifically, when the LE certificate gets re-issued, TF tries to destroy and re-create the Hetzner certificate, which in turn results in the following error, since the certificate is used by a load balancer:

Error: certificate still in use (service_error, xxxxxxxxxxxxxxx)

I don't know if it's possible to add support for updating existing certificates (since I don't see that option in the Hetzner Cloud UI either), so any help or alternative solutions to this would be greatly appreciated.

@jooola
Member

jooola commented Jan 8, 2025

You should be able to rotate the certificate of a load balancer by creating a new certificate and updating the load balancer service with the new certificate.

Could you provide us the Terraform code you use to perform this action?

@OrfeasZ
Author

OrfeasZ commented Jan 8, 2025

The problem with that is that I don't control the renewal of the LE certificate, so once it gets renewed I don't have a good way to rotate it in this way without having to manually remove the hcloud certificate resource from the Terraform state and create a new one with a different name.

I can't provide the exact Terraform code since we're using CDKTF, but here's a close equivalent:

// ACME account used to request the certificate
resource "acme_registration" "reg" {
  email_address = "[email protected]"
}

// Wildcard certificate issued via a DNS-01 challenge; the provider
// renews it in place, so certificate_pem changes without the resource being replaced
resource "acme_certificate" "certificate" {
  account_key_pem           = acme_registration.reg.account_key_pem
  common_name               = "*.example.com"
  subject_alternative_names = ["*.example.com", "example.com"]

  dns_challenge {
    // ...
  }
}

// Certificate uploaded to Hetzner Cloud; a change to certificate or
// private_key forces this resource to be destroyed and re-created
resource "hcloud_uploaded_certificate" "hcloud_cert" {
  name        = "example-cert"
  certificate = acme_certificate.certificate.certificate_pem
  private_key = acme_certificate.certificate.private_key_pem
}

// ...

// Load balancer service that references the uploaded certificate by id,
// which is why the destroy step fails with "certificate still in use"
resource "hcloud_load_balancer_service" "load_balancer" {
  http {
    certificates = [hcloud_uploaded_certificate.hcloud_cert.id]
    // ...
  }

  // ...
}
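The rotation jooola describes, applied to the snippet above, as an added example that is not code from this issue or from the hcloud provider project: the uploaded certificate's name is derived from the certificate content and the resource is replaced create-before-destroy, so the load balancer service is moved to the new certificate before the old one is deleted. The hcloud_load_balancer resource, the lb11/fsn1 values and the name-hash scheme are assumptions; acme_certificate.certificate is taken from the snippet above.

```hcl
# Added example: rotate hcloud_uploaded_certificate instead of updating it in place.
# Assumes acme_certificate.certificate is defined as in the snippet above.

resource "hcloud_uploaded_certificate" "hcloud_cert" {
  # Hetzner Cloud certificate names must be unique, so the replacement that
  # create_before_destroy builds cannot reuse "example-cert" while the old
  # one still exists. Hashing the PEM yields a new name exactly when the
  # certificate content changes (assumed naming scheme).
  name        = "example-cert-${substr(sha256(acme_certificate.certificate.certificate_pem), 0, 12)}"
  certificate = acme_certificate.certificate.certificate_pem
  private_key = acme_certificate.certificate.private_key_pem

  lifecycle {
    # Order on renewal: create the new certificate, update the service below
    # to the new id, then destroy the old certificate, which is no longer in use.
    # Without this Terraform destroys first and fails with "certificate still in use".
    create_before_destroy = true
  }
}

# Assumption: the load balancer is managed in the same configuration;
# type and location are example values.
resource "hcloud_load_balancer" "lb" {
  name               = "example-lb"
  load_balancer_type = "lb11"
  location           = "fsn1"
}

resource "hcloud_load_balancer_service" "load_balancer" {
  load_balancer_id = hcloud_load_balancer.lb.id
  protocol         = "https"

  http {
    # Referencing the id rather than the name ties the service to whichever
    # certificate instance is current after the rotation; this attribute is
    # updated in place, so the service is never destroyed.
    certificates = [hcloud_uploaded_certificate.hcloud_cert.id]
  }
}
```

After a renewal, `terraform plan` should show the uploaded certificate as replaced (create before destroy) and the service as an in-place update; a plan that still shows destroy-then-create means the lifecycle block is not on the instance being replaced.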
