terraform-provider-acme: acme_certificate renewal fails with "First certificate is a CA certificate"

The certificate renewal (with the latest Terraform, 0.11.14) with the acme provider (latest version, 1.3.0) consistently fails during the terraform plan stage with the error:

Error: Error running plan: 1 error occurred:
	* acme_certificate.cc_acme_certificate: 1 error occurred:
	* acme_certificate.cc_acme_certificate: unable to calculate time to certificate expiry: First certificate is a CA certificate

Below is the configuration that causes the problem:

resource "tls_private_key" "private_staging_key" {
  algorithm = "RSA"
  rsa_bits = 4096
  lifecycle {
    create_before_destroy = true
  }
}

resource "tls_private_key" "private_prod_key" {
  algorithm = "RSA"
  rsa_bits = 4096
  lifecycle {
    create_before_destroy = true
  }
}

resource "acme_registration" "cc_staging_registration" {
  account_key_pem = "${tls_private_key.private_staging_key.private_key_pem}"
  email_address   = "some-email@email.com"
  provider = "acme.staging"
  lifecycle {
    create_before_destroy = true
  }
}

resource "acme_registration" "cc_prod_registration" {
  account_key_pem = "${tls_private_key.private_prod_key.private_key_pem}"
  email_address   = "some-email@email.com"
  provider = "acme.prod"
  lifecycle {
    create_before_destroy = true
  }
}

resource "acme_certificate" "cc_acme_certificate" {
  account_key_pem           = "${acme_registration.cc_prod_registration.account_key_pem}"
  common_name               = "*.our-domain.com"
  provider = "acme.prod"
  dns_challenge {
    provider = "route53"
  }
  lifecycle {
    create_before_destroy = true
  }
}

resource "aws_acm_certificate" "cc_ssl_certificate" {
  private_key = "${acme_certificate.cc_acme_certificate.private_key_pem}"
  certificate_body = "${acme_certificate.cc_acme_certificate.certificate_pem}"
  certificate_chain = "${acme_certificate.cc_acme_certificate.issuer_pem}"
}

The acme provider is configured as follows:

provider "acme" {
  alias = "prod"
  server_url = "https://acme-v02.api.letsencrypt.org/directory"
}

provider "acme" {
  alias = "staging"
  server_url = "https://acme-staging-v02.api.letsencrypt.org/directory"
}
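The error quoted above comes from the expiry check the provider runs before deciding whether to renew: it parses the stored certificate PEM and refuses to continue if the first block is a CA certificate instead of the leaf, which is what a bundle looks like once the leaf has been dropped from state and only the issuer remains. The following Go program is an added example, not the provider's own code, that reproduces that check on two constructed bundles (leaf first, and issuer first) and shows the renewal decision that depends on it; `timeToExpiry`, `needsRenewal`, `selfSignedPEM` and `buildSampleBundles` are names chosen for this example, and the 30-day threshold stands in for the provider's `min_days_remaining` argument.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// ErrFirstCertIsCA is the condition behind the error quoted in the issue:
// the first PEM block of the bundle is an issuer, not the end-entity certificate.
var ErrFirstCertIsCA = errors.New("First certificate is a CA certificate")

// timeToExpiry parses a PEM bundle (certificate_pem, optionally followed by
// issuer_pem) and returns the remaining lifetime of the first certificate.
// Like the provider's expiry check, it rejects a bundle whose first block is a CA.
func timeToExpiry(bundle []byte, now time.Time) (time.Duration, error) {
	block, _ := pem.Decode(bundle)
	if block == nil || block.Type != "CERTIFICATE" {
		return 0, errors.New("no CERTIFICATE block at start of bundle")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return 0, fmt.Errorf("parsing first certificate: %w", err)
	}
	if cert.IsCA {
		return 0, ErrFirstCertIsCA
	}
	return cert.NotAfter.Sub(now), nil
}

// needsRenewal reports whether fewer than minDays remain on the leaf; the
// threshold plays the role of the provider's min_days_remaining argument.
func needsRenewal(bundle []byte, now time.Time, minDays int) (bool, error) {
	left, err := timeToExpiry(bundle, now)
	if err != nil {
		return false, err
	}
	return left < time.Duration(minDays)*24*time.Hour, nil
}

// selfSignedPEM builds a throwaway self-signed certificate (constructed test
// data, not issued by any real CA) with the given CA flag and validity window.
func selfSignedPEM(cn string, isCA bool, notBefore, notAfter time.Time) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             notBefore,
		NotAfter:              notAfter,
		IsCA:                  isCA,
		BasicConstraintsValid: true,
	}
	if isCA {
		tmpl.KeyUsage = x509.KeyUsageCertSign
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

// buildSampleBundles returns two constructed bundles: the healthy layout
// (leaf, then issuer) and the broken layout (issuer first) that reproduces
// the error. The leaf gets the 90-day lifetime Let's Encrypt issues.
func buildSampleBundles(now time.Time) (leafFirst, issuerFirst []byte, err error) {
	leaf, err := selfSignedPEM("*.our-domain.com", false, now, now.Add(90*24*time.Hour))
	if err != nil {
		return nil, nil, err
	}
	issuer, err := selfSignedPEM("constructed test issuer", true, now, now.Add(5*365*24*time.Hour))
	if err != nil {
		return nil, nil, err
	}
	leafFirst = append(append([]byte{}, leaf...), issuer...)
	issuerFirst = append(append([]byte{}, issuer...), leaf...)
	return leafFirst, issuerFirst, nil
}

func main() {
	now := time.Now()
	leafFirst, issuerFirst, err := buildSampleBundles(now)
	if err != nil {
		panic(err)
	}
	for name, b := range map[string][]byte{"leaf first": leafFirst, "issuer first": issuerFirst} {
		renew, err := needsRenewal(b, now, 30)
		fmt.Printf("%-12s renew=%v err=%v\n", name, renew, err)
	}
}
```

Running it prints a renewal decision for the healthy bundle and the exact error from the issue for the reversed one. The same parse can be applied to the `certificate_pem` value in a `terraform state show acme_certificate.<name>` output to tell whether a given state still holds the leaf or only the issuer chain.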

About this issue

  • State: closed
  • Created 5 years ago
  • Reactions: 1
  • Comments: 21 (10 by maintainers)

Most upvoted comments

@uovobw 1.3.3 is out now and should work with Terraform 0.12. Let me know how it goes!

Update:

#60 fixes the issue so that the certificate is not dropped during update.

#59 is already in, which will fix anybody affected by this who just hasn't re-created their certificates.

As mentioned last night these should be released as 1.3.2 early next week!

Thanks all for the info. I have a reproduction now and am pretty sure I know what’s wrong, namely a lack of partial state mode is causing the certificate to be dropped if renewal is pending and an error occurs.

I should have a fix in early next week, including a fix that also recovers the existing certificate so that any states that have been affected by this that have not yet been recovered should be corrected.

Thanks for your patience!