Cannot renew a valid wildcard certificate before the end of the authorizations cache

My domain is: *.sdxlive.com

The version of my client is: ansible 2.9.2

I somehow lost the private key used to create a valid wildcard certificate due to the fact that:

  • the private key used in the CSR/Certificate is created each time I run the role and I keep only the latest
  • I had to run my role multiple times due to DNS validation issues
  • the last time the role ran, I realized there was no need to revalidate all SANs even though only one SAN had been validated during the previous pass. It seems that Let’s Encrypt servers memorize the SANs which are already validated and the SANs which still need to be challenged.

Long story short, I need to renew the valid certificate, even though it is still valid until 01/24/2020 (which is strange because I thought there was a 90-day validity period and it was issued on 12/18/2019).

When using the acme_certificate module, whatever value I use for the field remaining_days (I tried 90 and 37), with the field force set to yes, the certificate is not renewed because I don’t get the challenge_data in the response.

So, is this a Let's Encrypt or Ansible issue, or is this expected, meaning I will soon lose my wildcard certificate until I can renew it (the current one expires on Christmas day)?

1 Like

Hi @jean-christophe-manc

Today you have created a new certificate - https://check-your-website.server-daten.de/?q=sdxlive.com#ct-logs

Issuer                       not before   not after    Domain names                  LE-Duplicate next LE
Let’s Encrypt Authority X3   2019-12-18   2020-03-17   *.sdxlive.com, sdxlive.com    - 2 entries duplicate nr. 1

But you don’t use it, instead, there is the

CN=*.sdxlive.com
not before: 26.09.2019
not after:  25.12.2019 (expires in 7 days)
*.sdxlive.com, sdxlive.com - 2 entries

certificate.

So if you have the new certificate, install it (a restart may be required). If you don’t have it, create one new. Max. 5 in one week are allowed.

1 Like

It is not possible to derive the private key from any certificate and the private key is absolutely necessary to be able to use the certificate.

I tried, but as the first post showed, it failed. So I guess there is an issue with the ansible module.

1 Like

If you have lost the private key, you have to create a new private / public key pair.

Then you have to forget the old private key.

You can’t recreate a lost private key. If you were able to do that, the whole PKI system would be compromised.

1 Like

Also, the data you showed about the new certificate seems to indicate that it is valid until 2020-03-17.
The data I got from the ansible module shows a different story:

...
            "*.sdxlive.com": {
                "challenges": [
                    {
                        "status": "valid", 
...
                ], 
                "expires": "2020-01-24T15:38:16Z", 
...
            }, 
            "sdxlive.com": {
                "challenges": [
                    {
                        "status": "valid", 
...
                "expires": "2020-01-24T15:25:28Z", 
...
...

I guess that’s a second ansible issue.

I never tried to create a new private key with an earlier certificate.
My process creates a new private key over the previous one each time I try to apply for a new certificate.

1 Like

That’s completely irrelevant.

This is some information about the challenge, not about the created certificate.

If you have created a certificate, this information is no longer required.

That “ansible” (don’t know what that is) should list your created certificates. That is where you have to look.

1 Like

(In an overly simplistic view) Ansible is basically just a simplified scripting language (YAML) that wraps complicated tasks into a simple(r) single one (Playbooks) - but it really doesn’t DO anything on its own.

You do need to review the ansible “script” to ensure it works as expected and doesn’t destroy/overwrite the private key file at any point and is putting things where you need and expect them to be.
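Concretely, a key-preserving version of the flow discussed in this thread, as an added example that is not the poster's role or code from anyone in the thread; the file paths, the account e-mail and the DNS-record task are assumptions.

```yaml
# Added example (not from the thread): Ansible 2.9 tasks that create the
# certificate private key once and never overwrite it on later runs, so a
# re-issue with acme_certificate only replaces the certificate, not the key.
# Paths and the account e-mail are assumptions for illustration.
- name: Create the certificate private key only if it does not exist yet
  openssl_privatekey:
    path: /etc/ssl/private/sdxlive.com.key   # assumed path
    type: RSA
    size: 4096
    mode: "0600"
    # force defaults to no, so an existing key file is left untouched

- name: Build the CSR for the wildcard and apex names from that key
  openssl_csr:
    path: /etc/ssl/sdxlive.com.csr
    privatekey_path: /etc/ssl/private/sdxlive.com.key
    common_name: "*.sdxlive.com"
    subject_alt_name:
      - "DNS:*.sdxlive.com"
      - "DNS:sdxlive.com"

- name: Start the order (step 1 of acme_certificate)
  acme_certificate:
    account_key_src: /etc/ssl/private/le-account.key   # assumed path
    account_email: hostmaster@sdxlive.com              # assumed address
    acme_directory: https://acme-v02.api.letsencrypt.org/directory
    acme_version: 2
    terms_agreed: yes
    challenge: dns-01
    src: /etc/ssl/sdxlive.com.csr
    dest: /etc/ssl/sdxlive.com.crt
    fullchain_dest: /etc/ssl/sdxlive.com-fullchain.crt
    remaining_days: 30
    force: yes     # re-issue even though the installed certificate is still valid
  register: le_order
  # If Let's Encrypt still holds valid (cached) authorizations for these names,
  # le_order.challenge_data comes back empty; the "expires" value inside it is
  # the authorization lifetime, not the certificate's notAfter date.

# Publish the TXT records from le_order.challenge_data[<name>]['dns-01']
# (.record and .resource_value) with your DNS provider's module here, then:

- name: Finalize the order and download the certificate (step 2)
  acme_certificate:
    account_key_src: /etc/ssl/private/le-account.key
    account_email: hostmaster@sdxlive.com
    acme_directory: https://acme-v02.api.letsencrypt.org/directory
    acme_version: 2
    terms_agreed: yes
    challenge: dns-01
    src: /etc/ssl/sdxlive.com.csr
    dest: /etc/ssl/sdxlive.com.crt
    fullchain_dest: /etc/ssl/sdxlive.com-fullchain.crt
    remaining_days: 30
    force: yes
    data: "{{ le_order }}"
  when: le_order is changed
```

Because the key task is idempotent, repeated runs to sort out DNS validation no longer discard the key that the certificate was issued for.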

The ansible role is fine; the validation issues have been corrected, so losing the private key should never happen again.

This issue has been solved. More details are available here.

5 Likes
