My domain is: *.sdxlive.com
The version of my client is: ansible 2.9.2
I somehow lost the private key used to create a valid wildcard certificate due to the fact that:
- the private key used in the CSR/Certificate is created each time I run the role and I keep only the latest
- I had to run my role multiple times due to DNS validation issues
- the last time the role run, I realized there was no need to revalidate all SANs even though only one SAN had been validated during the previous pass. It seems that let’s encrypt servers memorize the SANs which are already validated and the SANs which still need to be challenged.
Long story short, I need to renew the valid certificate, even though it is still valid until 01/24/2020 (which is strange because I thought there was a 90 days validity period and it was issued on 12/18/2019).
When using the acme_certificate module, whatever value I use for the field remaining_days (I tried 90 and 37), with the field force set to yes, the certificate is not renewed because I don't get the challenge_data in the response.
So, is this a let's encrypt or ansible issue, or is this expected, meaning I will soon lose my wildcard certificate until I can renew it (the current one expires on Christmas day)?
today you have created a new certificate - https://check-your-website.server-daten.de/?q=sdxlive.com#ct-logs
Let's Encrypt Authority X3 | *.sdxlive.com, sdxlive.com - 2 entries | duplicate nr. 1
But you don't use it, instead, there is the
expires in 7 days | *.sdxlive.com, sdxlive.com - 2 entries
So if you have the new certificate, install it (a restart may be required). If you don’t have it, create one new. Max. 5 in one week are allowed.
It is not possible to derive the private key from any certificate and the private key is absolutely necessary to be able to use the certificate.
I tried, but as the first post showed, it failed. So I guess there is an issue with the ansible module.
If you have lost the private key, you have to create a new private / public key pair.
Then you have to forget the old private key.
You can't recreate a lost private key. If you were able to do that, the whole PKI system would be compromised.
Also, the data you showed about the new certificate seems to indicate that it is valid until
The data I got from the ansible module shows a different story:
I guess that’s a second ansible issue.
I never tried to create a new private key with an earlier certificate.
My process creates a new private key over the previous one each time I try to apply for a new certificate.
This is some information about the challenge, not about the created certificate.
If you have created a certificate, this information is no longer required.
That "ansible" (don't know what that is) should list your created certificates. There you have to look.
(in an overly simplistic view) Ansible is basically just a simplified scripting language (YAML) that wraps complicated tasks into a simple(r) single one (Playbooks) - but it really doesn't DO anything on its own.
You do need to review the ansible “script” to ensure it works as expected and doesn’t destroy/overwrite the private key file at any point and is putting things where you need and expect them to be.
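To make that review concrete, here is an added example playbook (not the thread's own role) showing the two points raised in this thread: the private key is created once and never overwritten by a later run, and the second acme_certificate call runs even when step 1 returned an empty challenge_data (which, as observed above, is what Let's Encrypt returns when it still holds valid authorizations for every SAN). The directory, the account key path and the use of a debug task in place of a real DNS-provider module are assumptions.

```yaml
# Added example (not the thread's own role): keep one private key across runs,
# and always run the second acme_certificate call, even when challenge_data is empty.
- hosts: localhost
  vars:
    d: /etc/letsencrypt/sdxlive.com          # assumption: illustrative directory
    acme_args: &acme                         # YAML anchor: arguments shared by both calls
      account_key_src: "{{ d }}/account.key" # assumption: ACME account already registered
      csr: "{{ d }}/cert.csr"
      dest: "{{ d }}/cert.pem"
      fullchain_dest: "{{ d }}/fullchain.pem"
      challenge: dns-01
      acme_directory: https://acme-v02.api.letsencrypt.org/directory
      acme_version: 2
      remaining_days: 30
      force: yes                             # renew now, regardless of remaining_days
  tasks:
    - name: Private key is created once and never overwritten by a later run
      openssl_privatekey:
        path: "{{ d }}/privkey.pem"
        size: 4096
        force: no      # keep an existing key file untouched
        backup: yes    # if it is ever regenerated, a timestamped copy is kept

    - name: CSR for the apex and the wildcard, using that stable key
      openssl_csr:
        path: "{{ d }}/cert.csr"
        privatekey_path: "{{ d }}/privkey.pem"
        common_name: sdxlive.com
        subject_alt_name:
          - DNS:sdxlive.com
          - DNS:*.sdxlive.com

    - name: Step 1 - create the order; challenge_data lists only SANs not yet authorized
      acme_certificate:
        <<: *acme
      register: order

    # An empty challenge_data means the CA still holds valid authorizations for every
    # SAN, so there is nothing to publish; the loop below simply runs zero times.
    - name: Show the _acme-challenge TXT records that are still required
      debug:   # replace with the DNS provider module you use (route53, cloudflare_dns, ...)
        msg: "{{ item.value['dns-01'].record }} TXT {{ item.value['dns-01'].resource_value }}"
      loop: "{{ order.challenge_data | default({}) | dict2items }}"

    - name: Step 2 - validate and finalize; runs unconditionally, not only when step 1 returned challenges
      acme_certificate:
        <<: *acme
        data: "{{ order }}"
```

Skipping step 2 whenever challenge_data is empty is exactly what leaves the certificate un-renewed; with the key file kept stable, re-running the play on a DNS failure no longer discards the key that belongs to an already issued certificate.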
The ansible role is fine; the validation issues have been corrected, so losing the private key should never happen again.
This issue has been solved. More details are available here.