Private Key Mismatch (Solved)

Edit: Something in our automated system or git flow compromised the CSR. Thanks for helping but…ultimately it was a code 18.

I’m using Ansible to renew my certs - and it’s been working flawlessly for at least 1 year now, 4 renewals. Last week however, a cert was renewed for my domain but NGINX failed because it doesn’t match my PK at all. Subsequent reattempts to regenerate the cert are producing similar results (and I’ve busted my rate limit now).

My ansible commands are super simple:

```yaml
- name: letsencrypt first pass to get challenge data
  letsencrypt:
    account_email:
    account_key: /path/to/my/letsencrypt.key
    acme_directory: "{{ item.acme_directory | default('https://acme-v01.api.letsencrypt.org/directory') }}"
    challenge: http-01
    csr: /etc/ssl/{{ item.domain }}/server.csr
    dest: /etc/ssl/{{ item.domain }}/bundle.crt
    remaining_days: "{{ item.remaining_days | default(10) }}"
  register: _letsencrypt__challenge
  run_once: yes
  with_items: "{{ letsencrypt__domains }}"
  become: yes
```

Followed by:

```yaml
- name: letsencrypt second pass to generate certificate
  letsencrypt:
    account_email:
    account_key: /path/to/my/letsencrypt.key
    acme_directory: "{{ item.acme_directory | default('https://acme-v01.api.letsencrypt.org/directory') }}"
    challenge: http-01
    csr: /etc/ssl/{{ item.item.domain }}/server.csr
    data: "{{ item }}"
    dest: /etc/ssl/{{ item.item.domain }}/cert.pem
    remaining_days: "{{ item.remaining_days | default(10) }}"
  run_once: yes
  with_items: "{{ _letsencrypt__challenge.results }}"
  when: item | changed
  become: yes
```

Did you somehow “replace” the PK (with a new/older version)?
I can’t think of any other reason…
Do you run the same script elsewhere and share the new certs back and forth?

PK has not changed. We version our keys, CSRs and PKs in GitHub (encrypted). I initially thought our PK was inadvertently changed so I reverted back to our master version but I’m getting the same results.

I’m not really familiar with Ansible—what underlying client is it using to request the certificates? Also, where does the private key come from (and end up)?

http://docs.ansible.com/ansible/latest/modules/letsencrypt_module.html / https://github.com/ansible/ansible/blob/devel/lib/ansible/modules/web_infrastructure/letsencrypt.py

None, it implements ACME v1/v2 on its own and has no local runtime outside of when the Ansible host copies temporary scripts over to execute.

I don't see how OP's issue happened though, unless somebody manually (or in another Ansible task) changed the CSR. Ansible's letsencrypt module doesn't and can't modify the CSR, and Let's Encrypt won't issue a certificate for a CSR other than the one provided in the order. The module sends the CSR from the filesystem pretty much verbatim.
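Since the module sends the CSR as-is, the quickest way to find out which artifact was swapped is to compare the public key carried by the private key, the CSR and the issued certificate. The script below is an added example, not code from the thread or from the Ansible module; the paths in the usage line are placeholders, and it assumes an `openssl` binary is on `PATH`.

```shell
#!/bin/sh
# Added example: verify that a private key, the CSR generated from it, and the
# certificate issued for that CSR all carry the same public key. When they do
# not, nginx refuses to load the pair ("key values mismatch"), which is the
# symptom described in this thread.
set -eu

# Print a SHA-256 fingerprint of the SubjectPublicKeyInfo found in a PEM file.
# $1 = key|csr|crt, $2 = path. All three kinds are normalised to DER first so
# the fingerprints are comparable regardless of which file they came from.
pubkey_fp() {
  case "$1" in
    key) openssl pkey -in "$2" -pubout -outform DER ;;
    csr) openssl req  -in "$2" -pubkey -noout | openssl pkey -pubin -outform DER ;;
    crt) openssl x509 -in "$2" -pubkey -noout | openssl pkey -pubin -outform DER ;;
    *)   echo "unknown kind: $1" >&2; return 2 ;;
  esac | openssl dgst -sha256 | awk '{print $NF}'
}

# Compare key ($1), CSR ($2) and certificate ($3). Returns 0 when all three
# agree, 1 otherwise, and names the artifact that is out of step so the
# operator knows whether the key, the CSR or the issued cert was replaced.
check_chain() {
  key_fp=$(pubkey_fp key "$1")
  csr_fp=$(pubkey_fp csr "$2")
  crt_fp=$(pubkey_fp crt "$3")
  status=0
  [ "$csr_fp" = "$key_fp" ] || { echo "CSR $2 was not generated from key $1"; status=1; }
  [ "$crt_fp" = "$key_fp" ] || { echo "certificate $3 does not match key $1"; status=1; }
  [ "$crt_fp" = "$csr_fp" ] || { echo "certificate $3 was not issued for CSR $2"; status=1; }
  [ "$status" -eq 0 ] && echo "key, CSR and certificate all agree: $key_fp"
  return "$status"
}

# Usage (placeholder paths): sh check_pair.sh /etc/ssl/example.com/server.key \
#     /etc/ssl/example.com/server.csr /etc/ssl/example.com/cert.pem
[ "$#" -eq 3 ] && check_chain "$1" "$2" "$3"
```

If the CSR disagrees with the key but the certificate agrees with the CSR, the CA did its job and the CSR file is what changed between renewals.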
