Edit: Something in our automated system or git flow compromised the CSR. Thanks for helping, but… ultimately it was a code 18.
I'm using Ansible to renew my certs, and it's been working flawlessly for at least 1 year now (4 renewals). Last week, however, a cert was renewed for my domain but NGINX failed because it doesn't match my private key at all. Subsequent reattempts to regenerate the cert are producing similar results (and I've busted my rate limit now).
My Ansible tasks are super simple:
```yaml
- name: letsencrypt first pass to get challenge data
  letsencrypt:
    account_email:            # left blank in the original post
    account_key: /path/to/my/letsencrypt.key
    acme_directory: "{{ item.acme_directory | default('https://acme-v01.api.letsencrypt.org/directory') }}"
    challenge: http-01
    csr: /etc/ssl/{{ item.domain }}/server.csr
    # The module reads the certificate at `dest` to decide whether fewer than
    # `remaining_days` are left; note this path differs from the second pass.
    dest: /etc/ssl/{{ item.domain }}/bundle.crt
    remaining_days: "{{ item.remaining_days | default(10) }}"
  register: _letsencrypt__challenge
  run_once: yes
  with_items: "{{ letsencrypt__domains }}"
  become: yes
```
Followed by:
```yaml
- name: letsencrypt second pass to generate certificate
  letsencrypt:
    account_email:            # left blank in the original post
    account_key: /path/to/my/letsencrypt.key
    # `item` is now a result from the first pass, so the original domain entry
    # is `item.item`; the original used `item.acme_directory`, which is always
    # undefined here and silently fell back to the production directory.
    acme_directory: "{{ item.item.acme_directory | default('https://acme-v01.api.letsencrypt.org/directory') }}"
    challenge: http-01
    csr: /etc/ssl/{{ item.item.domain }}/server.csr
    data: "{{ item }}"
    dest: /etc/ssl/{{ item.item.domain }}/cert.pem
    remaining_days: "{{ item.item.remaining_days | default(10) }}"
  run_once: yes
  with_items: "{{ _letsencrypt__challenge.results }}"
  # `item | changed` was the filter form in older Ansible; the test form is
  # what current releases accept.
  when: item is changed
  become: yes
```
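The failure described in the post (NGINX refusing a freshly issued certificate because it does not match the private key) is cheap to catch before the reload handler runs, since the key, the CSR sent to the CA and the returned certificate must all carry the same public key. The script below is an added example, not part of the original post or the poster's playbook; it uses only the openssl CLI, the file paths in the usage comment are hypothetical, and the fixtures it generates for a stand-alone run are constructed.

```bash
#!/usr/bin/env bash
# Added example, not part of the original post or the poster's playbook.
# Verifies that a private key, the CSR sent to the CA and the certificate the
# CA returned all carry the same public key, which is the condition NGINX
# enforces at startup (it reports "key values mismatch" otherwise).
# Requires the openssl CLI; the fixture paths below are hypothetical.
set -eu

# Emit the PEM public key held in a private key, a CSR or a certificate.
extract_pubkey() {
  local kind="$1" file="$2"
  case "$kind" in
    key)  openssl pkey -in "$file" -pubout ;;
    csr)  openssl req  -in "$file" -noout -pubkey ;;
    cert) openssl x509 -in "$file" -noout -pubkey ;;
    *)    echo "extract_pubkey: unknown kind '$kind'" >&2; return 2 ;;
  esac
}

# SHA-256 fingerprint of the DER-encoded SubjectPublicKeyInfo. Comparing the
# whole SPKI (rather than only an RSA modulus) also covers EC keys.
pubkey_fingerprint() {
  extract_pubkey "$1" "$2" \
    | openssl pkey -pubin -outform DER \
    | openssl dgst -sha256 \
    | awk '{print $NF}'
}

# Return 0 when key, CSR and certificate agree; 1 (with a diagnostic) otherwise.
# Run this as a guard task between the renewal and the NGINX reload handler.
check_match() {
  local key="$1" csr="$2" cert="$3" k c x
  k=$(pubkey_fingerprint key "$key")
  c=$(pubkey_fingerprint csr "$csr")
  x=$(pubkey_fingerprint cert "$cert")
  if [ "$k" = "$c" ] && [ "$k" = "$x" ]; then
    echo "OK: key, CSR and certificate share public key $k"
    return 0
  fi
  echo "MISMATCH: key=$k csr=$c cert=$x" >&2
  return 1
}

# Constructed fixtures for a stand-alone run: key A with a CSR and a
# self-signed certificate, plus an unrelated key B to exercise the failure path.
make_fixtures() {
  local dir="$1"
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$dir/a.key" 2>/dev/null
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$dir/b.key" 2>/dev/null
  openssl req -new -key "$dir/a.key" -subj "/CN=example.test" -out "$dir/a.csr" 2>/dev/null
  openssl x509 -req -in "$dir/a.csr" -signkey "$dir/a.key" -days 1 -out "$dir/a.crt" 2>/dev/null
}

# Usage (hypothetical paths):
#   ./check_match.sh /etc/ssl/example.test/server.key \
#       /etc/ssl/example.test/server.csr /etc/ssl/example.test/cert.pem
if [ "$#" -eq 3 ]; then
  check_match "$1" "$2" "$3"
fi
```

Wired into the playbook as a `command` task with `failed_when` on its exit status, placed after the second pass and before the handler that reloads NGINX, a mismatch stops the play with the three fingerprints in the output, which also tells you whether it was the CSR or the key that changed underneath the renewal.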