Unable to regenerate certificate with terraform


#1

Hello,

I’ve successfully provisioned a certificate using terraform, with the following setup:

# Let's Encrypt staging endpoint: relaxed rate limits, but the issued
# certificates are not trusted by browsers.
provider "acme" {
  server_url = "https://acme-staging-v02.api.letsencrypt.org/directory"
}

# The ACME account key. A different key means a different ACME account.
resource "tls_private_key" "private_key" {
  algorithm = "RSA"
}

# Registers the account bound to the key above with the CA.
resource "acme_registration" "reg" {
  account_key_pem = "${tls_private_key.private_key.private_key_pem}"
  email_address   = "${var.support_email}"
}

# Certificate issued under that account. The DNS-01 challenge records are
# created in Cloudflare with the credentials passed in config.
resource "acme_certificate" "certificate" {
  account_key_pem           = "${acme_registration.reg.account_key_pem}"
  common_name               = "${var.domain}"
  subject_alternative_names = ["www.${var.domain}"]

  dns_challenge {
    provider = "cloudflare"
    config = {
      CLOUDFLARE_EMAIL   = "${var.cloudflare_email}"
      CLOUDFLARE_API_KEY = "${var.cloudflare_token}"
    }
  }
}

I’m now trying to regenerate it (using the same parameters and existing state), to no avail. I get: Error 403 - urn:ietf:params:acme:error:unauthorized - Account is not valid, has status “deactivated”

Some help? Can I somehow reset my account/certificates and start all over?


#2

IDK about Terraform-isms, but the goal you should have is to make Terraform forget about the ACME account entirely:

resource "tls_private_key" "private_key" {
  algorithm = "RSA"
}

resource "acme_registration" "reg" {
  account_key_pem = "${tls_private_key.private_key.private_key_pem}"
  email_address   = "${var.support_email}"
}

So if this is stored on disk or in a KV store somewhere, and you delete it, it should get regenerated with a new account.

Possibly you can try to taint these resources: https://www.terraform.io/docs/commands/taint.html
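To see which resources have to go together, here is an added example (not code from the thread or from the terraform-provider-acme project) that reads a Terraform state file and lists every resource that hangs off an ACME account key, in the order you would taint them. It assumes the JSON v4 state layout of Terraform 0.12 and later; the state embedded below is constructed for the example and all attribute values are dummies.

```python
"""List the Terraform resources to taint so that a fresh ACME account is created.

Added example, not from the thread or from terraform-provider-acme.
Assumes a Terraform state file in the JSON v4 layout (Terraform 0.12+).
The state below is constructed for this example; all values are dummies.
"""
import json
from collections import deque

# Constructed state: an account key, the registration built on it, a certificate
# issued under that registration, and one unrelated key that must be left alone.
SAMPLE_STATE = json.dumps({
    "version": 4,
    "resources": [
        {"mode": "managed", "type": "tls_private_key", "name": "private_key",
         "instances": [{"attributes": {"algorithm": "RSA"}, "dependencies": []}]},
        {"mode": "managed", "type": "acme_registration", "name": "reg",
         "instances": [{"attributes": {"email_address": "ops@example.com"},
                        "dependencies": ["tls_private_key.private_key"]}]},
        {"mode": "managed", "type": "acme_certificate", "name": "certificate",
         "instances": [{"attributes": {"common_name": "example.com"},
                        "dependencies": ["acme_registration.reg",
                                         "tls_private_key.private_key"]}]},
        {"mode": "managed", "type": "tls_private_key", "name": "unrelated",
         "instances": [{"attributes": {"algorithm": "ECDSA"}, "dependencies": []}]},
    ],
})


def load_resources(state_json):
    """Return {resource address: set of dependency addresses} for managed resources."""
    state = json.loads(state_json)
    if state.get("version") != 4:
        raise ValueError("only state format v4 is handled here")
    graph = {}
    for res in state["resources"]:
        if res.get("mode") != "managed":
            continue
        addr = f"{res['type']}.{res['name']}"
        deps = set()
        for inst in res.get("instances", []):
            deps.update(inst.get("dependencies", []))
        graph[addr] = deps
    return graph


def account_roots(graph):
    """Every acme_registration plus the tls_private_key it is built from."""
    roots = set()
    for addr, deps in graph.items():
        if addr.startswith("acme_registration."):
            roots.add(addr)
            roots.update(d for d in deps if d.startswith("tls_private_key."))
    return roots


def dependents_of(graph, roots):
    """Roots plus everything that transitively depends on them (reverse BFS)."""
    reverse = {addr: set() for addr in graph}
    for addr, deps in graph.items():
        for dep in deps:
            reverse.setdefault(dep, set()).add(addr)
    seen = set(roots)
    queue = deque(roots)
    while queue:
        for child in reverse.get(queue.popleft(), ()):
            if child not in seen:
                seen.add(child)
                queue.append(child)
    return seen


def taint_plan(state_json):
    """Ordered taint targets: account key first, registration next, then the rest."""
    graph = load_resources(state_json)
    targets = dependents_of(graph, account_roots(graph))
    rank = {"tls_private_key": 0, "acme_registration": 1}
    return sorted(targets, key=lambda a: (rank.get(a.split(".")[0], 2), a))


if __name__ == "__main__":
    for target in taint_plan(SAMPLE_STATE):
        print(f"terraform taint {target}")
```

Run it against `terraform state pull > state.json` and feed the file to `taint_plan`. Tainting the key is the part that matters: the registration and the certificate both take `account_key_pem` from it, so a new key forces them to be recreated with a new account. If the CA has already deactivated the old account, destroying the old `acme_registration` may itself fail; `terraform state rm acme_registration.reg` drops it from state so the next apply only has to create the new one.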


#3

So if I use a different private key / email, I should be still able to do everything, as long as I can alter the DNS?


#4

Yeah. Creating a new account is no problem, as long as you use a different private key. You can use the same email.

Try not to make a habit of it (like creating an account each time = not good), but as a one-off, no problem.
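Why the key, and not the e-mail, decides whether you get a new account: RFC 8555 identifies an ACME account by its public key, and the RFC 7638 thumbprint of that key is what shows up in challenge key authorizations. The following is an added example (not from the thread) computing that thumbprint; the two JWKs in it are constructed dummies, not real RSA moduli.

```python
"""ACME account identity is the account key, not the contact e-mail.

Added example, not from the thread. The JWK thumbprint (RFC 7638) is the
canonical identifier the CA derives from an account key and the value that
appears in RFC 8555 key authorizations. The keys below are constructed dummies.
"""
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Base64url without padding, as JOSE requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over the required public members only, keys sorted,
    no whitespace. Optional members such as alg or kid must not contribute."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    members = required[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in members},
                           separators=(",", ":"), sort_keys=True)
    return b64url(hashlib.sha256(canonical.encode("ascii")).digest())


def account_identity(jwk: dict, contact_email: str) -> str:
    """What the CA keys the account on. The e-mail is a mutable contact field
    and takes no part in identity, so it is deliberately unused here."""
    return jwk_thumbprint(jwk)


def key_authorization(token: str, jwk: dict) -> str:
    """RFC 8555 key authorization for a challenge: token '.' thumbprint."""
    return f"{token}.{jwk_thumbprint(jwk)}"


# Constructed dummy public keys (placeholder moduli, not real keys).
OLD_KEY = {"kty": "RSA", "e": "AQAB", "n": b64url(b"\x01" * 256),
           "alg": "RS256", "kid": "old-account-key"}
NEW_KEY = {"kty": "RSA", "e": "AQAB", "n": b64url(b"\x02" * 256)}

if __name__ == "__main__":
    print("old key, ops@:  ", account_identity(OLD_KEY, "ops@example.com"))
    print("old key, other@:", account_identity(OLD_KEY, "other@example.com"))
    print("new key, ops@:  ", account_identity(NEW_KEY, "ops@example.com"))
```

Same key with a different e-mail yields the same thumbprint, which is why re-registering with the old key lands you on the deactivated account; a new key yields a new thumbprint and therefore a new account, e-mail unchanged.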
