CONFIGDIR/renwal/domain.conf not updated

[ikcalB]

Affected Puppet, Ruby, OS and module versions/distributions

• Puppet: 6.19.1
• Ruby: 2.0.0p648
• Distribution: CentOS7
• Module version: 7.0.0

How to reproduce (e.g Puppet code you use)

use the following snippet in a node (adapt i.e.)

  class { letsencrypt:
    config => {
      email  => 'email@domin.com',
      server => 'https://acme-v02.api.letsencrypt.org/directory',
    },
    configure_epel             => false,
    renew_cron_ensure          => 'present',
  }

  letsencrypt::certonly { 'www.demoshop.com':
    domains         => ['www.demoshop.com', 'demoshop.com'],
    additional_args => ['--http-01-port 60001'],
    deploy_hook_commands => [
      "cat /etc/letsencrypt/live/www.demoshop.com/fullchain.pem /etc/letsencrypt/live/www.demoshop.com/privkey.pem > /tmp/www.demoshop.com.pem"
    ]
  }

What are you seeing

correct: deploy_hook_commands are propagated to CONFIGDIR/renewal-hooks-puppet/domain-deploy.sh
wrong: change not deployed to the domain.conf file in CONFIGDIR/renewal
(renew_hook still points to an obsolete script)

[root@host renewal]# cat www.demoshop.com.conf 
# renew_before_expiry = 30 days
version = 1.11.0
archive_dir = /etc/letsencrypt/archive/www.demoshop.com
cert = /etc/letsencrypt/live/www.demoshop.com/cert.pem
privkey = /etc/letsencrypt/live/www.demoshop.com/privkey.pem
chain = /etc/letsencrypt/live/www.demoshop.com/chain.pem
fullchain = /etc/letsencrypt/live/www.demoshop.com/fullchain.pem

# Options used in the renewal process
[renewalparams]
account = 538d234f67575639f455a060ac876fdb
manual_public_ip_logging_ok = None
http01_port = 60001
server = https://acme-v02.api.letsencrypt.org/directory
authenticator = standalone
rsa_key_size = 4096
renew_hook = /etc/letsencrypt/renewal-hooks-puppet/renew-deploy.sh

What behaviour did you expect instead

Correctly configure deploy hook in CONFIGDIR/renewal/, as per documentation:

Note on certbot hook behavior: Hooks created by letsencrypt::certonly will be configured in the renewal config file of the certificate by certbot (stored in CONFIGDIR/renewal/),

Output log

Any additional information you'd like to impart

[kenyon]

Yes, I noticed something similar: if you change the server variable, the config isn't updated (like if you start with staging and switch to production). In general this is because the renewal/domain.conf files aren't managed by this module, and you have to run certbot to make changes, which this module doesn't do. I think I ended up just manually running certbot or editing the conf files, because it looked like a lot of work to get this module to effect those changes.

[ikcalB]

@pccibot any chance you want to work on this?
We're in the middle of infra change. have time in 3 months soonest, prio is unfortunately rather low