
DXE-3653 Add extra SAN to DV certificate triggers DELETE, which fails #527

david-raine opened this issue Feb 28, 2024 · 3 comments

david-raine commented Feb 28, 2024

Versions

terraform: v1.7.4
Akamai terraform: v5.6.0

Description

After importing a certificate, if I add a new SAN entry to the list of sans, the provider tries to DELETE the certificate rather than update it in place. As the certificate is LIVE, this always fails with a 409 error:

Error: remove enrollment: API error:
│ {
│       "type": "https://akab-redacted.luna.akamaiapis.net/cps/v2/error-types/certificate-live-on-network",
│       "title": "Cannot deprovision certificate(s). Certificate(s) are still live.",
│       "detail": "All Domains Inactive failure. Live certificates found on network: [a.uk, b.uk]",
│       "instance": "https://akab-redacted.luna.akamaiapis.net/cps/v2/error-types/certificate-live-on-network?id=9dae2a2eb12347c88cf973baaa617e6a",
│       "statusCode": 409
│ }

All that changes here is the local.sans list, adding one entry.

resource "akamai_cps_dv_enrollment" "certificate" {
  contract_id                           = data.akamai_contract.contract.id
  acknowledge_pre_verification_warnings = true
  common_name                           = "${var.programme}.${local.zone}"
  sans                                  = local.sans
  secure_network                        = "enhanced-tls"
  sni_only                              = true
  certificate_chain_type                = "default"
  ...
}

Expected

Plan should show update-in-place and terraform should trigger a certificate update.

Actual

Plan shows "will be updated" and a certificate destroy is attempted.

Terraform state after import

The import state looks good. SAN list seems correct.

  "certificate_type": "san",
  "common_name": "drtest3a.com.mands.uk",
  "id": "208027",
  "registration_authority": "lets-encrypt",
  "sans": [
    "preprod.drtest3a.com.mands.uk"
  ],
  "secure_network": "enhanced-tls",
  "signature_algorithm": "SHA-256",
  "sni_only": true,

Adding an entry to the SAN must not trigger a destroy.
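A pre-apply gate for the failure shape in this report, added here as an example (not provider code and not the reporter's configuration): it reads the JSON that `terraform show -json tfplan` emits for a saved plan and refuses any plan whose actions would delete or replace an `akamai_cps_dv_enrollment`, so a live certificate is never deprovisioned by an apply. The sample plan embedded below is constructed; the resource addresses in it are hypothetical.

```python
# Pre-apply gate: refuse a Terraform plan that would delete or replace a
# certificate enrollment that is live on the network. Added example, not
# provider or reporter code. Assumes the JSON format produced by
# `terraform plan -out=tfplan && terraform show -json tfplan`.
import json
import sys

# Resource types a plan must never destroy (the enrollment type from the report).
GUARDED_TYPES = {"akamai_cps_dv_enrollment"}


def destructive_changes(plan_json: str, guarded_types=GUARDED_TYPES) -> list:
    """Return [(address, actions)] for guarded resources whose planned actions
    include "delete" (a plain destroy, or a replace such as ["delete", "create"])."""
    plan = json.loads(plan_json)
    hits = []
    for rc in plan.get("resource_changes", []):
        actions = rc.get("change", {}).get("actions", [])
        if rc.get("type") in guarded_types and "delete" in actions:
            hits.append((rc["address"], list(actions)))
    return hits


def gate(plan_json: str) -> int:
    """CI exit status: 0 when the plan is safe, 1 when it would destroy a guarded resource."""
    hits = destructive_changes(plan_json)
    for address, actions in hits:
        print(f"REFUSED: {address} planned actions {actions}", file=sys.stderr)
    return 1 if hits else 0


# Constructed sample in the `terraform show -json` plan format: one enrollment is
# updated in place (a SAN added), a second would be replaced, and a non-guarded
# resource is deleted (allowed by this gate).
SAMPLE_PLAN = json.dumps({
    "format_version": "1.2",
    "resource_changes": [
        {"address": "akamai_cps_dv_enrollment.certificate",
         "type": "akamai_cps_dv_enrollment",
         "change": {"actions": ["update"],
                    "before": {"sans": ["preprod.example.test"]},
                    "after": {"sans": ["preprod.example.test", "new.example.test"]}}},
        {"address": "akamai_cps_dv_enrollment.legacy",
         "type": "akamai_cps_dv_enrollment",
         "change": {"actions": ["delete", "create"]}},
        {"address": "akamai_property.site",
         "type": "akamai_property",
         "change": {"actions": ["delete"]}},
    ],
})

if __name__ == "__main__":
    # Real use: terraform show -json tfplan | python gate.py
    sys.exit(gate(sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_PLAN))
```

This only catches a destroy that is visible in the plan; in the report the plan showed an update yet the apply still issued a DELETE, so the gate guards the expected failure shape rather than fixing the provider behaviour.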

@david-raine david-raine changed the title Add SAN to cert triggers DELETE, which fails Add extra SAN to DV certificate triggers DELETE, which fails Feb 28, 2024
@ckulinsk

Hello @david-raine,

Thank you for raising this issue. We are investigating a potential solution.

Regards,
Cyryl

@ckulinsk ckulinsk changed the title Add extra SAN to DV certificate triggers DELETE, which fails DXE-3653 Add extra SAN to DV certificate triggers DELETE, which fails Feb 29, 2024
@david-raine

Is there any workaround possible? This is fully blocking our use of terraform for cps, as adding a new name to the list of SANs is our primary change activity.

@ckulinsk

Hello @david-raine,
Sorry for responding so late, but we are still looking into your issue and we were unable to reproduce it. It seems not to be caused by terraform, as we are not deleting the certificate. Could you please provide us with log files? Setting the environment variables TF_LOG=TRACE and TF_LOG_PATH=./terraform.log will include optional logs and export them to a file, which will be helpful in our investigation.

Best regards,
Cyryl
