Rancher-lets-encrypt thinks it is a self-signed certificate and tries to create the cert every time
talecK opened this issue · comments
I've been using this in rancher for many years now without issue so I don't check it too often, but I recently added a new domain to Let's Encrypt and noticed an odd error in my logs that could have been going on for a while now.
"Error creating new order :: too many certificates already issued for exact set of domains". Looks like I've indeed hit my limit of 5 duplicate certificates for each domain, strange?
Taking a quick peek at the logs in /var/log/letsencrypt, I noticed that the following block must be getting triggered based on the output, which seems to create certs without checking their expiry.
```python
elif "X3" not in server_cert_issuer and not STAGING:
    # we have a self-signed certificate we should replace with a prod certificate.
    # this should only happen once on initial rancher install.
    print("INFO: Replacing self-signed certificate: {0}, "
          "{1} with production LE cert".format(server, server_cert_issuer))
    self.create_cert(server)
    self.post_cert(server)
```
Looking at the output:

```
Replacing self-signed certificate: *******.com, CN=R3,O=Let's Encrypt,C=US
```
Looking at https://letsencrypt.org/certificates/ that seems to make sense as X3 is retired and the default is now R3.
I'm guessing hardcoding the issuer here is a bad idea anyways? R4 / E2 are backups and this is subject to change anyways.
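To show why the hardcoded `"X3"` test misfires and what an issuer-plus-expiry check looks like instead, here is an added example (not code from rancher-lets-encrypt): it matches the issuing organisation rather than one intermediate's CN and only renews when the cert is expired or inside a renewal window. The `parse_dn`/`replacement_reason`/`demo` names, the `Rancher Labs` self-signed DN and the 30-day window are constructed assumptions; `STAGING` becomes the `staging` parameter.

```python
from datetime import datetime, timedelta, timezone

LE_ORG = "Let's Encrypt"
RENEW_WINDOW = timedelta(days=30)
R3_ISSUER = "CN=R3,O=Let's Encrypt,C=US"        # current LE intermediate, as in the issue
SELF_SIGNED = "CN=rancher,O=Rancher Labs,C=US"  # constructed self-signed issuer DN


def parse_dn(dn):
    """Split a DN string like 'CN=R3,O=Let's Encrypt,C=US' into a dict."""
    attrs = {}
    for part in dn.split(","):
        key, sep, value = part.partition("=")
        if sep:
            attrs[key.strip().upper()] = value.strip()
    return attrs


def legacy_is_self_signed(issuer_dn, staging=False):
    """The check quoted in the issue: no 'X3' in the issuer means self-signed."""
    return "X3" not in issuer_dn and not staging


def replacement_reason(issuer_dn, not_after, now, staging=False):
    """Return why the cert should be replaced, or None to keep it.
    Matches the issuing organisation instead of one intermediate's CN (so
    R3/R4/E1/E2 all count as Let's Encrypt) and renews only near expiry."""
    if parse_dn(issuer_dn).get("O") != LE_ORG:
        return None if staging else "self-signed"  # production-only, as in the original
    if now >= not_after:
        return "expired"
    if not_after - now <= RENEW_WINDOW:
        return "expiring-soon"
    return None


def demo(now=datetime(2021, 6, 1, tzinfo=timezone.utc)):
    """Run both checks over constructed scenarios and return the decisions."""
    far, soon, past = (now + timedelta(days=d) for d in (60, 10, -1))
    return {
        "legacy_r3": legacy_is_self_signed(R3_ISSUER),  # True: R3 misread as self-signed
        "r3_fresh": replacement_reason(R3_ISSUER, far, now),
        "r3_soon": replacement_reason(R3_ISSUER, soon, now),
        "r3_expired": replacement_reason(R3_ISSUER, past, now),
        "self_signed": replacement_reason(SELF_SIGNED, far, now),
        "self_signed_staging": replacement_reason(SELF_SIGNED, far, now, staging=True),
    }
```

`demo()` shows the legacy check flagging a valid R3-issued cert for replacement on every run, which is the path that burns through the duplicate-certificate limit, while the issuer-plus-expiry check leaves it alone until it is close to expiring.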