vancluever/terraform-provider-acme-old

Error 409 - urn:acme:error:malformed - Certificate already revoked

Closed this issue · 6 comments

In my certificates I have create_before_destroy set in the lifecycle settings. I do this because I always want a valid certificate to be active; if this isn't set, the cert is destroyed and then a new one is created, which leaves a few mins with no active certificate.

During the destroy process it timed out, which has left a deposed resource in my state file. When I try to do a plan it comes up as a destroy operation:

An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
  - destroy

Terraform will perform the following actions:

  - acme_certificate.jumplead-io (deposed)


Plan: 0 to add, 0 to change, 1 to destroy.

But when applying this plan it fails because the certificate has already been removed:

acme_certificate.jumplead-io.deposed: Destroying... (ID: https://acme-v01.api.letsencrypt.org/ac...t/048b267ca05e8031828b905109e0b4a7f8b6)

Error: Error applying plan:

1 error(s) occurred:

* acme_certificate.jumplead-io (destroy): 1 error(s) occurred:

* acme_certificate.jumplead-io (deposed #0): 1 error(s) occurred:

* acme_certificate.jumplead-io (deposed #0): acme: Error 409 - urn:acme:error:malformed - Certificate already revoked

Terraform does not automatically rollback in the face of errors.
Instead, your Terraform state file has been partially updated with
any resources that successfully completed. Please address the error
above and apply again to incrementally change your infrastructure.

This has currently left me with a broken state file as I'm unable to apply the destroy. Would it be possible, if a 409 status has been returned, to carry on with the normal Terraform function?

Hey @adamlc, this for sure sounds doable. Not too sure if it's possible to get the error code programmatically from lego, but we can check for sure.

Might be a bit till I can get to it - how hard is it possibly for you to manually remove this from your state in the meantime?

Cool! I've actually managed to manually fix my state file for now, so no rush 👍

Awesome! Will fix this in a sweep of the other issues then 👍

To clear the issue, do something similar to terraform state rm acme_certificate.my_certificate_name.

abn commented

@vancluever I have a fix in #35. This will check if the error is of type acme.RemoteError and, if it is, checks if the StatusCode is set to 409. If so, it will proceed without returning the error.

Verified it in a similar scenario that I encountered, like @adamlc's.
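The check described in the comment above, as an added Go example that is not the provider's own code or the code from #35. The RemoteError type here is a hypothetical stand-in for lego's acme.RemoteError (same idea: an ACME problem document carrying the HTTP status code), and destroyCertificate and isAlreadyRevoked are assumed names for the delete path, which takes the revocation call as a function so the scenarios can be constructed inline. Only a 409 Conflict is tolerated; any other failure still propagates so the state file is not updated on a real error.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
)

// RemoteError is a hypothetical stand-in for lego's acme.RemoteError:
// an ACME problem document together with the HTTP status the CA returned.
type RemoteError struct {
	StatusCode int
	Type       string
	Detail     string
}

func (e *RemoteError) Error() string {
	return fmt.Sprintf("acme: Error %d - %s - %s", e.StatusCode, e.Type, e.Detail)
}

// isAlreadyRevoked reports whether err (possibly wrapped) is an ACME remote
// error with status 409 Conflict, which is what the CA returns when asked to
// revoke a certificate that has already been revoked.
func isAlreadyRevoked(err error) bool {
	var re *RemoteError
	if errors.As(err, &re) {
		return re.StatusCode == http.StatusConflict
	}
	return false
}

// destroyCertificate runs the revocation and treats "already revoked" as
// success, since the desired end state (certificate no longer valid) has been
// reached and the deposed resource can be dropped from state. Every other
// error is returned unchanged so Terraform still surfaces it.
func destroyCertificate(revoke func() error) error {
	err := revoke()
	if err == nil {
		return nil
	}
	if isAlreadyRevoked(err) {
		return nil
	}
	return err
}

func main() {
	// Constructed scenarios; these are not real CA responses.
	alreadyRevoked := func() error {
		return &RemoteError{StatusCode: 409, Type: "urn:acme:error:malformed", Detail: "Certificate already revoked"}
	}
	unauthorized := func() error {
		return fmt.Errorf("revoking: %w", &RemoteError{StatusCode: 403, Type: "urn:acme:error:unauthorized", Detail: "account not authorized"})
	}
	fmt.Println("409 tolerated:", destroyCertificate(alreadyRevoked) == nil)
	fmt.Println("403 propagated:", destroyCertificate(unauthorized) != nil)
}
```

errors.As is used rather than a direct type assertion so the check still matches when the provider wraps the lego error with extra context; the status comparison stays narrow on purpose, because a timeout, a network error or a 403 on the deposed resource is something the operator should see rather than have silently cleared from state.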

@vancluever the patch mentioned above has been available for one month and I just had to fiddle around with the state file as I ran into the same issue. Can we get this merged, please?