letsencrypt: add note on manual refresh of certificates

Add a note on how to manually refresh the certificates if required. Change-Id: Ie5f494e3769b7b878c2d1b03836d436dd845e5d9
2020-03-04 11:40:23 +11:00 · 2020-03-04 11:40:23 +11:00 · 288e516ace
commit 288e516ace
parent 3aaf87ee6d
1 changed files with 20 additions and 0 deletions
--- a/doc/source/letsencrypt.rst
+++ b/doc/source/letsencrypt.rst
@ -131,3 +131,23 @@ Hosts will log their ``acme.sh`` output to

 The `G Suite Toolbox Dig <https://toolbox.googleapps.com/apps/dig/>`__
 tool can be useful for checking DNS entries from a remote location.
+
+Refreshing keys
+===============
+
+In normal operation there should be no need to manually refresh keys
+on hosts.  However there have been situations (such as LetsEncrypt
+revoking certificates made during a certain period due to bugs) which
+may necessitate a manual renewal.
+
+The best way to do this is to move the ``.conf`` files from
+``/etc/letsencrypt-certs/<certname>`` on the affected host and allow
+the next Ansible pulse to renew.
+
+.. code-block:: console
+
+   # cd /etc/letsencrypt-certs/<name>
+   # rename 's/.conf/.conf.old/' *.conf
+   # tail -f /var/log/acme.sh/acme.sh.log
+   ... watch and should be renewed on next pulse
+   # rm *.conf.old