From 288e516acedd727670767865b8ff87487cc4a02b Mon Sep 17 00:00:00 2001 From: Ian Wienand Date: Wed, 4 Mar 2020 11:40:23 +1100 Subject: [PATCH] letsencrypt: add note on manual refresh of certificates Add a note on how to manually refresh the certificates if required. Change-Id: Ie5f494e3769b7b878c2d1b03836d436dd845e5d9 --- doc/source/letsencrypt.rst | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/doc/source/letsencrypt.rst b/doc/source/letsencrypt.rst index 260cb209f7..73bfdfac17 100644 --- a/doc/source/letsencrypt.rst +++ b/doc/source/letsencrypt.rst @@ -131,3 +131,23 @@ Hosts will log their ``acme.sh`` output to The `G Suite Toolbox Dig `__ tool can be useful for checking DNS entries from a remote location. + +Refreshing keys +=============== + +In normal operation there should be no need to manually refresh keys +on hosts. However there have been situations (such as LetsEncrypt +revoking certificates made during a certain period due to bugs) which +may necessitate a manual renewal. + +The best way to do this is to move the ``.conf`` files from +``/etc/letsencrypt-certs/`` on the affected host and allow +the next Ansible pulse to renew. + +.. code-block:: console + + # cd /etc/letsencrypt-certs/ + # rename 's/.conf/.conf.old/' *.conf + # tail -f /var/log/acme.sh/acme.sh.log + ... watch and should be renewed on next pulse + # rm *.conf.old
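Review bot: The ``rename 's/.conf/.conf.old/' *.conf`` line in the new "Refreshing keys" section assumes the Perl-style ``rename`` (the ``s///`` expression form); the util-linux ``rename`` shipped on other distributions takes ``rename .conf .conf.old *.conf`` instead, so the doc should either state which variant is expected on these hosts or use a portable ``for f in *.conf; do mv "$f" "$f.old"; done`` loop. The unescaped ``.`` in the pattern also matches any character and is unanchored, so ``s/\.conf$/.conf.old/`` would be safer if the Perl form is kept. Two smaller points: the section heading says "Refreshing keys" while the prose, the commit subject and the ``acme.sh`` log all talk about renewing certificates, so "Refreshing certificates" would match; and the ``... watch and should be renewed on next pulse`` step would benefit from one concrete check (e.g. confirming the new certificate's validity dates on the host) before the ``rm *.conf.old`` line discards the only copies of the old configs.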