opendev/system-config
Code Issues Proposed changes

Merge "letsencrypt: add note on manual refresh of certificates"

Browse Source
This commit is contained in:
Zuul 2020-03-05 22:48:02 +00:00 committed by Gerrit Code Review
commit 6b8b665f8a
1 changed files with 20 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

20
doc/source/letsencrypt.rst
View File

@ -131,3 +131,23 @@ Hosts will log their ``acme.sh`` output to
The `G Suite Toolbox Dig <https://toolbox.googleapps.com/apps/dig/>`__ The `G Suite Toolbox Dig <https://toolbox.googleapps.com/apps/dig/>`__
tool can be useful for checking DNS entries from a remote location. tool can be useful for checking DNS entries from a remote location.
Refreshing keys
===============
In normal operation there should be no need to manually refresh keys
on hosts. However there have been situations (such as LetsEncrypt
revoking certificates made during a certain period due to bugs) which
may necessitate a manual renewal.
The best way to do this is to move the ``.conf`` files from
``/etc/letsencrypt-certs/<certname>`` on the affected host and allow
the next Ansible pulse to renew.
.. code-block:: console
# cd /etc/letsencrypt-certs/<name>
# rename 's/.conf/.conf.old/' *.conf
# tail -f /var/log/acme.sh/acme.sh.log
... watch and should be renewed on next pulse
# rm *.conf.old