Merge "letsencrypt: add note on manual refresh of certificates"

2020-03-05 22:48:02 +00:00 · 2020-03-05 22:48:02 +00:00 · 6b8b665f8a
commit 6b8b665f8a
parent fd50bb63aa 288e516ace
1 changed files with 20 additions and 0 deletions
--- a/doc/source/letsencrypt.rst
+++ b/doc/source/letsencrypt.rst
@ -131,3 +131,23 @@ Hosts will log their ``acme.sh`` output to

 The `G Suite Toolbox Dig <https://toolbox.googleapps.com/apps/dig/>`__
 tool can be useful for checking DNS entries from a remote location.
+
+Refreshing keys
+===============
+
+In normal operation there should be no need to manually refresh keys
+on hosts.  However there have been situations (such as LetsEncrypt
+revoking certificates made during a certain period due to bugs) which
+may necessitate a manual renewal.
+
+The best way to do this is to move the ``.conf`` files from
+``/etc/letsencrypt-certs/<certname>`` on the affected host and allow
+the next Ansible pulse to renew.
+
+.. code-block:: console
+
+   # cd /etc/letsencrypt-certs/<name>
+   # rename 's/.conf/.conf.old/' *.conf
+   # tail -f /var/log/acme.sh/acme.sh.log
+   ... watch and should be renewed on next pulse
+   # rm *.conf.old