Switching CA does not regenerate certs

[c33s]

i would have opened a discussion if they where enabled in this git repo. i am not sure if i simply do something wrong or if i found a bug.

for the development i created the certificates with the ca letsencrypt_test. this worked quite well, just needed some puppet runs and the certificate was correctly there. after that i switched to the ca letsencrypt but the certificates where still from the test ca. i wasn't able to force a regeneration of the cert.
so i tried to delete the complete acme folder from the client but after the puppet run the i got wrong certs again. also tried to delete the folder on server and client which led me to an unusable system (not exactly in this order, i played around a bit) as "suddenly" the private key doesn't match the cert any more.

Jan 10 02:25:09 aio001 nginx[932050]: nginx: [emerg] SSL_CTX_use_PrivateKey("/etc/acme.sh/keys/.../private.key") failed (SSL: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch)
Jan 10 02:25:09 aio001 systemd[1]: nginx.service: Control process exited, code=exited, status=1/FAILURE

am i doing something wrong? should this module be able to switch ca's? how can i start-over? how to force regeneration?

[NikkelCoin]

Any update on this? I'm stuck on this aswell

[fraenki]

Unfortunately, this is currently not supported. In order to recover from this situation, run the following on both the Puppetserver and the affected Node:
https://github.com/markt-de/puppet-acme#rebuilding-nodes

In order to support changing CA for existing certs, it would be necessary to add this information to the name of every file that is used by acme.sh:

• We already do this for account configs, so this may be used as a boilerplate:

  puppet-acme/manifests/request.pp

  Line 96 in 20d2cb3

  $account_conf_file = "${acct_dir}/${account_email}/account_${ca_compat}.conf"

• It needs to be added for all cert configs/files too. The acme.sh command needs additional options. (Example: https://github.com/opnsense/plugins/blob/c6ad8a442bcc50a9e15228dfd9566a7dadf5c5a2/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/Base.php#L96-L100)
• And it needs to be implemented in a backwards-compatible way. Existing certs would not be altered, it would only be used for new certificates (similar to how we've done it for account configs).

(I consider this a bug, because it is an unexpected result. However, the module was not designed for this in the first place, so in reality this is a somewhat complicated feature request.)