Comments (11)

sandromastronardi commented on June 11, 2024

Thanks, but I have the same issue as @leonardochaia, as I have my templates use DNS names, and I replace the dots with dashes to find the certificate name. If I use another certificate name then I will have to change the templates, and do that like @leonardochaia each time I need to add a name to an existing certificate... It would be great if I could replace a certificate in full, with new names.

from keyvault-acmebot.

shibayan commented on June 11, 2024

This is an operation not supported by the Acmebot dashboard, but since Acmebot uses the Key Vault Issuance Policy as is, SANs can be added or deleted by modifying the Issuance Policy from the Azure Portal.

leonardochaia commented on June 11, 2024

> After modifying the Issuance Policy and running Renew, a new certificate should be issued with the SANs added. If you have deleted a file, it will be restored as long as soft delete is enabled and you have not purged it.

Hi @shibayan, thank you for your replies. I propose this gets added to the wiki FAQ. Perhaps this issue can then become a feature request to eventually be able to edit the already issued certificates through the UI.

Thank you.
Leo.

shibayan commented on June 11, 2024

Since we did not think there were that many use cases for adding SANs later, we will consider updating certificates in the next major version.

Added to FAQ https://github.com/shibayan/keyvault-acmebot/wiki/Frequently-Asked-Questions#adding-sans-to-an-existing-certificate

shibayan commented on June 11, 2024

Adding a link to the Key Vault certificate is a good idea. I would like to incorporate that. Thanks!

shibayan commented on June 11, 2024

Adding a new domain name to an already existing certificate results in an error. This is because Acmebot creates a certificate resource for Key Vault with the first domain name. Please try this by explicitly entering the name of the certificate from the advanced options when issuing the certificate.

leonardochaia commented on June 11, 2024

Hi @shibayan, I've just faced this issue.

First off, thanks for this project, I've been using it in production for a good couple of years now without any real issues.

I need to add one more SAN to a cert, so I:

  1. Deleted the Certificate from Key Vault.
  2. Tried to generate a new one using the UI, got error "Order includes different number of names than CSR specifies".
  3. Removed the pending certificate as instructed here.
  4. Tried to generate a new one using the UI, got error "Pending certificate not found".

Reading this issue, I ended up using the advanced options to change the Certificate resource name.
However, is there a way to keep the original name?

Reason I'm asking is my Kubernetes deployment is referencing the Key Vault Certificate by name, so now I need to change my deployment. No biggie, but I do need to do this a couple of times and was wondering if there's a way to keep the certificate name.

sandromastronardi commented on June 11, 2024

How should that work? I add a DNS name there, but then how is it REALLY added? By doing a renew?

sandromastronardi commented on June 11, 2024

And how to fix if the certificate is already deleted, and there is a broken system?

shibayan commented on June 11, 2024

After modifying the Issuance Policy and running Renew, a new certificate should be issued with the SANs added. If you have deleted a file, it will be restored as long as soft delete is enabled and you have not purged it.
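
Added example, not part of the original thread and not Acmebot code: a shell check that the certificate obtained after the Renew step actually carries the SANs now listed in the Issuance Policy, and no names that were removed from it. It assumes the renewed certificate has been exported as PEM and that `openssl` 1.1.1 or later is installed; the function names, the `example.test` host names and the self-signed sample certificate are constructed for the demo.

```shell
#!/bin/sh
# Added example: confirm a renewed certificate carries the SANs set in the policy.
# All host names below are constructed placeholders.

# make_sample_cert DIR NAME... : self-signed stand-in for the renewed certificate
make_sample_cert() {
    dir=$1; shift
    san=""
    for n in "$@"; do san="${san:+$san,}DNS:$n"; done
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
        -addext "subjectAltName=$san" \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" 2>/dev/null
}

# cert_sans CERT.pem : DNS SANs in the certificate, lower-cased, one per line
cert_sans() {
    openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null |
        tr ',' '\n' | sed -n 's/^[[:space:]]*DNS:[[:space:]]*//p' |
        tr 'A-Z' 'a-z' | sort -u
}

# missing_sans CERT.pem NAME... : names from the policy that the cert lacks
missing_sans() {
    cert=$1; shift
    have=$(cert_sans "$cert")
    for n in "$@"; do
        want=$(printf '%s' "$n" | tr 'A-Z' 'a-z')
        printf '%s\n' "$have" | grep -qxF -- "$want" || printf '%s\n' "$want"
    done
}

# extra_sans CERT.pem NAME... : names in the cert that the policy no longer lists
extra_sans() {
    cert=$1; shift
    want=$(printf '%s\n' "$@" | tr 'A-Z' 'a-z')
    cert_sans "$cert" | while read -r n; do
        printf '%s\n' "$want" | grep -qxF -- "$n" || printf '%s\n' "$n"
    done
}

demo() {
    tmp=$(mktemp -d)
    # Certificate as issued before the policy change (one name only).
    make_sample_cert "$tmp" www.example.test
    # Policy now lists two names; the second is reported until Renew has run.
    echo "missing: $(missing_sans "$tmp/cert.pem" www.example.test api.example.test)"
    rm -rf "$tmp"
}
demo
```

Empty output from both `missing_sans` and `extra_sans` means the issued certificate matches the name list passed in.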

leonardochaia commented on June 11, 2024

Thank you @shibayan for your time and answers. I think it is acceptable as is, since like you said, use cases for this are slim, and now there's a documented workaround. However, being able to do it from the UI, or perhaps adding a link from the UI to the Azure Portal Key Vault Certificate, would be helpful!
I think this can be closed.

Regards,
Leo
