Certs are not renewing #402
Comments
|
@agentKnipe i am also in same situation, Did you find the solution for it? |
|
Why aren't you using the official Microsoft solution (which includes apex/root/naked domains)? |
I havent found a solution yet, ive been renewing certs by hand. |
I have been using lets encrypt for significantly longer than Microsoft has had their solution. Additionally the restrictions on the their solution create make it questionable whether it would work in my environment (app services, traffic manager). At this point its not worth my time or energy to attempt to switch. Not to mention I like what lets encrypt is doing and id much rather support them. And lastly if you are not the developer of this tool why are you actively trying to point people away from using it if it fits their solution? seems a bit shady and underhanded. If the developer isnt going to support the tool anymore thats fine, ill find another solution, but trying to actively point people away from it when it has solve SOOO many issues for people over the years is kind of messed up. |
|
Indeed, the limitations include:
Do you see any errors/warnings in the job's invocation output? If nothing jumps out, one more thing you could try is the WebJob I wrote on top of this extension (basically the same underlying engine): https://github.com/ohadschn/letsencrypt-webapp-renewer |
For some more context, we're not using it as we use Cloudflare to load balance our app services, meaning there isn't a direct mapping of CNAME to the Azure websites domain, so the Azure built in solution won't validate for us: As above, we've been using this before MS supported free certs - I'd switch if we could. Have recently had an issue where certs won't renew because of this error:
We're looking at other solutions - happy for any suggestions! Thanks |
The docs say:
Have you considered replacing CloudFlare with Azure Traffic Manager (TM) then? I guess you could even add CloudFlare as the single endpoint of the traffic manager so your current setup remains the same (TM would resolve your hostname to your CloudFlare endpoint at the DNS level). Another option, if relevant, is to use the App Service built-in scale-out / load balancing capabilities: https://learn.microsoft.com/en-us/azure/app-service/manage-scale-up |
|
Yes we have discussed it, but we have a lot of Workers and other "bits" that Cloudflare give us, that Azure might do now, but didn't when we set things up. It'd be a huge undertaking to move our infrastructure over to Azure traffic manager/front door for effectively the same functionality with a worse UX for our team. We already use app service scale out/scale up but CF allows us to do gradual rollouts to production and move traffic around in a much nicer way than Azure (at least when we last looked at it). It's looking like KeyVault and keyvault-acmebot is going to be a way to get it to work with the least amount of friction going forward |
|
@garethterrace what about:
From what I can tell the price would be very cheap: |
|
That's something I'd not considered, it's a bit convoluted bouncing traffic into azure, back out to CF and then back into Azure but I'll chat with the team about it. |
As I mentoined, Traffic Manager is a DNS-level balancer, meaning it's just one DNS call that gets processed by the DNS nameservers (TL, registrar, and Azure). So I don't think that traffic bouncing is actually going to happen. Moreover, DNS cache means that for most client this would be a one-time thing per TTL (which could be e.g. 12-24 hours). |
|
ah right- excuse my ignorance there. Discussions ongoing here, but that might be a very low effort solution - thanks! |
I know there's a lot of discussion in this thread as to other solutions - but does anyone know why this error has started happening? We're seeing the same thing |
I'd start here: fszlin/certes#315 |
I have the extension setup and updated in an app service. The web job is running successfully, however certs are not updating.
I had to renew the cert by hand.
The text was updated successfully, but these errors were encountered: