vancluever / terraform-provider-acme Goto Github PK

View Code? Open in Web Editor NEW

203.0 8.0 75.0 23.82 MB

Terraform ACME provider

Home Page: https://registry.terraform.io/providers/vancluever/acme/latest

License: Mozilla Public License 2.0

Makefile 1.18% Go 93.39% Shell 5.08% Nix 0.35%

terraform terraform-provider acme

terraform-provider-acme's Introduction

Terraform ACME Provider

This is the repository for the Terraform ACME Provider, which one can use with Terraform to manage and generate certificates generated by an ACME CA, such as Let's Encrypt.

For general information about Terraform, visit the official website and the GitHub project page.

⚠️ NOTE: The ACME provider found here supports ACME v2 only.

Documentation

Documentation for this provider can be found at https://registry.terraform.io/providers/vancluever/acme/latest/docs.

License

Copyright 2018-2023 Chris Marchesi
Copyright 2016-2018 PayByPhone Technologies, Inc.

This Source Code Form is subject to the terms of the Mozilla Public
License, v. 2.0. If a copy of the MPL was not distributed with this
file, You can obtain one at http://mozilla.org/MPL/2.0/.

terraform-provider-acme's People

Contributors

Stargazers

Watchers

terraform-provider-acme's Issues

certificate_p12 without a password

Hello,

I am trying to pass 'certificate_p12' attribute to azure web application firewall Resource. Looks like it is mandatory to have a password while adding ssl_certificate into azure WAF.
acme Resources

resource "tls_private_key" "private_key" {
    algorithm = "RSA"
}
resource "acme_registration" "reg" {
    account_key_pem = "${tls_private_key.private_key.private_key_pem}"
}
resource "acme_certificate" "certificate" {
    account_key_pem           = "${acme_registration.reg.account_key_pem}"
    common_name               = "mkg2test.com"
    subject_alternative_names = ["www.mkg2test.com"]
    dns_challenge {
        provider = "azure"
        config {
            AZURE_RESOURCE_GROUP = "mkg2test"
        }
    }
}

acme module output

output "certificate" {
  value = "${acme_certificate.certificate.certificate_p12}"
}

Calling WAF Resource

module "waf-dev" {
    source      = "./modules/waf"
    prefix      = "mkg2"
    location    = "${var.default_location}"
    certificate = "${module.ssl.certificate}" //Data from above output
    providers = {
        "azurerm" = "azurerm.azure"
    }
}

WAF Resource

resource "azurerm_application_gateway" "main" {
    name                = "${var.prefix}-agw"
    resource_group_name = "${azurerm_resource_group.main.name}"
    location            = "${var.location}"
    sku {
        name     = "WAF_Medium"
        tier     = "WAF"
        capacity = 2
    }    
    gateway_ip_configuration {
        name      = "${var.prefix}-gwip"
        subnet_id = "${azurerm_subnet.main.id}"
    }
    frontend_ip_configuration {
        name                 = "${var.prefix}-frontEndIpConf"
        public_ip_address_id = "${azurerm_public_ip.main.id}"
    }    
    frontend_port {
        name = "${var.prefix}-https"
        port = 443
    }
    ssl_certificate {
        name     = "${var.prefix}-cert"
        data     = "${var.certificate}"
        password    = ""
    }
.........
.......
    waf_configuration {
        firewall_mode    = "detection"
        rule_set_type    = "OWASP"
        rule_set_version = "3.0"
        enabled          = "true"
    }
}

Error


1 error(s) occurred:


* module.waf-dev.azurerm_application_gateway.main: 1 error(s) occurred:


* azurerm_application_gateway.main: Error Creating/Updating Application Gateway "main" (Resource Group "mkg2test"): network.ApplicationGatewaysClient#CreateOrUpdate: Failure sending request: StatusCode=400 -- Original Error: Code="ApplicationGatewaySslCertificateInvalidData" Message="Data or Password for certificate /subscriptions/****/resourceGroups/mkg2test/providers/Microsoft.Network/applicationGateways/mkg2test-agw/sslCertificates/mkg2test-cert is invalid." Details=[]

Any advise or guidance would be greatly appreciated..

Thanks,
mkg

No matching GoogleCloud domain found

I'm attempting to use the gcloud DNS challenge provider. I get the following error:

Error: error creating certificate: acme: Error -> One or more domains had a problem:                                                                   
[zbrbdl.com] Error presenting token: No matching GoogleCloud domain found for domain zbrbdl.com.                                                       
                                                                                                                                                       
                                                                                                                                                       
  on tls-acme.tf line 14, in resource "acme_certificate" "zbrbdl_com":                                                                                 
  14: resource "acme_certificate" "zbrbdl_com" {

I believe my GCP project is set up with the proper APIs enabled and the domain in question (zbrbdl.com) is available in the dns service. Authentication is working as I use terraform to create several resources in GCP including the project itself.

$ gcloud --project=zbrbdl-oob-93d1 services list
NAME                              TITLE
bigquery-json.googleapis.com      BigQuery API
compute.googleapis.com            Compute Engine API
container.googleapis.com          Kubernetes Engine API
containerregistry.googleapis.com  Container Registry API
dns.googleapis.com                Google Cloud DNS API
oslogin.googleapis.com            Cloud OS Login API
pubsub.googleapis.com             Cloud Pub/Sub API
storage-api.googleapis.com        Google Cloud Storage JSON API
storage-component.googleapis.com  Google Cloud Storage

$ gcloud --project=zbrbdl-oob-93d1 domains list-user-verified |grep zbrbdl
zbrbdl.com

So I'm not sure why it doesn't find the domain in GCP. Terraform configs and debug output below. Thanks!

Config

provider "acme" {
  server_url = "https://acme-staging-v02.api.letsencrypt.org/directory"
}

resource "tls_private_key" "lets_encrypt" {
  algorithm = "RSA"
}

resource "acme_registration" "lets_encrypt" {
  account_key_pem = "${tls_private_key.lets_encrypt.private_key_pem}"
  email_address   = "[email protected]"
}

resource "acme_certificate" "zbrbdl_com" {
  account_key_pem = "${acme_registration.lets_encrypt.account_key_pem}"
  common_name     = "zbrbdl.com"

  subject_alternative_names = []

  dns_challenge {
    provider = "gcloud"

    config = {
      GCE_PROJECT = "${google_project.oob.project_id}"
    }
  }
}

Apply Log

tf-debug-log.txt

Update lego library to v2

Bug fixes in github.com/xenolf/lego are only being applied to the latest version, which has many breaking API changes. I'm working on adapting this provider to use the new API.

Crash while parsing acme_certificate resource

This issue was originally opened by @Cavorter as hashicorp/terraform#22062. It was migrated here as a result of the provider split. The original body of the issue is below.

I'm working on a project the generates a Let's Encrypt cert and stores it in an Azure Key Vault for later use and if the project is run all at once it always crashes while parsing the acme_certificate resource. I'm not sure if the problem is with the acme provider, terraform, or (more likely) with the azuread provider that the cert resource is referencing for service principal credentials in the DNS challenge settings.

Terraform Version

Terraform v0.12.3
+ provider.acme v1.3.4
+ provider.azuread v0.4.0
+ provider.azurerm v1.31.0
+ provider.local v1.3.0
+ provider.random v2.1.2
+ provider.tls v2.0.1

Expected Behavior

It should run to completion.

Actual Behavior

It crashes

Steps to Reproduce

terraform init
terraform plan

Additional Context

If I plan/apply the project in stages it works fine, so the following command sequence does NOT crash:

terraform init
terraform apply -target module.ad -target module.dns --auto-approve
terraform apply -target module.ssl --auto-approve

References

N/A

Provider fails to find SOA for Route53 hosted zone even when it's present.

Terraform Version

<<develop>> blog.carlosnunez.me]$: 2>/dev/null docker-compose run --rm terraform version
Terraform v0.11.10

Expected Output

The acme provider should be able to locate the SOA for my Route53 zone.

Partial debug output

<<develop>> blog.carlosnunez.me]$: dig -t SOA carlosnunez.me

; <<>> DiG 9.10.6 <<>> -t SOA carlosnunez.me
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35876
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;carlosnunez.me.                        IN      SOA

;; ANSWER SECTION:
carlosnunez.me.         900     IN      SOA     ns-814.awsdns-37.net. awsdns-hostmaster.amazon.com. 1 7200 900 1209600 86400

;; Query time: 21 msec
;; SERVER: 208.67.222.222#53(208.67.222.222)
;; WHEN: Thu Jan 03 13:42:15 CST 2019
;; MSG SIZE  rcvd: 127

<<develop>> blog.carlosnunez.me]$: terraform apply
2019/01/03 19:24:39 [DEBUG] plugin: waiting for all plugin processes to complete...
Error: Error applying plan:

2019-01-03T19:24:39.722Z [DEBUG] plugin.terraform-provider-tls_v1.2.0_x4: 2019/01/03 19:24:39 [ERR] plugin: plugin server: accept unix /tmp/plugin596598099: use of closed network connection
2019-01-03T19:24:39.722Z [DEBUG] plugin: plugin process exited: path=/work/.terraform/plugins/linux_amd64/terraform-provider-tls_v1.2.0_x4
1 error(s) occurred:
2019-01-03T19:24:39.723Z [DEBUG] plugin.terraform-provider-acme_v1.0.1_x4: 2019/01/03 19:24:39 [ERR] plugin: plugin server: accept unix /tmp/plugin334579739: use of closed network connection
2019-01-03T19:24:39.726Z [DEBUG] plugin: plugin process exited: path=/work/.terraform/plugins/linux_amd64/terraform-provider-acme_v1.0.1_x4

* acme_certificate.https_certificate: 1 error(s) occurred:

* acme_certificate.https_certificate: error creating certificate: acme: Error -> One or more domains had a problem:
[blog.carlosnunez.me] Error presenting token: failed to determine Route 53 hosted zone ID: Could not find the start of authority

How to repro

Define an acme provider and configure it to use either the staging or production URLs.
Create an acme_certificate and use route53 for the dns_challenge block.
terraform apply.

digitalocean provider cert renewal is flaky

This setup used to work without issues, suddenly started misbehaving about a month ago.

Reproducible on 1.3.0, 1.3.5 and 1.4.0

Log on execution:

acme_certificate.ci: Creating...
acme_certificate.ci: Still creating... [10s elapsed]
acme_certificate.ci: Still creating... [20s elapsed]
acme_certificate.ci: Still creating... [30s elapsed]
acme_certificate.ci: Still creating... [40s elapsed]
acme_certificate.ci: Still creating... [50s elapsed]
acme_certificate.ci: Still creating... [1m0s elapsed]

Error: error creating certificate: acme: Error -> One or more domains had a problem:
[ci.mydomain.com] time limit exceeded: last error: NS ns2.digitalocean.com. did not return the expected TXT record [fqdn: _acme-challenge.ci.mydomain.com., value: 1J6yMS8zdDAtKSBmS8GNNPHw_BVuu02Wi9qcl5R5d3c]:


  on letsencrypt.tf line 14, in resource "acme_certificate" "ci":
  14: resource "acme_certificate" "ci" {

At the same time, while it is executing I can properly read off the challenge myself:

λ host -t txt _acme-challenge.ci.mydomain.com ns2.digitalocean.com
Using domain server:
Name: ns1.digitalocean.com
Address: 173.245.58.51#53
Aliases:

_acme-challenge.ci.mydomain.com descriptive text "hFZcDN0R4_Nn57faD1xrd3V0oEbwxKglMG_7K4kZxz0"

Gist with the debug log: https://gist.github.com/Temikus/6758fdb87ceb4ef6ff2bd061c00d80a6

I can get the cert renewed but it works only once every 10-20 tries. I'm not quite sure what the reason could be so any pointers would be appreciated.

Let me know if I can provide any additional info.

Issue with timeout creating acme cert

Terraform Version

0.11.7

Terraform Configuration Files

resource "acme_certificate" "certificate" {
  account_key_pem           = "${acme_registration.reg.account_key_pem}"
  common_name               = "test.foobar.com"
  subject_alternative_names = "["a.test.foobar.com", "b.test.foobar.com"... 16 of these]"

  dns_challenge {
    provider = "route53"
    config {
      AWS_HOSTED_ZONE_ID = "SOME ZONE"
    }
  }
}

Debug Output

Times out..

Crash Output

None

Expected Behavior

A cert is created with foo.com an all its subject alternative names

Actual Behavior

Times out after 50 minutes

Steps to Reproduce

create a module with the above code in it and run it

acme_registration stores plain text account_key_pem in state

I'm not sure to what extent this is a problem or if it can be avoided. The goal being limiting the exposure of sensitive data like a private key.

This is the Terraform state for an acme_registration resource:

$ terraform state show acme_registration.reg
id               = https://acme-staging-v02.api.letsencrypt.org/acme/acct/9632425
account_key_pem  = -----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAwAVXkUzpBKwAccow8GXPVBzStG2ceWmR0g+TZBR5T9yX8HKG
...
-----END RSA PRIVATE KEY-----
email_address    = [email protected]
registration_url = https://acme-staging-v02.api.letsencrypt.org/acme/acct/9632425

Compare for example with tls_cert_request:

$ terraform state show tls_cert_request.req | grep private_key_pem
private_key_pem               = ae7c79c14b5d1a1aeea3ec7f826433d99b47b131

Only an irreversable secure hash of the private key will be stored in the Terraform state. -- documentation

Would it be possible to store an hash as well?

Notice that acme_certificate doesn't have this problem because when used in conjunction with tls_cert_request it will only see the CSR rather than the private key.

Resource to generate a PKCS #12 archive file

Original issue opened by @ebekker

Currently the ACME provider's resources are accessible as PEM outputs. It would be useful to be able to produce a PKCS #12 (PKCS12 or alternatively PFX) archive format file out of these components, as there are cases where a PFX archive is preferred or even required.

I recommend supporting this resource in a more general-purpose manner, such that you can give it an optional private key PEM, and one or more certificates (i.e. an array of certificate PEM clobs). By doing so, the resource would be usable in tandem with other resources of this provider, as well as alternate providers, such as the out-of-the-box TLS provider.

Note, I have a similar request out in terraform-provider-tls/#29 because I do feel it is more natural and general-purpose for that provider to implement this resource, however, I'm not sure how likely the are to produce it in a timely manner.

Duplication between common name and SANs incorrectly disallowed

Error: common name X should not appear in SAN list

This prevents creating compatible certificates that contain all names in the SAN list and one of those names (arbitrarily) in the Common Name.

See https://stackoverflow.com/questions/5935369/ssl-how-do-common-names-cn-and-subject-alternative-names-san-work-together

Migration from dns_challenge config to environment variables config stuck in state

Original issue opened by @berney

Previously I had a config like this: -

resource "acme_certificate" "docs-pub" {
   dns_challenge {
     provider = "azure"
    config {
      AZURE_SUBSCRIPTION_ID = "${var.arm_subscription_id}"
      AZURE_CLIENT_ID       = "${var.arm_client_id}"
      AZURE_CLIENT_SECRET   = "${var.arm_client_secret}"
      AZURE_TENANT_ID       = "${var.arm_tenant_id}"
      AZURE_RESOURCE_GROUP  = "${var.dns_zone_rg_name}"
    }
}

And I removed the AZURE_* properties so that credentials must be passed in the environment variables: AZURE_CLIENT_ID, AZURE_CLIENT_SECRET, AZURE_SUBSCRIPTION_ID, AZURE_TENANT_ID, AZURE_RESOURCE_GROUP.

After do terraform plan and terraform apply the execution plan always wants to remove the old AZURE_* properties but they are stuck, after an apply they are still in the state and a subsequent apply will have the same execution plan.

An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
  ~ update in-place

Terraform will perform the following actions:

  ~ module.docs-elttam.acme_certificate.docs-pub
      dns_challenge.2546575925.provider:                     "" => "azure"
      dns_challenge.3392271354.config.%:                     "5" => "0"
      dns_challenge.3392271354.config.AZURE_CLIENT_ID:       "<REDACTED>" => ""
      dns_challenge.3392271354.config.AZURE_CLIENT_SECRET:   "<REDACTED>" => ""
      dns_challenge.3392271354.config.AZURE_RESOURCE_GROUP:  "<REDACTED>" => ""
      dns_challenge.3392271354.config.AZURE_SUBSCRIPTION_ID: "<REDACTED>" => ""
      dns_challenge.3392271354.config.AZURE_TENANT_ID:       "<REDACTED>" => ""
      dns_challenge.3392271354.provider:                     "azure" => ""

I'd like the old configuration properties to be removed by the apply and a subsequent apply to say no changes required. I'm not sure how to manually clear the issue, if I manually remove the state I'm not sure if it's possible to import the certificate and keys etc.

Terraform / ACME version

Terraform v0.11.7
+ provider.acme v1.0.0
+ provider.azurerm v1.8.0bc
+ provider.local v1.1.0
+ provider.null v1.0.0
+ provider.random v1.3.1
+ provider.tls v1.1.0

timeout with gcloud dns provider

I'm using the gcloud dns provider and do create a new subdomain zone in the same terraform run. I'm also creating NS records in the parent domain to forward request for the new subdomain to the newly created zone.
In the first terraform run the certificate creation does fail after 3 minutes but in the second run succeeds.
I guess it just needs more than 3 minutes to finish dns propagation? Can I specify the timeout for the acme provider somewhere?

400 Error creating certificates

I am unable to create a certificate using this provider, I have in the past with the same terraform setup, but the latest version fails for me with acme: error: 400 :: urn:ietf:params:acme:error:dns :: DNS problem: NXDOMAIN looking up TXT for example.com. (Note I didn't actually try to do this for example.com, but rather for a domain I control and can change the DNS settings for).

I've reached the limit of my knowledge on this, and I think it is an issue with this provider or lego. Hopefully I've provided enough details below that you'll be able to figure it out,

Terraform v0.11.13
+ provider.acme v1.3.4
+ provider.gandi (unversioned)
+ provider.gitlab v2.2.0
+ provider.heroku v2.0.1
+ provider.tls v2.0.1

2019-06-26T09:38:22.452+0100 [DEBUG] plugin.terraform-provider-acme_v1.3.4_x4: 2019/06/26 09:38:22 [DEBUG] lego: acme: Trying to resolve account by key
2019-06-26T09:38:23.069+0100 [DEBUG] plugin.terraform-provider-acme_v1.3.4_x4: 2019/06/26 09:38:23 [DEBUG] lego: [example.com, www.example.com] acme: Obtaining bundled SAN certificate
2019-06-26T09:38:24.091+0100 [DEBUG] plugin.terraform-provider-acme_v1.3.4_x4: 2019/06/26 09:38:24 [DEBUG] lego: [example.com] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz/OmXGbHjG7C0VGC1fNw9Pued8kUdRewatmB_rHYq1g24
2019-06-26T09:38:24.091+0100 [DEBUG] plugin.terraform-provider-acme_v1.3.4_x4: 2019/06/26 09:38:24 [DEBUG] lego: [www.example.com] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz/5_qjEloHKj7SYYcb1LgzjAWOckZu0IIArrZbm5SkJQU
2019-06-26T09:38:24.091+0100 [DEBUG] plugin.terraform-provider-acme_v1.3.4_x4: 2019/06/26 09:38:24 [DEBUG] lego: [example.com] acme: Could not find solver for: tls-alpn-01
2019-06-26T09:38:24.092+0100 [DEBUG] plugin.terraform-provider-acme_v1.3.4_x4: 2019/06/26 09:38:24 [DEBUG] lego: [example.com] acme: Could not find solver for: http-01
2019-06-26T09:38:24.092+0100 [DEBUG] plugin.terraform-provider-acme_v1.3.4_x4: 2019/06/26 09:38:24 [DEBUG] lego: [example.com] acme: use dns-01 solver
2019-06-26T09:38:24.092+0100 [DEBUG] plugin.terraform-provider-acme_v1.3.4_x4: 2019/06/26 09:38:24 [DEBUG] lego: [www.example.com] acme: Could not find solver for: tls-alpn-01
2019-06-26T09:38:24.092+0100 [DEBUG] plugin.terraform-provider-acme_v1.3.4_x4: 2019/06/26 09:38:24 [DEBUG] lego: [www.example.com] acme: Could not find solver for: http-01
2019-06-26T09:38:24.092+0100 [DEBUG] plugin.terraform-provider-acme_v1.3.4_x4: 2019/06/26 09:38:24 [DEBUG] lego: [www.example.com] acme: use dns-01 solver
2019-06-26T09:38:24.092+0100 [DEBUG] plugin.terraform-provider-acme_v1.3.4_x4: 2019/06/26 09:38:24 [DEBUG] lego: [example.com] acme: Preparing to solve DNS-01
2019-06-26T09:38:25.321+0100 [DEBUG] plugin.terraform-provider-acme_v1.3.4_x4: 2019/06/26 09:38:25 [DEBUG] lego: API response: DNS Record Created
2019-06-26T09:38:25.321+0100 [DEBUG] plugin.terraform-provider-acme_v1.3.4_x4: 2019/06/26 09:38:25 [DEBUG] lego: [www.example.com] acme: Preparing to solve DNS-01
2019-06-26T09:38:26.140+0100 [DEBUG] plugin.terraform-provider-acme_v1.3.4_x4: 2019/06/26 09:38:26 [DEBUG] lego: API response: DNS Record Created
2019-06-26T09:38:26.140+0100 [DEBUG] plugin.terraform-provider-acme_v1.3.4_x4: 2019/06/26 09:38:26 [DEBUG] lego: [example.com] acme: Trying to solve DNS-01
2019-06-26T09:38:26.140+0100 [DEBUG] plugin.terraform-provider-acme_v1.3.4_x4: 2019/06/26 09:38:26 [DEBUG] lego: [example.com] acme: Checking DNS record propagation using [8.8.8.8:53 8.8.4.4:53]
2019-06-26T09:38:26.140+0100 [DEBUG] plugin.terraform-provider-acme_v1.3.4_x4: 2019/06/26 09:38:26 [DEBUG] lego: Wait for propagation [timeout: 20m0s, interval: 20s]
2019-06-26T09:38:27.117+0100 [DEBUG] plugin.terraform-provider-acme_v1.3.4_x4: 2019/06/26 09:38:27 [DEBUG] lego: [www.example.com] acme: Trying to solve DNS-01
2019-06-26T09:38:27.117+0100 [DEBUG] plugin.terraform-provider-acme_v1.3.4_x4: 2019/06/26 09:38:27 [DEBUG] lego: [www.example.com] acme: Checking DNS record propagation using [8.8.8.8:53 8.8.4.4:53]
2019-06-26T09:38:27.117+0100 [DEBUG] plugin.terraform-provider-acme_v1.3.4_x4: 2019/06/26 09:38:27 [DEBUG] lego: Wait for propagation [timeout: 20m0s, interval: 20s]
2019/06/26 09:38:27 [TRACE] dag/walk: vertex "meta.count-boundary (count boundary fixup)", waiting for: "acme_certificate.ocean"
2019/06/26 09:38:27 [TRACE] dag/walk: vertex "root", waiting for: "meta.count-boundary (count boundary fixup)"
2019/06/26 09:38:27 [TRACE] dag/walk: vertex "provider.acme (close)", waiting for: "acme_certificate.ocean"
2019-06-26T09:38:28.083+0100 [DEBUG] plugin.terraform-provider-acme_v1.3.4_x4: 2019/06/26 09:38:28 [DEBUG] lego: [example.com] acme: Cleaning DNS-01 challenge
2019-06-26T09:38:28.391+0100 [DEBUG] plugin.terraform-provider-acme_v1.3.4_x4: 2019/06/26 09:38:28 [DEBUG] lego: [www.example.com] acme: Cleaning DNS-01 challenge
2019-06-26T09:38:28.903+0100 [DEBUG] plugin.terraform-provider-acme_v1.3.4_x4: 2019/06/26 09:38:28 [DEBUG] lego: Unable to deactivated authorizations: https://acme-v02.api.letsencrypt.org/acme/authz/OmXGbHjG7C0VGC1fNw9Pued8kUdRewatmB_rHYq1g24
2019-06-26T09:38:29.142+0100 [DEBUG] plugin.terraform-provider-acme_v1.3.4_x4: 2019/06/26 09:38:29 [DEBUG] lego: Unable to deactivated authorizations: https://acme-v02.api.letsencrypt.org/acme/authz/5_qjEloHKj7SYYcb1LgzjAWOckZu0IIArrZbm5SkJQU
2019/06/26 09:38:29 [TRACE] root: eval: *terraform.EvalWriteState
2019/06/26 09:38:29 [TRACE] root: eval: *terraform.EvalApplyProvisioners
2019/06/26 09:38:29 [TRACE] root: eval: *terraform.EvalIf
2019/06/26 09:38:29 [TRACE] root: eval: *terraform.EvalWriteState
2019/06/26 09:38:29 [TRACE] root: eval: *terraform.EvalWriteDiff
2019/06/26 09:38:29 [TRACE] root: eval: *terraform.EvalApplyPost
2019/06/26 09:38:29 [ERROR] root: eval: *terraform.EvalApplyPost, err: 1 error(s) occurred:

* acme_certificate.ocean: error creating certificate: acme: Error -> One or more domains had a problem:
[example.com] acme: error: 400 :: urn:ietf:params:acme:error:dns :: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.example.com, url: 
[www.example.com] acme: error: 400 :: urn:ietf:params:acme:error:dns :: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.www.example.com, url: 
2019/06/26 09:38:29 [ERROR] root: eval: *terraform.EvalSequence, err: 1 error(s) occurred:

* acme_certificate.ocean: error creating certificate: acme: Error -> One or more domains had a problem:
[example.com] acme: error: 400 :: urn:ietf:params:acme:error:dns :: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.example.com, url: 
[www.example.com] acme: error: 400 :: urn:ietf:params:acme:error:dns :: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.www.example.com, url: 
2019/06/26 09:38:29 [TRACE] [walkApply] Exiting eval tree: acme_certificate.ocean
2019/06/26 09:38:29 [TRACE] dag/walk: upstream errored, not walking "meta.count-boundary (count boundary fixup)"
2019/06/26 09:38:29 [TRACE] dag/walk: upstream errored, not walking "provider.acme (close)"
2019/06/26 09:38:29 [TRACE] dag/walk: upstream errored, not walking "root"
2019/06/26 09:38:29 [TRACE] Preserving existing state lineage "55ee690f-7b13-e2c8-97bb-a6735508293e"
2019/06/26 09:38:29 [TRACE] Preserving existing state lineage "55ee690f-7b13-e2c8-97bb-a6735508293e"
2019/06/26 09:38:29 [TRACE] Preserving existing state lineage "55ee690f-7b13-e2c8-97bb-a6735508293e"
2019/06/26 09:38:29 [TRACE] Preserving existing state lineage "55ee690f-7b13-e2c8-97bb-a6735508293e"

2019/06/26 09:38:29 [DEBUG] plugin: waiting for all plugin processes to complete...
Error: Error applying plan:

1 error(s) occurred:

* acme_certificate.ocean: 1 error(s) occurred:

* acme_certificate.ocean: error creating certificate: acme: Error -> One or more domains had a problem:
[example.com] acme: error: 400 :: urn:ietf:params:acme:error:dns :: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.example.com, url: 
[www.example.com] acme: error: 400 :: urn:ietf:params:acme:error:dns :: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.www.example.com, url:

Error 403 Account deactivated on `terraform apply`

I am using Terraform acme provider with acme_certificate and acme_registration resources for several domains. This setup worked for the past few weeks. Since few days ago when running terraform apply on some of the domains I receive 403 error. Now I cannot use neither apply nor apply on these setups.

Error I'm receiving (formatted for readability):

* module.vpn.module.paidy-openvpn.acme_registration.reg: acme_registration.reg: 
    acme: Error 403 - urn:ietf:params:acme:error:unauthorized - 
    Account is not valid, has status "deactivated"

Is there any way to clear there errors?

Terraform crash when apply with acme

This issue was originally opened by @NickSu86 as hashicorp/terraform#22330. It was migrated here as a result of the provider split. The original body of the issue is below.

Terraform Version

Terraform v0.12.5
+ provider.acme v1.3.5
+ provider.aws v2.17.0
+ provider.tls v2.0.1

Terraform Configuration Files

provider "aws" {
  version = "v2.17.0"
  region = "ap-southeast-1"
}

resource "aws_iam_server_certificate" "www" {
  name             = "${local.www_domain}"
  certificate_body = "${acme_certificate.www.certificate_pem}"
  private_key      = "${tls_private_key.private_key.private_key_pem}"
}

resource "aws_elb" "elb" {
  name               = "${local.elb_name}"
  availability_zones = ["${var.az}"]

  listener {
    instance_port     = 8000
    instance_protocol = "http"
    lb_port           = 443
    lb_protocol       = "https"
    ssl_certificate_id = "${aws_iam_server_certificate.www.arn}"
  }

  health_check {
    healthy_threshold   = 2
    unhealthy_threshold = 2
    timeout             = 3
    target              = "HTTP:8000/"
    interval            = 30
  }

  cross_zone_load_balancing   = true
  idle_timeout                = 400
  connection_draining         = true
  connection_draining_timeout = 400

  tags = {
    Name = "${var.tag_name}"
  }
}

resource "aws_route53_zone" "primary" {
  name = "${var.domain}"
}

resource "aws_route53_record" "www" {
  zone_id = "${aws_route53_zone.primary.zone_id}"
  name    = "${local.www_domain}"
  type    = "NS"
  ttl     = "3600"

  records = ["${aws_elb.bar.dns_name}"]
}

provider "acme" {
  server_url = "https://acme-staging-v02.api.letsencrypt.org/directory"
}

resource "tls_private_key" "private_key" {
  algorithm = "RSA"
}

resource "acme_registration" "reg" {
  account_key_pem = "${tls_private_key.private_key.private_key_pem}"
  email_address   = "${var.email_address}"
}

resource "acme_certificate" "www" {
  account_key_pem           = "${acme_registration.reg.account_key_pem}"
  common_name               = "${local.www_domain}"
  subject_alternative_names = ["${local.www_domain}"]

  dns_challenge {
    provider = "route53"

    config = {
      AWS_HOSTED_ZONE_ID = "${aws_route53_zone.primary.zone_id}"
    }
  }
}

Debug Output

2019/08/05 21:13:14 [INFO] Terraform version: 0.12.5  
2019/08/05 21:13:14 [INFO] Go runtime version: go1.12.4
2019/08/05 21:13:14 [INFO] CLI args: []string{"/usr/local/bin/terraform", "apply"}
2019/08/05 21:13:14 [DEBUG] Attempting to open CLI config file: /home/user/.terraformrc
2019/08/05 21:13:14 [DEBUG] File doesn't exist, but doesn't need to. Ignoring.
2019/08/05 21:13:14 [INFO] CLI command args: []string{"apply"}
2019/08/05 21:13:14 [DEBUG] New state was assigned lineage "b8a40261-421f-94c7-a831-dec9697ced2f"
2019/08/05 21:13:14 [TRACE] Meta.Backend: using default local state only (no backend configuration, and no existing initialized backend)
2019/08/05 21:13:14 [TRACE] Meta.Backend: instantiated backend of type <nil>
2019/08/05 21:13:14 [DEBUG] checking for provider in "."
2019/08/05 21:13:14 [DEBUG] checking for provider in "/usr/local/bin"
2019/08/05 21:13:14 [DEBUG] checking for provider in ".terraform/plugins/linux_amd64"
2019/08/05 21:13:14 [DEBUG] found provider "terraform-provider-acme_v1.3.5_x4"
2019/08/05 21:13:14 [DEBUG] found provider "terraform-provider-aws_v2.17.0_x4"
2019/08/05 21:13:14 [DEBUG] found provider "terraform-provider-tls_v2.0.1_x4"
2019/08/05 21:13:14 [DEBUG] found valid plugin: "tls", "2.0.1", "/home/user/Dev/homeproject/test/.terraform/plugins/linux_amd64/terraform-provider-tls_v2.0.1_x4"
2019/08/05 21:13:14 [DEBUG] found valid plugin: "acme", "1.3.5", "/home/user/Dev/homeproject/test/.terraform/plugins/linux_amd64/terraform-provider-acme_v1.3.5_x4"
2019/08/05 21:13:14 [DEBUG] found valid plugin: "aws", "2.17.0", "/home/user/Dev/homeproject/test/.terraform/plugins/linux_amd64/terraform-provider-aws_v2.17.0_x4"
2019/08/05 21:13:14 [DEBUG] checking for provisioner in "."
2019/08/05 21:13:14 [DEBUG] checking for provisioner in "/usr/local/bin"
2019/08/05 21:13:14 [DEBUG] checking for provisioner in ".terraform/plugins/linux_amd64"
2019/08/05 21:13:14 [INFO] backend/local: starting Apply operation
2019-08-05T21:13:16.084+0800 [INFO]  plugin: configuring client automatic mTLS
2019-08-05T21:13:16.124+0800 [DEBUG] plugin: starting plugin: path=/home/user/Dev/homeproject/test/.terraform/plugins/linux_amd64/terraform-provider-acme_v1.3.5_x4 args=[/home/user/Dev/homeproject/test/.terraform/plugins/linux_amd64/terraform-provider-acme_v1.3.5_x4]
2019-08-05T21:13:16.124+0800 [DEBUG] plugin: plugin started: path=/home/user/Dev/homeproject/test/.terraform/plugins/linux_amd64/terraform-provider-acme_v1.3.5_x4 pid=29576
2019-08-05T21:13:16.124+0800 [DEBUG] plugin: waiting for RPC address: path=/home/user/Dev/homeproject/test/.terraform/plugins/linux_amd64/terraform-provider-acme_v1.3.5_x4
2019-08-05T21:13:16.133+0800 [DEBUG] plugin.terraform-provider-acme_v1.3.5_x4: 2019/08/05 21:13:16 [DEBUG] lego: Messages from the lego library will show up as DEBUG messages.
2019-08-05T21:13:16.133+0800 [INFO]  plugin.terraform-provider-acme_v1.3.5_x4: configuring server automatic mTLS: timestamp=2019-08-05T21:13:16.133+0800
2019-08-05T21:13:16.168+0800 [DEBUG] plugin: using plugin: version=5
2019-08-05T21:13:16.168+0800 [DEBUG] plugin.terraform-provider-acme_v1.3.5_x4: plugin address: address=/tmp/plugin205197848 network=unix timestamp=2019-08-05T21:13:16.168+0800
2019-08-05T21:13:16.243+0800 [DEBUG] plugin: plugin process exited: path=/home/user/Dev/homeproject/test/.terraform/plugins/linux_amd64/terraform-provider-acme_v1.3.5_x4 pid=29576
2019-08-05T21:13:16.243+0800 [DEBUG] plugin: plugin exited
2019/08/05 21:13:16 [TRACE] LoadSchemas: retrieving schema for provider type "aws"
2019-08-05T21:13:16.243+0800 [INFO]  plugin: configuring client automatic mTLS
2019-08-05T21:13:16.278+0800 [DEBUG] plugin: starting plugin: path=/home/user/Dev/homeproject/test/.terraform/plugins/linux_amd64/terraform-provider-aws_v2.17.0_x4 args=[/home/user/Dev/homeproject/test/.terraform/plugins/linux_amd64/terraform-provider-aws_v2.17.0_x4]
2019-08-05T21:13:16.278+0800 [DEBUG] plugin: plugin started: path=/home/user/Dev/homeproject/test/.terraform/plugins/linux_amd64/terraform-provider-aws_v2.17.0_x4 pid=29606
2019-08-05T21:13:16.278+0800 [DEBUG] plugin: waiting for RPC address: path=/home/user/Dev/homeproject/test/.terraform/plugins/linux_amd64/terraform-provider-aws_v2.17.0_x4
2019-08-05T21:13:16.294+0800 [INFO]  plugin.terraform-provider-aws_v2.17.0_x4: configuring server automatic mTLS: timestamp=2019-08-05T21:13:16.294+0800
2019-08-05T21:13:16.332+0800 [DEBUG] plugin: using plugin: version=5
2019-08-05T21:13:16.332+0800 [DEBUG] plugin.terraform-provider-aws_v2.17.0_x4: plugin address: address=/tmp/plugin956759930 network=unix timestamp=2019-08-05T21:13:16.332+0800
2019-08-05T21:13:16.459+0800 [DEBUG] plugin: plugin process exited: path=/home/user/Dev/homeproject/test/.terraform/plugins/linux_amd64/terraform-provider-aws_v2.17.0_x4 pid=29606
2019-08-05T21:13:16.459+0800 [DEBUG] plugin: plugin exited
2019-08-05T21:13:16.459+0800 [INFO]  plugin: configuring client automatic mTLS
2019-08-05T21:13:16.492+0800 [DEBUG] plugin: starting plugin: path=/home/user/Dev/homeproject/test/.terraform/plugins/linux_amd64/terraform-provider-tls_v2.0.1_x4 args=[/home/user/Dev/homeproject/test/.terraform/plugins/linux_amd64/terraform-provider-tls_v2.0.1_x4]
2019-08-05T21:13:16.492+0800 [DEBUG] plugin: plugin started: path=/home/user/Dev/homeproject/test/.terraform/plugins/linux_amd64/terraform-provider-tls_v2.0.1_x4 pid=29631
2019-08-05T21:13:16.492+0800 [DEBUG] plugin: waiting for RPC address: path=/home/user/Dev/homeproject/test/.terraform/plugins/linux_amd64/terraform-provider-tls_v2.0.1_x4
2019-08-05T21:13:16.498+0800 [INFO]  plugin.terraform-provider-tls_v2.0.1_x4: configuring server automatic mTLS: timestamp=2019-08-05T21:13:16.498+0800
2019-08-05T21:13:16.536+0800 [DEBUG] plugin.terraform-provider-tls_v2.0.1_x4: plugin address: address=/tmp/plugin481353143 network=unix timestamp=2019-08-05T21:13:16.536+0800
2019-08-05T21:13:16.536+0800 [DEBUG] plugin: using plugin: version=5
2019-08-05T21:13:16.613+0800 [DEBUG] plugin: plugin process exited: path=/home/user/Dev/homeproject/test/.terraform/plugins/linux_amd64/terraform-provider-tls_v2.0.1_x4 pid=29631
2019-08-05T21:13:16.613+0800 [DEBUG] plugin: plugin exited
2019/08/05 21:13:16 [INFO] terraform: building graph: GraphTypeValidate
2019/08/05 21:13:16 [DEBUG] adding implicit provider configuration provider.tls, implied first by tls_private_key.private_key
2019/08/05 21:13:16 [DEBUG] ProviderTransformer: "acme_certificate.www" (*terraform.NodeValidatableResource) needs provider.acme
2019/08/05 21:13:16 [DEBUG] ProviderTransformer: "aws_route53_record.www" (*terraform.NodeValidatableResource) needs provider.aws
2019/08/05 21:13:16 [DEBUG] ProviderTransformer: "aws_iam_server_certificate.www" (*terraform.NodeValidatableResource) needs provider.aws
2019/08/05 21:13:16 [TRACE] ProviderTransformer: exact match for provider.aws serving aws_route53_zone.primary
2019/08/05 21:13:16 [DEBUG] ProviderTransformer: "aws_route53_zone.primary" (*terraform.NodeValidatableResource) needs provider.aws
2019/08/05 21:13:16 [DEBUG] ProviderTransformer: "aws_elb.elb" (*terraform.NodeValidatableResource) needs provider.aws
2019/08/05 21:13:16 [DEBUG] ProviderTransformer: "aws_elb.bar" (*terraform.NodeValidatableResource) needs provider.aws
2019/08/05 21:13:16 [DEBUG] ReferenceTransformer: "tls_private_key.private_key" references: []
2019/08/05 21:13:16 [DEBUG] ReferenceTransformer: "acme_registration.reg" references: [var.email_address tls_private_key.private_key]
2019/08/05 21:13:16 [DEBUG] ReferenceTransformer: "aws_route53_record.www" references: [aws_elb.bar local.www_domain aws_route53_zone.primary]
2019/08/05 21:13:16 [DEBUG] ReferenceTransformer: "provider.tls" references: []
2019/08/05 21:13:16 [DEBUG] ReferenceTransformer: "aws_iam_server_certificate.www" references: [local.www_domain tls_private_key.private_key acme_certificate.www]
2019/08/05 21:13:16 [DEBUG] ReferenceTransformer: "local.elb_name" references: []
2019/08/05 21:13:16 [DEBUG] ReferenceTransformer: "output.elb-ip" references: [aws_elb.bar]
2019/08/05 21:13:16 [DEBUG] ReferenceTransformer: "aws_route53_zone.primary" references: [var.domain]
2019/08/05 21:13:16 [DEBUG] ReferenceTransformer: "local.www_domain" references: [var.domain]
2019/08/05 21:13:16 [DEBUG] ReferenceTransformer: "var.email_address" references: []
2019/08/05 21:13:16 [DEBUG] ReferenceTransformer: "var.tag_name" references: []
2019/08/05 21:13:16 [DEBUG] ReferenceTransformer: "provider.acme" references: []
2019/08/05 21:13:16 [DEBUG] ReferenceTransformer: "aws_elb.elb" references: [var.tag_name var.az local.elb_name aws_iam_server_certificate.www]
2019/08/05 21:13:16 [DEBUG] ReferenceTransformer: "aws_elb.bar" references: [aws_iam_server_certificate.www]
2019/08/05 21:13:16 [DEBUG] ReferenceTransformer: "acme_certificate.www" references: [acme_registration.reg local.www_domain local.www_domain aws_route53_zone.primary]
2019/08/05 21:13:16 [DEBUG] ReferenceTransformer: "var.domain" references: []
2019/08/05 21:13:16 [DEBUG] ReferenceTransformer: "var.az" references: []
2019/08/05 21:13:16 [DEBUG] ReferenceTransformer: "provider.aws" references: []
.reg - *terraform.NodeValidatableResource
  aws_elb.bar - *terraform.NodeValidatableResource
  aws_elb.elb - *terraform.NodeValidatableResource
  aws_iam_server_certificate.www - *terraform.NodeValidatableResource
  aws_route53_record.www - *terraform.NodeValidatableResource
  aws_route53_zone.primary - *terraform.NodeValidatableResource
  local.elb_name - *terraform.NodeLocal
  local.www_domain - *terraform.NodeLocal
  output.elb-ip - *terraform.NodeApplyableOutput
  provider.acme - *terraform.NodeApplyableProvider
  provider.aws - *terraform.NodeApplyableProvider
  provider.tls - *terraform.NodeApplyableProvider
  tls_private_key.private_key - *terraform.NodeValidatableResource
  var.az - *terraform.NodeRootVariable
  var.domain - *terraform.NodeRootVariable
  var.email_address - *terraform.NodeRootVariable
  var.tag_name - *terraform.NodeRootVariable
output.elb-ip - *terraform.NodeApplyableOutput
  aws_elb.bar - *terraform.NodeValidatableResource
provider.acme - *terraform.NodeApplyableProvider
provider.acme (close) - *terraform.graphNodeCloseProvider
  acme_certificate.www - *terraform.NodeValidatableResource
  acme_registration.reg - *terraform.NodeValidatableResource
  provider.acme - *terraform.NodeApplyableProvider
provider.aws - *terraform.NodeApplyableProvider
provider.aws (close) - *terraform.graphNodeCloseProvider
  aws_elb.bar - *terraform.NodeValidatableResource
  aws_elb.elb - *terraform.NodeValidatableResource
  aws_iam_server_certificate.www - *terraform.NodeValidatableResource
  aws_route53_record.www - *terraform.NodeValidatableResource
  aws_route53_zone.primary - *terraform.NodeValidatableResource
  provider.aws - *terraform.NodeApplyableProvider
provider.tls - *terraform.NodeApplyableProvider
provider.tls (close) - *terraform.graphNodeCloseProvider
  provider.tls - *terraform.NodeApplyableProvider
  tls_private_key.private_key - *terraform.NodeValidatableResource
tls_private_key.private_key - *terraform.NodeValidatableResource
  provider.tls - *terraform.NodeApplyableProvider
var.az - *terraerraform.NodeValidatableResource
  aws_elb.bar - *terraform.NodeValidatableResource
  aws_elb.elb - *terraform.NodeValidatableResource
  aws_iam_server_certificate.www - *terraform.NodeValidatableResource
  aws_route53_record.www - *terraform.NodeValidatableResource
  aws_route53_zone.primary - *terraform.NodeValidatableResource
  local.elb_name - *terraform.NodeLocal
  local.www_domain - *terraform.NodeLocal
  output.elb-ip - *terraform.NodeApplyableOutput
  provider.acme - *terraform.NodeApplyableProvider
  provider.aws - *terraform.NodeApplyableProvider
  provider.tls - *terraform.NodeApplyableProvider
  tls_private_key.private_key - *terraform.NodeValidatableResource
  var.az - *terraform.NodeRootVariable
  var.domain - *terraform.NodeRootVariable
  var.email_address - *terraform.NodeRootVariable
  var.tag_name - *terraform.NodeRootVariable
output.elb-ip - *terraform.NodeApplyableOutput
  aws_elb.bar - *terraform.NodeValidatableResource
provider.acme - *terraform.NodeApplyableProvider
provider.acme (close) - *terraform.graphNodeCloseProvider
  acme_certificate.www - *terraform.NodeValidatableResource
  acme_registration.reg - *terraform.NodeValidatableResource
  provider.acme - *terraform.NodeApplyableProvider
provider.aws - *terraform.NodeApplyableProvider
provider.aws (close) - *terraform.graphNodeCloseProvider
  aws_elb.bar - *terraform.NodeValidatableResource
  aws_elb.elb - *terraform.NodeValidatableResource
  aws_iam_server_certificate.www - *terraform.NodeValidatableResource
  aws_route53_record.www - *terraform.NodeValidatableResource
  aws_route53_zone.primary - *terraform.NodeValidatableResource
  provider.aws - *terraform.NodeApplyableProvider
provider.tls - *terraform.NodeApplyableProvider
provider.tls (close) - *terraform.graphNodeCloseProvider
  provider.tls - *terraform.NodeApplyableProvider
  tls_private_key.private_key - *terraform.NodeValidatableResource
root - terraform.graphNodeRoot
  meta.count-boundary (EachMode fixup) - *terraform.NodeCountBoundary
  provider.acme (close) - *terraform.glb.elb - *terraform.NodeValidatableResource
  aws_route53_record.www - *terraform.NodeValidatableResource
provider.tls - *terraform.NodeApplyableProvider
provider.tls (close) - *terraform.graphNodeCloseProvider
  tls_private_key.private_key - *terraform.NodeValidatableResource
root - terraform.graphNodeRoot
  meta.count-boundary (EachMode fixup) - *terraform.NodeCountBoundary
  provider.acme (close) - *terraform.graphNodeCloseProvider
  provider.aws (close) - *terraform.graphNodeCloseProvider
  provider.tls (close) - *terraform.graphNodeCloseProvider
tls_private_key.private_key - *terraform.NodeValidatableResource
  provider.tls - *terraform.NodeApplyableProvider
var.az - *terraform.NodeRootVariable
var.domain - *terraform.NodeRootVariable
var.email_address - *terraform.NodeRootVariable
var.tag_name - *terraform.NodeRootVariable
------
2019/08/05 21:13:16 [DEBUG] Starting graph walk: walkValidate
2019-08-05T21:13:16.620+0800 [INFO]  plugin: configuring client automatic mTLS
2019-08-05T21:13:16.654+0800 [DEBUG] plugin: starting plugin: path=/home/user/Dev/homeproject/test/.terraform/plugins/linux_amd64/terraform-provider-tls_v2.0.1_x4 args=[/home/user/Dev/homeproject/test/.terraform/plugins/linux_amd64/terraform-provider-tls_v2.0.1_x4]
2019-08-05T21:13:16.655+0800 [DEBUG] plugin: plugin started: path=/home/user/Dev/homeproject/test/.terraform/plugins/linux_amd64/terraform-provider-tls_v2.0.1_x4 pid=29662
2019-08-05T21:13:16.655+0800 [DEBUG] plugin: waiting for RPC address: path=/home/user/Dev/homeproject/test/.terraform/plugins/linux_amd64/terraform-provider-tls_v2.0.1_x4
2019-08-05T21:13:16.661+0800 [INFO]  plugin.terraform-provider-tls_v2.0.1_x4: configuring server automatic mTLS: timestamp=2019-08-05T21:13:16.661+0800
2019-08-05T21:13:16.698+0800 [DEBUG] plugin: using plugin: version=5
2019-08-05T21:13:16.698+0800 [DEBUG] plugin.terraform-provider-tls_v2.0.1_x4: plugin address: address=/tmp/plugin731220874 network=unix timestamp=2019-08-05T21:13:16.698+0800
2019-08-05T21:13:16.699+0800 [INFO]  plugin: configuring client automatic mTLS
2019-08-05T21:13:16.739+0800 [DEBUG] plugin: starting plugin: path=/home/user/Dev/homeproject/test/.terraform/plugins/linux_amd64/terraform-provider-acme_v1.3.5_x4 args=[/home/user/Dev/homeproject/test/.terraform/plugins/linux_amd64/terraform-provider-acme_v1.3.5_x4]
2019-08-05T21:13:16.739+0800 [DEBUG] plugin: plugin started: path=/home/user/Dev/homeproject/test/.terraform/plugins/linux_amd64/terraform-provider-acme_v1.3.5_x4 pid=29687
2019-08-05T21:13:16.739+0800 [DEBUG] plugin: waiting for RPC address: path=/home/user/Dev/homeproject/test/.terraform/plugins/linux_amd64/terraform-provider-acme_v1.3.5_x4
2019-08-05T21:13:16.749+0800 [DEBUG] plugin.terraform-provider-acme_v1.3.5_x4: 2019/08/05 21:13:16 [DEBUG] lego: Messages from the lego library will show up as DEBUG messages.
2019-08-05T21:13:16.749+0800 [INFO]  plugin.terraform-provider-acme_v1.3.5_x4: configuring server automatic mTLS: timestamp=2019-08-05T21:13:16.749+0800
2019-08-05T21:13:16.788+0800 [DEBUG] plugin: using plugin: version=5
2019-08-05T21:13:16.788+0800 [DEBUG] plugin.terraform-provider-acme_v1.3.5_x4: plugin address: address=/tmp/plugin607650388 network=unix timestamp=2019-08-05T21:13:16.787+0800
2019-08-05T21:13:16.788+0800 [INFO]  plugin: configuring client automatic mTLS
2019-08-05T21:13:16.827+0800 [DEBUG] plugin: starting plugin: path=/home/user/Dev/homeproject/test/.terraform/plugins/linux_amd64/terraform-provider-aws_v2.17.0_x4 args=[/home/user/Dev/homeproject/test/.terraform/plugins/linux_amd64/terraform-provider-aws_v2.17.0_x4]
2019-08-05T21:13:16.827+0800 [DEBUG] plugin: plugin started: path=/home/user/Dev/homeproject/test/.terraform/plugins/linux_amd64/terraform-provider-aws_v2.17.0_x4 pid=29711
2019-08-05T21:13:16.827+0800 [DEBUG] plugin: waiting for RPC address: path=/home/user/Dev/homeproject/test/.terraform/plugins/linux_amd64/terraform-provider-aws_v2.17.0_x4
2019-08-05T21:13:16.843+0800 [INFO]  plugin.terraform-provider-aws_v2.17.0_x4: configuring server automatic mTLS: timestamp=2019-08-05T21:13:16.843+0800
2019-08-05T21:13:16.879+0800 [DEBUG] plugin.terraform-provider-aws_v2.17.0_x4: plugin address: address=/tmp/plugin676171810 network=unix timestamp=2019-08-05T21:13:16.879+0800
2019-08-05T21:13:16.879+0800 [DEBUG] plugin: using plugin: version=5
2019-08-05T21:13:16.881+0800 [DEBUG] plugin: plugin process exited: path=/home/user/Dev/homeproject/test/.terraform/plugins/linux_amd64/terraform-provider-tls_v2.0.1_x4 pid=29662
2019-08-05T21:13:16.881+0800 [DEBUG] plugin: plugin exited
2019/08/05 21:13:16 [TRACE] [walkValidate] Exiting eval tree: provider.tls (close)
2019-08-05T21:13:17.058+0800 [DEBUG] plugin: plugin process exited: path=/home/user/Dev/homeproject/test/.terraform/plugins/linux_amd64/terraform-provider-acme_v1.3.5_x4 pid=29687
2019-08-05T21:13:17.058+0800 [DEBUG] plugin: plugin exited
2019/08/05 21:13:17 [TRACE] [walkValidate] Exiting eval tree: provider.acme (close)
2019/08/05 21:13:17 [TRACE] vertex "provider.acme (close)": visit complete
2019-08-05T21:13:17.063+0800 [DEBUG] plugin: plugin process exited: path=/home/user/Dev/homeproject/test/.terraform/plugins/linux_amd64/terraform-provider-aws_v2.17.0_x4 pid=29711
2019-08-05T21:13:17.063+0800 [DEBUG] plugin: plugin exited
2019/08/05 21:13:17 [TRACE] [walkValidate] Exiting eval tree: provider.aws (close)
2019/08/05 21:13:17 [TRACE] vertex "provider.aws (close)": visit complete
2019/08/05 21:13:17 [INFO] backend/local: apply calling Refresh
2019/08/05 21:13:17 [INFO] terraform: building graph: GraphTypeRefresh
2019/08/05 21:13:17 [TRACE] No managed resources in state during refresh; skipping managed resource transformer
2019/08/05 21:13:17 [DEBUG] pruning unused provider.aws
2019/08/05 21:13:17 [DEBUG] pruning unused provider.acme
2019/08/05 21:13:17 [DEBUG] ReferenceTransformer: "var.tag_name" references: []
2019/08/05 21:13:17 [DEBUG] ReferenceTransformer: "var.email_address" references: []
2019/08/05 21:13:17 [DEBUG] ReferenceTransformer: "var.az" references: []
2019/08/05 21:13:17 [DEBUG] ReferenceTransformer: "var.domain" references: []
2019/08/05 21:13:17 [DEBUG] ReferenceTransformer: "local.www_domain" references: [var.domain]
2019/08/05 21:13:17 [DEBUG] ReferenceTransformer: "local.elb_name" references: []
2019/08/05 21:13:17 [DEBUG] ReferenceTransformer: "output.elb-ip" references: []
2019/08/05 21:13:17 [DEBUG] Starting graph walk: walkRefresh
2019/08/05 21:13:17 [INFO] backend/local: apply calling Plan
2019/08/05 21:13:17 [INFO] terraform: building graph: GraphTypePlan
2019/08/05 21:13:17 [DEBUG] adding implicit provider configuration provider.tls, implied first by tls_private_key.private_key
2019/08/05 21:13:17 [DEBUG] ProviderTransformer: "tls_private_key.private_key" (*terraform.NodePlannableResource) needs provider.tls
2019/08/05 21:13:17 [DEBUG] ProviderTransformer: "acme_registration.reg" (*terraform.NodePlannableResource) needs provider.acme
2019/08/05 21:13:17 [DEBUG] ProviderTransformer: "aws_elb.elb" (*terraform.NodePlannableResource) needs provider.aws
2019/08/05 21:13:17 [DEBUG] ProviderTransformer: "aws_route53_record.www" (*terraform.NodePlannableResource) needs provider.aws
2019/08/05 21:13:17 [DEBUG] ProviderTransformer: "acme_certificate.www" (*terraform.NodePlannableResource) needs provider.acme
2019/08/05 21:13:17 [DEBUG] ReferenceTransformer: "aws_elb.elb" references: [var.tag_name local.elb_name var.az aws_iam_server_certificate.www]
2019/08/05 21:13:17 [DEBUG] ReferenceTransformer: "aws_iam_server_certificate.www" references: [acme_certificate.www local.www_domain tls_private_key.private_key]
2019/08/05 21:13:17 [DEBUG] ReferenceTransformer: "var.tag_name" references: []
2019/08/05 21:13:17 [DEBUG] ReferenceTransformer: "var.az" references: []
2019/08/05 21:13:17 [DEBUG] ReferenceTransformer: "provider.tls" references: []
2019/08/05 21:13:17 [DEBUG] ReferenceTransformer: "aws_route53_record.www" references: [aws_route53_zone.primary aws_elb.bar local.www_domain]
2019/08/05 21:13:17 [DEBUG] ReferenceTransformer: "aws_elb.bar" references: [aws_iam_server_certificate.www]
2019/08/05 21:13:17 [DEBUG] ReferenceTransformer: "acme_certificate.www" references: [local.www_domain acme_registration.reg local.www_domain aws_route53_zone.primary]
2019/08/05 21:13:17 [DEBUG] ReferenceTransformer: "var.email_address" references: []
2019/08/05 21:13:17 [DEBUG] ReferenceTransformer: "tls_private_key.private_key" references: []
2019/08/05 21:13:17 [DEBUG] ReferenceTransformer: "local.www_domain" references: [var.domain]
2019/08/05 21:13:17 [DEBUG] ReferenceTransformer: "local.elb_name" references: []
2019/08/05 21:13:17 [DEBUG] ReferenceTransformer: "provider.acme" references: []
2019/08/05 21:13:17 [DEBUG] ReferenceTransformer: "provider.aws" references: []
2019/08/05 21:13:17 [DEBUG] ReferenceTransformer: "acme_registration.reg" references: [tls_private_key.private_key var.email_address]
2019/08/05 21:13:17 [DEBUG] ReferenceTransformer: "aws_route53_zone.primary" references: [var.domain]
2019/08/05 21:13:17 [DEBUG] ReferenceTransformer: "output.elb-ip" references: [aws_elb.bar]
2019/08/05 21:13:17 [DEBUG] ReferenceTransformer: "var.domain" references: []
ource
  aws_elb.bar - *terraform.NodePlannableResource
  aws_elb.elb - *terraform.NodePlannableResource
  aws_iam_server_certificate.www - *terraform.NodePlannableResource
  aws_route53_record.www - *terraform.NodePlannableResource
  aws_route53_zone.primary - *terraform.NodePlannableResource
  local.elb_name - *terraform.NodeLocal
  local.www_domain - *terraform.NodeLocal
  output.elb-ip - *terraform.NodeApplyableOutput
  provider.acme - *terraform.NodeApplyableProvider
  provider.aws - *terraform.NodeApplyableProvider
  provider.tls - *terraform.NodeApplyableProvider
  tls_private_key.private_key - *terraform.NodePlannableResource
  var.az - *terraform.NodeRootVariable
  var.domain - *terraform.NodeRootVariable
  var.email_address - *terraform.NodeRootVariable
  var.tag_name - *terraform.NodeRootVariable
output.elb-ip - *terraform.NodeApplyableOutput
  aws_elb.bar - *terraform.NodePlannableResource
provider.acme - *terraform.NodeApplyableProvider
provider.acme (close) - *terraform.graphNodeCloseProvider
  acme_certificate.www - *terraform.NodePlannableResource
  acme_registration.reg - *terraform.NodePlannableResource
  provider.acme - *terraform.NodeApplyableProvider
provider.aws - *terraform.NodeApplyableProvider
provider.aws (close) - *terraform.graphNodeCloseProvider
  aws_elb.bar - *terraform.NodePlannableResource
  aws_elb.elb - *terraform.NodePlannableResource
  aws_iam_server_certificate.www - *terraform.NodePlannableResource
  aws_route53_record.www - *terraform.NodePlannableResource
  aws_route53_zone.primary - *terraform.NodePlannableResource
  provider.aws - *terraform.NodeApplyableProvider
provider.tls - *terraform.NodeApplyableProvider
provider.tls (close) - *terraform.graphNodeCloseProvider
  provider.tls - *terraform.NodeApplyableProvider
  tls_private_key.private_key - *terraform.NodePlannableResource
tls_private_key.private_key - *terraform.NodePlannableResource
  provider.tls - *terraform.NodeApplyableProvider
var.az - *terraform.NodeRootVariable
var.domain - *terraform.NodeRootVariable
var.ews_elb.bar - *terraform.NodePlannableResource
  aws_elb.elb - *terraform.NodePlannableResource
  aws_iam_server_certificate.www - *terraform.NodePlannableResource
  aws_route53_record.www - *terraform.NodePlannableResource
  aws_route53_zone.primary - *terraform.NodePlannableResource
  local.elb_name - *terraform.NodeLocal
  local.www_domain - *terraform.NodeLocal
  output.elb-ip - *terraform.NodeApplyableOutput
  provider.acme - *terraform.NodeApplyableProvider
  provider.aws - *terraform.NodeApplyableProvider
  provider.tls - *terraform.NodeApplyableProvider
  tls_private_key.private_key - *terraform.NodePlannableResource
  var.az - *terraform.NodeRootVariable
  var.domain - *terraform.NodeRootVariable
  var.email_address - *terraform.NodeRootVariable
  var.tag_name - *terraform.NodeRootVariable
output.elb-ip - *terraform.NodeApplyableOutput
  aws_elb.bar - *terraform.NodePlannableResource
provider.acme - *terraform.NodeApplyableProvider
provider.acme (close) - *terraform.graphNodeCloseProvider
  acme_certificate.www - *terraform.NodePlannableResource
  acme_registration.reg - *terraform.NodePlannableResource
  provider.acme - *terraform.NodeApplyableProvider
provider.aws - *terraform.NodeApplyableProvider
provider.aws (close) - *terraform.graphNodeCloseProvider
  aws_elb.bar - *terraform.NodePlannableResource
  aws_elb.elb - *terraform.NodePlannableResource
  aws_iam_server_certificate.www - *terraform.NodePlannableResource
  aws_route53_record.www - *terraform.NodePlannableResource
  aws_route53_zone.primary - *terraform.NodePlannableResource
  provider.aws - *terraform.NodeApplyableProvider
provider.tls - *terraform.NodeApplyableProvider
provider.tls (close) - *terraform.graphNodeCloseProvider
  provider.tls - *terraform.NodeApplyableProvider
  tls_private_key.private_key - *terraform.NodePlannableResource
root - terraform.graphNodeRoot
  meta.count-boundary (EachMode fixup) - *terraform.NodeCountBoundary
  provider.acme (close) - *terraform.graphNodeCloseProvider
  provider.aws (close) - *terraform.graphNodource
  aws_route53_record.www - *terraform.NodePlannableResource
provider.tls - *terraform.NodeApplyableProvider
provider.tls (close) - *terraform.graphNodeCloseProvider
  tls_private_key.private_key - *terraform.NodePlannableResource
root - terraform.graphNodeRoot
  meta.count-boundary (EachMode fixup) - *terraform.NodeCountBoundary
  provider.acme (close) - *terraform.graphNodeCloseProvider
  provider.aws (close) - *terraform.graphNodeCloseProvider
  provider.tls (close) - *terraform.graphNodeCloseProvider
tls_private_key.private_key - *terraform.NodePlannableResource
  provider.tls - *terraform.NodeApplyableProvider
var.az - *terraform.NodeRootVariable
var.domain - *terraform.NodeRootVariable
var.email_address - *terraform.NodeRootVariable
var.tag_name - *terraform.NodeRootVariable
------
2019/08/05 21:13:17 [DEBUG] Starting graph walk: walkPlan
2019-08-05T21:13:17.103+0800 [DEBUG] plugin: starting plugin: path=/home/user/Dev/homeproject/test/.terraform/plugins/linux_amd64/terraform-provider-aws_v2.17.0_x4 args=[/home/user/Dev/homeproject/test/.terraform/plugins/linux_amd64/terraform-provider-aws_v2.17.0_x4]
2019-08-05T21:13:17.103+0800 [DEBUG] plugin: plugin started: path=/home/user/Dev/homeproject/test/.terraform/plugins/linux_amd64/terraform-provider-aws_v2.17.0_x4 pid=29746
2019-08-05T21:13:17.103+0800 [DEBUG] plugin: waiting for RPC address: path=/home/user/Dev/homeproject/test/.terraform/plugins/linux_amd64/terraform-provider-aws_v2.17.0_x4
2019-08-05T21:13:17.118+0800 [INFO]  plugin.terraform-provider-aws_v2.17.0_x4: configuring server automatic mTLS: timestamp=2019-08-05T21:13:17.118+0800
2019-08-05T21:13:17.154+0800 [DEBUG] plugin.terraform-provider-aws_v2.17.0_x4: plugin address: address=/tmp/plugin057844006 network=unix timestamp=2019-08-05T21:13:17.154+0800
2019-08-05T21:13:17.154+0800 [DEBUG] plugin: using plugin: version=5
2019-08-05T21:13:17.155+0800 [INFO]  plugin: configuring client automatic mTLS
2019-08-05T21:13:17.192+0800 [DEBUG] plugin: starting plugin: path=/home/user/Dev/homeproject/test/.terraform/plugins/linux_amd64/terraform-provider-acme_v1.3.5_x4 args=[/home/user/Dev/homeproject/test/.terraform/plugins/linux_amd64/terraform-provider-acme_v1.3.5_x4]
2019-08-05T21:13:17.193+0800 [DEBUG] plugin: plugin started: path=/home/user/Dev/homeproject/test/.terraform/plugins/linux_amd64/terraform-provider-acme_v1.3.5_x4 pid=29768
2019-08-05T21:13:17.193+0800 [DEBUG] plugin: waiting for RPC address: path=/home/user/Dev/homeproject/test/.terraform/plugins/linux_amd64/terraform-provider-acme_v1.3.5_x4
2019-08-05T21:13:17.202+0800 [DEBUG] plugin.terraform-provider-acme_v1.3.5_x4: 2019/08/05 21:13:17 [DEBUG] lego: Messages from the lego library will show up as DEBUG messages.
2019-08-05T21:13:17.203+0800 [INFO]  plugin.terraform-provider-acme_v1.3.5_x4: configuring server automatic mTLS: timestamp=2019-08-05T21:13:17.202+0800
2019-08-05T21:13:17.237+0800 [DEBUG] plugin.terraform-provider-acme_v1.3.5_x4: plugin address: address=/tmp/plugin924443008 network=unix timestamp=2019-08-05T21:13:17.237+0800
2019-08-05T21:13:17.237+0800 [DEBUG] plugin: using plugin: version=5
2019-08-05T21:13:17.238+0800 [INFO]  plugin: configuring client automatic mTLS
2019-08-05T21:13:17.278+0800 [DEBUG] plugin: starting plugin: path=/home/user/Dev/homeproject/test/.terraform/plugins/linux_amd64/terraform-provider-tls_v2.0.1_x4 args=[/home/user/Dev/homeproject/test/.terraform/plugins/linux_amd64/terraform-provider-tls_v2.0.1_x4]
2019-08-05T21:13:17.278+0800 [DEBUG] plugin: plugin started: path=/home/user/Dev/homeproject/test/.terraform/plugins/linux_amd64/terraform-provider-tls_v2.0.1_x4 pid=29793
2019-08-05T21:13:17.278+0800 [DEBUG] plugin: waiting for RPC address: path=/home/user/Dev/homeproject/test/.terraform/plugins/linux_amd64/terraform-provider-tls_v2.0.1_x4
2019-08-05T21:13:17.284+0800 [INFO]  plugin.terraform-provider-tls_v2.0.1_x4: configuring server automatic mTLS: timestamp=2019-08-05T21:13:17.283+0800
2019-08-05T21:13:17.317+0800 [DEBUG] plugin.terraform-provider-tls_v2.0.1_x4: plugin address: address=/tmp/plugin100019862 network=unix timestamp=2019-08-05T21:13:17.317+0800
2019-08-05T21:13:17.317+0800 [DEBUG] plugin: using plugin: version=5
2019-08-05T21:13:17.319+0800 [DEBUG] plugin.terraform-provider-aws_v2.17.0_x4: 2019/08/05 21:13:17 [INFO] No assume_role block read from configuration
2019-08-05T21:13:17.319+0800 [DEBUG] plugin.terraform-provider-aws_v2.17.0_x4: 2019/08/05 21:13:17 [INFO] Building AWS auth structure
2019-08-05T21:13:17.319+0800 [DEBUG] plugin.terraform-provider-aws_v2.17.0_x4: 2019/08/05 21:13:17 [INFO] Setting AWS metadata API timeout to 100ms
2019/08/05 21:13:17 [DEBUG] Resource instance state not found for node "tls_private_key.private_key", instance tls_private_key.private_key
2019/08/05 21:13:17 [DEBUG] ReferenceTransformer: "tls_private_key.private_key" references: []
2019/08/05 21:13:17 [WARN] Provider "tls" produced an invalid plan for tls_private_key.private_key, but we are tolerating it because it is using the legacy plugin SDK.
    The following problems may be the cause of any confusing errors from downstream operations:
      - .ecdsa_curve: planned value cty.StringVal("P224") does not match config value cty.NullVal(cty.String)
      - .rsa_bits: planned value cty.NumberIntVal(2048) does not match config value cty.NullVal(cty.Number)
2019/08/05 21:13:17 [DEBUG] Resource instance state not found for node "acme_registration.reg", instance acme_registration.reg
2019/08/05 21:13:17 [DEBUG] ReferenceTransformer: "acme_registration.reg" references: []
2019/08/05 21:13:17 [TRACE] Completed graph transform *terraform.ReferenceTransformer (no changes)
2019-08-05T21:13:17.385+0800 [DEBUG] plugin: plugin process exited: path=/home/user/Dev/homeproject/test/.terraform/plugins/linux_amd64/terraform-provider-tls_v2.0.1_x4 pid=29793
2019-08-05T21:13:17.385+0800 [DEBUG] plugin: plugin exited
2019-08-05T21:13:18.004+0800 [DEBUG] plugin.terraform-provider-aws_v2.17.0_x4: 2019/08/05 21:13:18 [INFO] Ignoring AWS metadata API endpoint at default location as it doesn't return any instance-id
2019-08-05T21:13:18.004+0800 [DEBUG] plugin.terraform-provider-aws_v2.17.0_x4: 2019/08/05 21:13:18 [INFO] AWS Auth provider used: "SharedCredentialsProvider"
2019-08-05T21:13:18.004+0800 [DEBUG] plugin.terraform-provider-aws_v2.17.0_x4: 2019/08/05 21:13:18 [DEBUG] Trying to get account information via sts:GetCallerIdentity
2019-08-05T21:13:18.005+0800 [DEBUG] plugin.terraform-provider-aws_v2.17.0_x4: 2019/08/05 21:13:18 [DEBUG] [aws-sdk-go] DEBUG: Request sts/GetCallerIdentity Details:
2019-08-05T21:13:18.005+0800 [DEBUG] plugin.terraform-provider-aws_v2.17.0_x4: ---[ REQUEST POST-SIGN ]-----------------------------
2019-08-05T21:13:18.005+0800 [DEBUG] plugin.terraform-provider-aws_v2.17.0_x4: POST / HTTP/1.1
2019-08-05T21:13:18.005+0800 [DEBUG] plugin.terraform-provider-aws_v2.17.0_x4: Host: sts.amazonaws.com
2019-08-05T21:13:18.005+0800 [DEBUG] plugin.terraform-provider-aws_v2.17.0_x4: User-Agent: aws-sdk-go/1.20.8 (go1.12.5; linux; amd64) APN/1.0 HashiCorp/1.0 Terraform/0.12.2
2019-08-05T21:13:18.005+0800 [DEBUG] plugin.terraform-provider-aws_v2.17.0_x4: Content-Length: 43
2019-08-05T21:13:18.005+0800 [DEBUG] plugin.terraform-provider-aws_v2.17.0_x4: Authorization: *****
2019-08-05T21:13:18.005+0800 [DEBUG] plugin.terraform-provider-aws_v2.17.0_x4: Content-Type: application/x-www-form-urlencoded; charset=utf-8
2019-08-05T21:13:18.005+0800 [DEBUG] plugin.terraform-provider-aws_v2.17.0_x4: X-Amz-Date: 20190805T131318Z
2019-08-05T21:13:18.005+0800 [DEBUG] plugin.terraform-provider-aws_v2.17.0_x4: Accept-Encoding: gzip
2019-08-05T21:13:18.005+0800 [DEBUG] plugin.terraform-provider-aws_v2.17.0_x4: 
2019-08-05T21:13:18.005+0800 [DEBUG] plugin.terraform-provider-aws_v2.17.0_x4: Action=GetCallerIdentity&Version=2011-06-15
2019-08-05T21:13:18.005+0800 [DEBUG] plugin.terraform-provider-aws_v2.17.0_x4: -----------------------------------------------------
2019-08-05T21:13:21.628+0800 [DEBUG] plugin.terraform-provider-aws_v2.17.0_x4: 2019/08/05 21:13:21 [DEBUG] [aws-sdk-go] DEBUG: Response sts/GetCallerIdentity Details:
2019-08-05T21:13:21.628+0800 [DEBUG] plugin.terraform-provider-aws_v2.17.0_x4: ---[ RESPONSE ]--------------------------------------
2019-08-05T21:13:21.628+0800 [DEBUG] plugin.terraform-provider-aws_v2.17.0_x4: HTTP/1.1 200 OK
2019-08-05T21:13:21.628+0800 [DEBUG] plugin.terraform-provider-aws_v2.17.0_x4: Connection: close
2019-08-05T21:13:21.628+0800 [DEBUG] plugin.terraform-provider-aws_v2.17.0_x4: Content-Length: 406
2019-08-05T21:13:21.628+0800 [DEBUG] plugin.terraform-provider-aws_v2.17.0_x4: Content-Type: text/xml
2019-08-05T21:13:21.628+0800 [DEBUG] plugin.terraform-provider-aws_v2.17.0_x4: Date: Mon, 05 Aug 2019 13:13:20 GMT
2019-08-05T21:13:21.628+0800 [DEBUG] plugin.terraform-provider-aws_v2.17.0_x4: X-Amzn-Requestid: cc2096e6-b782-11e9-81bc-5b197525c3fa
2019-08-05T21:13:21.628+0800 [DEBUG] plugin.terraform-provider-aws_v2.17.0_x4: 
2019-08-05T21:13:21.628+0800 [DEBUG] plugin.terraform-provider-aws_v2.17.0_x4: 
2019-08-05T21:13:21.628+0800 [DEBUG] plugin.terraform-provider-aws_v2.17.0_x4: -----------------------------------------------------
2019-08-05T21:13:21.628+0800 [DEBUG] plugin.terraform-provider-aws_v2.17.0_x4: 2019/08/05 21:13:21 [DEBUG] [aws-sdk-go] <GetCallerIdentityResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">
2019-08-05T21:13:21.628+0800 [DEBUG] plugin.terraform-provider-aws_v2.17.0_x4:   <GetCallerIdentityResult>
2019-08-05T21:13:21.628+0800 [DEBUG] plugin.terraform-provider-aws_v2.17.0_x4:     <Arn>*****</Arn>
2019-08-05T21:13:21.628+0800 [DEBUG] plugin.terraform-provider-aws_v2.17.0_x4:     <UserId>*****</UserId>
2019-08-05T21:13:21.628+0800 [DEBUG] plugin.terraform-provider-aws_v2.17.0_x4:     <Account>*****</Account>
2019-08-05T21:13:21.628+0800 [DEBUG] plugin.terraform-provider-aws_v2.17.0_x4:   </GetCallerIdentityResult>
2019-08-05T21:13:21.628+0800 [DEBUG] plugin.terraform-provider-aws_v2.17.0_x4:   <ResponseMetadata>
2019-08-05T21:13:21.628+0800 [DEBUG] plugin.terraform-provider-aws_v2.17.0_x4:     <RequestId>*****</RequestId>
2019-08-05T21:13:21.628+0800 [DEBUG] plugin.terraform-provider-aws_v2.17.0_x4:   </ResponseMetadata>
2019-08-05T21:13:21.629+0800 [DEBUG] plugin.terraform-provider-aws_v2.17.0_x4: </GetCallerIdentityResponse>
2019-08-05T21:13:21.629+0800 [DEBUG] plugin.terraform-provider-aws_v2.17.0_x4: 2019/08/05 21:13:21 [DEBUG] Trying to get account information via sts:GetCallerIdentity
2019-08-05T21:13:21.629+0800 [DEBUG] plugin.terraform-provider-aws_v2.17.0_x4: 2019/08/05 21:13:21 [DEBUG] [aws-sdk-go] DEBUG: Request sts/GetCallerIdentity Details:
2019-08-05T21:13:21.629+0800 [DEBUG] plugin.terraform-provider-aws_v2.17.0_x4: ---[ REQUEST POST-SIGN ]-----------------------------
2019-08-05T21:13:21.629+0800 [DEBUG] plugin.terraform-provider-aws_v2.17.0_x4: POST / HTTP/1.1
2019-08-05T21:13:21.629+0800 [DEBUG] plugin.terraform-provider-aws_v2.17.0_x4: Host: sts.amazonaws.com
2019-08-05T21:13:21.629+0800 [DEBUG] plugin.terraform-provider-aws_v2.17.0_x4: User-Agent: aws-sdk-go/1.20.8 (go1.12.5; linux; amd64) APN/1.0 HashiCorp/1.0 Terraform/0.12.2
2019-08-05T21:13:21.629+0800 [DEBUG] plugin.terraform-provider-aws_v2.17.0_x4: Content-Length: 43
2019-08-05T21:13:21.629+0800 [DEBUG] plugin.terraform-provider-aws_v2.17.0_x4: Authorization: *****
2019-08-05T21:13:21.629+0800 [DEBUG] plugin.terraform-provider-aws_v2.17.0_x4: Content-Type: application/x-www-form-urlencoded; charset=utf-8
2019-08-05T21:13:21.629+0800 [DEBUG] plugin.terraform-provider-aws_v2.17.0_x4: X-Amz-Date: 20190805T131321Z
2019-08-05T21:13:21.629+0800 [DEBUG] plugin.terraform-provider-aws_v2.17.0_x4: Accept-Encoding: gzip
2019-08-05T21:13:21.629+0800 [DEBUG] plugin.terraform-provider-aws_v2.17.0_x4: 
2019-08-05T21:13:21.629+0800 [DEBUG] plugin.terraform-provider-aws_v2.17.0_x4: Action=GetCallerIdentity&Version=2011-06-15
2019-08-05T21:13:21.629+0800 [DEBUG] plugin.terraform-provider-aws_v2.17.0_x4: -----------------------------------------------------
2019-08-05T21:13:23.067+0800 [DEBUG] plugin.terraform-provider-aws_v2.17.0_x4: 2019/08/05 21:13:23 [DEBUG] [aws-sdk-go] DEBUG: Response sts/GetCallerIdentity Details:
2019-08-05T21:13:23.067+0800 [DEBUG] plugin.terraform-provider-aws_v2.17.0_x4: ---[ RESPONSE ]--------------------------------------
2019-08-05T21:13:23.067+0800 [DEBUG] plugin.terraform-provider-aws_v2.17.0_x4: HTTP/1.1 200 OK
2019-08-05T21:13:23.067+0800 [DEBUG] plugin.terraform-provider-aws_v2.17.0_x4: Connection: close
2019-08-05T21:13:23.067+0800 [DEBUG] plugin.terraform-provider-aws_v2.17.0_x4: Content-Length: 406
2019-08-05T21:13:23.067+0800 [DEBUG] plugin.terraform-provider-aws_v2.17.0_x4: Content-Type: text/xml
2019-08-05T21:13:23.067+0800 [DEBUG] plugin.terraform-provider-aws_v2.17.0_x4: Date: Mon, 05 Aug 2019 13:13:22 GMT
2019-08-05T21:13:23.067+0800 [DEBUG] plugin.terraform-provider-aws_v2.17.0_x4: X-Amzn-Requestid: cd46049f-b782-11e9-8032-05ccebe63eb8
2019-08-05T21:13:23.067+0800 [DEBUG] plugin.terraform-provider-aws_v2.17.0_x4: 
2019-08-05T21:13:23.067+0800 [DEBUG] plugin.terraform-provider-aws_v2.17.0_x4: 
2019-08-05T21:13:23.067+0800 [DEBUG] plugin.terraform-provider-aws_v2.17.0_x4: -----------------------------------------------------
2019-08-05T21:13:23.067+0800 [DEBUG] plugin.terraform-provider-aws_v2.17.0_x4: 2019/08/05 21:13:23 [DEBUG] [aws-sdk-go] <GetCallerIdentityResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">
2019-08-05T21:13:23.067+0800 [DEBUG] plugin.terraform-provider-aws_v2.17.0_x4:   <GetCallerIdentityResult>
2019-08-05T21:13:23.067+0800 [DEBUG] plugin.terraform-provider-aws_v2.17.0_x4:     <Arn>*****</Arn>
2019-08-05T21:13:23.067+0800 [DEBUG] plugin.terraform-provider-aws_v2.17.0_x4:     <UserId>*****</UserId>
2019-08-05T21:13:23.067+0800 [DEBUG] plugin.terraform-provider-aws_v2.17.0_x4:     <Account>*****</Account>
2019-08-05T21:13:23.067+0800 [DEBUG] plugin.terraform-provider-aws_v2.17.0_x4:   </GetCallerIdentityResult>
2019-08-05T21:13:23.067+0800 [DEBUG] plugin.terraform-provider-aws_v2.17.0_x4:   <ResponseMetadata>
2019-08-05T21:13:23.067+0800 [DEBUG] plugin.terraform-provider-aws_v2.17.0_x4:     <RequestId>*****</RequestId>
2019-08-05T21:13:23.067+0800 [DEBUG] plugin.terraform-provider-aws_v2.17.0_x4:   </ResponseMetadata>
2019-08-05T21:13:23.067+0800 [DEBUG] plugin.terraform-provider-aws_v2.17.0_x4: </GetCallerIdentityResponse>
2019-08-05T21:13:23.070+0800 [DEBUG] plugin.terraform-provider-aws_v2.17.0_x4: 2019/08/05 21:13:23 [DEBUG] [aws-sdk-go] DEBUG: Request ec2/DescribeAccountAttributes Details:
2019-08-05T21:13:23.070+0800 [DEBUG] plugin.terraform-provider-aws_v2.17.0_x4: ---[ REQUEST POST-SIGN ]-----------------------------
2019-08-05T21:13:23.070+0800 [DEBUG] plugin.terraform-provider-aws_v2.17.0_x4: POST / HTTP/1.1
2019-08-05T21:13:23.070+0800 [DEBUG] plugin.terraform-provider-aws_v2.17.0_x4: Host: ec2.ap-southeast-1.amazonaws.com
2019-08-05T21:13:23.070+0800 [DEBUG] plugin.terraform-provider-aws_v2.17.0_x4: User-Agent: aws-sdk-go/1.20.8 (go1.12.5; linux; amd64) APN/1.0 HashiCorp/1.0 Terraform/0.12.2
2019-08-05T21:13:23.070+0800 [DEBUG] plugin.terraform-provider-aws_v2.17.0_x4: Content-Length: 87
2019-08-05T21:13:23.070+0800 [DEBUG] plugin.terraform-provider-aws_v2.17.0_x4: Authorization: *****
2019-08-05T21:13:23.070+0800 [DEBUG] plugin.terraform-provider-aws_v2.17.0_x4: Content-Type: application/x-www-form-urlencoded; charset=utf-8
2019-08-05T21:13:23.070+0800 [DEBUG] plugin.terraform-provider-aws_v2.17.0_x4: X-Amz-Date: 20190805T131323Z
2019-08-05T21:13:23.070+0800 [DEBUG] plugin.terraform-provider-aws_v2.17.0_x4: Accept-Encoding: gzip
2019-08-05T21:13:23.070+0800 [DEBUG] plugin.terraform-provider-aws_v2.17.0_x4: 
2019-08-05T21:13:23.070+0800 [DEBUG] plugin.terraform-provider-aws_v2.17.0_x4: Action=DescribeAccountAttributes&AttributeName.1=supported-platforms&Version=2016-11-15
2019-08-05T21:13:23.070+0800 [DEBUG] plugin.terraform-provider-aws_v2.17.0_x4: -----------------------------------------------------
2019-08-05T21:13:33.180+0800 [DEBUG] plugin.terraform-provider-aws_v2.17.0_x4: 2019/08/05 21:13:33 [DEBUG] [aws-sdk-go] DEBUG: Send Request ec2/DescribeAccountAttributes failed, attempt 0/25, error RequestError: send request failed
2019-08-05T21:13:33.180+0800 [DEBUG] plugin.terraform-provider-aws_v2.17.0_x4: caused by: Post https://ec2.ap-southeast-1.amazonaws.com/: dial tcp: lookup ec2.ap-southeast-1.amazonaws.com on 10.10.0.1:53: read udp 10.10.0.30:23343->10.10.0.1:53: i/o timeout
2019-08-05T21:13:33.218+0800 [DEBUG] plugin.terraform-provider-aws_v2.17.0_x4: 2019/08/05 21:13:33 [DEBUG] [aws-sdk-go] DEBUG: Retrying Request ec2/DescribeAccountAttributes, attempt 1
2019-08-05T21:13:33.218+0800 [DEBUG] plugin.terraform-provider-aws_v2.17.0_x4: 2019/08/05 21:13:33 [DEBUG] [aws-sdk-go] DEBUG: Request ec2/DescribeAccountAttributes Details:
2019-08-05T21:13:33.218+0800 [DEBUG] plugin.terraform-provider-aws_v2.17.0_x4: ---[ REQUEST POST-SIGN ]-----------------------------
2019-08-05T21:13:33.218+0800 [DEBUG] plugin.terraform-provider-aws_v2.17.0_x4: POST / HTTP/1.1
2019-08-05T21:13:33.218+0800 [DEBUG] plugin.terraform-provider-aws_v2.17.0_x4: Host: ec2.ap-southeast-1.amazonaws.com
2019-08-05T21:13:33.218+0800 [DEBUG] plugin.terraform-provider-aws_v2.17.0_x4: User-Agent: aws-sdk-go/1.20.8 (go1.12.5; linux; amd64) APN/1.0 HashiCorp/1.0 Terraform/0.12.2
2019-08-05T21:13:33.218+0800 [DEBUG] plugin.terraform-provider-aws_v2.17.0_x4: Content-Length: 87
2019-08-05T21:13:33.218+0800 [DEBUG] plugin.terraform-provider-aws_v2.17.0_x4: Authorization:*****
2019-08-05T21:13:33.218+0800 [DEBUG] plugin.terraform-provider-aws_v2.17.0_x4: Content-Type: application/x-www-form-urlencoded; charset=utf-8
2019-08-05T21:13:33.218+0800 [DEBUG] plugin.terraform-provider-aws_v2.17.0_x4: X-Amz-Date: 20190805T131333Z
2019-08-05T21:13:33.218+0800 [DEBUG] plugin.terraform-provider-aws_v2.17.0_x4: Accept-Encoding: gzip
2019-08-05T21:13:33.218+0800 [DEBUG] plugin.terraform-provider-aws_v2.17.0_x4: 
2019-08-05T21:13:33.218+0800 [DEBUG] plugin.terraform-provider-aws_v2.17.0_x4: Action=DescribeAccountAttributes&AttributeName.1=supported-platforms&Version=2016-11-15
2019-08-05T21:13:33.218+0800 [DEBUG] plugin.terraform-provider-aws_v2.17.0_x4: -----------------------------------------------------
2019-08-05T21:13:34.475+0800 [DEBUG] plugin.terraform-provider-aws_v2.17.0_x4: 2019/08/05 21:13:34 [DEBUG] [aws-sdk-go] DEBUG: Response ec2/DescribeAccountAttributes Details:
2019-08-05T21:13:34.475+0800 [DEBUG] plugin.terraform-provider-aws_v2.17.0_x4: ---[ RESPONSE ]--------------------------------------
2019-08-05T21:13:34.475+0800 [DEBUG] plugin.terraform-provider-aws_v2.17.0_x4: HTTP/1.1 200 OK
2019-08-05T21:13:34.475+0800 [DEBUG] plugin.terraform-provider-aws_v2.17.0_x4: Connection: close
2019-08-05T21:13:34.475+0800 [DEBUG] plugin.terraform-provider-aws_v2.17.0_x4: Content-Length: 540
2019-08-05T21:13:34.475+0800 [DEBUG] plugin.terraform-provider-aws_v2.17.0_x4: Content-Type: text/xml;charset=UTF-8
2019-08-05T21:13:34.475+0800 [DEBUG] plugin.terraform-provider-aws_v2.17.0_x4: Date: Mon, 05 Aug 2019 13:13:33 GMT
2019-08-05T21:13:34.475+0800 [DEBUG] plugin.terraform-provider-aws_v2.17.0_x4: Server: AmazonEC2
2019-08-05T21:13:34.475+0800 [DEBUG] plugin.terraform-provider-aws_v2.17.0_x4: 
2019-08-05T21:13:34.475+0800 [DEBUG] plugin.terraform-provider-aws_v2.17.0_x4: 
2019-08-05T21:13:34.475+0800 [DEBUG] plugin.terraform-provider-aws_v2.17.0_x4: -----------------------------------------------------
2019-08-05T21:13:34.475+0800 [DEBUG] plugin.terraform-provider-aws_v2.17.0_x4: 2019/08/05 21:13:34 [DEBUG] [aws-sdk-go] <?xml version="1.0" encoding="UTF-8"?>
2019-08-05T21:13:34.475+0800 [DEBUG] plugin.terraform-provider-aws_v2.17.0_x4: <DescribeAccountAttributesResponse xmlns="http://ec2.amazonaws.com/doc/2016-11-15/">
2019-08-05T21:13:34.475+0800 [DEBUG] plugin.terraform-provider-aws_v2.17.0_x4:     <requestId>2507fa1b-367f-474a-8a74-b9a63a82faea</requestId>
2019-08-05T21:13:34.475+0800 [DEBUG] plugin.terraform-provider-aws_v2.17.0_x4:     <accountAttributeSet>
2019-08-05T21:13:34.475+0800 [DEBUG] plugin.terraform-provider-aws_v2.17.0_x4:         <item>
2019-08-05T21:13:34.475+0800 [DEBUG] plugin.terraform-provider-aws_v2.17.0_x4:             <attributeName>supported-platforms</attributeName>
2019-08-05T21:13:34.475+0800 [DEBUG] plugin.terraform-provider-aws_v2.17.0_x4:             <attributeValueSet>
2019-08-05T21:13:34.475+0800 [DEBUG] plugin.terraform-provider-aws_v2.17.0_x4:                 <item>
2019-08-05T21:13:34.475+0800 [DEBUG] plugin.terraform-provider-aws_v2.17.0_x4:                     <attributeValue>VPC</attributeValue>
2019-08-05T21:13:34.476+0800 [DEBUG] plugin.terraform-provider-aws_v2.17.0_x4:                 </item>
2019-08-05T21:13:34.476+0800 [DEBUG] plugin.terraform-provider-aws_v2.17.0_x4:             </attributeValueSet>
2019-08-05T21:13:34.476+0800 [DEBUG] plugin.terraform-provider-aws_v2.17.0_x4:         </item>
2019-08-05T21:13:34.476+0800 [DEBUG] plugin.terraform-provider-aws_v2.17.0_x4:     </accountAttributeSet>
2019-08-05T21:13:34.476+0800 [DEBUG] plugin.terraform-provider-aws_v2.17.0_x4: </DescribeAccountAttributesResponse>
2019/08/05 21:13:34 [DEBUG] Resource instance state not found for node "aws_route53_zone.primary", instance aws_route53_zone.primary
2019/08/05 21:13:34 [TRACE] Completed graph transform *terraform.AttachStateTransformer (no changes)
2019/08/05 21:13:34 [DEBUG] ReferenceTransformer: "aws_route53_zone.primary" references: []
2019/08/05 21:13:34 [TRACE] Completed graph transform *terraform.ReferenceTransformer (no changes)
2019/08/05 21:13:34 [TRACE] Executing graph transform *terraform.RootTransformer
2019/08/05 21:13:34 [TRACE] Completed graph transform *terraform.RootTransformer (no changes)
2019/08/05 21:13:34 [TRACE] vertex "aws_route53_zone.primary": entering dynamic subgraph
2019/08/05 21:13:34 [TRACE] dag/walk: updating graph
2019/08/05 21:13:34 [TRACE] dag/walk: added new vertex: "aws_route53_zone.primary"
2019/08/05 21:13:34 [TRACE] dag/walk: visiting "aws_route53_zone.primary"
2019/08/05 21:13:34 [TRACE] vertex "aws_route53_zone.primary": starting visit (*terraform.NodePlannableResourceInstance)
2019/08/05 21:13:34 [TRACE] vertex "aws_route53_zone.primary": evaluating
2019/08/05 21:13:34 [TRACE] [walkPlan] Entering eval tree: aws_route53_zone.primary
2019/08/05 21:13:34 [TRACE] <root>: eval: *terraform.EvalSequence
2019/08/05 21:13:34 [TRACE] <root>: eval: *terraform.EvalGetProvider
2019/08/05 21:13:34 [TRACE] <root>: eval: *terraform.EvalReadState
2019/08/05 21:13:34 [TRACE] EvalReadState: reading state for aws_route53_zone.primary
2019/08/05 21:13:34 [TRACE] EvalReadState: no state present for aws_route53_zone.primary
2019/08/05 21:13:34 [TRACE] <root>: eval: *terraform.EvalValidateSelfRef
2019/08/05 21:13:34 [TRACE] <root>: eval: *terraform.EvalDiff
2019/08/05 21:13:34 [WARN] Provider "aws" produced an invalid plan for aws_route53_zone.primary, but we are tolerating it because it is using the legacy plugin SDK.
    The following problems may be the cause of any confusing errors from downstream operations:
      - .force_destroy: planned value cty.False does not match config value cty.NullVal(cty.Bool)
      - .comment: planned value cty.StringVal("Managed by Terraform") does not match config value cty.NullVal(cty.String)
2019/08/05 21:13:34 [TRACE] <root>: eval: *terraform.EvalCheckPreventDestroy
2019/08/05 21:13:34 [DEBUG] Resource instance state not found for node "acme_certificate.www", instance acme_certificate.www
2019/08/05 21:13:34 [TRACE] Completed graph transform *terraform.AttachStateTransformer (no changes)
2019/08/05 21:13:34 [TRACE] Executing graph transform *terraform.TargetsTransformer
2019/08/05 21:13:34 [DEBUG] ReferenceTransformer: "acme_certificate.www" references: []
2019/08/05 21:13:34 [TRACE] Completed graph transform *terraform.ReferenceTransformer (no changes)
2019-08-05T21:13:34.488+0800 [DEBUG] plugin.terraform-provider-acme_v1.3.5_x4: 
Error: rpc error: code = Unavailable desc = transport is closing


panic: interface conversion: interface {} is nil, not map[string]interface {}
2019-08-05T21:13:34.488+0800 [DEBUG] plugin.terraform-provider-acme_v1.3.5_x4: 
2019-08-05T21:13:34.488+0800 [DEBUG] plugin.terraform-provider-acme_v1.3.5_x4: goroutine 98 [running]:
2019-08-05T21:13:34.488+0800 [DEBUG] plugin.terraform-provider-acme_v1.3.5_x4: github.com/terraform-providers/terraform-provider-acme/vendor/github.com/hashicorp/terraform/helper/schema.(*DiffFieldReader).readMap(0xc0001fa120, 0xc0001fa450, 0x3, 0x3, 0xc000292a00, 0x0, 0x0, 0x0, 0x0, 0x0, ...)
2019-08-05T21:13:34.488+0800 [DEBUG] plugin.terraform-provider-acme_v1.3.5_x4: 	/opt/teamcity-agent/work/5d79fe75d4460a2f/src/github.com/terraform-providers/terraform-provider-acme/vendor/github.com/hashicorp/terraform/helper/schema/field_reader_diff.go:98 +0x61c
2019-08-05T21:13:34.488+0800 [DEBUG] plugin.terraform-provider-acme_v1.3.5_x4: github.com/terraform-providers/terraform-provider-acme/vendor/github.com/hashicorp/terraform/helper/schema.(*DiffFieldReader).ReadField(0xc0001fa120, 0xc0001fa450, 0x3, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0xe20000c00028ccd8, ...)
2019-08-05T21:13:34.488+0800 [DEBUG] plugin.terraform-provider-acme_v1.3.5_x4: 	/opt/teamcity-agent/work/5d79fe75d4460a2f/src/github.com/terraform-providers/terraform-provider-acme/vendor/github.com/hashicorp/terraform/helper/schema/field_reader_diff.go:71 +0x5e0
2019-08-05T21:13:34.488+0800 [DEBUG] plugin.terraform-provider-acme_v1.3.5_x4: github.com/terraform-providers/terraform-provider-acme/vendor/github.com/hashicorp/terraform/helper/schema.readObjectField(0x1be5540, 0xc0001fa120, 0xc00016c740, 0x2, 0x2, 0xc0001fb5f0, 0x0, 0x0, 0x0, 0x0, ...)
2019-08-05T21:13:34.488+0800 [DEBUG] plugin.terraform-provider-acme_v1.3.5_x4: 	/opt/teamcity-agent/work/5d79fe75d4460a2f/src/github.com/terraform-providers/terraform-provider-acme/vendor/github.com/hashicorp/terraform/helper/schema/field_reader.go:244 +0x1fc
2019-08-05T21:13:34.488+0800 [DEBUG] plugin.terraform-provider-acme_v1.3.5_x4: github.com/terraform-providers/terraform-provider-acme/vendor/github.com/hashicorp/terraform/helper/schema.(*DiffFieldReader).ReadField(0xc0001fa120, 0xc00016c740, 0x2, 0x2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, ...)
2019-08-05T21:13:34.488+0800 [DEBUG] plugin.terraform-provider-acme_v1.3.5_x4: 	/opt/teamcity-agent/work/5d79fe75d4460a2f/src/github.com/terraform-providers/terraform-provider-acme/vendor/github.com/hashicorp/terraform/helper/schema/field_reader_diff.go:75 +0x4fa
2019-08-05T21:13:34.488+0800 [DEBUG] plugin.terraform-provider-acme_v1.3.5_x4: github.com/terraform-providers/terraform-provider-acme/vendor/github.com/hashicorp/terraform/helper/schema.readListField(0x1be5540, 0xc0001fa120, 0xc000291c00, 0x1, 0x1, 0xc000292900, 0x0, 0x0, 0x0, 0x0, ...)
2019-08-05T21:13:34.488+0800 [DEBUG] plugin.terraform-provider-acme_v1.3.5_x4: 	/opt/teamcity-agent/work/5d79fe75d4460a2f/src/github.com/terraform-providers/terraform-provider-acme/vendor/github.com/hashicorp/terraform/helper/schema/field_reader.go:211 +0x351
2019-08-05T21:13:34.488+0800 [DEBUG] plugin.terraform-provider-acme_v1.3.5_x4: github.com/terraform-providers/terraform-provider-acme/vendor/github.com/hashicorp/terraform/helper/schema.(*DiffFieldReader).ReadField(0xc0001fa120, 0xc000291c00, 0x1, 0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, ...)
2019-08-05T21:13:34.488+0800 [DEBUG] plugin.terraform-provider-acme_v1.3.5_x4: 	/opt/teamcity-agent/work/5d79fe75d4460a2f/src/github.com/terraform-providers/terraform-provider-acme/vendor/github.com/hashicorp/terraform/helper/schema/field_reader_diff.go:69 +0x26d
2019-08-05T21:13:34.488+0800 [DEBUG] plugin.terraform-provider-acme_v1.3.5_x4: github.com/terraform-providers/terraform-provider-acme/vendor/github.com/hashicorp/terraform/helper/schema.(*MultiLevelFieldReader).ReadFieldMerge(0xc00016c5e0, 0xc000291c00, 0x1, 0x1, 0x18ce6c8, 0x7, 0x0, 0x0, 0x0, 0x0, ...)
2019-08-05T21:13:34.488+0800 [DEBUG] plugin.terraform-provider-acme_v1.3.5_x4: 	/opt/teamcity-agent/work/5d79fe75d4460a2f/src/github.com/terraform-providers/terraform-provider-acme/vendor/github.com/hashicorp/terraform/helper/schema/field_reader_multi.go:45 +0x1de
2019-08-05T21:13:34.488+0800 [DEBUG] plugin.terraform-provider-acme_v1.3.5_x4: github.com/terraform-providers/terraform-provider-acme/vendor/github.com/hashicorp/terraform/helper/schema.(*ResourceDiff).get(0xc0000ac0c0, 0xc000291c00, 0x1, 0x1, 0x18ce6c8, 0x7, 0x0, 0x0, 0x0, 0x0, ...)
2019-08-05T21:13:34.488+0800 [DEBUG] plugin.terraform-provider-acme_v1.3.5_x4: 	/opt/teamcity-agent/work/5d79fe75d4460a2f/src/github.com/terraform-providers/terraform-provider-acme/vendor/github.com/hashicorp/terraform/helper/schema/resource_diff.go:485 +0xa0
2019-08-05T21:13:34.488+0800 [DEBUG] plugin.terraform-provider-acme_v1.3.5_x4: github.com/terraform-providers/terraform-provider-acme/vendor/github.com/hashicorp/terraform/helper/schema.(*ResourceDiff).GetOk(0xc0000ac0c0, 0x18d6029, 0xd, 0x30, 0x30, 0xc0001fa1e0)
2019-08-05T21:13:34.488+0800 [DEBUG] plugin.terraform-provider-acme_v1.3.5_x4: 	/opt/teamcity-agent/work/5d79fe75d4460a2f/src/github.com/terraform-providers/terraform-provider-acme/vendor/github.com/hashicorp/terraform/helper/schema/resource_diff.go:384 +0xb9
2019-08-05T21:13:34.488+0800 [DEBUG] plugin.terraform-provider-acme_v1.3.5_x4: github.com/terraform-providers/terraform-provider-acme/vendor/github.com/hashicorp/terraform/helper/schema.(*ResourceDiff).Get(...)
2019-08-05T21:13:34.488+0800 [DEBUG] plugin.terraform-provider-acme_v1.3.5_x4: 	/opt/teamcity-agent/work/5d79fe75d4460a2f/src/github.com/terraform-providers/terraform-provider-acme/vendor/github.com/hashicorp/terraform/helper/schema/resource_diff.go:365
2019-08-05T21:13:34.488+0800 [DEBUG] plugin.terraform-provider-acme_v1.3.5_x4: github.com/terraform-providers/terraform-provider-acme/acme.resourceACMECertificateCustomizeDiff(0xc0000ac0c0, 0x14fe320, 0xc0001a2750, 0xc0004b7660, 0xc0000ac0c0)
2019-08-05T21:13:34.488+0800 [DEBUG] plugin.terraform-provider-acme_v1.3.5_x4: 	/opt/teamcity-agent/work/5d79fe75d4460a2f/src/github.com/terraform-providers/terraform-provider-acme/acme/resource_acme_certificate.go:364 +0xbe
2019-08-05T21:13:34.488+0800 [DEBUG] plugin.terraform-provider-acme_v1.3.5_x4: github.com/terraform-providers/terraform-provider-acme/vendor/github.com/hashicorp/terraform/helper/schema.schemaMap.Diff(0xc000473cb0, 0xc0000d9950, 0xc0001fa930, 0x1937af0, 0x14fe320, 0xc0001a2750, 0x0, 0x2, 0xc0001fa6f0, 0x1)
2019-08-05T21:13:34.488+0800 [DEBUG] plugin.terraform-provider-acme_v1.3.5_x4: 	/opt/teamcity-agent/work/5d79fe75d4460a2f/src/github.com/terraform-providers/terraform-provider-acme/vendor/github.com/hashicorp/terraform/helper/schema/schema.go:509 +0xac3
2019-08-05T21:13:34.488+0800 [DEBUG] plugin.terraform-provider-acme_v1.3.5_x4: github.com/terraform-providers/terraform-provider-acme/vendor/github.com/hashicorp/terraform/helper/schema.(*Resource).simpleDiff(0xc000170280, 0xc0000d9950, 0xc0001fa930, 0x14fe320, 0xc0001a2750, 0x1, 0xc00003e920, 0xc0001fa930)
2019-08-05T21:13:34.488+0800 [DEBUG] plugin.terraform-provider-acme_v1.3.5_x4: 	/opt/teamcity-agent/work/5d79fe75d4460a2f/src/github.com/terraform-providers/terraform-provider-acme/vendor/github.com/hashicorp/terraform/helper/schema/resource.go:339 +0x1de
2019-08-05T21:13:34.488+0800 [DEBUG] plugin.terraform-provider-acme_v1.3.5_x4: github.com/terraform-providers/terraform-provider-acme/vendor/github.com/hashicorp/terraform/helper/schema.(*Provider).SimpleDiff(0xc000170300, 0xc0001a1a90, 0xc0000d9950, 0xc0001fa930, 0xc0001a2870, 0xc0001fa930, 0x0)
2019-08-05T21:13:34.488+0800 [DEBUG] plugin.terraform-provider-acme_v1.3.5_x4: 	/opt/teamcity-agent/work/5d79fe75d4460a2f/src/github.com/terraform-providers/terraform-provider-acme/vendor/github.com/hashicorp/terraform/helper/schema/provider.go:312 +0x18f
2019-08-05T21:13:34.488+0800 [DEBUG] plugin.terraform-provider-acme_v1.3.5_x4: github.com/terraform-providers/terraform-provider-acme/vendor/github.com/hashicorp/terraform/helper/plugin.(*GRPCProviderServer).PlanResourceChange(0xc00000e038, 0x1c16740, 0xc000147770, 0xc0000b1c20, 0xc00000e038, 0xc000147770, 0xc000197ba8)
2019-08-05T21:13:34.488+0800 [DEBUG] plugin.terraform-provider-acme_v1.3.5_x4: 	/opt/teamcity-agent/work/5d79fe75d4460a2f/src/github.com/terraform-providers/terraform-provider-acme/vendor/github.com/hashicorp/terraform/helper/plugin/grpc_provider.go:603 +0x73c
2019-08-05T21:13:34.488+0800 [DEBUG] plugin.terraform-provider-acme_v1.3.5_x4: github.com/terraform-providers/terraform-provider-acme/vendor/github.com/hashicorp/terraform/internal/tfplugin5._Provider_PlanResourceChange_Handler(0x1839640, 0xc00000e038, 0x1c16740, 0xc000147770, 0xc0000d9770, 0x0, 0x1c16740, 0xc000147770, 0xc00004f880, 0x36d)
2019-08-05T21:13:34.488+0800 [DEBUG] plugin.terraform-provider-acme_v1.3.5_x4: 	/opt/teamcity-agent/work/5d79fe75d4460a2f/src/github.com/terraform-providers/terraform-provider-acme/vendor/github.com/hashicorp/terraform/internal/tfplugin5/tfplugin5.pb.go:3001 +0x23e
2019-08-05T21:13:34.488+0800 [DEBUG] plugin.terraform-provider-acme_v1.3.5_x4: github.com/terraform-providers/terraform-provider-acme/vendor/google.golang.org/grpc.(*Server).processUnaryRPC(0xc000594c00, 0x1c28ec0, 0xc0005a6f00, 0xc000311700, 0xc0004b5170, 0x2d2f888, 0x0, 0x0, 0x0)
2019-08-05T21:13:34.488+0800 [DEBUG] plugin.terraform-provider-acme_v1.3.5_x4: 	/opt/teamcity-agent/work/5d79fe75d4460a2f/src/github.com/terraform-providers/terraform-provider-acme/vendor/google.golang.org/grpc/server.go:972 +0x470
2019-08-05T21:13:34.489+0800 [DEBUG] plugin.terraform-provider-acme_v1.3.5_x4: github.com/terraform-providers/terraform-provider-acme/vendor/google.golang.org/grpc.(*Server).handleStream(0xc000594c00, 0x1c28ec0, 0xc0005a6f00, 0xc000311700, 0x0)
2019-08-05T21:13:34.489+0800 [DEBUG] plugin.terraform-provider-acme_v1.3.5_x4: 	/opt/teamcity-agent/work/5d79fe75d4460a2f/src/github.com/terraform-providers/terraform-provider-acme/vendor/google.golang.org/grpc/server.go:1252 +0xda6
2019-08-05T21:13:34.489+0800 [DEBUG] plugin.terraform-provider-acme_v1.3.5_x4: github.com/terraform-providers/terraform-provider-acme/vendor/google.golang.org/grpc.(*Server).serveStreams.func1.1(0xc000044450, 0xc000594c00, 0x1c28ec0, 0xc0005a6f00, 0xc000311700)
2019-08-05T21:13:34.489+0800 [DEBUG] plugin.terraform-provider-acme_v1.3.5_x4: 	/opt/teamcity-agent/work/5d79fe75d4460a2f/src/github.com/terraform-providers/terraform-provider-acme/vendor/google.golang.org/grpc/server.go:691 +0x9f
2019-08-05T21:13:34.489+0800 [DEBUG] plugin.terraform-provider-acme_v1.3.5_x4: created by github.com/terraform-providers/terraform-provider-acme/vendor/google.golang.org/grpc.(*Server).serveStreams.func1
2019-08-05T21:13:34.489+0800 [DEBUG] plugin.terraform-provider-acme_v1.3.5_x4: 	/opt/teamcity-agent/work/5d79fe75d4460a2f/src/github.com/terraform-providers/terraform-provider-acme/vendor/google.golang.org/grpc/server.go:689 +0xa1
2019-08-05T21:13:34.490+0800 [DEBUG] plugin: plugin process exited: path=/home/user/Dev/homeproject/test/.terraform/plugins/linux_amd64/terraform-provider-acme_v1.3.5_x4 pid=29768 error="exit status 2"
2019/08/05 21:13:34 [ERROR] <root>: eval: *terraform.EvalDiff, err: rpc error: code = Unavailable desc = transport is closing
2019/08/05 21:13:34 [ERROR] <root>: eval: *terraform.EvalSequence, err: rpc error: code = Unavailable desc = transport is closing
2019/08/05 21:13:34 [TRACE] [walkPlan] Exiting eval tree: acme_certificate.www
2019/08/05 21:13:34 [TRACE] vertex "acme_certificate.www": visit complete
2019/08/05 21:13:34 [TRACE] vertex "acme_certificate.www": dynamic subgraph encountered errors
2019/08/05 21:13:34 [TRACE] vertex "acme_certificate.www": visit complete
2019/08/05 21:13:34 [TRACE] dag/walk: upstream of "provider.acme (close)" errored, so skipping
2019/08/05 21:13:34 [TRACE] dag/walk: upstream of "aws_iam_server_certificate.www" errored, so skipping
2019/08/05 21:13:34 [TRACE] dag/walk: upstream of "aws_elb.elb" errored, so skipping
2019/08/05 21:13:34 [TRACE] dag/walk: upstream of "aws_elb.bar" errored, so skipping
2019/08/05 21:13:34 [TRACE] dag/walk: upstream of "aws_route53_record.www" errored, so skipping
2019/08/05 21:13:34 [TRACE] dag/walk: upstream of "output.elb-ip" errored, so skipping
2019/08/05 21:13:34 [TRACE] dag/walk: upstream of "provider.aws (close)" errored, so skipping
2019/08/05 21:13:34 [TRACE] dag/walk: upstream of "meta.count-boundary (EachMode fixup)" errored, so skipping
2019/08/05 21:13:34 [TRACE] dag/walk: upstream of "root" errored, so skipping
2019/08/05 21:13:34 [TRACE] statemgr.Filesystem: removing lock metadata file .terraform.tfstate.lock.info
2019/08/05 21:13:34 [TRACE] statemgr.Filesystem: unlocking terraform.tfstate using fcntl flock
2019-08-05T21:13:34.490+0800 [DEBUG] plugin: plugin exited
2019-08-05T21:13:34.493+0800 [DEBUG] plugin: plugin process exited: path=/home/user/Dev/homeproject/test/.terraform/plugins/linux_amd64/terraform-provider-aws_v2.17.0_x4 pid=29746
2019-08-05T21:13:34.493+0800 [DEBUG] plugin: plugin exited
panic: interface conversion: interface {} is nil, not map[string]interface {}
2019-08-05T21:13:34.488+0800 [DEBUG] plugin.terraform-provider-acme_v1.3.5_x4: 
2019-08-05T21:13:34.488+0800 [DEBUG] plugin.terraform-provider-acme_v1.3.5_x4: goroutine 98 [running]:
2019-08-05T21:13:34.488+0800 [DEBUG] plugin.terraform-provider-acme_v1.3.5_x4: github.com/terraform-providers/terraform-provider-acme/vendor/github.com/hashicorp/terraform/helper/schema.(*DiffFieldReader).readMap(0xc0001fa120, 0xc0001fa450, 0x3, 0x3, 0xc000292a00, 0x0, 0x0, 0x0, 0x0, 0x0, ...)
2019-08-05T21:13:34.488+0800 [DEBUG] plugin.terraform-provider-acme_v1.3.5_x4: 	/opt/teamcity-agent/work/5d79fe75d4460a2f/src/github.com/terraform-providers/terraform-provider-acme/vendor/github.com/hashicorp/terraform/helper/schema/field_reader_diff.go:98 +0x61c
2019-08-05T21:13:34.488+0800 [DEBUG] plugin.terraform-provider-acme_v1.3.5_x4: github.com/terraform-providers/terraform-provider-acme/vendor/github.com/hashicorp/terraform/helper/schema.(*DiffFieldReader).ReadField(0xc0001fa120, 0xc0001fa450, 0x3, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0xe20000c00028ccd8, ...)
2019-08-05T21:13:34.488+0800 [DEBUG] plugin.terraform-provider-acme_v1.3.5_x4: 	/opt/teamcity-agent/work/5d79fe75d4460a2f/src/github.com/terraform-providers/terraform-provider-acme/vendor/github.com/hashicorp/terraform/helper/schema/field_reader_diff.go:71 +0x5e0
2019-08-05T21:13:34.488+0800 [DEBUG] plugin.terraform-provider-acme_v1.3.5_x4: github.com/terraform-providers/terraform-provider-acme/vendor/github.com/hashicorp/terraform/helper/schema.readObjectField(0x1be5540, 0xc0001fa120, 0xc00016c740, 0x2, 0x2, 0xc0001fb5f0, 0x0, 0x0, 0x0, 0x0, ...)
2019-08-05T21:13:34.488+0800 [DEBUG] plugin.terraform-provider-acme_v1.3.5_x4: 	/opt/teamcity-agent/work/5d79fe75d4460a2f/src/github.com/terraform-providers/terraform-provider-acme/vendor/github.com/hashicorp/terraform/helper/schema/field_reader.go:244 +0x1fc
2019-08-05T21:13:34.488+0800 [DEBUG] plugin.terraform-provider-acme_v1.3.5_x4: github.com/terraform-providers/terraform-provider-acme/vendor/github.com/hashicorp/terraform/helper/schema.(*DiffFieldReader).ReadField(0xc0001fa120, 0xc00016c740, 0x2, 0x2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, ...)
2019-08-05T21:13:34.488+0800 [DEBUG] plugin.terraform-provider-acme_v1.3.5_x4: 	/opt/teamcity-agent/work/5d79fe75d4460a2f/src/github.com/terraform-providers/terraform-provider-acme/vendor/github.com/hashicorp/terraform/helper/schema/field_reader_diff.go:75 +0x4fa
2019-08-05T21:13:34.488+0800 [DEBUG] plugin.terraform-provider-acme_v1.3.5_x4: github.com/terraform-providers/terraform-provider-acme/vendor/github.com/hashicorp/terraform/helper/schema.readListField(0x1be5540, 0xc0001fa120, 0xc000291c00, 0x1, 0x1, 0xc000292900, 0x0, 0x0, 0x0, 0x0, ...)
2019-08-05T21:13:34.488+0800 [DEBUG] plugin.terraform-provider-acme_v1.3.5_x4: 	/opt/teamcity-agent/work/5d79fe75d4460a2f/src/github.com/terraform-providers/terraform-provider-acme/vendor/github.com/hashicorp/terraform/helper/schema/field_reader.go:211 +0x351
2019-08-05T21:13:34.488+0800 [DEBUG] plugin.terraform-provider-acme_v1.3.5_x4: github.com/terraform-providers/terraform-provider-acme/vendor/github.com/hashicorp/terraform/helper/schema.(*DiffFieldReader).ReadField(0xc0001fa120, 0xc000291c00, 0x1, 0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, ...)
2019-08-05T21:13:34.488+0800 [DEBUG] plugin.terraform-provider-acme_v1.3.5_x4: 	/opt/teamcity-agent/work/5d79fe75d4460a2f/src/github.com/terraform-providers/terraform-provider-acme/vendor/github.com/hashicorp/terraform/helper/schema/field_reader_diff.go:69 +0x26d
2019-08-05T21:13:34.488+0800 [DEBUG] plugin.terraform-provider-acme_v1.3.5_x4: github.com/terraform-providers/terraform-provider-acme/vendor/github.com/hashicorp/terraform/helper/schema.(*MultiLevelFieldReader).ReadFieldMerge(0xc00016c5e0, 0xc000291c00, 0x1, 0x1, 0x18ce6c8, 0x7, 0x0, 0x0, 0x0, 0x0, ...)
2019-08-05T21:13:34.488+0800 [DEBUG] plugin.terraform-provider-acme_v1.3.5_x4: 	/opt/teamcity-agent/work/5d79fe75d4460a2f/src/github.com/terraform-providers/terraform-provider-acme/vendor/github.com/hashicorp/terraform/helper/schema/field_reader_multi.go:45 +0x1de
2019-08-05T21:13:34.488+0800 [DEBUG] plugin.terraform-provider-acme_v1.3.5_x4: github.com/terraform-providers/terraform-provider-acme/vendor/github.com/hashicorp/terraform/helper/schema.(*ResourceDiff).get(0xc0000ac0c0, 0xc000291c00, 0x1, 0x1, 0x18ce6c8, 0x7, 0x0, 0x0, 0x0, 0x0, ...)
2019-08-05T21:13:34.488+0800 [DEBUG] plugin.terraform-provider-acme_v1.3.5_x4: 	/opt/teamcity-agent/work/5d79fe75d4460a2f/src/github.com/terraform-providers/terraform-provider-acme/vendor/github.com/hashicorp/terraform/helper/schema/resource_diff.go:485 +0xa0
2019-08-05T21:13:34.488+0800 [DEBUG] plugin.terraform-provider-acme_v1.3.5_x4: github.com/terraform-providers/terraform-provider-acme/vendor/github.com/hashicorp/terraform/helper/schema.(*ResourceDiff).GetOk(0xc0000ac0c0, 0x18d6029, 0xd, 0x30, 0x30, 0xc0001fa1e0)
2019-08-05T21:13:34.488+0800 [DEBUG] plugin.terraform-provider-acme_v1.3.5_x4: 	/opt/teamcity-agent/work/5d79fe75d4460a2f/src/github.com/terraform-providers/terraform-provider-acme/vendor/github.com/hashicorp/terraform/helper/schema/resource_diff.go:384 +0xb9
2019-08-05T21:13:34.488+0800 [DEBUG] plugin.terraform-provider-acme_v1.3.5_x4: github.com/terraform-providers/terraform-provider-acme/vendor/github.com/hashicorp/terraform/helper/schema.(*ResourceDiff).Get(...)
2019-08-05T21:13:34.488+0800 [DEBUG] plugin.terraform-provider-acme_v1.3.5_x4: 	/opt/teamcity-agent/work/5d79fe75d4460a2f/src/github.com/terraform-providers/terraform-provider-acme/vendor/github.com/hashicorp/terraform/helper/schema/resource_diff.go:365
2019-08-05T21:13:34.488+0800 [DEBUG] plugin.terraform-provider-acme_v1.3.5_x4: github.com/terraform-providers/terraform-provider-acme/acme.resourceACMECertificateCustomizeDiff(0xc0000ac0c0, 0x14fe320, 0xc0001a2750, 0xc0004b7660, 0xc0000ac0c0)
2019-08-05T21:13:34.488+0800 [DEBUG] plugin.terraform-provider-acme_v1.3.5_x4: 	/opt/teamcity-agent/work/5d79fe75d4460a2f/src/github.com/terraform-providers/terraform-provider-acme/acme/resource_acme_certificate.go:364 +0xbe
2019-08-05T21:13:34.488+0800 [DEBUG] plugin.terraform-provider-acme_v1.3.5_x4: github.com/terraform-providers/terraform-provider-acme/vendor/github.com/hashicorp/terraform/helper/schema.schemaMap.Diff(0xc000473cb0, 0xc0000d9950, 0xc0001fa930, 0x1937af0, 0x14fe320, 0xc0001a2750, 0x0, 0x2, 0xc0001fa6f0, 0x1)
2019-08-05T21:13:34.488+0800 [DEBUG] plugin.terraform-provider-acme_v1.3.5_x4: 	/opt/teamcity-agent/work/5d79fe75d4460a2f/src/github.com/terraform-providers/terraform-provider-acme/vendor/github.com/hashicorp/terraform/helper/schema/schema.go:509 +0xac3
2019-08-05T21:13:34.488+0800 [DEBUG] plugin.terraform-provider-acme_v1.3.5_x4: github.com/terraform-providers/terraform-provider-acme/vendor/github.com/hashicorp/terraform/helper/schema.(*Resource).simpleDiff(0xc000170280, 0xc0000d9950, 0xc0001fa930, 0x14fe320, 0xc0001a2750, 0x1, 0xc00003e920, 0xc0001fa930)
2019-08-05T21:13:34.488+0800 [DEBUG] plugin.terraform-provider-acme_v1.3.5_x4: 	/opt/teamcity-agent/work/5d79fe75d4460a2f/src/github.com/terraform-providers/terraform-provider-acme/vendor/github.com/hashicorp/terraform/helper/schema/resource.go:339 +0x1de
2019-08-05T21:13:34.488+0800 [DEBUG] plugin.terraform-provider-acme_v1.3.5_x4: github.com/terraform-providers/terraform-provider-acme/vendor/github.com/hashicorp/terraform/helper/schema.(*Provider).SimpleDiff(0xc000170300, 0xc0001a1a90, 0xc0000d9950, 0xc0001fa930, 0xc0001a2870, 0xc0001fa930, 0x0)
2019-08-05T21:13:34.488+0800 [DEBUG] plugin.terraform-provider-acme_v1.3.5_x4: 	/opt/teamcity-agent/work/5d79fe75d4460a2f/src/github.com/terraform-providers/terraform-provider-acme/vendor/github.com/hashicorp/terraform/helper/schema/provider.go:312 +0x18f
2019-08-05T21:13:34.488+0800 [DEBUG] plugin.terraform-provider-acme_v1.3.5_x4: github.com/terraform-providers/terraform-provider-acme/vendor/github.com/hashicorp/terraform/helper/plugin.(*GRPCProviderServer).PlanResourceChange(0xc00000e038, 0x1c16740, 0xc000147770, 0xc0000b1c20, 0xc00000e038, 0xc000147770, 0xc000197ba8)
2019-08-05T21:13:34.488+0800 [DEBUG] plugin.terraform-provider-acme_v1.3.5_x4: 	/opt/teamcity-agent/work/5d79fe75d4460a2f/src/github.com/terraform-providers/terraform-provider-acme/vendor/github.com/hashicorp/terraform/helper/plugin/grpc_provider.go:603 +0x73c
2019-08-05T21:13:34.488+0800 [DEBUG] plugin.terraform-provider-acme_v1.3.5_x4: github.com/terraform-providers/terraform-provider-acme/vendor/github.com/hashicorp/terraform/internal/tfplugin5._Provider_PlanResourceChange_Handler(0x1839640, 0xc00000e038, 0x1c16740, 0xc000147770, 0xc0000d9770, 0x0, 0x1c16740, 0xc000147770, 0xc00004f880, 0x36d)
2019-08-05T21:13:34.488+0800 [DEBUG] plugin.terraform-provider-acme_v1.3.5_x4: 	/opt/teamcity-agent/work/5d79fe75d4460a2f/src/github.com/terraform-providers/terraform-provider-acme/vendor/github.com/hashicorp/terraform/internal/tfplugin5/tfplugin5.pb.go:3001 +0x23e
2019-08-05T21:13:34.488+0800 [DEBUG] plugin.terraform-provider-acme_v1.3.5_x4: github.com/terraform-providers/terraform-provider-acme/vendor/google.golang.org/grpc.(*Server).processUnaryRPC(0xc000594c00, 0x1c28ec0, 0xc0005a6f00, 0xc000311700, 0xc0004b5170, 0x2d2f888, 0x0, 0x0, 0x0)
2019-08-05T21:13:34.488+0800 [DEBUG] plugin.terraform-provider-acme_v1.3.5_x4: 	/opt/teamcity-agent/work/5d79fe75d4460a2f/src/github.com/terraform-providers/terraform-provider-acme/vendor/google.golang.org/grpc/server.go:972 +0x470
2019-08-05T21:13:34.489+0800 [DEBUG] plugin.terraform-provider-acme_v1.3.5_x4: github.com/terraform-providers/terraform-provider-acme/vendor/google.golang.org/grpc.(*Server).handleStream(0xc000594c00, 0x1c28ec0, 0xc0005a6f00, 0xc000311700, 0x0)
2019-08-05T21:13:34.489+0800 [DEBUG] plugin.terraform-provider-acme_v1.3.5_x4: 	/opt/teamcity-agent/work/5d79fe75d4460a2f/src/github.com/terraform-providers/terraform-provider-acme/vendor/google.golang.org/grpc/server.go:1252 +0xda6
2019-08-05T21:13:34.489+0800 [DEBUG] plugin.terraform-provider-acme_v1.3.5_x4: github.com/terraform-providers/terraform-provider-acme/vendor/google.golang.org/grpc.(*Server).serveStreams.func1.1(0xc000044450, 0xc000594c00, 0x1c28ec0, 0xc0005a6f00, 0xc000311700)
2019-08-05T21:13:34.489+0800 [DEBUG] plugin.terraform-provider-acme_v1.3.5_x4: 	/opt/teamcity-agent/work/5d79fe75d4460a2f/src/github.com/terraform-providers/terraform-provider-acme/vendor/google.golang.org/grpc/server.go:691 +0x9f
2019-08-05T21:13:34.489+0800 [DEBUG] plugin.terraform-provider-acme_v1.3.5_x4: created by github.com/terraform-providers/terraform-provider-acme/vendor/google.golang.org/grpc.(*Server).serveStreams.func1
2019-08-05T21:13:34.489+0800 [DEBUG] plugin.terraform-provider-acme_v1.3.5_x4: 	/opt/teamcity-agent/work/5d79fe75d4460a2f/src/github.com/terraform-providers/terraform-provider-acme/vendor/google.golang.org/grpc/server.go:689 +0xa1
2019-08-05T21:13:34.490+0800 [DEBUG] plugin: plugin process exited: path=/home/user/Dev/homeproject/test/.terraform/plugins/linux_amd64/terraform-provider-acme_v1.3.5_x4 pid=29768 error="exit status 2"
2019/08/05 21:13:34 [ERROR] <root>: eval: *terraform.EvalDiff, err: rpc error: code = Unavailable desc = transport is closing
2019/08/05 21:13:34 [ERROR] <root>: eval: *terraform.EvalSequence, err: rpc error: code = Unavailable desc = transport is closing
2019/08/05 21:13:34 [TRACE] [walkPlan] Exiting eval tree: acme_certificate.www
2019/08/05 21:13:34 [TRACE] vertex "acme_certificate.www": visit complete
2019/08/05 21:13:34 [TRACE] vertex "acme_certificate.www": dynamic subgraph encountered errors
2019/08/05 21:13:34 [TRACE] vertex "acme_certificate.www": visit complete
2019/08/05 21:13:34 [TRACE] dag/walk: upstream of "provider.acme (close)" errored, so skipping
2019/08/05 21:13:34 [TRACE] dag/walk: upstream of "aws_iam_server_certificate.www" errored, so skipping
2019/08/05 21:13:34 [TRACE] dag/walk: upstream of "aws_elb.elb" errored, so skipping
2019/08/05 21:13:34 [TRACE] dag/walk: upstream of "aws_elb.bar" errored, so skipping
2019/08/05 21:13:34 [TRACE] dag/walk: upstream of "aws_route53_record.www" errored, so skipping
2019/08/05 21:13:34 [TRACE] dag/walk: upstream of "output.elb-ip" errored, so skipping
2019/08/05 21:13:34 [TRACE] dag/walk: upstream of "provider.aws (close)" errored, so skipping
2019/08/05 21:13:34 [TRACE] dag/walk: upstream of "meta.count-boundary (EachMode fixup)" errored, so skipping
2019/08/05 21:13:34 [TRACE] dag/walk: upstream of "root" errored, so skipping
2019/08/05 21:13:34 [TRACE] statemgr.Filesystem: removing lock metadata file .terraform.tfstate.lock.info
2019/08/05 21:13:34 [TRACE] statemgr.Filesystem: unlocking terraform.tfstate using fcntl flock
2019-08-05T21:13:34.490+0800 [DEBUG] plugin: plugin exited
2019-08-05T21:13:34.493+0800 [DEBUG] plugin: plugin process exited: path=/home/user/Dev/homeproject/test/.terraform/plugins/linux_amd64/terraform-provider-aws_v2.17.0_x4 pid=29746
2019-08-05T21:13:34.493+0800 [DEBUG] plugin: plugin exited

Crash Output

panic: interface conversion: interface {} is nil, not map[string]interface {}
2019-08-05T21:12:17.291+0800 [DEBUG] plugin.terraform-provider-acme_v1.3.5_x4: 
2019-08-05T21:12:17.291+0800 [DEBUG] plugin.terraform-provider-acme_v1.3.5_x4: goroutine 82 [running]:
2019-08-05T21:12:17.291+0800 [DEBUG] plugin.terraform-provider-acme_v1.3.5_x4: github.com/terraform-providers/terraform-provider-acme/vendor/github.com/hashicorp/terraform/helper/schema.(*DiffFieldReader).readMap(0xc0003f9290, 0xc0003f9680, 0x3, 0x3, 0xc0004f2600, 0x0, 0x0, 0x0, 0x0, 0x0, ...)
2019-08-05T21:12:17.291+0800 [DEBUG] plugin.terraform-provider-acme_v1.3.5_x4: 	/opt/teamcity-agent/work/5d79fe75d4460a2f/src/github.com/terraform-providers/terraform-provider-acme/vendor/github.com/hashicorp/terraform/helper/schema/field_reader_diff.go:98 +0x61c
2019-08-05T21:12:17.291+0800 [DEBUG] plugin.terraform-provider-acme_v1.3.5_x4: github.com/terraform-providers/terraform-provider-acme/vendor/github.com/hashicorp/terraform/helper/schema.(*DiffFieldReader).ReadField(0xc0003f9290, 0xc0003f9680, 0x3, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, ...)
2019-08-05T21:12:17.291+0800 [DEBUG] plugin.terraform-provider-acme_v1.3.5_x4: 	/opt/teamcity-agent/work/5d79fe75d4460a2f/src/github.com/terraform-providers/terraform-provider-acme/vendor/github.com/hashicorp/terraform/helper/schema/field_reader_diff.go:71 +0x5e0
2019-08-05T21:12:17.291+0800 [DEBUG] plugin.terraform-provider-acme_v1.3.5_x4: github.com/terraform-providers/terraform-provider-acme/vendor/github.com/hashicorp/terraform/helper/schema.readObjectField(0x1be5540, 0xc0003f9290, 0xc000655480, 0x2, 0x2, 0xc0003f9170, 0x0, 0x0, 0x0, 0x0, ...)
2019-08-05T21:12:17.291+0800 [DEBUG] plugin.terraform-provider-acme_v1.3.5_x4: 	/opt/teamcity-agent/work/5d79fe75d4460a2f/src/github.com/terraform-providers/terraform-provider-acme/vendor/github.com/hashicorp/terraform/helper/schema/field_reader.go:244 +0x1fc
2019-08-05T21:12:17.291+0800 [DEBUG] plugin.terraform-provider-acme_v1.3.5_x4: github.com/terraform-providers/terraform-provider-acme/vendor/github.com/hashicorp/terraform/helper/schema.(*DiffFieldReader).ReadField(0xc0003f9290, 0xc000655480, 0x2, 0x2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, ...)
2019-08-05T21:12:17.291+0800 [DEBUG] plugin.terraform-provider-acme_v1.3.5_x4: 	/opt/teamcity-agent/work/5d79fe75d4460a2f/src/github.com/terraform-providers/terraform-provider-acme/vendor/github.com/hashicorp/terraform/helper/schema/field_reader_diff.go:75 +0x4fa
2019-08-05T21:12:17.292+0800 [DEBUG] plugin.terraform-provider-acme_v1.3.5_x4: github.com/terraform-providers/terraform-provider-acme/vendor/github.com/hashicorp/terraform/helper/schema.readListField(0x1be5540, 0xc0003f9290, 0xc0004f89f0, 0x1, 0x1, 0xc0004f2400, 0x0, 0x0, 0x0, 0x0, ...)
2019-08-05T21:12:17.292+0800 [DEBUG] plugin.terraform-provider-acme_v1.3.5_x4: 	/opt/teamcity-agent/work/5d79fe75d4460a2f/src/github.com/terraform-providers/terraform-provider-acme/vendor/github.com/hashicorp/terraform/helper/schema/field_reader.go:211 +0x351
2019-08-05T21:12:17.292+0800 [DEBUG] plugin.terraform-provider-acme_v1.3.5_x4: github.com/terraform-providers/terraform-provider-acme/vendor/github.com/hashicorp/terraform/helper/schema.(*DiffFieldReader).ReadField(0xc0003f9290, 0xc0004f89f0, 0x1, 0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, ...)
2019-08-05T21:12:17.292+0800 [DEBUG] plugin.terraform-provider-acme_v1.3.5_x4: 	/opt/teamcity-agent/work/5d79fe75d4460a2f/src/github.com/terraform-providers/terraform-provider-acme/vendor/github.com/hashicorp/terraform/helper/schema/field_reader_diff.go:69 +0x26d
2019-08-05T21:12:17.292+0800 [DEBUG] plugin.terraform-provider-acme_v1.3.5_x4: github.com/terraform-providers/terraform-provider-acme/vendor/github.com/hashicorp/terraform/helper/schema.(*MultiLevelFieldReader).ReadFieldMerge(0xc000655340, 0xc0004f89f0, 0x1, 0x1, 0x18ce6c8, 0x7, 0x0, 0x0, 0x0, 0x0, ...)
2019-08-05T21:12:17.292+0800 [DEBUG] plugin.terraform-provider-acme_v1.3.5_x4: 	/opt/teamcity-agent/work/5d79fe75d4460a2f/src/github.com/terraform-providers/terraform-provider-acme/vendor/github.com/hashicorp/terraform/helper/schema/field_reader_multi.go:45 +0x1de
2019-08-05T21:12:17.292+0800 [DEBUG] plugin.terraform-provider-acme_v1.3.5_x4: github.com/terraform-providers/terraform-provider-acme/vendor/github.com/hashicorp/terraform/helper/schema.(*ResourceDiff).get(0xc0001818c0, 0xc0004f89f0, 0x1, 0x1, 0x18ce6c8, 0x7, 0x0, 0x0, 0x0, 0x0, ...)
2019-08-05T21:12:17.292+0800 [DEBUG] plugin.terraform-provider-acme_v1.3.5_x4: 	/opt/teamcity-agent/work/5d79fe75d4460a2f/src/github.com/terraform-providers/terraform-provider-acme/vendor/github.com/hashicorp/terraform/helper/schema/resource_diff.go:485 +0xa0
2019-08-05T21:12:17.292+0800 [DEBUG] plugin.terraform-provider-acme_v1.3.5_x4: github.com/terraform-providers/terraform-provider-acme/vendor/github.com/hashicorp/terraform/helper/schema.(*ResourceDiff).GetOk(0xc0001818c0, 0x18d6029, 0xd, 0x30, 0x30, 0xc0003f9350)
2019-08-05T21:12:17.292+0800 [DEBUG] plugin.terraform-provider-acme_v1.3.5_x4: 	/opt/teamcity-agent/work/5d79fe75d4460a2f/src/github.com/terraform-providers/terraform-provider-acme/vendor/github.com/hashicorp/terraform/helper/schema/resource_diff.go:384 +0xb9
2019-08-05T21:12:17.292+0800 [DEBUG] plugin.terraform-provider-acme_v1.3.5_x4: github.com/terraform-providers/terraform-provider-acme/vendor/github.com/hashicorp/terraform/helper/schema.(*ResourceDiff).Get(...)
2019-08-05T21:12:17.292+0800 [DEBUG] plugin.terraform-provider-acme_v1.3.5_x4: 	/opt/teamcity-agent/work/5d79fe75d4460a2f/src/github.com/terraform-providers/terraform-provider-acme/vendor/github.com/hashicorp/terraform/helper/schema/resource_diff.go:365
2019-08-05T21:12:17.292+0800 [DEBUG] plugin.terraform-provider-acme_v1.3.5_x4: github.com/terraform-providers/terraform-provider-acme/acme.resourceACMECertificateCustomizeDiff(0xc0001818c0, 0x14fe320, 0xc0001aa8b0, 0xc000654420, 0xc0001818c0)
2019-08-05T21:12:17.292+0800 [DEBUG] plugin.terraform-provider-acme_v1.3.5_x4: 	/opt/teamcity-agent/work/5d79fe75d4460a2f/src/github.com/terraform-providers/terraform-provider-acme/acme/resource_acme_certificate.go:364 +0xbe
2019-08-05T21:12:17.292+0800 [DEBUG] plugin.terraform-provider-acme_v1.3.5_x4: github.com/terraform-providers/terraform-provider-acme/vendor/github.com/hashicorp/terraform/helper/schema.schemaMap.Diff(0xc0004ac1e0, 0xc0004c4870, 0xc0003f84b0, 0x1937af0, 0x14fe320, 0xc0001aa8b0, 0x0, 0x2, 0xc0003f8270, 0x1)
2019-08-05T21:12:17.292+0800 [DEBUG] plugin.terraform-provider-acme_v1.3.5_x4: 	/opt/teamcity-agent/work/5d79fe75d4460a2f/src/github.com/terraform-providers/terraform-provider-acme/vendor/github.com/hashicorp/terraform/helper/schema/schema.go:509 +0xac3
2019-08-05T21:12:17.292+0800 [DEBUG] plugin.terraform-provider-acme_v1.3.5_x4: github.com/terraform-providers/terraform-provider-acme/vendor/github.com/hashicorp/terraform/helper/schema.(*Resource).simpleDiff(0xc000154d80, 0xc0004c4870, 0xc0003f84b0, 0x14fe320, 0xc0001aa8b0, 0x1, 0xc00003e820, 0xc0003f84b0)
2019-08-05T21:12:17.292+0800 [DEBUG] plugin.terraform-provider-acme_v1.3.5_x4: 	/opt/teamcity-agent/work/5d79fe75d4460a2f/src/github.com/terraform-providers/terraform-provider-acme/vendor/github.com/hashicorp/terraform/helper/schema/resource.go:339 +0x1de
2019-08-05T21:12:17.292+0800 [DEBUG] plugin.terraform-provider-acme_v1.3.5_x4: github.com/terraform-providers/terraform-provider-acme/vendor/github.com/hashicorp/terraform/helper/schema.(*Provider).SimpleDiff(0xc000154e00, 0xc0000c9a90, 0xc0004c4870, 0xc0003f84b0, 0xc0002623e0, 0xc0003f84b0, 0x0)
2019-08-05T21:12:17.292+0800 [DEBUG] plugin.terraform-provider-acme_v1.3.5_x4: 	/opt/teamcity-agent/work/5d79fe75d4460a2f/src/github.com/terraform-providers/terraform-provider-acme/vendor/github.com/hashicorp/terraform/helper/schema/provider.go:312 +0x18f
2019-08-05T21:12:17.292+0800 [DEBUG] plugin.terraform-provider-acme_v1.3.5_x4: github.com/terraform-providers/terraform-provider-acme/vendor/github.com/hashicorp/terraform/helper/plugin.(*GRPCProviderServer).PlanResourceChange(0xc0000eed00, 0x1c16740, 0xc0004ad2f0, 0xc0000f0ea0, 0xc0000eed00, 0xc0004ad2f0, 0xc00025aba8)
2019-08-05T21:12:17.292+0800 [DEBUG] plugin.terraform-provider-acme_v1.3.5_x4: 	/opt/teamcity-agent/work/5d79fe75d4460a2f/src/github.com/terraform-providers/terraform-provider-acme/vendor/github.com/hashicorp/terraform/helper/plugin/grpc_provider.go:603 +0x73c
2019-08-05T21:12:17.292+0800 [DEBUG] plugin.terraform-provider-acme_v1.3.5_x4: github.com/terraform-providers/terraform-provider-acme/vendor/github.com/hashicorp/terraform/internal/tfplugin5._Provider_PlanResourceChange_Handler(0x1839640, 0xc0000eed00, 0x1c16740, 0xc0004ad2f0, 0xc0004c4690, 0x0, 0x1c16740, 0xc0004ad2f0, 0xc000264700, 0x36d)
2019-08-05T21:12:17.292+0800 [DEBUG] plugin.terraform-provider-acme_v1.3.5_x4: 	/opt/teamcity-agent/work/5d79fe75d4460a2f/src/github.com/terraform-providers/terraform-provider-acme/vendor/github.com/hashicorp/terraform/internal/tfplugin5/tfplugin5.pb.go:3001 +0x23e
2019-08-05T21:12:17.292+0800 [DEBUG] plugin.terraform-provider-acme_v1.3.5_x4: github.com/terraform-providers/terraform-provider-acme/vendor/google.golang.org/grpc.(*Server).processUnaryRPC(0xc0005a8c00, 0x1c28ec0, 0xc000586c00, 0xc000170800, 0xc000164420, 0x2d2f888, 0x0, 0x0, 0x0)
2019-08-05T21:12:17.292+0800 [DEBUG] plugin.terraform-provider-acme_v1.3.5_x4: 	/opt/teamcity-agent/work/5d79fe75d4460a2f/src/github.com/terraform-providers/terraform-provider-acme/vendor/google.golang.org/grpc/server.go:972 +0x470
2019-08-05T21:12:17.292+0800 [DEBUG] plugin.terraform-provider-acme_v1.3.5_x4: github.com/terraform-providers/terraform-provider-acme/vendor/google.golang.org/grpc.(*Server).handleStream(0xc0005a8c00, 0x1c28ec0, 0xc000586c00, 0xc000170800, 0x0)
2019-08-05T21:12:17.292+0800 [DEBUG] plugin.terraform-provider-acme_v1.3.5_x4: 	/opt/teamcity-agent/work/5d79fe75d4460a2f/src/github.com/terraform-providers/terraform-provider-acme/vendor/google.golang.org/grpc/server.go:1252 +0xda6
2019-08-05T21:12:17.292+0800 [DEBUG] plugin.terraform-provider-acme_v1.3.5_x4: github.com/terraform-providers/terraform-provider-acme/vendor/google.golang.org/grpc.(*Server).serveStreams.func1.1(0xc0000e43e0, 0xc0005a8c00, 0x1c28ec0, 0xc000586c00, 0xc000170800)
2019-08-05T21:12:17.292+0800 [DEBUG] plugin.terraform-provider-acme_v1.3.5_x4: 	/opt/teamcity-agent/work/5d79fe75d4460a2f/src/github.com/terraform-providers/terraform-provider-acme/vendor/google.golang.org/grpc/server.go:691 +0x9f
2019-08-05T21:12:17.292+0800 [DEBUG] plugin.terraform-provider-acme_v1.3.5_x4: created by github.com/terraform-providers/terraform-provider-acme/vendor/google.golang.org/grpc.(*Server).serveStreams.func1
2019-08-05T21:12:17.292+0800 [DEBUG] plugin.terraform-provider-acme_v1.3.5_x4: 	/opt/teamcity-agent/work/5d79fe75d4460a2f/src/github.com/terraform-providers/terraform-provider-acme/vendor/google.golang.org/grpc/server.go:689 +0xa1
2019/08/05 21:12:17 [ERROR] <root>: eval: *terraform.EvalDiff, err: rpc error: code = Unavailable desc = transport is closing
2019/08/05 21:12:17 [ERROR] <root>: eval: *terraform.EvalSequence, err: rpc error: code = Unavailable desc = transport is closing
2019-08-05T21:12:17.294+0800 [DEBUG] plugin: plugin process exited: path=/home/nick/Dev/homeproject/test/.terraform/plugins/linux_amd64/terraform-provider-acme_v1.3.5_x4 pid=29187 error="exit status 2"
2019/08/05 21:12:17 [TRACE] [walkPlan] Exiting eval tree: acme_certificate.www
2019/08/05 21:12:17 [TRACE] vertex "acme_certificate.www": visit complete
2019/08/05 21:12:17 [TRACE] vertex "acme_certificate.www": dynamic subgraph encountered errors
2019/08/05 21:12:17 [TRACE] vertex "acme_certificate.www": visit complete
2019/08/05 21:12:17 [TRACE] dag/walk: upstream of "aws_iam_server_certificate.www" errored, so skipping
2019/08/05 21:12:17 [TRACE] dag/walk: upstream of "aws_elb.bar" errored, so skipping
2019/08/05 21:12:17 [TRACE] dag/walk: upstream of "aws_route53_record.www" errored, so skipping
2019/08/05 21:12:17 [TRACE] dag/walk: upstream of "provider.acme (close)" errored, so skipping
2019/08/05 21:12:17 [TRACE] dag/walk: upstream of "output.elb-ip" errored, so skipping
2019/08/05 21:12:17 [TRACE] dag/walk: upstream of "aws_elb.elb" errored, so skipping
2019/08/05 21:12:17 [TRACE] dag/walk: upstream of "meta.count-boundary (EachMode fixup)" errored, so skipping
2019/08/05 21:12:17 [TRACE] dag/walk: upstream of "provider.aws (close)" errored, so skipping
2019/08/05 21:12:17 [TRACE] dag/walk: upstream of "root" errored, so skipping
2019/08/05 21:12:17 [TRACE] statemgr.Filesystem: removing lock metadata file .terraform.tfstate.lock.info
2019/08/05 21:12:17 [TRACE] statemgr.Filesystem: unlocking terraform.tfstate using fcntl flock
2019-08-05T21:12:17.295+0800 [DEBUG] plugin: plugin exited
2019-08-05T21:12:17.297+0800 [DEBUG] plugin: plugin process exited: path=/home/nick/Dev/homeproject/test/.terraform/plugins/linux_amd64/terraform-provider-aws_v2.17.0_x4 pid=29239
2019-08-05T21:12:17.297+0800 [DEBUG] plugin: plugin exited

Steps to Reproduce

1. `terraform init`
2.`terraform apply`

Use Go modules for dependencies

Go modules are the new new. I find it's a much more intuitive and less error-prone dependency system than dep, etc. The main terraform project uses them, as well as other providers switching to them.

I'm working on this.

Unable to upload pem to azure key vault as a certificate

Hello,

Currently when i generate a certificate using the certbot/cerbot docker container i'm able to successfully create a keyvault certificate in the PEM format that can be uploaded to azure key vault as a certificate. The certficate ends up being in the following format

Lets Encrypt Certficate with private key embedded

-----BEGIN PRIVATE KEY-----
ggEBALV0PjbCoF/Frqg....
-----END PRIVATE KEY-----
----BEGIN CERTIFICATE-----
3AyBXg8awnY..
-----END CERTIFICATE-----

When i attempt to use the acme_certificate and build the above format with the outputs exposed i'm able to create a similiar looking file but not one azure key vault will accept.

terraform acme_certificate with private key embedded

-----BEGIN CERTIFICATE-----
MIIFSTCCB...
MT9A/8MZrWhEToWvyw==
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
MIIEogIBAAKCAQEArJvjd...
-----END RSA PRIVATE KEY-----

Error message from portal

Your certificate file was invalid, or the password was not correct.

Below is the terraform that i'm using

Terraform

provider "acme" {
  server_url = "https://acme-staging-v02.api.letsencrypt.org/directory"
}

resource "tls_private_key" "reg_private_key" {
  algorithm = "RSA"
}

resource "acme_registration" "reg" {
  account_key_pem = "${tls_private_key.reg_private_key.private_key_pem}"
  email_address   = "[email protected]"
}

resource "tls_private_key" "cert_private_key" {
  algorithm = "RSA"
}

resource "tls_cert_request" "req" {
  key_algorithm   = "RSA"
  private_key_pem = "${tls_private_key.cert_private_key.private_key_pem}"
  dns_names       = ["*.bob.com"]

  subject {
    common_name = "bob.com"
  }
}


resource "acme_certificate" "certificate" {
  account_key_pem         = "${acme_registration.reg.account_key_pem}"
  certificate_request_pem = "${tls_cert_request.req.cert_request_pem}"

  dns_challenge {
    provider = "fastdns"
    config {
        AKAMAI_HOST = "XXXXXX.luna.akamaiapis.net"
        AKAMAI_CLIENT_TOKEN = "XXXXXX"
        AKAMAI_CLIENT_SECRET = "XXXXXXX"
        AKAMAI_ACCESS_TOKEN = "XXXXXX"
    }
  }
}


resource "local_file" "fullchain_file" {
  content  = "${data.template_file.fullchain.rendered}"
  filename = "${path.module}/cert.pem"
}

data "template_file" "fullchain" {
  template = "$${certificate}$${private_key}"

  vars = {
    certificate    = "${acme_certificate.certificate.certificate_pem}"
    private_key    = "${tls_private_key.cert_private_key.private_key_pem}"
  }
}

Switching provider server_url raises 404 error

So, I tried the provider with the "https://acme-staging-v02.api.letsencrypt.org/directory" server_url. Created a registration and a cert, all is fine. Now I want to use the real thing, so I use the real letsencrypt url. But "terraform apply" fails with

module.certificates.acme_registration.reg: Destroying... [id=https://acme-v02.api.letsencrypt.org/acme/acct/65536822]
module.certificates.acme_certificate.certificate: Destroying... [id=https://acme-staging-v02.api.letsencrypt.org/acme/cert/fa393f4a5dcb98b363502cea7d39847580fb]
module.certificates.acme_registration.reg: Destruction complete after 1s
module.certificates.tls_private_key.reg_private_key: Destroying... [id=7584ae844a75c15ec019d6a19ea4e803c5fc4645]
module.certificates.tls_private_key.reg_private_key: Destruction complete after 0s

Error: acme: error: 404 :: POST :: https://acme-v02.api.letsencrypt.org/acme/revoke-cert :: urn:ietf:params:acme:error:malformed :: No such certificate, url:

It looks like it tried to delete the previous certificate but using the new server_url...so the server replies "not found".

I think it's safe to ignore a 404 error on a delete operation: certificate is unknown/deleted, which is what we wanted in the first place

gcloud DNS: nameserver did not return the expected TXT record

Hi, I'm having problems with a multi-zone SAN setup in 1.3 where the challenge TXT records are being created incorrectly in the top-level zone, and therefore are not resolvable. I can reproduce this in my test environment, though in production I eventually managed to get the cert. after a great number of retries applying my terraform config. All zones (including in test) are accessible by public DNS, only the subdomains change for the test environment and I use the staging server https://acme-staging-v02.api.letsencrypt.org/directory

The relevant part of my terraform configuration for looks similar to this:

data "template_file" "domain_ns" {
    count = "4"
    // Must subtract trailing period
    template = "${substr(data.google_dns_managed_zone.domain.name_servers[count.index],
                         0,
                         length(data.google_dns_managed_zone.domain.name_servers[count.index]) - 1)}"
}

resource "acme_certificate" "domain" {
    account_key_pem = "${acme_registration.reg.account_key_pem}"
    // Must subtract trailing period
    common_name = "${substr(data.google_dns_managed_zone.domain.dns_name,
                            0,
                            length(data.google_dns_managed_zone.domain.dns_name) - 1)}"
    subject_alternative_names = ["${local.sans}"]
    key_type = "${tls_private_key.cert_private_key.rsa_bits}"
    min_days_remaining = "15"
    certificate_p12_password = "${var.certpassword}"
    // decouple from default nameservers on runtime host
    recursive_nameservers = ["${data.template_file.domain_ns.*.rendered}"]

    dns_challenge {
        provider = "gcloud"
        config {
            GCE_POLLING_INTERVAL = "30"
            GCE_PROPAGATION_TIMEOUT = "120"
            GCE_TTL = "60"
            GCE_PROJECT = "${var.project}"
            GCE_SERVICE_ACCOUNT_FILE = "${var.gcejson}"
        }
    }
}

Using example.com as the dns_name and with local.sans containing:

*.example.com
*.test.example.com
*.stage.example.com
*.prod.example.com

I see this (and two other similar) records show up in the top-level example-com zone:

_acme-challenge.test.example.com. | TXT | 60 | "blah1234blah"

Which definitely won't resolve, that record needs to be added to the subdomain zonetest-example-com zone. Any client trying to resolve _acme-challenge.test.example.com. will look in the test-example-com subdomain zone based on the glue record defined in example-com:

test.example.com. | NS | 86400 | ns-cloud-a1.googledomains.com.
ns-cloud-a2.googledomains.com.
ns-cloud-a3.googledomains.com.
ns-cloud-a4.googledomains.com.

I do have my setup working in production, so at some point this wasn't a problem. I'm not sure if that was possibly due to something I changed on my end or if the acme provider has a bug.

Terraform destroy

Hi there,

I'm receiving the following error after attempting to destroy terraform infrastructure:
Error: acme: error: 403 :: POST :: https://acme-v02.api.letsencrypt.org/acme/new-acct :: urn:ietf:params:acme:error:unauthorized :: An account with the provided public key exists but is deactivated, url:

I'm not well versed in Go or terraform provider implementation in general, so I'm afraid it might take me a while to be able to pitch in for a fix, but I'm curious if this is a known issue that should be handled.

Note, I'm using terraform 0.12.1 and terraform-provider-acme_v1.3.4_x4

ACME renewal querying wrong NS

I have a private and public Route53 Zone of the same domain, and during renewal it adds the challenge to the public zone, but to verify, it's asking the private zone... therefore Route53 returns REFUSED.

acme_certificate.acme_wildcard: Modifying... (ID: https://acme-v02.api.letsencrypt.org/ac...t/...)
...
acme_certificate.acme_wildcard: Still modifying... (ID: https://acme-v02.api.letsencrypt.org/ac...t/..., 1m50s elapsed)
acme_certificate.acme_wildcard: Still modifying... (ID: https://acme-v02.api.letsencrypt.org/ac...t/..., 2m0s elapsed)
acme_certificate.acme_wildcard: Still modifying... (ID: https://acme-v02.api.letsencrypt.org/ac...t/..., 2m10s elapsed)

Error: Error applying plan:

1 error(s) occurred:

* acme_certificate.acme_wildcard: 1 error(s) occurred:

* acme_certificate.acme_wildcard: acme: Error -> One or more domains had a problem:
[host.domain.tld] Time limit exceeded. Last error: NS ns-512.awsdns-00.net. returned REFUSED for _acme-challenge.domain.tld.

I looked into my zones and noticed that ns-512.awsdns-00.net is only on my private zone, not on the public zone. Is there a way to control this?

Overlapping domain TXT records lead to race condition.

Steps to reproduce: Create a configuration with two acme_certificate resources, one of which has a common name (or SAN) for which the other has a wildcard of the same name (e.g. users.example.com and *.users.example.com). The ACME record name for both will be the same (_acme-challenge.users.example.com), which is supported by ACME, but causes problems for this provider.

It looks like either the second certificate's TXT record is never created or is removed after the first certificate is validated. Terraform will then eventually timeout on the other resource (failing for both certificates).

Difficulty with Route 53 DNS Challenge

I have used this Terraform plan to provision a certificate before. The certificate is nearing expiration and I attempted to renew, but ran into some of the other recent issues surrounding that. I ended up destroying the existing certificate and then applying the plan from scratch.

I am using Route53 and DNS-01, the TXT record gets properly set and propagates (can see in Route 53 console, as well as resolve using dig on the server applying the plan), but the apply times out with the error:

time limit exceeded: last error: read udp [2605:cb80:0:113:85ad:266a:cd23:95f8]:52688->[2600:9000:5304:9a00::1]:53: read: no route to host

Looking at the trace, it appears to be able to communicate with the Lets Encrypt server to verify the registration, and AWS as well, so I'm not totally clear on what host it is unable to reach. I cannot see anywhere in the trace where it is querying the DNS record, but that may be normal.

Attempted with both Terraform 0.11 and 0.12, identical errors.

error creating certifate: NS returned REFUSED for _acme-challenge

Hey there,
thanks for this provider.
I'm having a bit of trouble getting it to work. I am by no means an expert in DNS, so likely I made some obvious mistake that I just don't see. 😁

Using the basic config (from the docs), I can verify that the TXT records are created, but somehow the challenge is refused anyway.
It seems to be querying the right nameserver as well.

provider "tls" {
  version = "~> 1.2"
}

provider "acme" {
  version = "~> 1.1"
  server_url = "https://acme-staging-v02.api.letsencrypt.org/directory"
}

resource "tls_private_key" "private_key" {
  algorithm = "RSA"
}

resource "acme_registration" "reg" {
  account_key_pem = "${tls_private_key.private_key.private_key_pem}"
  email_address   = "[email protected]"
}

resource "acme_certificate" "certificate" {
  account_key_pem           = "${acme_registration.reg.account_key_pem}"
  common_name               = "tjdev.cc"
  dns_challenge {
    provider = "route53"
  }
}

TXT record during creation matches what I see in Route53:

dig _acme-challenge.tjdev.cc -t txt

; <<>> DiG 9.10.6 <<>> _acme-challenge.tjdev.cc -t txt
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24356
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;_acme-challenge.tjdev.cc.      IN      TXT

;; ANSWER SECTION:
_acme-challenge.tjdev.cc. 2     IN      TXT     "BwpbYVOYgiaCuhNun7dV7HTixuXNUSvKyGneAzkzbAs"

;; Query time: 51 msec
;; SERVER: 10.10.1.1#53(10.10.1.1)
;; WHEN: Sun Apr 07 14:41:23 CEST 2019
;; MSG SIZE  rcvd: 109

Nameservers match too:

dig tjdev.cc ANY

; <<>> DiG 9.10.6 <<>> tjdev.cc ANY
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19665
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;tjdev.cc.                      IN      ANY

;; ANSWER SECTION:
tjdev.cc.               20596   IN      NS      ns-1391.awsdns-45.org.
tjdev.cc.               20596   IN      NS      ns-1958.awsdns-52.co.uk.
tjdev.cc.               20596   IN      NS      ns-520.awsdns-01.net.
tjdev.cc.               20596   IN      NS      ns-92.awsdns-11.com.

;; Query time: 43 msec
;; SERVER: 10.10.1.1#53(10.10.1.1)
;; WHEN: Sun Apr 07 14:43:37 CEST 2019
;; MSG SIZE  rcvd: 176

Finally, the relevant terraform log (which does not reveal much to me)

module.ssl.acme_certificate.certificate: Creating...
  account_key_pem:          "<sensitive>" => "<sensitive>"
  certificate_domain:       "" => "<computed>"
  certificate_p12:          "<sensitive>" => "<sensitive>"
  certificate_pem:          "" => "<computed>"
  certificate_url:          "" => "<computed>"
  common_name:              "" => "tjdev.cc"
  dns_challenge.#:          "" => "1"
  dns_challenge.0.provider: "" => "route53"
  issuer_pem:               "" => "<computed>"
  key_type:                 "" => "2048"
  min_days_remaining:       "" => "7"
  must_staple:              "" => "false"
  private_key_pem:          "<sensitive>" => "<sensitive>"
2019/04/07 14:40:09 [TRACE] dag/walk: vertex "meta.count-boundary (count boundary fixup)", waiting for: "module.ssl.acme_certificate.certificate"
2019/04/07 14:40:09 [TRACE] dag/walk: vertex "root", waiting for: "module.ssl.provider.acme (close)"
2019/04/07 14:40:09 [TRACE] dag/walk: vertex "module.ssl.provider.acme (close)", waiting for: "module.ssl.acme_certificate.certificate"
2019/04/07 14:40:14 [TRACE] dag/walk: vertex "root", waiting for: "module.ssl.provider.acme (close)"
2019/04/07 14:40:14 [TRACE] dag/walk: vertex "module.ssl.provider.acme (close)", waiting for: "module.ssl.acme_certificate.certificate"
2019/04/07 14:40:14 [TRACE] dag/walk: vertex "meta.count-boundary (count boundary fixup)", waiting for: "module.ssl.acme_certificate.certificate"
module.ssl.acme_certificate.certificate: Still creating... (10s elapsed)
2019/04/07 14:40:19 [TRACE] dag/walk: vertex "root", waiting for: "module.ssl.provider.acme (close)"
2019/04/07 14:40:19 [TRACE] dag/walk: vertex "meta.count-boundary (count boundary fixup)", waiting for: "module.ssl.acme_certificate.certificate"
2019/04/07 14:40:19 [TRACE] dag/walk: vertex "module.ssl.provider.acme (close)", waiting for: "module.ssl.acme_certificate.certificate"
2019/04/07 14:40:24 [TRACE] dag/walk: vertex "root", waiting for: "module.ssl.provider.acme (close)"
2019/04/07 14:40:24 [TRACE] dag/walk: vertex "meta.count-boundary (count boundary fixup)", waiting for: "module.ssl.acme_certificate.certificate"
2019/04/07 14:40:24 [TRACE] dag/walk: vertex "module.ssl.provider.acme (close)", waiting for: "module.ssl.acme_certificate.certificate"
module.ssl.acme_certificate.certificate: Still creating... (20s elapsed)
[…MORE OF THE SAME…]
module.ssl.acme_certificate.certificate: Still creating... (3m0s elapsed)
2019/04/07 14:43:09 [TRACE] dag/walk: vertex "meta.count-boundary (count boundary fixup)", waiting for: "module.ssl.acme_certificate.certificate"
2019/04/07 14:43:09 [TRACE] dag/walk: vertex "module.ssl.provider.acme (close)", waiting for: "module.ssl.acme_certificate.certificate"
2019/04/07 14:43:09 [TRACE] dag/walk: vertex "root", waiting for: "module.ssl.provider.acme (close)"
2019/04/07 14:43:14 [TRACE] dag/walk: vertex "meta.count-boundary (count boundary fixup)", waiting for: "module.ssl.acme_certificate.certificate"
2019/04/07 14:43:14 [TRACE] dag/walk: vertex "module.ssl.provider.acme (close)", waiting for: "module.ssl.acme_certificate.certificate"
2019/04/07 14:43:14 [TRACE] dag/walk: vertex "root", waiting for: "module.ssl.provider.acme (close)"
module.ssl.acme_certificate.certificate: Still creating... (3m10s elapsed)
2019/04/07 14:43:14 [TRACE] root.ssl: eval: *terraform.EvalWriteState
2019/04/07 14:43:14 [TRACE] root.ssl: eval: *terraform.EvalApplyProvisioners
2019/04/07 14:43:14 [TRACE] root.ssl: eval: *terraform.EvalIf
2019/04/07 14:43:14 [TRACE] root.ssl: eval: *terraform.EvalWriteState
2019/04/07 14:43:14 [TRACE] root.ssl: eval: *terraform.EvalWriteDiff
2019/04/07 14:43:14 [TRACE] root.ssl: eval: *terraform.EvalApplyPost
2019/04/07 14:43:14 [ERROR] root.ssl: eval: *terraform.EvalApplyPost, err: 1 error(s) occurred:

* acme_certificate.certificate: error creating certificate: acme: Error -> One or more domains had a problem:
[tjdev.cc] time limit exceeded: last error: NS ns-1391.awsdns-45.org. returned REFUSED for _acme-challenge.tjdev.cc.
2019/04/07 14:43:14 [ERROR] root.ssl: eval: *terraform.EvalSequence, err: 1 error(s) occurred:

* acme_certificate.certificate: error creating certificate: acme: Error -> One or more domains had a problem:
[tjdev.cc] time limit exceeded: last error: NS ns-1391.awsdns-45.org. returned REFUSED for _acme-challenge.tjdev.cc.
2019/04/07 14:43:14 [TRACE] [walkApply] Exiting eval tree: module.ssl.acme_certificate.certificate
2019/04/07 14:43:14 [TRACE] dag/walk: upstream errored, not walking "meta.count-boundary (count boundary fixup)"
2019/04/07 14:43:14 [TRACE] dag/walk: upstream errored, not walking "module.ssl.provider.acme (close)"
2019/04/07 14:43:14 [TRACE] dag/walk: upstream errored, not walking "root"
2019/04/07 14:43:14 [TRACE] Preserving existing state lineage "2e5e6ff7-d10f-839c-ece6-02e914f72c08"
2019/04/07 14:43:14 [TRACE] Preserving existing state lineage "2e5e6ff7-d10f-839c-ece6-02e914f72c08"
2019/04/07 14:43:14 [TRACE] Preserving existing state lineage "2e5e6ff7-d10f-839c-ece6-02e914f72c08"
2019/04/07 14:43:14 [TRACE] Preserving existing state lineage "2e5e6ff7-d10f-839c-ece6-02e914f72c08"

2019/04/07 14:43:14 [DEBUG] plugin: waiting for all plugin processes to complete...
Error: Error applying plan:

1 error(s) occurred:

* module.ssl.acme_certificate.certificate: 1 error(s) occurred:

* acme_certificate.certificate: error creating certificate: acme: Error -> One or more domains had a problem:
[tjdev.cc] time limit exceeded: last error: NS ns-1391.awsdns-45.org. returned REFUSED for _acme-challenge.tjdev.cc.


Terraform does not automatically rollback in the face of errors.
Instead, your Terraform state file has been partially updated with
any resources that successfully completed. Please address the error
above and apply again to incrementally change your infrastructure.


2019-04-07T14:43:14.813+0200 [DEBUG] plugin.terraform-provider-aws_v2.5.0_x4: 2019/04/07 14:43:14 [ERR] plugin: plugin server: accept unix /var/folders/kp/3g8rwzr9415g1pwflgl7ycqc0000gn/T/plugin775087129: use of closed network connection
2019-04-07T14:43:14.813+0200 [DEBUG] plugin.terraform-provider-tls_v1.2.0_x4: 2019/04/07 14:43:14 [ERR] plugin: plugin server: accept unix /var/folders/kp/3g8rwzr9415g1pwflgl7ycqc0000gn/T/plugin012962052: use of closed network connection
2019-04-07T14:43:14.813+0200 [DEBUG] plugin.terraform-provider-acme_v1.1.1_x4: 2019/04/07 14:43:14 [ERR] plugin: plugin server: accept unix /var/folders/kp/3g8rwzr9415g1pwflgl7ycqc0000gn/T/plugin024414340: use of closed network connection
2019-04-07T14:43:14.813+0200 [DEBUG] plugin: plugin process exited: path=/data/dev/homelab/ops/tf/.terraform/plugins/darwin_amd64/terraform-provider-acme_v1.1.1_x4
2019-04-07T14:43:14.813+0200 [DEBUG] plugin: plugin process exited: path=/data/dev/homelab/ops/tf/.terraform/plugins/darwin_amd64/terraform-provider-tls_v1.2.0_x4
2019-04-07T14:43:14.814+0200 [DEBUG] plugin: plugin process exited: path=/data/dev/homelab/ops/tf/.terraform/plugins/darwin_amd64/terraform-provider-aws_v2.5.0_x4

Things that I tried unsuccessfully:

using a different recursive nameserver
using a different domain
explicitly stating the Route53 zone
trying different common names / alternate names
using a VPN while running terraform (🤷‍♂️)

Would be very thankful for any ideas.

Incorrect TXT record "..." found at _acme-challenge.domain.com.au

I'm having trouble generating a certificate for a base domain and wildcard SAN - it keeps failing with and error like Error 403 - urn:ietf:params:acme:error:unauthorized - Incorrect TXT record "MZU..." found at _acme-challenge.domain.com.au.

I've tried it a few times and the TXT record does change (so Terraform does have access through the environment variables to update Cloudflare) but unfortunately that's about the extent of what I can think of to debug.

Any other ideas? Or is there any more information I can provide?

Terraform config:

provider "acme" {
  server_url = "https://acme-staging-v02.api.letsencrypt.org/directory"
}

resource "tls_private_key" "private_key" {
  algorithm = "RSA"
}

resource "acme_registration" "reg" {
  account_key_pem = "${tls_private_key.private_key.private_key_pem}"
  email_address   = "[email protected]"
}

resource "acme_certificate" "certificate" {
  account_key_pem           = "${acme_registration.reg.account_key_pem}"
  common_name               = "domain.com.au"
  subject_alternative_names = ["*.domain.com.au"]

  dns_challenge {
    provider = "cloudflare"
  }
}

Log:

...
acme_registration.reg: Creation complete after 4s (ID: https://acme-staging-v02.api.letsencrypt.org/acme/acct/8371243)
acme_certificate.certificate: Creating...
  account_key_pem:                      "<sensitive>" => "<sensitive>"
  account_ref:                          "" => "<computed>"
  certificate_domain:                   "" => "<computed>"
  certificate_pem:                      "" => "<computed>"
  certificate_url:                      "" => "<computed>"
  common_name:                          "" => "domain.com.au"
  dns_challenge.#:                      "" => "1"
  dns_challenge.2049738136.provider:    "" => "cloudflare"
  issuer_pem:                           "" => "<computed>"
  key_type:                             "" => "2048"
  min_days_remaining:                   "" => "7"
  must_staple:                          "" => "false"
  private_key_pem:                      "<sensitive>" => "<sensitive>"
  subject_alternative_names.#:          "" => "1"
  subject_alternative_names.1512744266: "" => "*.domain.com.au"
acme_certificate.certificate: Still creating... (10s elapsed)
acme_certificate.certificate: Still creating... (20s elapsed)

Error: Error applying plan:

1 error(s) occurred:

* acme_certificate.certificate: 1 error(s) occurred:

* acme_certificate.certificate: error creating certificate: acme: Error -> One or more domains had a problem:
[domain.com.au] acme: Error 403 - urn:ietf:params:acme:error:unauthorized - Incorrect TXT record "MZU...oe0" found at _acme-challenge.domain.com.au

module.ssl.acme_certificate.cert issue

Hi there,

I am trying to do a ssl cert setup in GCP using terraform.( modules ). Whenever i tried to safe apply tf i m getting the below error
(attribute changed)
seems like a bug in ACME provider, always flagged as attribute change

Could you please help to resolve the same.

DNS validation

Could we please add DNS validation to this as well? Maybe handle it the same way we do with ACM certificates on Amazon?

I realize this might be difficult to do on other platforms than AWS, but it would certainly be cleaner than having to create a new email address for validations...

AWS_PROFILE seems not working

Can't get AWS_PROFILE to work.
Tried access/secret keys, obviously they have worked.
Also tried to set AWS_PROFILE as env var, but it just doesn't work.
Also haven't found AWS_PROFILE in lego library.

Terraform version:

Terraform v0.11.11

Acme version

+ provider.acme v1.0.1

DNS Challange

  dns_challenge {
    provider = "route53"

    config {
      AWS_PROFILE = "mgmt"
      AWS_DEFAULT_REGION = "us-east-1"
    }
  }

~/.aws/config

[profile mgmt]
role_arn = arn:aws:iam::999999999999:role/mgmt
source_profile = main

Error

* acme_certificate.vault_dev: error creating certificate: acme: Error -> One or more domains had a problem:
[foo.sub.example.com] Error presenting token: failed to change Route 53 record set: NoCredentialProviders: no valid providers in chain. Deprecated.
	For verbose messaging see aws.Config.CredentialsChainVerboseErrors

DNS challenge does not support multiple primary DNS providers

With two primary DNS providers, the challenge token needs to be presented to both in order to guarantee success. So far as I can tell, this is not supported by the provider as-is. I have a proposed implementation here.

[PROPOSAL] Switch to Go Modules

As part of the preparation for Terraform v0.12, we would like to migrate all providers to use Go Modules. We plan to continue checking dependencies into vendor/ to remain compatible with existing tooling/CI for a period of time, however go modules will be used for management. Go Modules is the official solution for the go programming language, we understand some providers might not want this change yet, however we encourage providers to begin looking towards the switch as this is how we will be managing all Go projects in the future. Would maintainers please react with 👍 for support, or 👎 if you wish to have this provider omitted from the first wave of pull requests. If your provider is in support, we would ask that you avoid merging any pull requests that mutate the dependencies while the Go Modules PR is open (in fact a total codefreeze would be even more helpful), otherwise we will need to close that PR and re-run go mod init. Once merged, dependencies can be added or updated as follows:

$ GO111MODULE=on go get github.com/some/module@master
$ GO111MODULE=on go mod tidy
$ GO111MODULE=on go mod vendor

GO111MODULE=on might be unnecessary depending on your environment, this example will fetch a module @ master and record it in your project's go.mod and go.sum files. It's a good idea to tidy up afterward and then copy the dependencies into vendor/. To remove dependencies from your project, simply remove all usage from your codebase and run:

$ GO111MODULE=on go mody tidy
$ GO111MODULE=on go mod vendor

Thank you sincerely for all your time, contributions, and cooperation!

Base64 encode p12 cert is missing padding

When trying to use the base64 encoded string in Azure it fails due to the base64 string missing its padding.

After doing some digging it looks like the Encode method being used here is specifically stripping the padding out.

It also looks like it may be a simple fix to change as documented here The RawStdEncoding excludes the padding and the method StdEncoding keeps it.

I am happy to make the change and raise a PR but am aware this provider will be used across providers, who may or may not behave differently to Azure. It may be worth including both with and without padding or even removing it completely and letting the consuming generate it as required.

Happy to discuss then pick up the relevant work.

Broken links in docs

Commit 54e49ad added some broken links, which are breaking builds for terraform.io.

The broken links are in:

docs/dns_providers/exec.html.markdown (linking to /dns/exec)
docs/dns_providers/httpreq.html.markdown (linking to /dns/httpreq)

Where were these supposed to point to?

EOF error on version 1.3.0

The latest release of the terraform acme provider fails with the following error:

Error: Error running plan: 1 error(s) occurred:

* acme_certificate.tls: 1 error(s) occurred:

* acme_certificate.tls: unexpected EOF

where the relevant resource is defined as follows:

resource "acme_certificate" "tls" {
  account_key_pem           = "${acme_registration.tls.account_key_pem}"
  common_name               = "${element(var.domains, 0)}"
  subject_alternative_names = ["${slice(var.domains, 1, length(var.domains))}"]

  dns_challenge {
    provider = "gcloud"

    config {
      GCE_PROJECT = "${var.project}"
    }
  }
}

Note that this is a regression, as the above error does not happen on versions 1.1.x and 1.2.x. It only occurs on 1.3.0.

Provider crashes with latest xenolf/lego and latest Terraform

The current version of t-p-a does not correct provision wildcard certificates when using NS1 as a DNS provider. I've gotten xenolf/lego fixed upstream, and switched Gopkg.toml to using master of lego and v0.11.8 of hashicorp/terraform (the version I'm running).

This causes Terraform to crash:

2018/10/02 17:58:27 [DEBUG] apply: acme_certificate.certificate: executing Apply
2018-10-02T17:58:28.974-0700 [DEBUG] plugin.terraform-provider-acme_v1.0.1_x4: panic: interface conversion: interface {} is schema.Set, not *schema.Set
2018-10-02T17:58:28.974-0700 [DEBUG] plugin.terraform-provider-acme_v1.0.1_x4:
2018-10-02T17:58:28.974-0700 [DEBUG] plugin.terraform-provider-acme_v1.0.1_x4: goroutine 60 [running]:
2018-10-02T17:58:28.974-0700 [DEBUG] plugin.terraform-provider-acme_v1.0.1_x4: github.com/terraform-providers/terraform-provider-acme/vendor/github.com/hashicorp/terraform/helper/schema.(*MapFieldWriter).setSet(0xc420317400, 0xc42061f930, 0x1, 0x1, 0x1d4c560, 0xc420317460, 0xc42052e870, 0x0, 0xffffffffffffffff)
2018-10-02T17:58:28.974-0700 [DEBUG] plugin.terraform-provider-acme_v1.0.1_x4: 	/home/idcmp/go/src/github.com/terraform-providers/terraform-provider-acme/vendor/github.com/hashicorp/terraform/helper/schema/field_writer_map.go:343 +0xa63
2018-10-02T17:58:28.974-0700 [DEBUG] plugin.terraform-provider-acme_v1.0.1_x4: github.com/terraform-providers/terraform-provider-acme/vendor/github.com/hashicorp/terraform/helper/schema.(*MapFieldWriter).set(0xc420317400, 0xc42061f930, 0x1, 0x1, 0x1d4c560, 0xc420317460, 0x0, 0x0)
2018-10-02T17:58:28.974-0700 [DEBUG] plugin.terraform-provider-acme_v1.0.1_x4: 	/home/idcmp/go/src/github.com/terraform-providers/terraform-provider-acme/vendor/github.com/hashicorp/terraform/helper/schema/field_writer_map.go:107 +0x2ac

DNS challenge consistently fails for gcloud

I consistently get the following when trying a DNS challenge with gcloud.

* googlecloud: no public zone found for domain sub.example.com.

There is a public zone and everything is set up properly with gcloud. I've done quite a bit of testing on various versions of this provider, and am confident this change happened when updating to v1.2.0. It works as expected on v1.1.2.

pass glcoud service account key by env rather than file

lego v2.2 will allow specifying the gcloud service account key optional by setting GCE_SERVICE_ACCOUNT to the actual json go-acme/lego#776, rather than GCE_SERVICE_ACCOUNT_FILE which requires a service account file.

Documentation will need to be updated, once v2.2 is leveraged for the terraform acme provider.

TODO: Remove custom hash functions from this provider

There are a few custom set hash functions in this provider (ie: set with the Set field on TypeSet schema fields). These were added when my understanding of Terraform was still not 100% complete and I thought that set hash functions were always needed, but they aren't at all, and the perfectly capable schema.HashResource default function should be fine for anything that I had custom hash functions in here for.

#25 adds another field to dns_challenge specifically and I forgot to update the hash function, illustrating the tech debt continuing to have these in the codebase brings. Once all pending PRs are merged I just want to get rid of these functions so that we don't need to maintain them anymore.

Certificate renewal not applied with terraform 0.12

When a certificate is due for renewal, the provider detects this and outputs the correct plan (resourceACMECertificateCustomizeDiff). However, when the update is applied (resourceACMECertificateUpdate) the check d.HasChange("certificate_pem") returns false and no update is made, leading to the certificate not being renewed.

I guess it's related to https://github.com/hashicorp/terraform/issues/21977

No mechanism to override domain name guessing.

I'm using the ns1 acme dns challenge provider, but I believe this issue is provider-agnostic.

I'm creating a wildcard cert for "*.idcmp.foo.example.org". This is part of the "foo.example.org" zone. When the provider attempts to do a DNS challenge, it thinks it's supposed to hit the "idcmp.foo.example.org" zone, which doesn't exist.

Therefore Terraform reports:

* acme_certificate.certificate: error creating certificate: acme: Error -> One or more domains had a problem:
[idcmp.foo.example.org] Error presenting token: zone does not exist

I have no logs as setting TF_LOG=INFO doesn't seem to output any Provider logs.

I'm running Terraform v0.11.8, with master of the acme plugin.

If I could just tell the acme_certificate stanza which zone to use, I would be set.

Interestingly, calling certbot with -d *.idcmp.foo.example.org doesn't exhibit this problem.

`No such authorization` Unable to generate staging cert

When trying to generate certificate from LetsEncrypt staging env, getting the following error:

2019/06/17 11:35:19 [DEBUG] module.rancher_server.acme_certificate.staging[0]: apply errored, but we're indicating that via the Error pointer rather than returning it: error creating certificate: acme: Error -> One or more domains had a problem:
[rancher.k8s-svpc.igentify.net] acme: error: 404 :: POST :: https://acme-staging-v02.api.letsencrypt.org/acme/authz/213331 :: urn:ietf:params:acme:error:malformed :: No such authorization, url:

{
  "type": "urn:ietf:params:acme:error:malformed",
  "detail": "No such authorization",
  "status": 404
}

400 when generating a certificate for Azure

I took the example from here and modified it to use Azure for the dns challenge. The main.tf is below, you will only need to supply azure details and an email.

Any advice on how to proceed would be welcome.

provider "acme" {
  server_url = "https://acme-staging-v02.api.letsencrypt.org/directory"
}

# Create the resource group
resource "azurerm_resource_group" "environment" {
  name     = "certest-rg"
  location = "West Europe"
}

resource "tls_private_key" "private_key" {
  algorithm = "RSA"
}

resource "acme_registration" "reg" {
  account_key_pem = "${tls_private_key.private_key.private_key_pem}"
  email_address   = "[email protected]"
}

resource "acme_certificate" "certificate" {
  account_key_pem           = "${acme_registration.reg.account_key_pem}"
  common_name               = "www.example.com"
  subject_alternative_names = ["www2.example.com"]

  dns_challenge {
    provider = "azure"

    config {
      AZURE_CLIENT_ID         = ""
      AZURE_CLIENT_SECRET     = ""
      AZURE_SUBSCRIPTION_ID   = ""
      AZURE_TENANT_ID         = ""
      AZURE_RESOURCE_GROUP    = "${azurerm_resource_group.environment.id}"
    }
  }
}

And the error.

Error: Error applying plan:

1 error(s) occurred:

* acme_certificate.certificate: 1 error(s) occurred:

* acme_certificate.certificate: error creating certificate: acme: Error -> One or more domains had a problem:
[www2.example.com] Error presenting token: dns.ZonesClient#Get: Failure responding to request: StatusCode=400 -- Original Error: autorest/azure: Service returned an error. Status=400 Code="InvalidApiVersionParameter" Message="The api-version '2017-09-01' is invalid. The supported versions are '2018-07-01,2018-06-01,2018-05-01,2018-02-01,2018-01-01,2017-12-01,2017-08-01,2017-06-01,2017-05-10,2017-05-01,2017-03-01,2016-09-01,2016-07-01,2016-06-01,2016-02-01,2015-11-01,2015-01-01,2014-04-01-preview,2014-04-01,2014-01-01,2013-03-01,2014-02-26,2014-04'."
[www.example.com] Error presenting token: dns.ZonesClient#Get: Failure responding to request: StatusCode=400 -- Original Error: autorest/azure: Service returned an error. Status=400 Code="InvalidApiVersionParameter" Message="The api-version '2017-09-01' is invalid. The supported versions are '2018-07-01,2018-06-01,2018-05-01,2018-02-01,2018-01-01,2017-12-01,2017-08-01,2017-06-01,2017-05-10,2017-05-01,2017-03-01,2016-09-01,2016-07-01,2016-06-01,2016-02-01,2015-11-01,2015-01-01,2014-04-01-preview,2014-04-01,2014-01-01,2013-03-01,2014-02-26,2014-04'."

Validations are slow

Hi, sorry for the vague title. First off, thanks for this great provider!

I'm using this to register a certificate with Let's Encrypt, using Route53 for the DNS challenge. The certificate has something like 20 SANs. It seems that each validation happens in sequence, and each takes 30-60 seconds.

Also, after all the SANs are validated successfully (or fail to validate), the DNS records are removed in sequence, which takes another 30-60 seconds.

All in all, it takes a little over half an hour for my certificate to be validated.

Am I correct in understanding that these validations are all happening in sequence (there's no debug output, so I'm speculating based on when records appear in Route53)? Would it cause problems if they were attempted in parallel? Thanks.

acme_certificate fails to destroy after certificate expired

When the LE certificate has already expired, Terraform will fail its run which results in a failure to clean up the state file. Not sure if this is addressable in the DNS provider or not, I do know I can manually delete state however it would be great if there was a more graceful approach - of if in the wisdom of the provider it's attempting to delete an expired certificate it accepts that LE will return a 403 from /acme/revoke-cert; or skip this all together.

Log: https://gist.github.com/mengesb/ecc2bee6c3be26899b2f2b4c8c781e9b

output certificate issuer thumbprint

This is a feature request rather than a bug

There is already a certificate_issuer_pem output, but a certificate_issuer_thumbprint would also be very useful

certificate renewal does not appear to update other resources using the certificate_p12 attribute on first apply

Community Note

Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform (and ACME Provider) Version

Terraform v0.11.14

provider.acme v1.3.2
provider.azurerm v1.29.0
provider.random v2.1.2
provider.tls v2.0.1

Affected Resource(s)

acme_certificate

Terraform Configuration Files

Here is a snippet of the Terraform I have been using to help reproduce:-

resource "tls_private_key" "private_key" {
  algorithm = "RSA"
}

resource "acme_registration" "reg" {
  account_key_pem = "${tls_private_key.private_key.private_key_pem}"
  email_address   = "${var.certificate_notification_email_address}"
}

resource "random_string" "certificate_password" {
  length      = 30
  upper       = true
  min_upper   = 5
  lower       = true
  min_lower   = 5
  number      = true
  min_numeric = 5
  special     = false
}

resource "acme_certificate" "certificate" {
  account_key_pem          = "${acme_registration.reg.account_key_pem}"
  common_name              = "${local.sub_domain}.${var.domain_name}"
  key_type                 = 4096
  certificate_p12_password = "${random_string.certificate_password.result}"

  # intentionally set to 90 to test renewal process immediately
  min_days_remaining = 90

  dns_challenge {
    provider = "azure"

    config = {
      ARM_CLIENT_ID       = "${var.dns_client_id}"
      ARM_CLIENT_SECRET   = "${var.dns_client_secret}"
      ARM_SUBSCRIPTION_ID = "${var.dns_subscription_id}"
      ARM_TENANT_ID       = "${var.dns_tenant_id}"
      ARM_RESOURCE_GROUP  = "${var.dns_resource_group_name}"
    }
  }
}

resource "azurerm_key_vault" "vault" {
  name                = "${lower(var.environment)}"
  location            = "${azurerm_resource_group.certificate.location}"
  resource_group_name = "${azurerm_resource_group.certificate.name}"

  sku {
    name = "standard"
  }

  tenant_id = "${data.azurerm_client_config.current.tenant_id}"

  enabled_for_deployment          = true
  enabled_for_template_deployment = true

  access_policy {
    tenant_id = "${data.azurerm_client_config.current.tenant_id}"
    object_id = "${data.azurerm_client_config.current.service_principal_object_id}"

    key_permissions = []

    secret_permissions = [
      "delete",
      "get",
      "list",
      "set",
    ]

    certificate_permissions = [
      "get",
      "list",
      "update",
      "import",
      "delete",
    ]
  }

  tags = "${local.tags}"
}

resource "azurerm_key_vault_certificate" "certificate" {
  name         = "${local.sub_domain}"
  key_vault_id = "${azurerm_key_vault.vault.id}"

  certificate {
    contents = "${acme_certificate.certificate.certificate_p12}"
    password = "${acme_certificate.certificate.certificate_p12_password}"
  }

  certificate_policy {
    issuer_parameters {
      name = "Self"
    }

    key_properties {
      exportable = true
      key_size   = 4096
      key_type   = "RSA"
      reuse_key  = false
    }

    secret_properties {
      content_type = "application/x-pkcs12"
    }
  }

  tags = "${local.tags}"
}

Expected Behavior

When terraform apply is executed and the acme_certificate resource is within the min_days_remaining window the certificate is renewed and the computed certificate_p12 attribute is updated, so that dependant resources can also be updated.

Actual Behavior

On first terraform apply execution within the min_days_remaining on the acme_certificate resource only the acme_certificate resource is updated, you have to perform a second terraform apply before the certificate_p12 attribute and dependant resources are updated.

Steps to Reproduce

terraform apply

An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
  ~ update in-place

Terraform will perform the following actions:

  ~ acme_certificate.certificate
      certificate_pem: "-----BEGIN CERTIFICATE-----
[REDACTED]
-----END CERTIFICATE-----\n" => <computed>


Plan: 0 to add, 1 to change, 0 to destroy.

terraform apply

An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
  ~ update in-place
-/+ destroy and then create replacement

Terraform will perform the following actions:

  ~ acme_certificate.certificate
      certificate_pem: "-----BEGIN CERTIFICATE-----
[REDACTED]
-----END CERTIFICATE-----\n" => <computed>

-/+ azurerm_key_vault_certificate.certificate (new resource required)
      id:                                                    "https://cisteve.vault.azure.net/certificates/self-core-cisteve-uksouth/1eeadeb992e441f9b6c62463a4069d0c" => <computed> (forces new resource)
      certificate.#:                                         "1" => "1"
      certificate.0.contents:                                <sensitive> => <sensitive> (forces new resource)
      certificate.0.password:                                <sensitive> => <sensitive> (attribute changed)
      certificate_data:                                      "[REDACTED]" => <computed>
      certificate_policy.#:                                  "1" => "1"
      certificate_policy.0.issuer_parameters.#:              "1" => "1"
      certificate_policy.0.issuer_parameters.0.name:         "Self" => "Self"
      certificate_policy.0.key_properties.#:                 "1" => "1"
      certificate_policy.0.key_properties.0.exportable:      "true" => "true"
      certificate_policy.0.key_properties.0.key_size:        "4096" => "4096"
      certificate_policy.0.key_properties.0.key_type:        "RSA" => "RSA"
      certificate_policy.0.key_properties.0.reuse_key:       "false" => "false"
      certificate_policy.0.secret_properties.#:              "1" => "1"
      certificate_policy.0.secret_properties.0.content_type: "application/x-pkcs12" => "application/x-pkcs12"
      certificate_policy.0.x509_certificate_properties.#:    "1" => <computed>
      key_vault_id:                                          "/subscriptions/[REDACTED]/resourceGroups/self-core-cisteve-certificate-uksouth/providers/Microsoft.KeyVault/vaults/cisteve" => "/subscriptions/[REDACTED]/resourceGroups/self-core-cisteve-certificate-uksouth/providers/Microsoft.KeyVault/vaults/cisteve"
      name:                                                  "self-core-cisteve-uksouth" => "self-core-cisteve-uksouth"
      secret_id:                                             "https://cisteve.vault.azure.net/secrets/self-core-cisteve-uksouth/1eeadeb992e441f9b6c62463a4069d0c" => <computed>
      tags.%:                                                "4" => "4"
      tags.environment:                                      "cisteve" => "cisteve"
      tags.organisation:                                     "self" => "self"
      tags.owner:                                            "Innovation" => "Innovation"
      tags.system:                                           "core" => "core"
      thumbprint:                                            "B7165BA96426ED32865AF53C6BE05154637F7D04" => <computed>
      vault_uri:                                             "https://cisteve.vault.azure.net/" => <computed>
      version:                                               "1eeadeb992e441f9b6c62463a4069d0c" => <computed>


Plan: 1 to add, 1 to change, 1 to destroy.

References

This appears to be a different scenario to the following issue:-

v1.0.0 - Change from ACME staging to prod

Original issue opened by @GMartinez-Sisti

Hi,

I just updated your plugin from 0.50 to v1.0.0 and requested a new staging certificate. It worked perfectly with the documentation provided in https://github.com/vancluever/terraform-provider-acme/blob/v1.0.0/doc/resource_acme_certificate.md .

The issue occurred when changing from staging to prod, just by changing the variable server_url. The error was the following:

module.XXX.acme_registration.reg: acme_registration.reg: acme: Error 400 - urn:ietf:params:acme:error:accountDoesNotExist - No account exists with the provided key

I realised that by changing the server_url, the plugin was trying to get information about the existing account, created with the staging url, on the production url, and the production url had no information about the account.

I had to change the steps to the following:

# To force resource recreation, there are duplicate resources for each environment

# Create the private key for the registration
resource "tls_private_key" "reg_private_key_staging" {
  count     = "${var.acme_server_env == "staging" ? 1 : 0}"
  algorithm = "RSA"
  rsa_bits  = 4096

  lifecycle {
    create_before_destroy = true
  }
}

resource "tls_private_key" "reg_private_key_prod" {
  count     = "${var.acme_server_env == "prod" ? 1 : 0}"
  algorithm = "RSA"
  rsa_bits  = 4096

  lifecycle {
    create_before_destroy = true
  }
}

# Set up registration server
provider "acme" {
  alias      = "staging"
  server_url = "https://acme-staging-v02.api.letsencrypt.org/directory"
}

provider "acme" {
  alias      = "prod"
  server_url = "https://acme-v02.api.letsencrypt.org/directory"
}

# Set up a registration using a private key from tls_private_key
resource "acme_registration" "reg_staging" {
  count           = "${var.acme_server_env == "staging" ? 1 : 0}"
  provider        = "acme.staging"
  account_key_pem = "${tls_private_key.reg_private_key_staging.private_key_pem}"
  email_address   = "${var.email}"
}

resource "acme_registration" "reg_prod" {
  provider        = "acme.prod"
  count           = "${var.acme_server_env == "prod" ? 1 : 0}"
  account_key_pem = "${tls_private_key.reg_private_key_prod.private_key_pem}"
  email_address   = "${var.email}"
}

# Create the private key for the certificate
resource "tls_private_key" "cert_private_key_staging" {
  count     = "${var.acme_server_env == "staging" ? 1 : 0}"
  algorithm = "RSA"
  rsa_bits  = 4096

  lifecycle {
    create_before_destroy = true
  }
}

resource "tls_private_key" "cert_private_key_prod" {
  count     = "${var.acme_server_env == "prod" ? 1 : 0}"
  algorithm = "RSA"
  rsa_bits  = 4096

  lifecycle {
    create_before_destroy = true
  }
}

resource "tls_cert_request" "req_staging" {
  count           = "${var.acme_server_env == "staging" ? 1 : 0}"
  key_algorithm   = "RSA"
  private_key_pem = "${tls_private_key.cert_private_key_staging.private_key_pem}"
  dns_names       = ["${var.fqdn}"]

  subject {
    common_name = "${var.fqdn}"
  }

  lifecycle {
    create_before_destroy = true
  }
}

resource "tls_cert_request" "req_prod" {
  count           = "${var.acme_server_env == "prod" ? 1 : 0}"
  key_algorithm   = "RSA"
  private_key_pem = "${tls_private_key.cert_private_key_prod.private_key_pem}"
  dns_names       = ["${var.fqdn}"]

  subject {
    common_name = "${var.fqdn}"
  }

  lifecycle {
    create_before_destroy = true
  }
}

# Create a certificate.
resource "acme_certificate" "certificate_staging" {
  count                   = "${var.acme_server_env == "staging" ? 1 : 0}"
  provider                = "acme.staging"
  account_key_pem         = "${acme_registration.reg_staging.account_key_pem}"
  certificate_request_pem = "${tls_cert_request.req_staging.cert_request_pem}"
  min_days_remaining      = 7

  dns_challenge {
    provider = "route53"
  }

  lifecycle {
    create_before_destroy = true
  }
}

resource "acme_certificate" "certificate_prod" {
  count                   = "${var.acme_server_env == "prod" ? 1 : 0}"
  provider                = "acme.prod"
  account_key_pem         = "${acme_registration.reg_prod.account_key_pem}"
  certificate_request_pem = "${tls_cert_request.req_prod.cert_request_pem}"
  min_days_remaining      = 7

  dns_challenge {
    provider = "route53"
  }

  lifecycle {
    create_before_destroy = true
  }
}

resource "aws_iam_server_certificate" "iam_server_certificate" {
  name_prefix = "${var.fqdn}-"

  certificate_body  = "${coalesce(join(",",acme_certificate.certificate_staging.*.certificate_pem),join(",",acme_certificate.certificate_prod.*.certificate_pem))}"
  certificate_chain = "${coalesce(join(",",acme_certificate.certificate_staging.*.issuer_pem),join(",",acme_certificate.certificate_prod.*.issuer_pem))}"
  private_key       = "${coalesce(join(",",tls_private_key.cert_private_key_staging.*.private_key_pem),join(",",tls_private_key.cert_private_key_prod.*.private_key_pem))}"
  path              = "/certs/"

  lifecycle {
    create_before_destroy = true
  }

  provisioner "local-exec" {
    command = "sleep 10"
  }
}

I'm sharing this to suggest that it would be best to reconfigure the plugin to keep the original server_url with the resource, or to upgrade the documentation with this information.

I can submit a pull request to the documentation if you want. Just let me know!

Keep up the great work :)

Regards
Gabriel

Renewal attempted on expired cert, crash

I know this won't be a terrible amount of data go to on, and reproducing this takes 91+ days.

I ran my acme plan attempt to renew a certificate expired yesterday, and the provider crashed. Naturally, since I use pTFE, I don't have the exact crash.log however I do have the terminal output:

�Terraform v0.11.13

Initializing plugins and modules...
2019/07/05 16:11:00 [DEBUG] Using modified User-Agent: Terraform/0.11.13 PTFE/e63ebf6
acme_certificate.acme: Modifying... (ID: https://acme-v02.api.letsencrypt.org/ac...t/0301baacc85183a04279ed465afcf62cdb83)
  certificate_domain: "dev1.app-arcus.anaplan.io" => "<computed>"
  certificate_p12:    "<sensitive>" => "<sensitive>"
  certificate_pem:    "-----BEGIN CERTIFICATE-----\nREDACTED\n-----END CERTIFICATE-----\n" => "<computed>"
  certificate_url:    "https://acme-v02.api.letsencrypt.org/acme/cert/0301baacc85183a04279ed465afcf62cdb83" => "<computed>"
  issuer_pem:         "-----BEGIN CERTIFICATE-----\nnREDACTED\n-----END CERTIFICATE-----\n" => "<computed>"
  private_key_pem:    "<sensitive>" => "<sensitive>"

Error: Error applying plan:

1 error(s) occurred:

* acme_certificate.acme: 1 error(s) occurred:

* acme_certificate.acme: unexpected EOF

Terraform does not automatically rollback in the face of errors.
Instead, your Terraform state file has been partially updated with
any resources that successfully completed. Please address the error
above and apply again to incrementally change your infrastructure.


panic: runtime error: invalid memory address or nil pointer dereference
2019-07-05T16:11:02.463Z [DEBUG] plugin.terraform-provider-acme_v1.3.4_x4: [signal SIGSEGV: segmentation violation code=0x1 addr=0x8 pc=0xdbc068]
2019-07-05T16:11:02.463Z [DEBUG] plugin.terraform-provider-acme_v1.3.4_x4: 
2019-07-05T16:11:02.463Z [DEBUG] plugin.terraform-provider-acme_v1.3.4_x4: goroutine 46 [running]:
2019-07-05T16:11:02.463Z [DEBUG] plugin.terraform-provider-acme_v1.3.4_x4: github.com/terraform-providers/terraform-provider-acme/vendor/github.com/go-acme/lego/certcrypto.ParsePEMPrivateKey(0x2d5c320, 0x0, 0x0, 0xc000669880, 0x2, 0x2, 0x38)
2019-07-05T16:11:02.463Z [DEBUG] plugin.terraform-provider-acme_v1.3.4_x4: 	/opt/teamcity-agent/work/5d79fe75d4460a2f/src/github.com/terraform-providers/terraform-provider-acme/vendor/github.com/go-acme/lego/certcrypto/crypto.go:83 +0x48
2019-07-05T16:11:02.463Z [DEBUG] plugin.terraform-provider-acme_v1.3.4_x4: github.com/terraform-providers/terraform-provider-acme/vendor/github.com/go-acme/lego/certificate.(*Certifier).Renew(0xc0001304b0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2d5c320, 0x0, 0x0, ...)
2019-07-05T16:11:02.463Z [DEBUG] plugin.terraform-provider-acme_v1.3.4_x4: 	/opt/teamcity-agent/work/5d79fe75d4460a2f/src/github.com/terraform-providers/terraform-provider-acme/vendor/github.com/go-acme/lego/certificate/certificates.go:372 +0x58b
2019-07-05T16:11:02.463Z [DEBUG] plugin.terraform-provider-acme_v1.3.4_x4: github.com/terraform-providers/terraform-provider-acme/acme.resourceACMECertificateUpdate(0xc000200c40, 0x14fe320, 0xc0001624a0, 0x24, 0x2d5dc00)
2019-07-05T16:11:02.463Z [DEBUG] plugin.terraform-provider-acme_v1.3.4_x4: 	/opt/teamcity-agent/work/5d79fe75d4460a2f/src/github.com/terraform-providers/terraform-provider-acme/acme/resource_acme_certificate.go:461 +0x405
2019-07-05T16:11:02.463Z [DEBUG] plugin.terraform-provider-acme_v1.3.4_x4: github.com/terraform-providers/terraform-provider-acme/vendor/github.com/hashicorp/terraform/helper/schema.(*Resource).Apply(0xc00018b200, 0xc0000c2280, 0xc0000a8f80, 0x14fe320, 0xc0001624a0, 0xc00057ec01, 0x0, 0xc0003a6bd0)
2019-07-05T16:11:02.463Z [DEBUG] plugin.terraform-provider-acme_v1.3.4_x4: 	/opt/teamcity-agent/work/5d79fe75d4460a2f/src/github.com/terraform-providers/terraform-provider-acme/vendor/github.com/hashicorp/terraform/helper/schema/resource.go:292 +0x264
2019-07-05T16:11:02.463Z [DEBUG] plugin.terraform-provider-acme_v1.3.4_x4: github.com/terraform-providers/terraform-provider-acme/vendor/github.com/hashicorp/terraform/helper/schema.(*Provider).Apply(0xc00018b280, 0xc0000c2230, 0xc0000c2280, 0xc0000a8f80, 0xc0004c9470, 0xc0003a6bd0, 0x7fe669aba6d0)
2019-07-05T16:11:02.463Z [DEBUG] plugin.terraform-provider-acme_v1.3.4_x4: 	/opt/teamcity-agent/work/5d79fe75d4460a2f/src/github.com/terraform-providers/terraform-provider-acme/vendor/github.com/hashicorp/terraform/helper/schema/provider.go:285 +0x18f
2019-07-05T16:11:02.463Z [DEBUG] plugin.terraform-provider-acme_v1.3.4_x4: github.com/terraform-providers/terraform-provider-acme/vendor/github.com/hashicorp/terraform/plugin.(*ResourceProviderServer).Apply(0xc0004ad7c0, 0xc0000a8a00, 0xc000163e20, 0x0, 0x0)
2019-07-05T16:11:02.463Z [DEBUG] plugin.terraform-provider-acme_v1.3.4_x4: 	/opt/teamcity-agent/work/5d79fe75d4460a2f/src/github.com/terraform-providers/terraform-provider-acme/vendor/github.com/hashicorp/terraform/plugin/resource_provider.go:530 +0x57
2019-07-05T16:11:02.463Z [DEBUG] plugin.terraform-provider-acme_v1.3.4_x4: reflect.Value.call(0xc000590540, 0xc00016a048, 0x13, 0x18ca7b0, 0x4, 0xc00058cf18, 0x3, 0x3, 0xc0004b8d40, 0x0, ...)
2019-07-05T16:11:02.463Z [DEBUG] plugin.terraform-provider-acme_v1.3.4_x4: 	/opt/goenv/versions/1.12.5/src/reflect/value.go:447 +0x461
2019-07-05T16:11:02.463Z [DEBUG] plugin.terraform-provider-acme_v1.3.4_x4: reflect.Value.Call(0xc000590540, 0xc00016a048, 0x13, 0xc000220f18, 0x3, 0x3, 0x0, 0x0, 0x0)
2019-07-05T16:11:02.463Z [DEBUG] plugin.terraform-provider-acme_v1.3.4_x4: 	/opt/goenv/versions/1.12.5/src/reflect/value.go:308 +0xa4
2019-07-05T16:11:02.463Z [DEBUG] plugin.terraform-provider-acme_v1.3.4_x4: net/rpc.(*service).call(0xc0004b8600, 0xc000172190, 0xc0004664e8, 0xc000466510, 0xc000122000, 0xc000166620, 0x150cba0, 0xc0000a8a00, 0x16, 0x150cbe0, ...)
2019-07-05T16:11:02.463Z [DEBUG] plugin.terraform-provider-acme_v1.3.4_x4: 	/opt/goenv/versions/1.12.5/src/net/rpc/server.go:384 +0x14e
2019-07-05T16:11:02.463Z [DEBUG] plugin.terraform-provider-acme_v1.3.4_x4: created by net/rpc.(*Server).ServeCodec
2019-07-05T16:11:02.463Z [DEBUG] plugin.terraform-provider-acme_v1.3.4_x4: 	/opt/goenv/versions/1.12.5/src/net/rpc/server.go:481 +0x42b
2019/07/05 16:11:02 [TRACE] root: eval: *terraform.EvalWriteState
2019-07-05T16:11:02.465Z [DEBUG] plugin: plugin process exited: path=/terraform/.terraform/plugins/linux_amd64/terraform-provider-acme_v1.3.4_x4
2019/07/05 16:11:02 [TRACE] root: eval: *terraform.EvalApplyProvisioners
2019/07/05 16:11:02 [TRACE] root: eval: *terraform.EvalIf
2019/07/05 16:11:02 [TRACE] root: eval: *terraform.EvalWriteState
2019/07/05 16:11:02 [TRACE] root: eval: *terraform.EvalWriteDiff
2019/07/05 16:11:02 [TRACE] root: eval: *terraform.EvalApplyPost
2019/07/05 16:11:02 [ERROR] root: eval: *terraform.EvalApplyPost, err: 1 error(s) occurred:

* acme_certificate.acme: unexpected EOF
2019/07/05 16:11:02 [ERROR] root: eval: *terraform.EvalSequence, err: 1 error(s) occurred:

* acme_certificate.acme: unexpected EOF
2019/07/05 16:11:02 [TRACE] [walkApply] Exiting eval tree: acme_certificate.acme
2019/07/05 16:11:02 [TRACE] dag/walk: upstream errored, not walking "provider.acme (close)"
2019/07/05 16:11:02 [TRACE] dag/walk: upstream errored, not walking "output.acme_certificate"
2019/07/05 16:11:02 [TRACE] dag/walk: upstream errored, not walking "meta.count-boundary (count boundary fixup)"
2019/07/05 16:11:02 [TRACE] dag/walk: upstream errored, not walking "root"
2019/07/05 16:11:02 [TRACE] Preserving existing state lineage "374b2ccd-61d7-0c29-f41c-03ffa14f79b6"
2019/07/05 16:11:02 [TRACE] Preserving existing state lineage "374b2ccd-61d7-0c29-f41c-03ffa14f79b6"
2019/07/05 16:11:02 [TRACE] Preserving existing state lineage "374b2ccd-61d7-0c29-f41c-03ffa14f79b6"
2019/07/05 16:11:02 [DEBUG] PUT REDACTED
2019/07/05 16:11:02 [DEBUG] plugin: waiting for all plugin processes to complete...
2019-07-05T16:11:02.614Z [WARN ] plugin: error closing client during Kill: err="connection is shut down"



!!!!!!!!!!!!!!!!!!!!!!!!!!! TERRAFORM CRASH !!!!!!!!!!!!!!!!!!!!!!!!!!!!

Terraform crashed! This is always indicative of a bug within Terraform.
A crash log has been placed at "crash.log" relative to your current
working directory. It would be immensely helpful if you could please
report the crash with Terraform[1] so that we can fix this.

When reporting bugs, please include your terraform version. That
information is available on the first line of crash.log. You can also
get it by running 'terraform --version' on the command line.

[1]: https://github.com/hashicorp/terraform/issues

!!!!!!!!!!!!!!!!!!!!!!!!!!! TERRAFORM CRASH !!!!!!!!!!!!!!!!!!!!!!!!!!!!
�
State versions created:
REDACTED#sv-VcJZP62tMCfA9HyL (Jul 05, 2019 09:11:01 am)
REDACTED#sv-5bpKVUsefPJRS41k (Jul 05, 2019 09:11:02 am)

I'm sure this has something to do with reading the certificate and maybe calculating a negative time remaining on the certificate in the provider. Of course the trace shows hints of this being lower down in lego so not sure if this is a dependency problem either.

Changing p12 password doesn't cause the p12 cert to be regenerated.

Hi All,

Sorry of the back of the #32 I believe an additional change is required.

When changing the p12 password the p12 (pfx) isn't regenerated due to a check in the update method that looks to see if the certificate_pem has changed. If it hasn't it ignores all other changes. See here

Expected Outcome

Changing the attribute certificate_p12_password should update the certificate_p12 to be a new base64 encoded certificate using the existing pem

Actual Outcome

The password is updated in the state but the base64 encoded certificated is the same as the existing one using the previous password.

acme_certificate renewal fails with "First certificate is a CA certificate"

The certificate renewal (with latest terraform 0.11.14) with the acme provider (latest version 1.3.0) consistently fails during the terraform plan stage with the error:

Error: Error running plan: 1 error occurred:
	* acme_certificate.cc_acme_certificate: 1 error occurred:
	* acme_certificate.cc_acme_certificate: unable to calculate time to certificate expiry: First certificate is a CA certificate

Below is the configuration that causes the problem:

resource "tls_private_key" "private_staging_key" {
  algorithm = "RSA"
  rsa_bits = 4096
  lifecycle {
    create_before_destroy = true
  }
}

resource "tls_private_key" "private_prod_key" {
  algorithm = "RSA"
  rsa_bits = 4096
  lifecycle {
    create_before_destroy = true
  }
}

resource "acme_registration" "cc_staging_registration" {
  account_key_pem = "${tls_private_key.private_staging_key.private_key_pem}"
  email_address   = "[email protected]"
  provider = "acme.staging"
  lifecycle {
    create_before_destroy = true
  }
}

resource "acme_registration" "cc_prod_registration" {
  account_key_pem = "${tls_private_key.private_prod_key.private_key_pem}"
  email_address   = "[email protected]"
  provider = "acme.prod"
  lifecycle {
    create_before_destroy = true
  }
}

resource "acme_certificate" "cc_acme_certificate" {
  account_key_pem           = "${acme_registration.cc_prod_registration.account_key_pem}"
  common_name               = "*.our-domain.com"
  provider = "acme.prod"
  dns_challenge {
    provider = "route53"
  }
  lifecycle {
    create_before_destroy = true
  }
}

resource "aws_acm_certificate" "cc_ssl_certificate" {
  private_key = "${acme_certificate.cc_acme_certificate.private_key_pem}"
  certificate_body = "${acme_certificate.cc_acme_certificate.certificate_pem}"
  certificate_chain = "${acme_certificate.cc_acme_certificate.issuer_pem}"
}

The acme provider is configured as follows:

provider "acme" {
  alias = "prod"
  server_url = "https://acme-v02.api.letsencrypt.org/directory"
}

provider "acme" {
  alias = "staging"
  server_url = "https://acme-staging-v02.api.letsencrypt.org/directory"
}

External Account Binding

The request is to support ‘external account binding’ as specified in RFC8555 for ACME support in Terraform. This will enable enterprise customers to obtain certificates from CAs that implement this feature at the server side as they may have an existing account with them. Popular ACME clients, e.g., Certbot, have implemented this feature already.

If interested in completing this work under contract for NRE, please contact me at [email protected].

Recommend Projects

React

A declarative, efficient, and flexible JavaScript library for building user interfaces.
Vue.js

🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
Typescript

TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
TensorFlow

An Open Source Machine Learning Framework for Everyone
Django

The Web framework for perfectionists with deadlines.
Laravel

A PHP framework for web artisans
D3

Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

javascript

JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
web

Some thing interesting about web. New door for the world.
server

A server is a program made to process requests and deliver data to clients.
Machine learning

Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Visualization

Some thing interesting about visualization, use data art
Game

Some thing interesting about game, make everyone happy.

Recommend Org

Facebook

We are working to build community through open source technology. NB: members must have two-factor auth.
Microsoft

Open source projects and samples from Microsoft.
Google

Google ❤️ Open Source for everyone.
Alibaba

Alibaba Open Source for everyone
D3

Data-Driven Documents codes.
Tencent

China tencent open source team.

Jobs

Jooble

vancluever / terraform-provider-acme Goto Github PK

terraform-provider-acme's Introduction

Terraform ACME Provider

Documentation

License

terraform-provider-acme's People

Contributors

Stargazers

Watchers

Forkers

terraform-provider-acme's Issues

Config

Apply Log

Terraform Version

Terraform Configuration Files

Debug Output

Crash Output

Expected Behavior

Actual Behavior

Steps to Reproduce

Additional Context

References

Terraform Version

Expected Output

Partial debug output

How to repro

Terraform Version

Terraform Configuration Files

Debug Output

Crash Output

Expected Behavior

Actual Behavior

Steps to Reproduce

Terraform / ACME version

Terraform Version

Terraform Configuration Files

Debug Output

Crash Output

Steps to Reproduce

Community Note

Terraform (and ACME Provider) Version

Affected Resource(s)

Terraform Configuration Files

Expected Behavior

Actual Behavior

Steps to Reproduce

References

Expected Outcome

Actual Outcome

Recommend Projects

Recommend Topics

Recommend Org

Jobs