We have run into the following issue trying to upload a “staging” Let's Encrypt certificate acquired using the acme_certificate provider to Azure. It happens both from Terraform (automated) and also from the Azure portal (manual), and the error is the same: “Expired certificate is not allowed”. The issue doesn't apply to “production” Let's Encrypt certificates.
…
2021-03-02T20:18:29.494Z [DEBUG] plugin.terraform-provider-azurerm_v2.49.0_x5: [DEBUG] AzureRM Response for https://management.azure.com/subscriptions//resourceGroups/<RESOURCE_GROUP>/providers/Microsoft.Web/certificates/?api-version=2020-06-01:
2021-03-02T20:18:29.494Z [DEBUG] plugin.terraform-provider-azurerm_v2.49.0_x5: HTTP/2.0 400 Bad Request
…
2021-03-02T20:18:29.494Z [DEBUG] plugin.terraform-provider-azurerm_v2.49.0_x5: {"Code":"BadRequest","Message":"Expired certificate is not allowed.","Target":null,"Details":[{"Message":"Expired certificate is not allowed."},{"Code":"BadRequest"},{"ErrorEntity":{"ExtendedCode":"04038","MessageTemplate":"Expired certificate is not allowed.","Parameters":,"Code":"BadRequest","Message":"Expired certificate is not allowed."}}],"Innererror":null}
…
A ticket opened with Microsoft (#121030226004947) determined their validation process was detecting an expired root certificate.
So over to the Let's Encrypt community and this thread, “(STAGING) Doctored Durian Root CA X3 is expired (breaks test environment) - #17 by schoen - Help - Let's Encrypt Community Support”, explaining that one of the two staging root certificates has expired. The certificate chain that Azure is using to validate our upload contains the expired root certificate.
In terms of a solution moving forward, we've been advised that those who don't want the expired cert should “request an alternative chain” and that this needs to be developed within the acme_certificate provider.
Has anyone got any further information on whether this is the case?
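The check a practitioner wants before uploading a chain like this is simply to inspect the validity period of every certificate in the PEM bundle and flag the expired one, rather than learning about it from the upload error. The following is an added example, not code from the original post, the Terraform provider or Let's Encrypt: a standard-library-only Python walker that reads the Validity field of each DER certificate in a PEM chain. The sample chain it runs on is constructed inline (the dates, the "Test" subject and the placeholder key/signature fields are all made up for the example) and is only structurally a certificate; the `validity_of` parser itself works on real PEM chains such as a `fullchain.pem`.

```python
"""Report which certificates in a PEM chain have expired (stdlib only)."""
import base64
import re
from datetime import datetime, timezone

PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def _read_tlv(buf, pos):
    """Parse one DER tag/length at pos; return (tag, value_start, value_end)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def _parse_time(tag, raw):
    """Decode UTCTime (0x17) or GeneralizedTime (0x18) to an aware datetime."""
    s = raw.decode("ascii")
    if tag == 0x17:                        # RFC 5280: YY 50-99 -> 19YY, 00-49 -> 20YY
        yy = int(s[:2])
        s = ("19" if yy >= 50 else "20") + s
    elif tag != 0x18:
        raise ValueError("unexpected time tag %#x" % tag)
    return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def validity_of(der):
    """Return (not_before, not_after) of a DER-encoded X.509 certificate."""
    _, cert_start, _ = _read_tlv(der, 0)           # Certificate SEQUENCE
    _, pos, _ = _read_tlv(der, cert_start)         # TBSCertificate SEQUENCE
    tag, _, end = _read_tlv(der, pos)
    if tag == 0xA0:                                # optional [0] EXPLICIT version
        pos = end
    for _ in range(3):                             # serialNumber, signature, issuer
        _, _, pos = _read_tlv(der, pos)
    _, vpos, _ = _read_tlv(der, pos)               # Validity SEQUENCE
    t1, s1, e1 = _read_tlv(der, vpos)
    t2, s2, e2 = _read_tlv(der, e1)
    return _parse_time(t1, der[s1:e1]), _parse_time(t2, der[s2:e2])


def check_chain(pem_bytes, now=None):
    """List each certificate in a PEM bundle with its validity and expiry status."""
    now = now or datetime.now(timezone.utc)
    out = []
    for i, b64 in enumerate(PEM_RE.findall(pem_bytes)):
        nb, na = validity_of(base64.b64decode(b"".join(b64.split())))
        out.append({"index": i, "not_before": nb, "not_after": na, "expired": na < now})
    return out


def expired_positions(pem_bytes, now=None):
    """Indexes (0 = leaf) of certificates in the chain that are expired at `now`."""
    return [r["index"] for r in check_chain(pem_bytes, now) if r["expired"]]


# ---- constructed test data: a structurally valid but unsigned certificate ----
def _tlv(tag, body):
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body


def make_fake_cert_pem(not_before, not_after, cn=b"Test"):
    """Hypothetical certificate for demonstration only; key and signature are placeholders."""
    utc = lambda d: _tlv(0x17, d.strftime("%y%m%d%H%M%SZ").encode())
    version = _tlv(0xA0, _tlv(0x02, b"\x02"))                       # v3
    serial = _tlv(0x02, b"\x01")
    alg = _tlv(0x30, _tlv(0x06, bytes.fromhex("2a864886f70d01010b")))  # sha256WithRSA OID
    name = _tlv(0x30, _tlv(0x31, _tlv(0x30, _tlv(0x06, bytes.fromhex("550403")) + _tlv(0x0C, cn))))
    validity = _tlv(0x30, utc(not_before) + utc(not_after))
    spki = _tlv(0x30, alg + _tlv(0x03, b"\x00"))                    # placeholder key
    tbs = _tlv(0x30, version + serial + alg + name + validity + name + spki)
    cert = _tlv(0x30, tbs + alg + _tlv(0x03, b"\x00"))              # placeholder signature
    return b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(cert) + b"-----END CERTIFICATE-----\n"


_d = lambda *a: datetime(*a, tzinfo=timezone.utc)
SAMPLE_NOW = _d(2021, 3, 2)                      # constructed "upload date"
SAMPLE_CHAIN = (                                 # leaf, intermediate, expired root (all constructed)
    make_fake_cert_pem(_d(2021, 1, 1), _d(2021, 4, 1), b"leaf.example")
    + make_fake_cert_pem(_d(2016, 1, 1), _d(2026, 1, 1), b"Fake Intermediate")
    + make_fake_cert_pem(_d(2000, 9, 30), _d(2021, 1, 30), b"Fake Root")
)

if __name__ == "__main__":
    for r in check_chain(SAMPLE_CHAIN, SAMPLE_NOW):
        print(r["index"], r["not_after"].date(), "EXPIRED" if r["expired"] else "ok")
```

Run it against your own bundle with `check_chain(open("fullchain.pem", "rb").read())`; an expired entry at the last index is exactly the situation the post describes, where the leaf and intermediate are fine but the chain terminates in a root that Azure's validation rejects.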