Vault Troubleshooting Runbook

vault status

Sealed          true
Unseal Progress 0/2

vault operator unseal $(gopass show -o v3/domains/d000/vault/unseal-key-1)

vault operator unseal $(gopass show -o v3/domains/d000/vault/unseal-key-2)

vault status

Sealed          false

vault-ssh-sign

vault-ssh-test

Attempting to renew cert (guest.domusdigitalis.dev) from /etc/letsencrypt/renewal/guest.domusdigitalis.dev.conf produced an unexpected error:
dns_cloudflare_credentials: /root/.secrets/cloudflare.ini: No such file or directory

# 1. Check current config
sudo cat /etc/letsencrypt/renewal/guest.domusdigitalis.dev.conf | grep cloudflare

# 2. Edit the renewal config
sudo vim /etc/letsencrypt/renewal/guest.domusdigitalis.dev.conf

# 3. Change:
#    dns_cloudflare_credentials = /root/.secrets/cloudflare.ini
# To:
#    dns_cloudflare_credentials = /home/ansible/.secrets/cloudflare.ini

# 4. Test renewal
sudo certbot renew --cert-name guest.domusdigitalis.dev --dry-run

# 5. If successful, force renewal
sudo certbot renew --cert-name guest.domusdigitalis.dev --force-renewal

certbot certonly \
  --dns-cloudflare \
  --dns-cloudflare-credentials /home/ansible/.secrets/cloudflare.ini \
  -d guest.domusdigitalis.dev

Encountered NXDOMAIN when looking up TXT record: _acme-challenge.kvm-01.inside.domusdigitalis.dev

# Edit renewal config
sudo vim /etc/letsencrypt/renewal/kvm-01.inside.domusdigitalis.dev.conf

# Add or increase:
dns_cloudflare_propagation_seconds = 60

# Check API token permissions
# Token needs: Zone:DNS:Edit for domusdigitalis.dev

# List zones accessible by token
curl -X GET "https://api.cloudflare.com/client/v4/zones" \
  -H "Authorization: Bearer $(cat /home/ansible/.secrets/cloudflare.ini | grep api_token | cut -d= -f2 | tr -d ' ')" \
  -H "Content-Type: application/json"

# Consider using wildcard for *.inside.domusdigitalis.dev
# This reduces individual cert management

certbot certonly \
  --dns-cloudflare \
  --dns-cloudflare-credentials /home/ansible/.secrets/cloudflare.ini \
  -d "*.inside.domusdigitalis.dev" \
  -d "inside.domusdigitalis.dev"

/etc/letsencrypt/renewal-hooks/deploy/deploy-certs.sh

# Run deploy hook manually with debug
sudo bash -x /etc/letsencrypt/renewal-hooks/deploy/deploy-certs.sh

# Check what certificates triggered the hook
echo $RENEWED_LINEAGE
echo $RENEWED_DOMAINS

# Force renewal immediately
sudo certbot renew --force-renewal

# If renewal fails, issue new cert
sudo certbot certonly \
  --dns-cloudflare \
  --dns-cloudflare-credentials /home/ansible/.secrets/cloudflare.ini \
  -d [domain]

# Manually deploy after renewal
export RENEWED_LINEAGE="/etc/letsencrypt/live/[cert-name]"
export RENEWED_DOMAINS="[domain]"
sudo -E /etc/letsencrypt/renewal-hooks/deploy/deploy-certs.sh

# 1. Renew cert
sudo certbot renew --cert-name guest.domusdigitalis.dev --force-renewal

# 2. Manual deployment to ISE if hook fails
# Use netapi or direct API call
source <(dsec source d000 dev/network)
curl -sk -X POST "https://$<ise-pan-ip>/api/v1/certs/system-certificate/import" \
  -H "Authorization: Basic $<ise-api-token>" \
  -H "Content-Type: application/json" \
  -d @- << EOF
{
  "admin": false,
  "eap": false,
  "portal": true,
  "portalGroupTag": "Default Portal Certificate Group",
  "data": "$(base64 -w0 /etc/letsencrypt/live/guest.domusdigitalis.dev/fullchain.pem)",
  "privateKeyData": "$(base64 -w0 /etc/letsencrypt/live/guest.domusdigitalis.dev/privkey.pem)"
}
EOF