Update Loadbalancer SSL Certificate #702

Closed
nightmare-rg opened this issue Feb 22, 2024 · 4 comments

nightmare-rg commented Feb 22, 2024

TL;DR

I have a simple shell script for updating load balancer certificates with renewed Let's Encrypt certs. My script works with v1.36, and now I get an error.

Expected behavior

```
/tmp/hcloud version
hcloud 1.36.0
/tmp/hcloud load-balancer update-service staging-keycloak --http-certificates 1261648 --listen-port 443
500ms [==================================] 100.00%
Service 443 on Load Balancer 1550279 was updated
```

Observed behavior

```
/usr/local/bin/hcloud version
hcloud 1.42.0
/usr/local/bin/hcloud load-balancer update-service staging-keycloak --http-certificates 1261648 --listen-port 443
hcloud: invalid input in field 'health_check' (invalid_input)
```

Minimal working example

```bash
#!/bin/bash

# Set your Hetzner API token
export HCLOUD_TOKEN="XXXXXX"

# Set the name of your load balancers
LB_NAME=('staging-keycloak')

# Set the name of the certificate you want to replace
CERT_NAME="example-wildcart-cert-"$(date +"%Y%m%d-%H%M%S")

# Set the path to your new certificate and private key files
CERT_FILE="/etc/letsencrypt/live/example.de/fullchain.pem"
KEY_FILE="/etc/letsencrypt/live/example.de/privkey.pem"

# Upload the new certificate and extract its numeric ID from the CLI output
CERT_ID=$(/usr/local/bin/hcloud certificate create --name "$CERT_NAME" --cert-file "$CERT_FILE" --key-file "$KEY_FILE" | grep -oP '(?<=Certificate )\d+')

# Stop if the upload failed, so no service is updated with an empty certificate ID
if [ -z "$CERT_ID" ]; then
    echo "certificate upload failed" >&2
    exit 1
fi

echo "$CERT_ID"

for lb in "${LB_NAME[@]}";
do
    # Update the load balancer to use the new certificate
    echo "/usr/local/bin/hcloud load-balancer update-service $lb --http-certificates $CERT_ID --listen-port 443"
    /usr/local/bin/hcloud load-balancer update-service "$lb" --http-certificates "$CERT_ID" --listen-port 443
done
```

Log output

```
hcloud: invalid input in field 'health_check' (invalid_input)
```


apricote self-assigned this Feb 22, 2024
@apricote
Member

I can reproduce this. Looks like we now send (broken) empty options in the request.

Request from CLI 1.36.0:

```
--- Request:
POST /v1/load_balancers/1710364/actions/update_service HTTP/1.1
Host: api.hetzner.cloud
User-Agent: hcloud-cli/unknown hcloud-go/1.47.0
Content-Length: 80
Authorization: REDACTED
Content-Type: application/json
Accept-Encoding: gzip

{"listen_port":443,"destination_port":8080,"http":{},"health_check":{"http":{}}}

--- Response:
HTTP/2.0 201 Created
```

Request from CLI v1.42.0:

```
--- Request:
POST /v1/load_balancers/1710364/actions/update_service HTTP/1.1
Host: api.hetzner.cloud
User-Agent: hcloud-cli/1.42.0-dev hcloud-go/2.6.0
Content-Length: 118
Authorization: REDACTED
Content-Type: application/json
Accept-Encoding: gzip

{"listen_port":443,"destination_port":8080,"http":{"certificates":null},"health_check":{"http":{"status_codes":null}}}

--- Response:
HTTP/2.0 422 Unprocessable Entity
```

@apricote
Member

By bisecting I found out that it is broken since commit 59d73f4, which bumped us to hcloud-go v2.5.0. Further bisecting hcloud-go, it looks like this commit is at the root of it: hetznercloud/hcloud-go@6feda4d. This makes sense, we overhauled the way we convert our public Go Types and the API Schema types.

Will take a look into fixing this.

phm07 added a commit to hetznercloud/hcloud-go that referenced this issue Mar 5, 2024
In the conversion from LoadBalancerUpdateServiceOpts to
schema.LoadBalancerActionUpdateServiceRequest, there are conversions
from slices to slice pointers. Slice pointers exist in schemas to
differentiate between absent and empty.

Goverter converts nil slices to &nil. This leads to the field being
marshaled to `null` in JSON (even with the `omitempty` flag) instead of
being not present (See hetznercloud/cli#702)

This PR fixes this issue by adding manual conversion methods and adds
tests to account for this behavior.

---------

Co-authored-by: pauhull <[email protected]>
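
The marshaling behaviour described in the commit message above, as an added Go example (not code from hcloud-go or the CLI). `httpSchema`, `naivePtr` and `safePtr` are hypothetical names; the certificate ID is the one used in the issue.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// httpSchema is a hypothetical stand-in for the "http" object in the
// update_service request body. The slice pointer separates "absent"
// (nil pointer) from "empty" (pointer to an empty slice).
type httpSchema struct {
	Certificates *[]int64 `json:"certificates,omitempty"`
}

// naivePtr always takes the address, so a nil slice becomes a non-nil
// pointer to nil (the "&nil" case from the commit message).
func naivePtr(ids []int64) *[]int64 { return &ids }

// safePtr keeps a nil slice as a nil pointer so omitempty drops the field.
func safePtr(ids []int64) *[]int64 {
	if ids == nil {
		return nil
	}
	return &ids
}

// encode returns the JSON body produced for the given pointer.
func encode(certs *[]int64) string {
	b, err := json.Marshal(httpSchema{Certificates: certs})
	if err != nil {
		panic(err)
	}
	return string(b)
}

func main() {
	var unset []int64                              // option not set by the caller
	fmt.Println(encode(naivePtr(unset)))           // {"certificates":null}
	fmt.Println(encode(safePtr(unset)))            // {}
	fmt.Println(encode(safePtr([]int64{})))        // {"certificates":[]}
	fmt.Println(encode(safePtr([]int64{1261648}))) // {"certificates":[1261648]}
}
```

`omitempty` only checks whether the pointer itself is nil, which is why the first call still emits the field as `null`.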
@phm07
Contributor

phm07 commented Apr 2, 2024

Should be fixed with #720.

Can you please confirm that it works for you with

  • go install github.com/hetznercloud/cli/cmd/hcloud@6cea4cd
  • or go run github.com/hetznercloud/cli/cmd/hcloud@6cea4cd load-balancer update-service staging-keycloak --http-certificates 1261648 --listen-port 443

@nightmare-rg
Author

@phm07 It works fine with the newest Go version. Thank you!

```
go run github.com/hetznercloud/cli/cmd/hcloud@6cea4cd load-balancer update-service staging-keycloak --http-certificates 1261648 --listen-port 443
1.1s [===================================] 100.00%
Service 443 on Load Balancer 1550279 was updated
root@keycloak-1:~#
go version
go version go1.22.2 linux/amd64
```

apricote closed this as completed Apr 4, 2024