EngineerBetter / concourse-up

Deprecated - use Control Tower instead
https://github.com/EngineerBetter/control-tower
Apache License 2.0

Don't re-generate let's encrypt certificates on every run, only when needed. #76

Open jschaul opened 5 years ago

jschaul commented 5 years ago

Due to some issues with concourse-up / my local setup, I ran concourse-up multiple times. Since the certificate request code using Let's Encrypt does not keep track of already-requested certificates, this leads to errors caused by rate-limiting:

GENERATING BOSH DIRECTOR CERTIFICATE (<redacted-ips>)
2018/11/21 16:58:23 [INFO] acme: Registering account for nobody@madeupemailaddress.com
2018/11/21 16:58:24 [INFO][<redacted-domain>] acme: Obtaining bundled SAN certificate
2018/11/21 16:58:24 [INFO][<redacted-domain>] AuthURL: https://acme-v01.api.letsencrypt.org/acme/authz/<redacted>
2018/11/21 16:58:24 [INFO][<redacted-domain>] acme: Could not find solver for: tls-alpn-01
2018/11/21 16:58:24 [INFO][<redacted-domain>] acme: Trying to solve DNS-01
2018/11/21 16:58:59 [INFO][<redacted-domain>] Checking DNS record propagation using [8.8.8.8:53]
2018/11/21 16:59:03 [INFO][<redacted-domain>] The server validated our request
2018/11/21 16:59:38 [INFO][<redacted-domain>] acme: Validations succeeded; requesting certificates
map[<redacted-domain>:acme: Error 429 - urn:acme:error:rateLimited - Error creating new cert :: too many certificates already issued for exact set of domains: <redacted-domain>: see https://letsencrypt.org/docs/rate-limits/]

The only workaround is to change the domain name, or wait a day/week, which is not great. Is there any way to only request a new certificate if needed (i.e. the old one is about to expire or there isn't one for that domain yet)? How/where is the Let's Encrypt state saved?

irbekrm commented 5 years ago

Hi @jschaul, sorry to hear you had trouble with the deployment. You could probably reuse the last already generated certificate. You can find that in the S3 bucket named concourse-up-<deployment-name>-<region>-config. Pass the value of concourse_cert as the value for --tls-cert and the value of concourse_key as the value for --tls-key.

Let us know how it goes.

jschaul commented 5 years ago

Hi,

thanks for providing this workaround; this worked for me. I would like to keep this issue open, however, as I believe automating the "check if a recently-created Let's Encrypt certificate is available in the config and if so, re-use it automatically" step is still worthwhile for other users and should be part of concourse-up.

In case anyone else comes across this issue: ensure your TLS certificates and keys have correct line breaks before passing them as arguments to concourse-up. (A one-line string containing literal \n characters passed to --tls-cert or --tls-key will be written incorrectly to disk on the concourse web instance, leading to the ATC and grafana not starting up.)
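The two points raised in this thread, "only request a new certificate when the stored one is missing, for another domain, or close to expiry" and "a PEM passed as a one-line string with literal \n characters is broken", can both be expressed as a small reuse check. The following Go program is an added example written for this issue; it is not concourse-up code and does not read the S3 config bucket. It assumes the certificate is already loaded into a string (the concourse_cert value), a hypothetical 30-day renewal threshold, and constructs a self-signed certificate in-process so it runs offline without contacting the ACME service.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// RenewalThreshold is an assumed policy: request a new certificate only when
// less than this much validity remains. Reusing a valid certificate until then
// avoids the "too many certificates already issued for exact set of domains"
// rate limit seen in the issue.
const RenewalThreshold = 30 * 24 * time.Hour

// NormalizePEM repairs a PEM string whose newlines arrived as the two
// characters '\' 'n' (the --tls-cert / --tls-key pitfall noted in the thread).
func NormalizePEM(s string) string {
	return strings.ReplaceAll(s, `\n`, "\n")
}

// ParseCert decodes the first CERTIFICATE block in a (possibly mangled) PEM string.
func ParseCert(pemText string) (*x509.Certificate, error) {
	block, _ := pem.Decode([]byte(NormalizePEM(pemText)))
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, errors.New("no CERTIFICATE block found in PEM input")
	}
	return x509.ParseCertificate(block.Bytes)
}

// NeedsNewCert reports whether a stored certificate must be replaced for domain,
// with a human-readable reason. It returns true when nothing is stored, the PEM
// cannot be parsed, the cert does not cover the domain, it is not yet valid, or
// it expires within RenewalThreshold of now.
func NeedsNewCert(storedPEM, domain string, now time.Time) (bool, string) {
	if strings.TrimSpace(storedPEM) == "" {
		return true, "no stored certificate"
	}
	cert, err := ParseCert(storedPEM)
	if err != nil {
		return true, "stored certificate unparsable: " + err.Error()
	}
	if err := cert.VerifyHostname(domain); err != nil {
		return true, "stored certificate does not cover " + domain
	}
	if now.Before(cert.NotBefore) {
		return true, "stored certificate not yet valid"
	}
	if remaining := cert.NotAfter.Sub(now); remaining < RenewalThreshold {
		return true, fmt.Sprintf("stored certificate expires in %s", remaining.Round(time.Hour))
	}
	return false, "reuse stored certificate for " + domain
}

// SelfSignedPEM builds a constructed self-signed certificate for the given SANs
// and validity window. It exists only so the example runs without an ACME server.
func SelfSignedPEM(sans []string, notBefore, notAfter time.Time) (string, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return "", err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: sans[0]},
		DNSNames:     sans,
		NotBefore:    notBefore,
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return "", err
	}
	return string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})), nil
}

func main() {
	now := time.Now()
	// Constructed sample: a cert for a placeholder domain with 60 days left.
	fresh, _ := SelfSignedPEM([]string{"ci.example.test"}, now.Add(-time.Hour), now.Add(60*24*time.Hour))
	oneLine := strings.ReplaceAll(fresh, "\n", `\n`) // simulates the mangled CLI argument
	for _, c := range []struct{ pem, domain string }{
		{fresh, "ci.example.test"},
		{oneLine, "ci.example.test"},
		{fresh, "other.example.test"},
		{"", "ci.example.test"},
	} {
		renew, why := NeedsNewCert(c.pem, c.domain, now)
		fmt.Printf("%-20s renew=%v (%s)\n", c.domain, renew, why)
	}
}
```

The decision is made on the certificate's own SAN list and NotAfter, so a change of deployment domain or an approaching expiry triggers a fresh request while every other run reuses what is already stored; VerifyHostname is used rather than a CommonName comparison because Let's Encrypt certificates carry their names as SANs.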