Closed dpadron closed 4 years ago
ACMEv1 has reached EOL in November. I think we need to update the certbot.
Hi @dpadron, could you kindly test replacing https://github.com/GeoNode/geonode/blob/master/scripts/spcgeonode/letsencrypt/docker-entrypoint.sh
with this updated version https://gist.github.com/t-book/339c58c889025a08696f2166628c046c?
Don't forget to rebuild your containers, and let me know if it works.
Hi t-book, I performed the test and the following error is generated:
Solved. Updated `FROM alpine:3.8`
in /docker/letsencrypt/Dockerfile.
Thanks t-book for the help.
great! this is what I actually just planned to try :))
The reason is that the acme2 protocol has been added in certbot 22+; the current alpine image has the certbot below:

```
/ # certbot --version
certbot 0.14.0
```

As I currently do not use SPC, can you do me a favour and test the alpine 3.8 image with the original entrypoint? The question is whether the newer certbot already respects acme2 without the --server option.
@dpadron okay, tested it. It looks like we need the --server for acme2.
Hi t-book, I tried it in geonode-project master.
Mode: Docker
OS: Ubuntu 18.04
Directory: /docker/letsencrypt/
Edit: docker-entrypoint.sh and Dockerfile
Everything worked correctly.
I'm going to do tests in SPC and I'll tell you.
I attach the contents of the files Dockerfile and docker-entrypoint.sh.
Dockerfile:

```dockerfile
FROM alpine:3.8
# 1-2. Install system dependencies
RUN apk add --no-cache certbot py-pip && pip install pyopenssl==16.0.0 # Need to downgrade PyOpenSSL to 16.0.0 to avoid conflicts and solve the cryptography error : https://github.com/plesk/letsencrypt-plesk/issues/117
# Installing scripts
ADD docker-entrypoint.sh /docker-entrypoint.sh
RUN chmod +x /docker-entrypoint.sh
# Installing cronjobs
ADD crontab /crontab
RUN /usr/bin/crontab /crontab && \
    rm /crontab
# Setup the entrypoint
ENTRYPOINT ["./docker-entrypoint.sh"]
# We run cron in foreground to update the certificates
CMD /usr/sbin/crond -f
```
docker-entrypoint.sh:

```sh
#!/bin/sh
# Exit script in case of error
set -e
printf "\n\n\n"
echo "-----------------------------------------------------"
echo "STARTING LETSENCRYPT ENTRYPOINT ---------------------"
date
# We make the config dir
mkdir -p "/geonode-certificates/$LETSENCRYPT_MODE"
# Do not exit script in case of error
set +e
# We run the command (the ACMEv2 endpoint is selected explicitly with --server)
if [ "$LETSENCRYPT_MODE" = "staging" ]; then
    printf "\nTrying to get STAGING certificate\n"
    certbot --config-dir "/geonode-certificates/$LETSENCRYPT_MODE" certonly --webroot -w "/geonode-certificates" -d "$HTTPS_HOST" -m "$ADMIN_EMAIL" --agree-tos --non-interactive --staging --server https://acme-v02.api.letsencrypt.org/directory
elif [ "$LETSENCRYPT_MODE" = "production" ]; then
    printf "\nTrying to get PRODUCTION certificate\n"
    certbot --config-dir "/geonode-certificates/$LETSENCRYPT_MODE" certonly --webroot -w "/geonode-certificates" -d "$HTTPS_HOST" -m "$ADMIN_EMAIL" --agree-tos --non-interactive --server https://acme-v02.api.letsencrypt.org/directory
else
    printf "\nNot trying to get certificate (simulating failure, because LETSENCRYPT_MODE variable was neither staging nor production)\n"
    /bin/false
fi
# If the certbot command failed ($? still holds the status of the branch above), wait and exit with an error
if [ $? -ne 0 ]; then
    # Exit script in case of error
    set -e
    printf "\nFailed to get the certificates !\n"
    printf "\nWaiting 30s to avoid hitting Letsencrypt rate limits before it's even possible to react\n"
    sleep 30
    exit 1
fi
printf "\nCertificates have been created/renewed successfully\n"
echo "-----------------------------------------------------"
echo "FINISHED LETSENCRYPT ENTRYPOINT ---------------------"
echo "-----------------------------------------------------"
# Run the CMD
exec "$@"
```
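The two things this thread turns on are the certbot release inside the image (Certbot added ACMEv2 support in 0.22.0, so the 0.14.0 build shown above cannot use it) and the `--server` value in the entrypoint. The following pre-flight checks are an added example, not GeoNode's own code; the function names, the sample version banner and the sample log excerpt are constructed for illustration.

```shell
#!/bin/sh
# Pre-flight checks for the letsencrypt entrypoint: example code added here,
# not GeoNode's own. Certbot gained ACMEv2 support in release 0.22.0, so an
# image shipping an older certbot (0.14.0 above) can only ever speak ACMEv1.

# Return 0 when the output of "certbot --version" names a release >= 0.22.0.
# Older certbot prints its version on stderr, so capture it with 2>&1.
certbot_supports_acmev2() {
    ver=$(printf '%s\n' "$1" | sed -n 's/^certbot \([0-9][0-9.]*\).*/\1/p')
    [ -n "$ver" ] || return 2           # not certbot's version banner
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    [ "$major" -gt 0 ] && return 0      # 1.x and later
    [ "$minor" -ge 22 ]
}

# Return 0 only for the ACMEv2 (v02) directory URLs; the retired acme-v01
# endpoint or a typo in the --server value is rejected.
acme_server_is_v2() {
    case "$1" in
        https://acme-v02.api.letsencrypt.org/directory) return 0 ;;
        https://acme-staging-v02.api.letsencrypt.org/directory) return 0 ;;
        *) return 1 ;;
    esac
}

# Return 0 when a certbot log excerpt contains the ACMEv1 shutdown rejection
# quoted in this issue, so cron-driven renewals can alert instead of silently
# failing every run.
log_shows_acmev1_rejection() {
    printf '%s\n' "$1" | grep -q 'Account creation on ACMEv1 is disabled'
}

# Constructed sample inputs mirroring the thread (not captured from a real host).
OLD_VERSION="certbot 0.14.0"
V1_SERVER="https://acme-v01.api.letsencrypt.org/directory"
SAMPLE_LOG="An unexpected error occurred
The client lacks sufficient authorization :: Account creation on ACMEv1 is disabled."

if certbot_supports_acmev2 "$OLD_VERSION"; then echo "certbot: ACMEv2 capable"
else echo "certbot: too old for ACMEv2, upgrade the base image"; fi
if acme_server_is_v2 "$V1_SERVER"; then echo "server: ACMEv2 directory"
else echo "server: not an ACMEv2 directory, fix the --server option"; fi
if log_shows_acmev1_rejection "$SAMPLE_LOG"; then echo "log: ACMEv1 rejection found"; fi
```

Run the version check against `certbot --version 2>&1` inside the container before trusting a freshly built image.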
Has this solution been merged into the main geonode docker install? If not, where do I find the updated file t-book mentioned?
End of life plan for ACMEv1. Any solution to use ACMEv2?

Log for container letsencrypt_1:

```
STARTING LETSENCRYPT ENTRYPOINT ---------------------
Wed Nov 13 15:03:38 UTC 2019
Trying to get PRODUCTION certificate
Saving debug log to /var/log/letsencrypt/letsencrypt.log
An unexpected error occurred
The client lacks sufficient authorization :: Account creation on ACMEv1 is disabled. Please upgrade your ACME client to a version that supports ACMEv2 / RFC 8555. See https://community.letsencrypt.org/t/end-of-life-plan-for-acmev1/88430 for details.
Please see the logfiles in /var/log/letsencrypt for more details.
Failed to get the certificates !
```