Kong / kong-plugin-acme

Let's Encrypt and ACMEv2 integration with Kong - this plugin has been moved into https://github.com/Kong/kong, please open issues and PRs in that repo
Apache License 2.0

acme error on docker-kong #39

Closed lukasa1993 closed 4 years ago

lukasa1993 commented 4 years ago

Hello, I am running Kong from the official Docker :latest and :2.1 images and trying to set up the acme plugin. I have a dummy service and route, and when I try to invoke the domain with curl -k I get this:

 handler.lua:104 failed to update certificate: acme directory request failed: 18: self signed certificate

The DB is postgres:9. I have this KONG_LUA_SSL_TRUSTED_CERTIFICATE: /etc/ssl/certs/ca-certificates.crt in the env.

It seems that it doesn't like /etc/ssl/certs/ca-certificates.crt. I checked, the file is there…

fffonion commented 4 years ago

Hi @lukasa1993, can you share the full kong.conf or any other environment variables you are passing to the container?

lukasa1993 commented 4 years ago

@fffonion

kong:
    image: kong:2.1
    container_name: kong
    environment:
      KONG_PROXY_ACCESS_LOG: /dev/stdout
      KONG_ADMIN_ACCESS_LOG: /dev/stdout
      KONG_PROXY_ERROR_LOG: /dev/stderr
      KONG_ADMIN_ERROR_LOG: /dev/stderr
      KONG_ADMIN_LISTEN: '0.0.0.0:8001'
      KONG_LUA_SSL_TRUSTED_CERTIFICATE: /etc/ssl/certs/ca-certificates.crt
      KONG_CASSANDRA_CONTACT_POINTS: db
      KONG_DATABASE: 1
      KONG_PG_DATABASE: 2
      KONG_PG_HOST: 3
      KONG_PG_USER: 4
      KONG_PG_PASSWORD: 5
    networks:
      - kong
    ports:
      - "80:8000/tcp"
      - "127.0.0.1:8001:8001/tcp"
      - "443:8443/tcp"
      - "127.0.0.1:8444:8444/tcp"
    healthcheck:
      test: ["CMD", "kong", "health"]
      interval: 10s
      timeout: 10s
      retries: 10
    restart: always

This is all; I don't have a custom kong.conf.

I tried :latest as well, same error.

fffonion commented 4 years ago

Thanks for sharing that. Now I realize the error is "self signed certificate". If it were indeed KONG_LUA_SSL_TRUSTED_CERTIFICATE not taking effect, the error would be "unable to verify local issuer certificate". So my next question is: what's the api_url you set for the acme plugin? Is it an internal CA other than Let's Encrypt?

lukasa1993 commented 4 years ago

@fffonion What do you mean by api_url? I used the exact same samples as in the README. I have the acme-dummy service and route. The CA cert is whatever comes in the Docker image; I haven't put it there myself.

fffonion commented 4 years ago

@lukasa1993 Do you have any other config fields besides those when adding the plugin?

$ curl http://localhost:8001/plugins \
        -d name=acme \
        -d config.account_email=yourname@yourdomain.com \
        -d config.tos_accepted=true \
        -d config.domains[]=my.secret.domains.com \
        -d config.domains[]=my.anoother.secret.domains.com

lukasa1993 commented 4 years ago

I changed storage to KONG, but not in the same command; otherwise it's the same.

lukasa1993 commented 4 years ago

But I changed storage to kong after it was already not working.

fffonion commented 4 years ago

Emm, I can't reproduce that error on my side. Could you send me the Docker image ID/hash you are using? It can be viewed by running docker images.

fffonion commented 4 years ago

Please also share the localhost:8001/plugins endpoint output.

lukasa1993 commented 4 years ago

kong   latest   6cd6bc3dc612   6 days ago   146MB
kong   2.1      0d03308d3ec7   6 days ago   147MB

{"next":null,"data":[{"created_at":1594839403,"id":"974d46cd-0ae2-4770-a832-2d2d1972ed3e","tags":null,"enabled":true,"protocols":["grpc","grpcs","http","https"],"name":"acme","consumer":null,"service":null,"route":null,"config":{"storage_config":{"redis":{"auth":null,"port":null,"database":null,"host":null},"shm":{"shm_name":"kong"},"vault":{"host":null,"port":null,"token":null,"timeout":null,"https":false,"tls_server_name":null,"kv_path":null,"tls_verify":true},"kong":{},"consul":{"host":null,"port":null,"token":null,"timeout":null,"https":false,"kv_path":null}},"cert_type":"rsa","tos_accepted":true,"storage":"kong","domains":["example.com"],"api_uri":"https:\/\/acme-v02.api.letsencrypt.org\/directory","account_email":"example@gmail.com","renew_threshold_days":14}},{"created_at":1595156003,"id":"fced96c8-dced-46cd-b07c-9338e0efc8f2","tags":null,"enabled":false,"protocols":["grpc","grpcs","http","https"],"name":"basic-auth","consumer":null,"service":null,"route":{"id":"e931b780-fe8b-4c1b-8dda-364554c78321"},"config":{"hide_credentials":true,"anonymous":null}}]}

@fffonion I swapped the actual email and domain, but the rest is exactly the same.

fffonion commented 4 years ago

Those look good to me. Thanks! Let's try this: create this file under /tmp/a.lua

local http = require "resty.http"

-- Fetch the Let's Encrypt ACMEv2 directory with the same HTTP client the plugin uses;
-- the trust store comes from the lua_ssl_trusted_certificate directive passed to resty.
local hc = http.new()
local a, err = hc:request_uri("https://acme-v02.api.letsencrypt.org/directory")

-- Print the error (nil on success) and the response body, if any.
ngx.say(err)
ngx.say(a and a.body)

Run:

docker run --rm -it -v /tmp/a.lua:/tmp/a.lua kong:2.1 \
 /usr/local/openresty/bin/resty \
 --http-conf "lua_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;" \
/tmp/a.lua
lukasa1993 commented 4 years ago

1@2:~$ vim /tmp/a.lua
1@2:~$ docker run --rm -it -v /tmp/a.lua:/tmp/a.lua kong:2.1 \
>  /usr/local/openresty/bin/resty \
>  --http-conf "lua_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;" \
> /tmp/a.lua

{
  "_KAgDpY3LBc": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417",
  "keyChange": "https://acme-v02.api.letsencrypt.org/acme/key-change",
  "meta": {
    "caaIdentities": [
      "letsencrypt.org"
    ],
    "termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf",
    "website": "https://letsencrypt.org"
  },
  "newAccount": "https://acme-v02.api.letsencrypt.org/acme/new-acct",
  "newNonce": "https://acme-v02.api.letsencrypt.org/acme/new-nonce",
  "newOrder": "https://acme-v02.api.letsencrypt.org/acme/new-order",
  "revokeCert": "https://acme-v02.api.letsencrypt.org/acme/revoke-cert"
}

@fffonion Seems this worked.

lukasa1993 commented 4 years ago

Didn't mean it solved the problem :) it just returned something.

fffonion commented 4 years ago

@lukasa1993 Yeah, that at least verifies the environment is sane. BTW, you are still seeing that error log, right? Meaning it's not an ephemeral thing on the Let's Encrypt side.

lukasa1993 commented 4 years ago

@fffonion Still there. I am trying every day, same error.

lukasa1993 commented 4 years ago

ATM I am using a Let's Encrypt cert from certbot on the same server and domain without issue.

fffonion commented 4 years ago

I still suspect the issue is not related to the trusted certificate, as the error message indicates otherwise. Okay, let's try to see if the network Kong lives in is behaving correctly:
1) docker exec into the created Kong container and run wget https://acme-v02.api.letsencrypt.org/directory -O -
2) try using a different network in the docker-compose file, probably the default bridge or host network.
Is there a custom DNS responder in the Kong network you are using?

lukasa1993 commented 4 years ago

docker exec -it kong bash
bash-5.0$ wget https://acme-v02.api.letsencrypt.org/directory -O -
Connecting to acme-v02.api.letsencrypt.org (172.65.32.248:443)
writing to stdout
{
  "keyChange": "https://acme-v02.api.letsencrypt.org/acme/key-change",
  "meta": {
    "caaIdentities": [
      "letsencrypt.org"
    ],
    "termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf",
    "website": "https://letsencrypt.org"
  },
  "newAccount": "https://acme-v02.api.letsencrypt.org/acme/new-acct",
  "newNonce": "https://acme-v02.api.letsencrypt.org/acme/new-nonce",
  "newOrder": "https://acme-v02.api.letsencrypt.org/acme/new-order",
  "revokeCert": "https://acme-v02.api.letsencrypt.org/acme/revoke-cert",
  "xPXvcw5Zpwc": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417"
-                    100% |******************************************************************|   658  0:00:00 ETA
written to stdout
bash-5.0$

@fffonion I use the bridge network; no DNS setup that I have done, it's all default.

lukasa1993 commented 4 years ago

Umm, it worked just now for no apparent reason :(

fffonion commented 4 years ago

Emmm, okay, this is really weird.

lukasa1993 commented 4 years ago

@fffonion The issue came back after a restart… no idea what fixed it and why it's back.

fffonion commented 4 years ago

@lukasa1993 I would still put my 5 cents on the network/environment you are running, not the plugin itself, since the Let's Encrypt API is not likely to present a self-signed certificate. But it could also be some deeper bug from connection reuse or something.

I have a super hacky idea for debugging this 😂 in kong/plugins/acme/client.lua, before line 93:

  local err = acme_client:init()
  if err then
    -- add following: retry the directory fetch with verification disabled so the
    -- error log shows whether the endpoint answers at all. Keep the HTTP error in
    -- its own variable; reusing `err` would overwrite the init error returned below.
    local http = require "resty.http"
    local httpc = http.new()
    local res, herr = httpc:request_uri("https://acme-v02.api.letsencrypt.org/directory", {
      method = "GET",
      ssl_verify = false,
    })
    ngx.log(ngx.ERR, "response without ssl_verify: ", res and res.body, " error: ", herr)

    return nil, nil, err
  end

You can modify the file on the host and bind-mount it into the container, then try to capture the error log when you see the error again.
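As an added diagnostic, not code from the thread or from the plugin, the same two-step check done outside OpenResty in Python: a TLS handshake to the ACME directory host using the container's CA bundle, and only if that fails, an unverified handshake whose sole purpose is to record the SHA-256 fingerprint of whatever certificate was presented. Comparing the fingerprint from a healthy run with one from a failing run shows whether a different certificate answered. The log-line parser and the verify-code hint table are assumptions built from the error quoted at the top of the thread; the host and bundle path are the values the thread uses.

```python
import hashlib
import re
import socket
import ssl

# Values from the thread: the plugin's api_uri host and the CA bundle the container
# passes to KONG_LUA_SSL_TRUSTED_CERTIFICATE.
ACME_HOST = "acme-v02.api.letsencrypt.org"
CA_BUNDLE = "/etc/ssl/certs/ca-certificates.crt"

# Kong's log ends with the OpenSSL X509 verify result as "<code>: <reason>".
_LOG_RE = re.compile(r"acme directory request failed: (\d+): (.+)$")

# Hints for the X509_V_ERR codes that matter in this thread (assumed mapping,
# numbering follows OpenSSL's x509_vfy.h).
VERIFY_HINTS = {
    18: "leaf is self-signed: something other than the CA answered the handshake",
    19: "chain ends in a self-signed root that is not in the trust store",
    20: "issuer not found: the CA bundle path is wrong or the file is incomplete",
}


def parse_acme_log_line(line):
    """Return (verify_code, reason) from a Kong acme error line, or None."""
    m = _LOG_RE.search(line)
    return (int(m.group(1)), m.group(2).strip()) if m else None


def explain_verify_code(code):
    return VERIFY_HINTS.get(code, "verify error %d: see `man verify`" % code)


def handshake(host, cafile=None, port=443, timeout=10):
    """One TLS handshake; returns the SHA-256 of the leaf cert presented.
    With cafile the chain is verified. Without it nothing is trusted: that
    mode exists only to record who answered, never to fetch anything."""
    if cafile:
        ctx = ssl.create_default_context(cafile=cafile)
    else:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return hashlib.sha256(tls.getpeercert(binary_form=True)).hexdigest()


def probe_acme_directory(host=ACME_HOST, cafile=CA_BUNDLE):
    """Verified handshake first; on failure, report the code, a hint and the
    fingerprint of the certificate that was actually presented."""
    try:
        return {"verified": True, "peer_sha256": handshake(host, cafile)}
    except ssl.SSLCertVerificationError as err:
        return {"verified": False, "code": err.verify_code, "reason": err.verify_message,
                "hint": explain_verify_code(err.verify_code),
                "peer_sha256": handshake(host, None)}
```

Run probe_acme_directory() from the host and from inside the container (bind-mount the script) each time the Kong error appears and keep the fingerprints; a changing peer_sha256 with code 18 points at the network path, a constant one with code 20 at the bundle.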

fffonion commented 4 years ago

Closing for inactivity, @lukasa1993 feel free to reopen or create a new issue if you are still seeing issues.

lukasa1993 commented 4 years ago

Closing for inactivity, @lukasa1993 feel free to reopen or create a new issue if you are still seeing issues.

Hard to replicate; still chasing when that happens, it seems random.