acmesh-official / acme.sh

A pure Unix shell script implementing ACME client protocol
https://acme.sh
GNU General Public License v3.0

Using docker deploy hook in podman shows 500 when copying the cert #4977

Open cubesky opened 8 months ago

cubesky commented 8 months ago

Steps to reproduce

  1. Create the container following the docker deploy hook instructions, but using podman instead, with podman.sock mounted as the Docker socket via the volume -v /run/user/0/podman/podman.sock:/var/run/docker.sock.
  2. Issue a cert
  3. run deploy hook with --deploy-hook docker

Debug log

docker exec -e DEPLOY_DOCKER_CONTAINER_LABEL=sh.acme.autoload.domain=liyin.cloud -e DEPLOY_DOCKER_CONTAINER_KEY_FILE="/etc/nginx/ssl/liyin.cloud/key.pem" -e DEPLOY_DOCKER_CONTAINER_CERT_FILE="/etc/nginx/ssl/liyin.cloud/cert.pem" -e DEPLOY_DOCKER_CONTAINER_CA_FILE="/etc/nginx/ssl/liyin.cloud/ca.pem" -e DEPLOY_DOCKER_CONTAINER_FULLCHAIN_FILE="/etc/nginx/ssl/liyin.cloud/full.pem" -e DEPLOY_DOCKER_CONTAINER_RELOD_CMD="service nginx force-reload" acme acme.sh --deploy -d liyin.cloud --debug 2 --deploy-hook docker
[Tue Jan 30 21:47:18 UTC 2024] Lets find script dir.
[Tue Jan 30 21:47:18 UTC 2024] _SCRIPT_='/usr/local/bin/acme.sh'
[Tue Jan 30 21:47:18 UTC 2024] _script='/root/.acme.sh/acme.sh'
[Tue Jan 30 21:47:18 UTC 2024] _script_home='/root/.acme.sh'
[Tue Jan 30 21:47:18 UTC 2024] Using default home:/root/.acme.sh
[Tue Jan 30 21:47:18 UTC 2024] Using config home:/acme.sh
[Tue Jan 30 21:47:18 UTC 2024] LE_WORKING_DIR='/root/.acme.sh'
https://github.com/acmesh-official/acme.sh
v3.0.8
[Tue Jan 30 21:47:18 UTC 2024] Running cmd: deploy
[Tue Jan 30 21:47:18 UTC 2024] Using config home:/acme.sh
[Tue Jan 30 21:47:18 UTC 2024] default_acme_server='https://acme-v02.api.letsencrypt.org/directory'
[Tue Jan 30 21:47:18 UTC 2024] ACME_DIRECTORY='https://acme-v02.api.letsencrypt.org/directory'
[Tue Jan 30 21:47:18 UTC 2024] _ACME_SERVER_HOST='acme-v02.api.letsencrypt.org'
[Tue Jan 30 21:47:18 UTC 2024] _ACME_SERVER_PATH='directory'
[Tue Jan 30 21:47:18 UTC 2024] The domain 'liyin.cloud' seems to have a ECC cert already, lets use ecc cert.
[Tue Jan 30 21:47:18 UTC 2024] DOMAIN_PATH='/acme.sh/liyin.cloud_ecc'
[Tue Jan 30 21:47:18 UTC 2024] DOMAIN_CONF='/acme.sh/liyin.cloud_ecc/liyin.cloud.conf'
[Tue Jan 30 21:47:18 UTC 2024] _deployApi='/root/.acme.sh/deploy/docker.sh'
[Tue Jan 30 21:47:18 UTC 2024] _cdomain='liyin.cloud'
[Tue Jan 30 21:47:18 UTC 2024] DEPLOY_DOCKER_CONTAINER_LABEL='sh.acme.autoload.domain=liyin.cloud'
[Tue Jan 30 21:47:18 UTC 2024] Try use /var/run/docker.sock
[Tue Jan 30 21:47:18 UTC 2024] _cversion='8.4.0'
[Tue Jan 30 21:47:18 UTC 2024] _major='8'
[Tue Jan 30 21:47:18 UTC 2024] _minor='4'
[Tue Jan 30 21:47:18 UTC 2024] DEPLOY_DOCKER_CONTAINER_KEY_FILE='/etc/nginx/ssl/liyin.cloud/key.pem'
[Tue Jan 30 21:47:18 UTC 2024] DEPLOY_DOCKER_CONTAINER_CERT_FILE='/etc/nginx/ssl/liyin.cloud/cert.pem'
[Tue Jan 30 21:47:18 UTC 2024] DEPLOY_DOCKER_CONTAINER_CA_FILE='/etc/nginx/ssl/liyin.cloud/ca.pem'
[Tue Jan 30 21:47:18 UTC 2024] DEPLOY_DOCKER_CONTAINER_FULLCHAIN_FILE='/etc/nginx/ssl/liyin.cloud/full.pem'
[Tue Jan 30 21:47:18 UTC 2024] trim quotation marks
[Tue Jan 30 21:47:18 UTC 2024] DEPLOY_DOCKER_CONTAINER_RELOAD_CMD='service nginx force-reload'
[Tue Jan 30 21:47:18 UTC 2024] _req='{"label":["sh.acme.autoload.domain=liyin.cloud"]}'
[Tue Jan 30 21:47:18 UTC 2024] _req='%7b%22label%22%3a%5b%22sh.acme.autoload.domain%3dliyin.cloud%22%5d%7d'
[Tue Jan 30 21:47:18 UTC 2024] _data
[Tue Jan 30 21:47:18 UTC 2024] url='http://localhost/containers/json?filters=%7b%22label%22%3a%5b%22sh.acme.autoload.domain%3dliyin.cloud%22%5d%7d'
*   Trying /var/run/docker.sock:0...
* Connected to localhost (/run/user/0/podman/podman.sock) port 80
> GET /containers/json?filters=%7b%22label%22%3a%5b%22sh.acme.autoload.domain%3dliyin.cloud%22%5d%7d HTTP/1.1
> Host: localhost
> User-Agent: curl/8.4.0
> Accept: */*
> Content-Type: application/json
> Content-Length: 0
>
< HTTP/1.1 200 OK
< Api-Version: 1.41
< Content-Type: application/json
< Libpod-Api-Version: 4.9.0
< Server: Libpod/4.9.0 (linux)
< X-Reference-Id: 0xc00011eeb8
< Date: Tue, 30 Jan 2024 21:47:18 GMT
< Transfer-Encoding: chunked
<
{ [3639 bytes data]
* Connection #0 to host localhost left intact
[Tue Jan 30 21:47:18 UTC 2024] listjson='[{"Id":"210b7073f1d3799544db012c5a59922209e4af8fd841cbcf63c9c943e18de64f","Names":["/nginx_openresty_1"],"Image":"docker.io/openresty/openresty:alpine","ImageID":"sha256:ad05e721dd2965825d5a6583b9a1af3e3f3c15b9cacfce4e3543cca812390566","Command":"/usr/local/openresty/bin/openresty -g daemon off;","Created":1706650231,"Ports":[{"PrivatePort":80,"PublicPort":80,"Type":"tcp"},{"PrivatePort":443,"PublicPort":443,"Type":"tcp"}],"Labels":{"PODMAN_SYSTEMD_UNIT":"podman-compose@nginx.service","com.docker.compose.container-number":"1","com.docker.compose.project":"nginx","com.docker.compose.project.config_files":"docker-compose.yml","com.docker.compose.project.working_dir":"/mnt/data/container/nginx","com.docker.compose.service":"openresty","io.podman.compose.config-hash":"b629713c17cf66615ff8605e9087229fb25929744d4e2410f9af0951dce4eec8","io.podman.compose.project":"nginx","io.podman.compose.version":"1.0.6","maintainer":"Evan Wies \u003cevan@neomantra.net\u003e","resty_add_package_builddeps":"","resty_add_package_rundeps":"","resty_config_deps":"--with-pcre     --with-cc-opt='-DNGX_LUA_ABORT_AT_PANIC -I/usr/local/openresty/pcre/include -I/usr/local/openresty/openssl/include'     --with-ld-opt='-L/usr/local/openresty/pcre/lib -L/usr/local/openresty/openssl/lib -Wl,-rpath,/usr/local/openresty/pcre/lib:/usr/local/openresty/openssl/lib'     ","resty_config_options":"    --with-compat     --with-file-aio     --with-http_addition_module     --with-http_auth_request_module     --with-http_dav_module     --with-http_flv_module     --with-http_geoip_module=dynamic     --with-http_gunzip_module     --with-http_gzip_static_module     --with-http_image_filter_module=dynamic     --with-http_mp4_module     --with-http_random_index_module     --with-http_realip_module     --with-http_secure_link_module     --with-http_slice_module     --with-http_ssl_module     --with-http_stub_status_module     --with-http_sub_module     --with-http_v2_module     
--with-http_v3_module     --with-http_xslt_module=dynamic     --with-ipv6     --with-mail     --with-mail_ssl_module     --with-md5-asm     --with-sha1-asm     --with-stream     --with-stream_ssl_module     --with-threads     ","resty_config_options_more":"","resty_eval_post_download_pre_configure":"","resty_eval_post_make":"","resty_eval_pre_configure":"","resty_image_base":"alpine","resty_image_tag":"3.19","resty_luajit_options":"--with-luajit-xcflags='-DLUAJIT_NUMMODE=2 -DLUAJIT_ENABLE_LUA52COMPAT'","resty_openssl_patch_version":"1.1.1f","resty_openssl_url_base":"https://www.openssl.org/source","resty_openssl_version":"1.1.1w","resty_pcre_build_options":"--enable-jit","resty_pcre_options":"--with-pcre-jit","resty_pcre_sha256":"4e6ce03e0336e8b4a3d6c2b70b1c5e18590a5673a98186da90d4f33c23defc09","resty_pcre_version":"8.45","resty_version":"1.25.3.1","sh.acme.autoload.domain":"liyin.cloud"},"State":"running","Status":"Up 2 minutes","NetworkSettings":{"Networks":{"nginx_default":{"IPAMConfig":null,"Links":null,"Aliases":["openresty","210b7073f1d3"],"NetworkID":"nginx_default","EndpointID":"","Gateway":"10.89.3.1","IPAddress":"10.89.3.4","IPPrefixLen":24,"IPv6Gateway":"","GlobalIPv6Address":"","GlobalIPv6PrefixLen":0,"MacAddress":"d2:2b:88:c6:be:6f","DriverOpts":null}}},"Mounts":[{"Type":"bind","Source":"/mnt/data/container/nginx/cert","Destination":"/etc/nginx/ssl","Mode":"","RW":true,"Propagation":"rprivate"},{"Type":"bind","Source":"/mnt/data/container/nginx/conf.d","Destination":"/etc/nginx/conf.d","Mode":"","RW":true,"Propagation":"rprivate"}],"Name":"","Config":null,"NetworkingConfig":null,"Platform":null,"AdjustCPUShares":false}]'
[Tue Jan 30 21:47:18 UTC 2024] Container id: 210b7073f1d3799544db012c5a59922209e4af8fd841cbcf63c9c943e18de64f
[Tue Jan 30 21:47:18 UTC 2024] Copying file from /acme.sh/liyin.cloud_ecc/liyin.cloud.key to /etc/nginx/ssl/liyin.cloud/key.pem
[Tue Jan 30 21:47:18 UTC 2024] _dir='/etc/nginx/ssl/liyin.cloud'
[Tue Jan 30 21:47:18 UTC 2024] _docker_exec 210b7073f1d3799544db012c5a59922209e4af8fd841cbcf63c9c943e18de64f mkdir -p /etc/nginx/ssl/liyin.cloud
[Tue Jan 30 21:47:18 UTC 2024] _cmd='mkdir -p /etc/nginx/ssl/liyin.cloud'
[Tue Jan 30 21:47:18 UTC 2024] _data='{"Cmd": ["sh", "-c", "mkdir -p /etc/nginx/ssl/liyin.cloud"]}'
[Tue Jan 30 21:47:18 UTC 2024] url='http://localhost/containers/210b7073f1d3799544db012c5a59922209e4af8fd841cbcf63c9c943e18de64f/exec'
*   Trying /var/run/docker.sock:0...
* Connected to localhost (/run/user/0/podman/podman.sock) port 80
> POST /containers/210b7073f1d3799544db012c5a59922209e4af8fd841cbcf63c9c943e18de64f/exec HTTP/1.1
> Host: localhost
> User-Agent: curl/8.4.0
> Accept: */*
> Content-Type: application/json
> Content-Length: 60
>
} [60 bytes data]
< HTTP/1.1 201 Created
< Api-Version: 1.41
< Content-Type: application/json
< Libpod-Api-Version: 4.9.0
< Server: Libpod/4.9.0 (linux)
< X-Reference-Id: 0xc000880010
< Date: Tue, 30 Jan 2024 21:47:18 GMT
< Content-Length: 74
<
{ [74 bytes data]
* Connection #0 to host localhost left intact
[Tue Jan 30 21:47:18 UTC 2024] cjson='{"Id":"e9bfa78b557680d0f3d71aaefcd3ca1c7ff7efe460574e8a29842584cd621305"}'
[Tue Jan 30 21:47:18 UTC 2024] execid='e9bfa78b557680d0f3d71aaefcd3ca1c7ff7efe460574e8a29842584cd621305'
[Tue Jan 30 21:47:18 UTC 2024] _data='{"Detach": false,"Tty": false}'
[Tue Jan 30 21:47:18 UTC 2024] url='http://localhost/exec/e9bfa78b557680d0f3d71aaefcd3ca1c7ff7efe460574e8a29842584cd621305/start'
*   Trying /var/run/docker.sock:0...
* Connected to localhost (/run/user/0/podman/podman.sock) port 80
> POST /exec/e9bfa78b557680d0f3d71aaefcd3ca1c7ff7efe460574e8a29842584cd621305/start HTTP/1.1
> Host: localhost
> User-Agent: curl/8.4.0
> Accept: */*
> Content-Type: application/json
> Content-Length: 30
>
} [30 bytes data]
< HTTP/1.1 500 Internal Server Error
< Api-Version: 1.41
< Content-Type: application/json
< Libpod-Api-Version: 4.9.0
< Server: Libpod/4.9.0 (linux)
< X-Reference-Id: 0xc000880c58
< Date: Tue, 30 Jan 2024 21:47:18 GMT
< Content-Length: 120
<
{ [120 bytes data]
* Connection #0 to host localhost left intact
[Tue Jan 30 21:47:18 UTC 2024] ejson='{"cause":"invalid argument","message":"must provide at least one stream to attach to: invalid argument","response":500}'
[Tue Jan 30 21:47:18 UTC 2024] {"cause":"invalid argument","message":"must provide at least one stream to attach to: invalid argument","response":500}
[Tue Jan 30 21:47:18 UTC 2024] Can not create dir: /etc/nginx/ssl/liyin.cloud
[Tue Jan 30 21:47:18 UTC 2024] Error deploy for domain:liyin.cloud
[Tue Jan 30 21:47:18 UTC 2024] Deploy error.

Other information

https://github.com/testcontainers/testcontainers-go/issues/336

FeelTheLemon commented 4 months ago

After changing Detach to true here, deploy works with podman, but I don't have Docker installed to test against.

VergilGao commented 1 month ago

After changing Detach to true here, deploy works with podman, but I don't have Docker installed to test against.

I have tested this and it works well:

[Fri Aug  2 14:37:01 CST 2024] The domain 'www.example.com' seems to already have an ECC cert, let's use it.
[Fri Aug  2 14:37:02 CST 2024] Container id: 38471aad49dc030f5e374f38ea3a4045a3300f5fc0e706bf354aecb0cb5f5239
[Fri Aug  2 14:37:02 CST 2024] Copying file from /acme.sh/www.example.com_ecc/www.example.com.key to /etc/nginx/ssl/www.example.com/key.pem
[Fri Aug  2 14:37:02 CST 2024] Copying file from /acme.sh/www.example.com_ecc/www.example.com.cer to /etc/nginx/ssl/www.example.com/cert.pem
[Fri Aug  2 14:37:02 CST 2024] Copying file from /acme.sh/www.example.com_ecc/ca.cer to /etc/nginx/ssl/www.example.com/ca.pem
[Fri Aug  2 14:37:02 CST 2024] Copying file from /acme.sh/www.example.com_ecc/fullchain.cer to /etc/nginx/ssl/www.example.com/full.pem
[Fri Aug  2 14:37:02 CST 2024] Reloading: nginx -s reload
[Fri Aug  2 14:37:02 CST 2024] Success

and my podman parameters:

#!/bin/sh
# Example podman setup for the acme.sh docker deploy hook, as posted in the
# issue thread: one pod ("webapp") that holds an nginx container and an
# acme.sh container. The two containers share the host directory
# /root/webapp/data/ssl, which is where the deployed cert files end up.
# Order matters: the pod must exist and be started before the containers
# that join it are created, and each container is started right after it is
# created.

# Pod with the published HTTP/HTTPS ports; --replace recreates it if a pod
# of the same name already exists.
podman pod create \
        --name webapp \
        --hostname webapp \
        --network slirp4netns:port_handler=slirp4netns \
        --publish 80:80 \
        --publish 443:443 \
        --replace

podman pod start webapp

# nginx container. The label app=nginx is what the acme container below
# selects with DEPLOY_DOCKER_CONTAINER_LABEL="app=nginx". All config mounts
# are read-only; /etc/nginx/ssl/ is the only writable one, presumably so the
# deploy hook can write the cert files into it (the hook's *_FILE paths in
# this thread are all under /etc/nginx/ssl/).
# NOTE(review): the floating :latest tag makes it hard to tell which nginx
# build is actually running; a pinned tag or digest would make this
# reproducible.
podman create \
    --name nginx \
    --pod webapp \
    --systemd false \
    --label app=nginx \
    --volume /usr/share/zoneinfo/Asia/Shanghai:/etc/localtime:ro \
    --volume /root/webapp/data/nginx/www/:/usr/share/nginx/html:ro \
    --volume /root/webapp/data/nginx/nginx.conf:/etc/nginx/nginx.conf:ro \
    --volume /root/webapp/data/nginx/ssl.conf:/etc/nginx/ssl.conf:ro \
    --volume /root/webapp/data/nginx/proxy.conf:/etc/nginx/proxy.conf:ro \
    --volume /root/webapp/data/nginx/error_pages.conf:/etc/nginx/error_pages.conf:ro \
    --volume /root/webapp/data/nginx/dhparams.pem:/etc/nginx/dhparams.pem:ro \
    --volume /root/webapp/data/nginx/conf.d/:/etc/nginx/conf.d/:ro \
    --volume /root/webapp/log/nginx/:/var/log/nginx/ \
    --volume /root/webapp/data/ssl:/etc/nginx/ssl/ \
    --replace \
    docker.io/library/nginx:latest

podman start nginx

# acme.sh container. The docker deploy hook talks to /var/run/docker.sock,
# so the host's podman socket is bind-mounted there. Anything running in this
# container can therefore list, create and exec into any container the
# socket owner controls (the hook itself uses /containers/json and
# /containers/<id>/exec, see the debug log above); treat the acme image as
# trusted as the host. The :ro flag only makes the mount read-only, it does
# not restrict API calls over the socket -- the deploy in this thread
# succeeded with :ro in place. /acme.sh is the config home (DOMAIN_PATH in
# the log is under /acme.sh), while the script and its deploy/ directory
# live in the container image under /root/.acme.sh.
# NOTE(review): same :latest caveat as for nginx above.
podman create \
    --name acme \
    --pod webapp \
    --systemd false \
    --volume /usr/share/zoneinfo/Asia/Shanghai:/etc/localtime:ro \
    --volume /run/podman/podman.sock:/var/run/docker.sock:ro \
    --volume /root/webapp/data/acme.sh:/acme.sh \
    -e DEPLOY_DOCKER_CONTAINER_LABEL="app=nginx" \
    -e DEPLOY_DOCKER_CONTAINER_RELOAD_CMD="nginx -s reload" \
    --replace \
    docker.io/neilpang/acme.sh:latest daemon

podman start acme

my deploy function:

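#######################################
# Deploy already-issued certs for one or more domains into the nginx
# container through the acme.sh docker deploy hook.
# The original used zsh's `for i ($*) { ... }` loop form; this version is a
# plain POSIX loop with quoted expansions so it also works under bash/dash
# and with domain arguments that contain unusual characters.
# Arguments: $@ - one domain per argument, e.g. www.example.com
# Globals:   none
# Outputs:   acme.sh deploy log on stdout/stderr; diagnostics on stderr
# Returns:   0 when every domain deployed, 1 if any domain was skipped or
#            its mkdir/deploy failed (the loop still tries the others)
#######################################
acmedp() {
  local domain rc
  rc=0
  for domain in "$@"; do
    # The domain becomes a directory name under /root/webapp/data/ssl on
    # the host and a path component inside the container, so refuse values
    # that would resolve outside that directory (empty, ".", "..", or
    # anything containing a slash).
    case "$domain" in
      ''|.|..|*/*)
        printf 'acmedp: refusing unsafe domain name: %s\n' "$domain" >&2
        rc=1
        continue
        ;;
    esac
    # Host side of the --volume /root/webapp/data/ssl:/etc/nginx/ssl/ mount;
    # without it the hook has nowhere to copy into. Don't run the deploy if
    # it cannot be created.
    if ! mkdir -p "/root/webapp/data/ssl/$domain"; then
      printf 'acmedp: cannot create /root/webapp/data/ssl/%s\n' "$domain" >&2
      rc=1
      continue
    fi
    # The *_FILE paths are as seen inside the nginx container, which maps
    # /etc/nginx/ssl/ to the host directory created above.
    # NOTE(review): -it requests a TTY; when this is run without one (cron,
    # systemd timer) podman may refuse or warn -- confirm before automating.
    podman exec \
      -e DEPLOY_DOCKER_CONTAINER_KEY_FILE="/etc/nginx/ssl/$domain/key.pem" \
      -e DEPLOY_DOCKER_CONTAINER_CERT_FILE="/etc/nginx/ssl/$domain/cert.pem" \
      -e DEPLOY_DOCKER_CONTAINER_CA_FILE="/etc/nginx/ssl/$domain/ca.pem" \
      -e DEPLOY_DOCKER_CONTAINER_FULLCHAIN_FILE="/etc/nginx/ssl/$domain/full.pem" \
      -it acme acme.sh \
      --deploy-hook docker \
      --deploy -d "$domain" || rc=1
  done
  return "$rc"
}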

Until this issue is fixed, I just download the raw docker.sh file, change Detach to true, and then append this line after podman start acme:

# Copy the locally patched deploy hook over the one shipped in the image.
# The deploy directory (/root/.acme.sh/deploy/ per the debug log) is inside
# the container filesystem, not on the /acme.sh volume, so this presumably
# has to be repeated whenever the acme container is recreated with --replace.
podman cp /root/webapp/patches/acme.sh/docker.sh acme:/root/.acme.sh/deploy/docker.sh