So I have an application that needs to be accessible from both port 443 and port 7000. When starting the application these are the labels I use:
```
rap.proto = https
rap.port = 7000
rap.le_host = devc.domain.com
rap.le_email = foo@bar.com
rap.host = devc.domain.com
rap.cert_name = devc.domain.com
```
I have an ELB which my domain is pointing at. SSL is configured at the load balancer level.
The reason I am doing it this way is because I want to be able to scale the application stack across multiple instances, so it made sense to put a load balancer in front of your active-proxy.
When I point the domain directly at the host, SSL cert creation works fine. However, when I point the domain at the load balancer and then start my app, cert creation fails. Here is my log output:
```
1/2018 3:31:00 PMcrond[47]: wakeup dt=60
5/11/2018 3:31:00 PMcrond[47]: file root:
5/11/2018 3:31:00 PMcrond[47]: line /app/letsencrypt.sh
5/11/2018 3:31:17 PMnginx.1 | _ - - [11/May/2018:19:31:17 +0000] "PROXY TCP4 40226 80" 400 173 "-" "-"
5/11/2018 3:31:18 PMnginx.1 | _ - - [11/May/2018:19:31:18 +0000] "PROXY TCP4 12711 80" 400 173 "-" "-"
5/11/2018 3:31:18 PMnginx.1 | _ - - [11/May/2018:19:31:18 +0000] "PROXY TCP4 56270 80" 400 173 "-" "-"
5/11/2018 3:31:20 PMranchergen.1 | level=info msg="[/app/letsencrypt.sh]: \"Sleep 30s before Using Acme server https://acme-v01.api.letsencrypt.org/directory\""
5/11/2018 3:31:20 PMranchergen.1 | 10\""
5/11/2018 3:31:20 PMranchergen.1 | "Account loading problem\""
5/11/2018 3:31:20 PMranchergen.1 | at.backends.openssl.rsa._RSAPublicKey object at 0x7f2310fdecd0>)>)), uri=u'https://acme-v01.api.letsencrypt.org/acme/reg/34800475', new_authzr_uri=u'https://acme-v01.api.letsencrypt.org/acme/new-authz', terms_of_service=u'https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf'), 8221b1a227f213651b3b3ff72a6aeb38, Meta(creation_host=u'015701a969e0', creation_dt=datetime.datetime(2018, 5, 11, 19, 6, 27, tzinfo=<UTC>)))>\""
5/11/2018 3:31:20 PMranchergen.1 | json\""
5/11/2018 3:31:20 PMranchergen.1 | ange\\\",\""
5/11/2018 3:31:20 PMranchergen.1 | .api.letsencrypt.org/acme/revoke-cert\\\"\""
5/11/2018 3:31:20 PMranchergen.1 | 19:31:17 GMT\""
5/11/2018 3:31:20 PMranchergen.1 | crypt.org/acme/new-authz:\""
5/11/2018 3:31:20 PMranchergen.1 | \\"signature\\\": \\\"UJJg85HwKUtkqd67Q6td08Rua_RBqbDp3JFHo9SoEK-BUKPAPz91ZFSjzdYI3IA-cwZD8UJ9hk92kPv_YWiCFOy7dG3CrWOc2Ws2fHS70fVn3Oe-jVGoIpvLCbAyXx2qj-RyZbgniNYxxf72V1dTwHad9eZqPYwpb5pDN0D5OMPYx-NTkIPTyG0zmJn9dqMu390Z8gAjYQhgqSdcm6-vSLZh1Vw-chQoK73RRhqu9EhoJPDr0w9Hxf8pl-s2Q5GdpZaFgkFaGNgY3XXGH5iL_J-ebgN_E3OrJ_BC-d1NNxHFNJANwqOvVGytwlJHDnm3OF0LsrV2aT9EUK3AwJGyXw\\\"\""
5/11/2018 3:31:20 PMranchergen.1 | new-cert>;rel=\\\"next\\\"\""
5/11/2018 3:31:20 PMranchergen.1 | sencrypt.sh]: \" \\\"value\\\": \\\"devc.acsplayon.com\\\"\""
5/11/2018 3:31:20 PMranchergen.1 | \"type\\\": \\\"dns-01\\\",\""
5/11/2018 3:31:20 PMranchergen.1 | ng nonce: 3uvILb8pV8ZdctjN3txp9g8CvCy1UynZQCbGnJgwZwM\""
5/11/2018 3:31:20 PMranchergen.1 | sh]: \" \\\"type\\\": \\\"http-01\\\", \""
5/11/2018 3:31:20 PMranchergen.1 | NjB1WVZBZ3NnMTBzRkdNUW5SRXdqWFBLUWo2LVdKU1dRIn19\\\", \""
5/11/2018 3:31:20 PMranchergen.1 | tsencrypt.sh]: \"Received response:\""
5/11/2018 3:31:20 PMranchergen.1 | fo msg="[/app/letsencrypt.sh]: \"Date: Fri, 11 May 2018 19:31:17 GMT\""
5/11/2018 3:31:20 PMranchergen.1 | v01.api.letsencrypt.org/acme/authz/LP0w5-0zWuvI0PQSfFz933CvV4a5iVnQ7qKEChO_4OU.\""
5/11/2018 3:31:20 PMranchergen.1 |
5/11/2018 3:31:20 PMranchergen.1 | ncrypt.sh]: \" \\\"status\\\": \\\"invalid\\\",\""
5/11/2018 3:31:20 PMranchergen.1 | acme/challenge/LP0w5-0zWuvI0PQSfFz933CvV4a5iVnQ7qKEChO_4OU/4600600532\\\",\""
5/11/2018 3:31:20 PMranchergen.1 | fo msg="[/app/letsencrypt.sh]: \" \\\"\\\"\""
5/11/2018 3:31:20 PMranchergen.1 | h]: \" \\\"combinations\\\": [\""
5/11/2018 3:31:20 PMranchergen.1 | \\\">\\r\""
5/11/2018 3:31:20 PMranchergen.1 | , 'console_scripts', 'certbot')()\""
5/11/2018 3:31:20 PMranchergen.1 | info msg="[/app/letsencrypt.sh]: \" File \\\"/usr/lib/python2.7/site-packages/certbot/client.py\\\", line 318, in obtain_certificate\""
5/11/2018 3:31:20 PMranchergen.1 | c.acsplayon.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://devc.domain.com/.well-known/acme-challenge/3s-lM4B2a90DNF844MT_d17BuMTLb8fohIF4WRumejU: \\\"<html>\\r\""
5/11/2018 3:31:20 PMranchergen.1 | level=info msg="[/app/letsencrypt.sh]: \"<center><h1>400 Bad Request</h1></center>\\r\""
5/11/2018 3:31:20 PMranchergen.1 | level=info msg="[/app/letsencrypt.sh]: \"<hr><cen\\\"\""
5/11/2018 3:31:20 PMranchergen.1 | level=info msg="[/app/letsencrypt.sh]: \"Failed authorization procedure. devc.acsplayon.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://devc.acsplayon.com/.well-known/acme-challenge/3s-lM4B2a90DNF844MT_d17BuMTLb8fohIF4WRumejU: \\\"<html>\\r\""
5/11/2018 3:31:20 PMranchergen.1 | level=info msg="[/app/letsencrypt.sh]: \"<head><title>400 Bad Request</title></head>\\r\""
5/11/2018 3:31:20 PMranchergen.1 | level=info msg="[/app/letsencrypt.sh]: \"<body bgcolor=\\\"white\\\">\\r\""
5/11/2018 3:31:20 PMranchergen.1 | level=info msg="[/app/letsencrypt.sh]: \"<center><h1>400 Bad Request</h1></center>\\r\""
5/11/2018 3:31:20 PMranchergen.1 | level=info msg="[/app/letsencrypt.sh]: \"<hr><cen\\\"\""
5/11/2018 3:31:20 PMranchergen.1 | level=info msg="[/app/letsencrypt.sh]: \"IMPORTANT NOTES:\""
5/11/2018 3:31:20 PMranchergen.1 | level=info msg="[/app/letsencrypt.sh]: \" - The following errors were reported by the server:\""
5/11/2018 3:31:20 PMranchergen.1 | level=info msg="[/app/letsencrypt.sh]: \" Domain: devc.acsplayon.com\""
5/11/2018 3:31:20 PMranchergen.1 | level=info msg="[/app/letsencrypt.sh]: \" Type: unauthorized\""
5/11/2018 3:31:20 PMranchergen.1 | level=info msg="[/app/letsencrypt.sh]: \" Detail: Invalid response from\""
5/11/2018 3:31:20 PMranchergen.1 | level=info msg="[/app/letsencrypt.sh]: \" http://devc.acsplayon.com/.well-known/acme-challenge/3s-lM4B2a90DNF844MT_d17BuMTLb8fohIF4WRumejU:\""
5/11/2018 3:31:20 PMranchergen.1 | level=info msg="[/app/letsencrypt.sh]: \" \\\"<html>\""
5/11/2018 3:31:20 PMranchergen.1 | level=info msg="[/app/letsencrypt.sh]: \" <head><title>400 Bad Request</title></head>\""
5/11/2018 3:31:20 PMranchergen.1 | level=info msg="[/app/letsencrypt.sh]: \" <body bgcolor=\\\"white\\\">\""
5/11/2018 3:31:20 PMranchergen.1 | level=info msg="[/app/letsencrypt.sh]: \" <center><h1>400 Bad Request</h1></center>\""
5/11/2018 3:31:20 PMranchergen.1 | level=info msg="[/app/letsencrypt.sh]: \" <hr><cen\\\"\""
5/11/2018 3:31:20 PMranchergen.1 | level=info msg="[/app/letsencrypt.sh]: \" To fix these errors, please make sure that your domain name was\""
5/11/2018 3:31:20 PMranchergen.1 | level=info msg="[/app/letsencrypt.sh]: \" entered correctly and the DNS A/AAAA record(s) for that domain\""
5/11/2018 3:31:20 PMranchergen.1 | level=info msg="[/app/letsencrypt.sh]: \" contain(s) the right IP address.\""
5/11/2018 3:31:20 PMranchergen.1 | level=info msg="[/app/letsencrypt.sh]: \" \""
5/11/2018 3:31:20 PMranchergen.1 | level=info msg="[/app/letsencrypt.sh]: \"level=info msg=\\\"Starting rancher-gen RAP Edition master (5ea1c30cbf36e05fc24e72e0de0db820aa84d37a)\\\"\""
5/11/2018 3:31:20 PMranchergen.1 | level=info msg="[/app/letsencrypt.sh]: \"level=info msg=\\\"Initializing Rancher Metadata client (version latest)\\\"\""
5/11/2018 3:31:20 PMranchergen.1 | level=info msg="[/app/letsencrypt.sh]: \"level=info msg=\\\"Processing all templates once.\\\"\""
5/11/2018 3:31:20 PMranchergen.1 | level=info msg="[/app/letsencrypt.sh]: \"level=info msg=\\\"Destination file %s has been updated/etc/nginx/conf.d/default.conf\\\"\""
5/11/2018 3:31:20 PMranchergen.1 | level=info msg="[/app/letsencrypt.sh]: \"level=info msg=\\\"Executing notify command 'nginx -s reload'\\\"\""
5/11/2018 3:31:20 PMranchergen.1 | level=info msg="[/app/letsencrypt.sh]: \"level=info msg=\\\"All templates processed. Exiting.\\\"\""
5/11/2018 3:31:20 PMranchergen.1 | level=info msg="All templates processed. Waiting for changes in Metadata..."
```
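The nginx lines in the log above record requests whose request line begins `PROXY TCP4`, the shape of a PROXY protocol v1 header, answered with 400 on port 80 at the same time as the http-01 check fails. As an added example (not part of the original post or of the project's code), this Python check flags that combination in proxy logs; the sample lines, `example.test` and the function names are constructed for illustration.

```python
import re

# Request field of an nginx access-log line: "<request>" <status> <bytes>
ACCESS_RE = re.compile(r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?:\d+|-)')
FAMILIES = {"TCP4", "TCP6"}

def parse_proxy_v1(request):
    """Parse a PROXY protocol v1 header that nginx logged as a request line."""
    parts = request.split()
    if len(parts) < 2 or parts[0] != "PROXY" or parts[1] not in FAMILIES:
        return None
    rest = parts[2:]
    if len(rest) == 4:        # full header: src dst sport dport
        src, dst, sport, dport = rest
    elif len(rest) == 2:      # addresses missing from the log, as in the post
        src, dst = None, None
        sport, dport = rest
    else:
        return None
    if not (sport.isdigit() and dport.isdigit()):
        return None
    return {"family": parts[1], "src": src, "dst": dst,
            "sport": int(sport), "dport": int(dport)}

def diagnose(lines):
    """Count PROXY headers rejected with 400 and note a failed http-01 check."""
    rejected, ports, acme_failed = 0, set(), False
    for line in lines:
        m = ACCESS_RE.search(line)
        hdr = parse_proxy_v1(m.group("request")) if m else None
        if hdr and m.group("status") == "400":
            rejected += 1
            ports.add(hdr["dport"])
        if "/.well-known/acme-challenge/" in line and "Invalid response" in line:
            acme_failed = True
    return {"rejected_proxy_headers": rejected, "listener_ports": sorted(ports),
            "http01_failed": acme_failed,
            "proxy_protocol_mismatch": rejected > 0 and acme_failed}

# Constructed sample lines modelled on the log above (documentation address ranges).
SAMPLE = [
    '_ - - [11/May/2018:19:31:17 +0000] "PROXY TCP4 40226 80" 400 173 "-" "-"',
    '_ - - [11/May/2018:19:31:18 +0000] "PROXY TCP4 192.0.2.10 198.51.100.7 12711 80" 400 173 "-" "-"',
    '_ - - [11/May/2018:19:31:19 +0000] "GET /health HTTP/1.1" 200 2 "-" "-"',
    'Invalid response from http://example.test/.well-known/acme-challenge/TOKEN: "<html>"',
]

if __name__ == "__main__":
    print(diagnose(SAMPLE))
```

A positive `proxy_protocol_mismatch` means the balancer and the nginx listener disagree about PROXY protocol: either the balancer stops sending the header on that listener, or nginx accepts it with `listen 80 proxy_protocol;`. If the header is accepted, restrict who can reach that listener, since any client able to connect directly can supply its own PROXY header.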