alan-turing-institute / data-safe-haven

https://data-safe-haven.readthedocs.io
BSD 3-Clause "New" or "Revised" License

Fix SSL certificate error #1939

Closed jemrobinson closed 3 months ago

jemrobinson commented 3 months ago

:white_check_mark: Checklist

:vertical_traffic_light: Depends on

n/a

:arrow_heading_up: Summary

Workaround for an issue where Let's Encrypt refused to provide certificates for uppercase FQDNs

:closed_umbrella: Related issues

Closes #1938

:microscope: Tests

~Tested inside function but not more widely. Waiting for a test report from original bug report provider.~ Now confirmed that this fixes #1938.

craddm commented 3 months ago

Testing was held up by #1947

jemrobinson commented 3 months ago

@craddm @JimMadge : should we merge this and fix #1947 in another PR to latest?

craddm commented 3 months ago

I'm still running through a test deployment. Hit this error now:

```
Submit-ChallengeValidation: Authorization invalid for guacamole-sre-t2caps.blue.develop.turingsafehaven.ac.uk: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.guacamole-sre-t2caps.blue.develop.turingsafehaven.ac.uk - check that a DNS record exists for this domain
2024-06-20 21:49:53 [SUCCESS]: [✔] Certificate creation succeeded
2024-06-20 21:49:53 [   INFO]: Importing signed certificate into Key Vault 'kv-blue-sre-t2caps'...
2024-06-20 21:49:53 [FAILURE]: [x] Certificate import failed!
Import-AzKeyVaultCertificate: /workspaces/data-safe-haven/deployment/secure_research_environment/setup/Update_SRE_SSL_Certificate.ps1:225:125
Line |
 225 |  … lt.name -Name $certificateName -FilePath $certificateFilePath -ErrorA …
     |                                             ~~~~~~~~~~~~~~~~~~~~
     | Cannot bind argument to parameter 'FilePath' because it is an empty string.
```

jemrobinson commented 3 months ago

This is actually very adjacent to the original error! Can you post a bit more context?

JimMadge commented 3 months ago

Looks like maybe there is another bug to fix here?

jemrobinson commented 3 months ago

Looks like the blue.develop.turingsafehaven.ac.uk DNS zone is missing. Can you re-run the SHM deploy scripts @craddm ?

jemrobinson commented 3 months ago

I'm merging this into release-v4.2.2 as the original problem is fixed. I'll open a new release-candidate PR from that branch.