auto-ssl / lua-resty-auto-ssl

On the fly (and free) SSL registration and renewal inside OpenResty/nginx with Let's Encrypt.
MIT License

Outdated dehydrated & Step-CA interoperability #253

Open kiler129 opened 3 years ago

kiler129 commented 3 years ago

It seems like lua-resty-auto-ssl uses an outdated version of dehydrated. This causes issues with proper decoding of JSON responses, which in turn fails the ACME request:

web_1  | 2021/03/17 06:29:52 [error] 19#19: *3 [lua] lets_encrypt.lua:40: issue_cert(): auto-ssl: dehydrated failed: env HOOK_SECRET=.... HOOK_SERVER_PORT=8999 /usr/local/openresty/luajit/bin/resty-auto-ssl/dehydrated --cron --accept-terms --no-lock --domain example.com --challenge http-01 --config /etc/resty-auto-ssl/letsencrypt/config --hook /usr/local/openresty/luajit/bin/resty-auto-ssl/letsencrypt_hooks status: 256 out: # INFO: Using main config file /etc/resty-auto-ssl/letsencrypt/config
web_1  | startup_hook
web_1  | Processing example.com
web_1  |  + Signing domains...
web_1  |  + Generating private key...
web_1  |  + Generating signing request...
web_1  |  + Requesting new certificate order from CA...
web_1  |  err:   + ERROR: An error occurred while sending post-request to https://ca:9000/acme/acme/new-order (Status 400)
web_1  | 
web_1  | Details:
web_1  | HTTP/2 400 
web_1  | cache-control: no-store
web_1  | content-type: application/problem+json
web_1  | link: <https://ca:9000/acme/acme/directory>;rel="index"
web_1  | replay-nonce: ...
web_1  | content-length: 186
web_1  | date: Wed, 17 Mar 2021 06:29:52 GMT
web_1  | 
web_1  | {"type":"urn:ietf:params:acme:error:malformed","detail":"kid does not have required prefix; expected https://ca:9000/acme/acme/account/, but got https://ca:9000/acme/acme/new-account/"}
web_1  | 
web_1  | 
web_1  | , context: ssl_certificate_by_lua*, client: 172.20.0.1, server: 0.0.0.0:443
web_1  | 2021/03/17 06:29:52 [error] 19#19: *3 [lua] ssl_certificate.lua:97: issue_cert(): auto-ssl: issuing new certificate failed: dehydrated failure, context: ssl_certificate_by_lua*, client: 172.20.0.1, server: 0.0.0.0:443
web_1  | 2021/03/17 06:29:52 [error] 19#19: *3 [lua] ssl_certificate.lua:291: auto-ssl: could not get certificate for example.com - using fallback - failed to get or issue certificate, context: ssl_certificate_by_lua*, client: 172.20.0.1, server: 0.0.0.0:443

I traced this to https://github.com/dehydrated-io/dehydrated/issues/689 which pointed me to https://github.com/dehydrated-io/dehydrated/issues/731. Indeed, using a new version of dehydrated by replacing /usr/local/openresty/luajit/bin/resty-auto-ssl/dehydrated in the container (tested with #0094147) fixes the problem.

I believe dehydrated needs to be updated. WDYT?
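The 400 in the log above is the CA rejecting the `kid` in the JWS protected header because it names the newAccount endpoint rather than an account URL under `.../acme/acme/account/`. The following is an added illustration, not code from lua-resty-auto-ssl, dehydrated or step-ca: it reproduces the server-side prefix check implied by the error detail and the client-side rule from RFC 8555 (the account URL is the `Location` header of the newAccount response and is what goes into `kid`). The CA URLs are taken from the log; the account identifier `abc123`, the nonce and the JWS header layout are assumptions for the example. Python is used only for illustration; neither project is written in it.

```python
"""Added example: ACME "kid" handling behind the step-ca 400 seen in the issue.

Not part of lua-resty-auto-ssl, dehydrated or step-ca. URLs below come from
the log in the issue; the account id "abc123" and nonce are constructed.
"""
import base64
import json

# Values visible in the error detail of the issue (the CA's expectation and
# what the outdated client actually sent).
ACCOUNT_PREFIX = "https://ca:9000/acme/acme/account/"
NEW_ACCOUNT_URL = "https://ca:9000/acme/acme/new-account/"
NEW_ORDER_URL = "https://ca:9000/acme/acme/new-order"
MALFORMED = "urn:ietf:params:acme:error:malformed"


def b64url(data: bytes) -> str:
    """base64url without padding, as JWS (RFC 7515) requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url; re-adds the padding the encoder stripped."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_protected_header(kid: str, nonce: str, url: str) -> str:
    """Client side: protected header for a request on an existing account.

    RFC 8555 section 6.2: such requests identify the account with "kid"
    (the account URL), never with "jwk". Signature is out of scope here.
    """
    header = {"alg": "ES256", "kid": kid, "nonce": nonce, "url": url}
    return b64url(json.dumps(header, separators=(",", ":")).encode("utf-8"))


def account_url_from_new_account_response(status: int, headers: dict):
    """Client side: where the "kid" value comes from.

    RFC 8555 section 7.3: on success the newAccount response carries the
    account URL in the Location header. That URL is the "kid" for every
    later request. Returns None if the response does not provide it.
    """
    if status not in (200, 201):
        return None
    # Header names are case-insensitive; accept either spelling.
    location = headers.get("Location") or headers.get("location")
    return location or None


def check_kid(protected_b64: str, account_prefix: str = ACCOUNT_PREFIX):
    """Server side: the prefix check that produced the 400 in the issue.

    Returns (ok, problem). On failure "problem" is an RFC 7807 style body
    like the application/problem+json the CA returned. The detail string
    mirrors the wording in the log; this is a reconstruction, not step-ca's
    actual code.
    """
    header = json.loads(b64url_decode(protected_b64))
    kid = header.get("kid")
    if kid is None:
        return False, {"type": MALFORMED, "detail": "missing kid in protected header"}
    if not kid.startswith(account_prefix):
        return False, {
            "type": MALFORMED,
            "detail": "kid does not have required prefix; expected "
                      f"{account_prefix}, but got {kid}",
        }
    return True, None


def demo() -> dict:
    """Correct client flow beside the failing one from the issue."""
    # Constructed newAccount response: the CA hands back the account URL.
    kid = account_url_from_new_account_response(
        201, {"Location": ACCOUNT_PREFIX + "abc123"})
    good = check_kid(build_protected_header(kid, "n0nce", NEW_ORDER_URL))
    # What the outdated dehydrated effectively did: reused the endpoint URL.
    bad = check_kid(build_protected_header(NEW_ACCOUNT_URL, "n0nce", NEW_ORDER_URL))
    return {"kid": kid, "good": good, "bad": bad}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running `demo()` shows the accepted request with `kid` under the account prefix beside the rejected one whose problem document matches the `malformed` error in the log; a quick way to confirm which side is at fault is to dump the `kid` a client sends (for dehydrated, the account URL it stored after registration) and compare it with the `Location` the CA returned for newAccount.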