bsyk / cf-letsencrypt

Let's Encrypt wrapper for Cloud-Foundry
MIT License

Locations reported incorrectly for cf files commands #3

Closed bsyk closed 8 years ago

bsyk commented 8 years ago

Mentioned by @jlstack in https://github.com/bsyk/cf-letsencrypt/issues/1#issuecomment-216531822

My domains.yml has the following:

"domains": [
  {
    "domain": "mydomain.com",
    "hosts": [
      "www"
    ]
  } 
]

The logs at the end say:

Fetch the certs and logs via cf files ...
You can get them with these commands:
cf files letsencrypt app/conf/live/mydomain.com/cert.pem
cf files letsencrypt app/conf/live/mydomain.com/chain.pem
cf files letsencrypt app/conf/live/mydomain.com/fullchain.pem
cf files letsencrypt app/conf/live/mydomain.com/privkey.pem

The files are actually located at the following locations:

cf files letsencrypt app/conf/live/www.mydomain.com/cert.pem
cf files letsencrypt app/conf/live/www.mydomain.com/chain.pem
cf files letsencrypt app/conf/live/www.mydomain.com/fullchain.pem
cf files letsencrypt app/conf/live/www.mydomain.com/privkey.pem

lmsurpre commented 8 years ago

I'm seeing a similar issue where the tool is only creating certificates for the first host specified in domains.yml

Example:

"domains": [
  {
    "domain": "mydomain.com",
    "hosts": [
      "www",
      "sample"
    ]
  } 
]

Using this will result in only a single certificate, for www.mydomain.com, in a directory by the same name (none for sample.mydomain.com).

It looks like this issue may be a result of an underlying issue with certbot (the letsencrypt client): https://github.com/certbot/certbot/issues/2752 Unfortunately, there's not much detail there and so I'm not positive.

bsyk commented 8 years ago

Do you have correct DNS entries for all hosts pointing at your CF provider? I have used this with multiple hosts and domains. I'm on mobile right now so can't check, but will test when I'm connected again.

lmsurpre commented 8 years ago

Yeah, I'm pretty sure I've got the DNS entries correct. Possibly they introduced a new bug in certbot?! That one I referenced is from April and so I think you would have seen it...

I guess I should open a separate issue for it since it might not be related to the printing of the locations.

BTW: How would you feel about us writing up the steps for using cf-letsencrypt with Bluemix and publishing it on the official blog at https://developer.ibm.com/bluemix/blog ?

bsyk commented 8 years ago

I just ran with some sample domains. Here's my domains.yml file (I am using LE staging to avoid generation limits)

{
  "email": "git@bsyk.es",
  "staging": true,
  "domains": [
    {
      "domain": "bsyk.es",
      "hosts": [
        ".",
        "sample",
        "www"
      ]
    },
    {
      "domain": "bsyk.uk",
      "hosts": [
        "host"
      ]
    }
  ]
}

I did a clean python setup-app.py without an existing letsencrypt app deployed.

This generated 1 set of certificates which I got with cf files letsencrypt app/conf/live/bsyk.es/cert.pem

Here's the alternate name section from the obtained certificate:

X509v3 Subject Alternative Name: 
                DNS:bsyk.es, DNS:host.bsyk.uk, DNS:sample.bsyk.es, DNS:www.bsyk.es

bsyk commented 8 years ago

@lmsurpre I'd be happy to help write an article for the bluemix blog. Let me know how I can help.

lmsurpre commented 8 years ago

I see. I guess I was thinking that I would get a different certificate (in a different directory) for each domain in the domains.yml file (although the sample I posted doesn't really show that). Now I realize it just sets a different SAN entry for each host.domain entry and so I think it's working fine. I've updated the fork that @jlstack made in order to reflect our new understanding... just let us know if you'd like an updated pull request (the changes are pretty minor).

Regarding the article, we've already drafted it, but would love a quick review before posting...maybe you could email me at my username @us.ibm.com if you're interested.
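
The mapping this thread settles on (one certificate, one SAN entry per host.domain pair, stored under a directory named after the first name), as an added example that is not part of the original thread or the project's own code. It assumes the directory naming seen in the two reports above, reads domains.yml with `json` because the posted files are JSON-compatible, and all function names are hypothetical.

```python
import json

# domains.yml entries and the SAN line as posted in the thread above.
DOMAINS_YML = """
{"staging": true,
 "domains": [
   {"domain": "bsyk.es", "hosts": [".", "sample", "www"]},
   {"domain": "bsyk.uk", "hosts": ["host"]}
 ]}
"""
SAN_LINE = "DNS:bsyk.es, DNS:host.bsyk.uk, DNS:sample.bsyk.es, DNS:www.bsyk.es"
PEM_FILES = ("cert.pem", "chain.pem", "fullchain.pem", "privkey.pem")


def load_config(text):
    """Parse a JSON-compatible domains.yml document."""
    return json.loads(text)


def expected_names(config):
    """Expand each host/domain pair to an FQDN in config order; "." is the bare domain."""
    names = []
    for entry in config.get("domains", []):
        domain = entry["domain"].strip(".").lower()
        for host in entry.get("hosts", []):
            host = host.strip().lower()
            fqdn = domain if host in (".", "") else f"{host}.{domain}"
            if fqdn not in names:
                names.append(fqdn)
    return names


def fetch_commands(names, app="letsencrypt"):
    """Assumption from the thread: live/ is named after the first expanded name."""
    if not names:
        raise ValueError("domains.yml expands to no hostnames")
    return [f"cf files {app} app/conf/live/{names[0]}/{pem}" for pem in PEM_FILES]


def parse_san_line(line):
    """Return the set of DNS names from a 'DNS:a, DNS:b' SAN line."""
    parts = (p.strip() for p in line.split(","))
    return {p[4:].lower() for p in parts if p.startswith("DNS:")}


def coverage_gaps(names, san_line):
    """Return (missing, unexpected): names absent from the cert, extra names in it."""
    san, want = parse_san_line(san_line), set(names)
    return sorted(want - san), sorted(san - want)
```

A non-empty `missing` list means a configured host was not issued a SAN entry, which is the condition to check for before binding the certificate to those routes.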