Closed royvandongen closed 4 months ago
Hello,
Did you try with previous versions of Traefik?
The implementation is using the official API client.
The error:
could not get token from authenticator: could not decode private key
comes from:
Your problem seems to be related to your configuration.
I think the file's content defined with TRANSIP_PRIVATE_KEY_PATH has a problem.
This was indeed the first thing I suspected, however the key is readable from the docker container. Unfortunately I am not aware how I could get more logging from inside the process itself.
Hello,
Did you try with previous versions of Traefik?
Now I have, same outcome. I am now comparing a working and a non-working setup but can not find differences about the above referenced file.
Since I have multiple installations I even tried using the api key from a working machine, but it results in the same issue (also tested on v2.11 and v2.10 of Traefik).
I have tested some more, and by changing the TRANSIP_PRIVATE_KEY_PATH to TRANSIP_PRIVATE_KEY_PATH_FILE I got this output:
time="2024-02-22T15:57:55Z" level=error msg="Unable to obtain ACME certificate for domains \"vps01.*****.net\"" routerName=api@docker error="cannot get ACME client transip: error while opening private key file: open \ufeff-----BEGIN PRIVATE KEY-----\nMIIEvQIBA*************TvPQ=\n-----END PRIVATE KEY-----\n: no such file or directory" ACME CA="https://acme-v02.api.letsencrypt.org/directory" providerName=letsencrypt.acme rule="Host(`vps01.*****.net`) && PathPrefix(`/api`)"
This clearly proves the file can be read, however I am not sure what the "\ufeff" part means before the private key.
For transparency, this is how I mention the variables in my docker-compose.yml file:
environment:
- TRANSIP_ACCOUNT_NAME=*****
- TRANSIP_PRIVATE_KEY_PATH=/transip.apikey
I don't think the problem comes from opening the file. I think it's related to the content, as I said previously.
The error "could not decode private key" is about the content.
There is something invalid with the content of this file.
I understand why you would say that, however to test what is going on here, I have deleted the contents of the file multiple times and pasted new (and even currently working) keys in the file in order to test if this would be the issue.
I guess I'm a bit lost here now. Strange, this is the first time this exact config does not work for me.
Strange, this is the first time this exact config does not work for me
What was the context when this was working? What's changed since then?
It's a completely new server, but I used the same basic templates for my docker-compose.yml file as before. That's why I'm so surprised it does not have the same outcome.
To double-check, I created a new api key without any ip-restrictions on the TransIP side, just to exclude that too.
As shown in the log output above, the file is exactly a private key, with 0600 file permissions, it's just the same over multiple servers here.
When it was working, what was the exact Traefik version?
Because the code of the API client hasn't changed for a long time for the parts that lego uses.
One of the working servers is running Traefik 2.5.3, so I ran that specific version, issue resides. I'll trash everything and start over completely blank to see if that changes anything.
If you can create a temporary file, can you send me one by email? Like that, I will be able to just test the file.
Your private key file works: I run tests of the API client with it, there is no error, and I can sign a request. So the problem is not here :thinking: It can be on the mounting point or related to system encoding :thinking:
Thank you so much for excluding those specifics, I'll continue to test here.
I could not test more with the information you provided, because:
transip: could not get token from authenticator: error requesting token: Your key signature is invalid or API is not enabled in your account
That makes sense, because I put in a placeholder account. I fixed the issue, I'll post separately what it was so it can be pinned/marked as solution.
Hi all,
This is the solution, it is crazy and far-fetched but with the awesome help of @ldez it was found and fixed!
On a non-functional server:
root@vps01:/opt/deployment/webserver# file -i traefik/transip.apikey
traefik/transip.apikey: text/plain; charset=utf-8
On a functional server:
root@lb-01:/opt/traefik$ file -i transip.apikey
transip.apikey: text/plain; charset=us-ascii
The encoding was off, and me being a total dumbss I copied the file contents to ldez, instead of the exact file which I could not retrieve natively*.
Apparently the error "acme: error presenting token: transip: could not get token from authenticator: could not decode private key" also shows when the file encoding is not correct.
Since the file was created by an automation system, I will try to find why this happened in the first place, but for future people who experience this issue, either try to convert your file to ascii with the command:
iconv -f UTF-8 -t ASCII transip.apikey -o transip.apikey
or just write a new file with the same contents.
Once again, thanks @ldez for helping out, I would never have found this myself!
Encoding problems, the hidden problems that can spend you hours on them :smile_cat:
FYI, I deleted all the information you provided from my computer and my mailbox.
What did you expect to see?
Valid certificate issuance
What did you see instead?
How do you use lego?
Through Traefik