go-acme / lego

Let's Encrypt/ACME client and library written in Go
https://go-acme.github.io/lego/
MIT License

TransIP verification fails because of token error #2118

Closed royvandongen closed 4 months ago

royvandongen commented 4 months ago


What did you expect to see?

Valid certificate issuance

What did you see instead?

time="2024-02-22T14:27:15Z" level=error msg="Unable to obtain ACME certificate for domains \"vps01.*****.net\"" providerName=letsencrypt.acme routerName=api@docker rule="Host(`vps01.*****.net`) && PathPrefix(`/api`)" ACME CA="https://acme-v02.api.letsencrypt.org/directory" error="unable to generate a certificate for the domains [vps01.*****.net]: error: one or more domains had a problem:\n[vps01.*****.net] [vps01.*****.net] acme: error presenting token: transip: could not get token from authenticator: could not decode private key\n"

How do you use lego?

Through Traefik

Reproduction steps

Docker Compose config:

```yaml
      - --certificatesresolvers.letsencrypt.acme.dnsChallenge.provider=transip
      - --certificatesresolvers.letsencrypt.acme.dnsChallenge.resolvers="ns0.transip.net,ns1.transip.nl,ns2.transip.eu"
      - --certificatesresolvers.letsencrypt.acme.dnsChallenge.delayBeforeCheck=60
      - --certificatesresolvers.letsencrypt.acme.email=*****@*****
      - --certificatesresolvers.letsencrypt.acme.storage=/letsencrypt/acme.json
      - --log.level=DEBUG
```

Version of lego

According to Traefik V2.11.0 release:

github.com/go-acme/lego/v4 v4.15.0 h1:A7MHEU3b+TDFqhC/HmzMJnzPbyeaYvMZQBbqgvbThhU=
github.com/go-acme/lego/v4 v4.15.0/go.mod h1:eeGhjW4zWT7Ccqa3sY7ayEqFLCAICx+mXgkMHKIkLxg=

Logs

```console
time="2024-02-22T14:27:13Z" level=debug msg="Building ACME client..." providerName=letsencrypt.acme
time="2024-02-22T14:27:13Z" level=debug msg="https://acme-v02.api.letsencrypt.org/directory" providerName=letsencrypt.acme
time="2024-02-22T14:27:14Z" level=info msg=Register... providerName=letsencrypt.acme
time="2024-02-22T14:27:14Z" level=debug msg="legolog: [INFO] acme: Registering account for *****@*****"
time="2024-02-22T14:27:14Z" level=debug msg="Using DNS Challenge provider: transip" providerName=letsencrypt.acme
time="2024-02-22T14:27:14Z" level=debug msg="legolog: [INFO] [vps01.*****.net] acme: Obtaining bundled SAN certificate"
time="2024-02-22T14:27:14Z" level=debug msg="legolog: [INFO] [vps01.*****.net] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/*****"
time="2024-02-22T14:27:14Z" level=debug msg="legolog: [INFO] [vps01.*****.net] acme: Could not find solver for: tls-alpn-01"
time="2024-02-22T14:27:14Z" level=debug msg="legolog: [INFO] [vps01.*****.net] acme: Could not find solver for: http-01"
time="2024-02-22T14:27:14Z" level=debug msg="legolog: [INFO] [vps01.*****.net] acme: use dns-01 solver"
time="2024-02-22T14:27:14Z" level=debug msg="legolog: [INFO] [vps01.*****.net] acme: Preparing to solve DNS-01"
time="2024-02-22T14:27:15Z" level=debug msg="legolog: [INFO] [vps01.*****.net] acme: Cleaning DNS-01 challenge"
time="2024-02-22T14:27:15Z" level=debug msg="legolog: [WARN] [vps01.*****.net] acme: cleaning up failed: transip: error for _acme-challenge.vps01.*****.net. 
in CleanUp: could not get token from authenticator: could not decode private key "
time="2024-02-22T14:27:15Z" level=debug msg="legolog: [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/*****"
time="2024-02-22T14:27:15Z" level=error msg="Unable to obtain ACME certificate for domains \"vps01.*****.net\"" providerName=letsencrypt.acme routerName=api@docker rule="Host(`vps01.*****.net`) && PathPrefix(`/api`)" ACME CA="https://acme-v02.api.letsencrypt.org/directory" error="unable to generate a certificate for the domains [vps01.*****.net]: error: one or more domains had a problem:\n[vps01.*****.net] [vps01.*****.net] acme: error presenting token: transip: could not get token from authenticator: could not decode private key\n"
```

Go environment (if applicable)

```console
$ go version && go env
# paste output here
```

ldez commented 4 months ago

Hello,

Did you try with previous versions of Traefik?

ldez commented 4 months ago

The implementation is using the official API client.

The error:

could not get token from authenticator: could not decode private key

comes from:

Your problem seems to be related to your configuration. I think the file's content defined with TRANSIP_PRIVATE_KEY_PATH has a problem.

royvandongen commented 4 months ago

This was indeed the first thing I suspected, however the key is readable from the docker container. Unfortunately I am not aware how I could get more logging from inside the process itself.

royvandongen commented 4 months ago

> Hello,
>
> Did you try with previous versions of Traefik?

Now I have, same outcome. I am now comparing a working and a non-working setup but cannot find differences about the above referenced file.

Since I have multiple installations I even tried using the API key from a working machine, but it results in the same issue (also tested on v2.11 and v2.10 of Traefik).

royvandongen commented 4 months ago

I have tested some more, and by changing the TRANSIP_PRIVATE_KEY_PATH to TRANSIP_PRIVATE_KEY_PATH_FILE I got this output:

time="2024-02-22T15:57:55Z" level=error msg="Unable to obtain ACME certificate for domains \"vps01.*****.net\"" routerName=api@docker error="cannot get ACME client transip: error while opening private key file: open \ufeff-----BEGIN PRIVATE KEY-----\nMIIEvQIBA*************TvPQ=\n-----END PRIVATE KEY-----\n: no such file or directory" ACME CA="https://acme-v02.api.letsencrypt.org/directory" providerName=letsencrypt.acme rule="Host(`vps01.*****.net`) && PathPrefix(`/api`)"

This clearly proves the file can be read, however I am not sure what the "\ufeff" part means before the private key.

For transparency, this is how I mention the variables in my docker-compose.yml file:

```yaml
environment:
  - TRANSIP_ACCOUNT_NAME=*****
  - TRANSIP_PRIVATE_KEY_PATH=/transip.apikey
```

ldez commented 4 months ago

I don't think the problem comes from the fact to open the file. I think it's related to the content, as I said previously.

The error could not decode private key is about the content. There is something invalid with the content of this file.

royvandongen commented 4 months ago

I understand why you would say that, however to test what is going on here, I have deleted the contents of the file multiple times and pasted new (and even currently working) keys in the file in order to test if this would be the issue.

I guess I'm a bit lost here now.. Strange, this is the first time this exact config does not work for me.

ldez commented 4 months ago

> Strange, this is the first time this exact config does not work for me

What was the context when this was working? What's changed since that?

royvandongen commented 4 months ago

It's a completely new server, but I used the same basic templates for my docker-compose.yml file as before. That's why I'm so surprised it does not have the same outcome.

To double-check, I created a new API key without any IP restrictions on the TransIP side, just to exclude that too.

As shown in the log output above, the file is exactly a private key, with 0600 file permissions, it's just the same over multiple servers here.

ldez commented 4 months ago

When it was working, what was the exact Traefik version?

Because the code of the API client hasn't changed for a long time for the parts that lego uses.

royvandongen commented 4 months ago

One of the working servers is running Traefik 2.5.3, so I ran that specific version, issue resides.. I'll trash everything and start over completely blank to see if that changes anything.

ldez commented 4 months ago

If you can create a temporary file, can you send me one by email? Like that, I will be able to just test the file.

ldez commented 4 months ago

Your private key file works, I ran tests of the API client with it, there is no error and I can sign a request. So the problem is not here :thinking: It can be on the mount point or related to system encoding :thinking:

royvandongen commented 4 months ago

Thank you so much for excluding those specifics, I'll continue to test here.

ldez commented 4 months ago

I could not test more with the information you provided, because:

```
transip: could not get token from authenticator: error requesting token: Your key signature is invalid or API is not enabled in your account
```

royvandongen commented 4 months ago

That makes sense, because I put in a placeholder account. I fixed the issue, I'll post separately what it was so it can be pinned/marked as solution.

royvandongen commented 4 months ago

Hi all,

This is the solution, it is crazy and far-fetched but with the awesome help of @ldez it was found and fixed!

On a non-functional server:

```console
root@vps01:/opt/deployment/webserver# file -i traefik/transip.apikey 
traefik/transip.apikey: text/plain; charset=utf-8
```

On a functional server:

```console
root@lb-01:/opt/traefik$ file -i transip.apikey 
transip.apikey: text/plain; charset=us-ascii
```

The encoding was off, and me being a total dumbass I copied the file contents to ldez, instead of the exact file which I could not retrieve natively*.

Apparently the error "acme: error presenting token: transip: could not get token from authenticator: could not decode private key" also shows when the file encoding is not correct.

Since the file was created by an automation system, I will try to find why this happened in the first place, but for future people who experience this issue, either try to convert your file to ASCII with the command:

```console
iconv -f UTF-8 -t ASCII transip.apikey -o transip.apikey
```

or just write a new file with the same contents.

Once again, thanks @ldez for helping out, I would never have found this myself!
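The `\ufeff` seen in the earlier log line is a UTF-8 byte-order mark (bytes `EF BB BF`) at the start of the key file, which is why `file -i` reports `utf-8` rather than `us-ascii`. Go's `pem.Decode` only recognises `-----BEGIN` at the very start of the data or after a newline, so a BOM makes it return no block and the key cannot be decoded. The following is an added illustration, not lego's or the TransIP client's code: it reproduces the failure on a constructed in-memory key and shows a loader that detects and strips the BOM so the operator gets a clear diagnosis.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"fmt"
)

// utf8BOM is what the "\ufeff" in the log line stands for on disk.
var utf8BOM = []byte{0xEF, 0xBB, 0xBF}

// hasBOM reports whether a key file starts with a UTF-8 byte-order mark.
func hasBOM(data []byte) bool { return bytes.HasPrefix(data, utf8BOM) }

// parsePKCS8 is the strict path: PEM-decode, then parse PKCS#8. With a BOM in
// front of "-----BEGIN", pem.Decode finds no block and we fail the same way
// the thread's "could not decode private key" error does.
func parsePKCS8(data []byte) (any, error) {
	block, _ := pem.Decode(data)
	if block == nil {
		return nil, errors.New("could not decode private key")
	}
	return x509.ParsePKCS8PrivateKey(block.Bytes)
}

// loadKey is the hardened variant: it strips a leading BOM and reports that it
// did, so a misencoded file is diagnosed instead of surfacing as a vague error.
func loadKey(data []byte) (key any, bomStripped bool, err error) {
	bomStripped = hasBOM(data)
	key, err = parsePKCS8(bytes.TrimPrefix(data, utf8BOM))
	return key, bomStripped, err
}

// constructedKeyPEM builds a throwaway P-256 key as PKCS#8 PEM (constructed
// test data, not a real TransIP key).
func constructedKeyPEM() []byte {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	der, err := x509.MarshalPKCS8PrivateKey(k)
	if err != nil {
		panic(err)
	}
	return pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: der})
}

func main() {
	withBOM := append(append([]byte{}, utf8BOM...), constructedKeyPEM()...)
	_, err := parsePKCS8(withBOM)
	fmt.Println("strict parse of BOM-prefixed key:", err)
	_, stripped, err := loadKey(withBOM)
	fmt.Println("hardened load: bom stripped =", stripped, "err =", err)
}
```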

ldez commented 4 months ago

Encoding problems, the hidden problems that can make you spend hours on them :smile_cat:

FYI, I deleted all the information you provided from my computer and my mailbox.
