gregtwallace / certwarden

Cert Warden is a centralized ACME Client. It provides an API for certificate consumers to fetch their individual keys and certs with API keys.
https://www.certwarden.com/

Provide a working reverse proxy sample configuration #24

Closed UnclePhil closed 10 months ago

UnclePhil commented 1 year ago

Can you provide a working combination of config.yaml and reverse proxy (nginx, traefik or caddy) configuration? I've tried many combinations on my Docker Swarm implementation and I'm facing 50x errors, even if the Docker logs seem correct.

logs

2023-08-16T09:25:03.955Z info app/logger.go:135 init logging started (log level: debug)
2023-08-16T09:25:03.955Z info app/app_create.go:38 starting LeGo CertHub v0.12.5
2023-08-16T09:25:03.967Z info app/logger.go:137 main logging started (log level: info)
2023-08-16T09:25:03.968Z warn sqlite/setup.go:63 database file does not exist, creating a new one
2023-08-16T09:25:03.969Z info sqlite/setup.go:101 populating new database file
2023-08-16T09:25:04.254Z info acme/directory.go:102 starting acme directory refresh service (https://acme-staging-v02.api.letsencrypt.org/directory)
2023-08-16T09:25:04.254Z info acme/directory.go:102 starting acme directory refresh service (https://acme-v02.api.letsencrypt.org/directory)
2023-08-16T09:25:04.254Z info acme/directory.go:76 updating directory from https://acme-staging-v02.api.letsencrypt.org/directory
2023-08-16T09:25:04.254Z info http01internal/server.go:37 starting http-01 challenge server on :4060.
2023-08-16T09:25:04.254Z warn http01internal/server.go:39 http-01 challenge server is not running on port 80; internet facing port 80 must be proxied to port 4060 to function.
2023-08-16T09:25:04.254Z info acme/directory.go:76 updating directory from https://acme-v02.api.letsencrypt.org/directory
2023-08-16T09:25:04.375Z error app/app_create.go:158 failed to configure https cert: no such record found in storage
2023-08-16T09:25:04.375Z error app/app_create.go:161 certain functionality (e.g. pem downloads via API keys) will be disabled until the server is run in https mode
2023-08-16T09:25:04.375Z info updater/checker.go:107 starting updater service
2023-08-16T09:25:04.375Z info auth/session_manager.go:115 starting auth session cleaner service
2023-08-16T09:25:04.375Z info orders/auto_ordering.go:27 starting automatic certificate ordering service; 40 day expiration threshold; orders will be placed every day at 3:12
2023-08-16T09:25:04.375Z info app/routes.go:120 frontend hosting enabled and available at: /legocerthub/app
2023-08-16T09:25:04.376Z warn app/run.go:166 starting insecure lego-certhub (http) bound to :4050
2023-08-16T09:25:04.733Z info acme/directory.go:91 directory https://acme-v02.api.letsencrypt.org/directory updated succesfully
2023-08-16T09:25:04.771Z info acme/directory.go:91 directory https://acme-staging-v02.api.letsencrypt.org/directory updated succesfully

gregtwallace commented 1 year ago

2023-08-16T09:25:04.375Z error app/app_create.go:158 failed to configure https cert: no such record found in storage

The first thing you need to do is create (or import) a production account. Once you do that you need to issue a certificate for the LeGo hostname. After that, ensure the certificate name is specified in the config and restart LeGo to enable https. Some functionality is disabled until https is configured.

If that's not the 5xx errors you're receiving, let me know what task(s) you're doing, which specific errors you're receiving, and ideally the logs surrounding the error(s).

KodySalak commented 1 year ago

The following is how I have my certhub allowed through my main firewall. I am not using HTTP checking for verification; I am using DNS with Cloudflare (you should too... it's completely free and it's so much easier (and in my case better) than using your domain servers for nameservers).

Keep in mind, this config is basically letting anyone from the outside world connect unless you keep and modify the "allow" and "deny all" lines in, and provide the IP addresses you want to be able to connect to your certhub instance. This is provided with NO WARRANTY and I AM NOT RESPONSIBLE FOR ANYTHING THAT MAY HAPPEN!!!

#MAIN SITE

# Plain-http listener: everything is redirected to https.
server {
    listen      80;
    server_name certhub.mysite.com;
    return 302 https://certhub.mysite.com$request_uri;
}

server {
    listen 443 ssl;
    server_name certhub.mysite.com;
    # Only these sources may reach the instance; everyone else gets 403.
    allow 10.0.0.0/16;
    allow YOUR.IP.ADDRESS.HERE;
    deny all;

    # Friendly page when the backend is down, instead of nginx's default 502.
    error_page 502 /502err/index.html;
    location /502err/ {
        root /usr/share/nginx/html;
    }

    ssl_certificate         /etc/certs/letsencrypt/prod/certchainCerthub.pem;
    ssl_certificate_key     /etc/certs/letsencrypt/prod/keyCerthub.key;
    ssl_session_timeout     5m;

    location / {
        # Backend is the certhub container's https listener.
        proxy_pass https://10.0.10.26:4055;
        # Pass the original host and client details through so the backend
        # sees the real client rather than the proxy.
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
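The config above uses DNS validation, so it never has to expose the http-01 challenge server. For deployments that do use http-01, the startup log in the first post warns that internet-facing port 80 must be proxied to port 4060, and the backend reply notes that API-key pem downloads stay disabled until https mode is configured. The following is an added example that combines both points; it is not code from the Cert Warden project or from the thread's authors. It assumes the container is reachable at 10.0.10.26, that 4055 is its https listener (as in the config above) and 4060 its http-01 challenge port (from the log); the hostname, the certificate paths and the allowed networks are placeholders.

```nginx
# Added example, not from the Cert Warden project or this thread's authors.
# Assumed backend: 10.0.10.26, https UI/API on 4055, http-01 challenge
# responder on 4060. Hostname, cert paths and allowed networks are placeholders.

# Port 80: answer ACME http-01 challenges, redirect everything else to https.
server {
    listen      80;
    server_name certhub.mysite.com;

    # The CA's validation request must reach the challenge server without
    # any source restriction, so this location sits outside the allow/deny
    # list used on the https server below.
    location /.well-known/acme-challenge/ {
        proxy_pass http://10.0.10.26:4060;
        proxy_set_header Host $host;
    }

    location / {
        return 302 https://$host$request_uri;
    }
}

# Port 443: restrict the management UI and API to trusted sources only.
server {
    listen      443 ssl;
    server_name certhub.mysite.com;

    ssl_certificate     /etc/certs/letsencrypt/prod/certchainCerthub.pem;
    ssl_certificate_key /etc/certs/letsencrypt/prod/keyCerthub.key;
    ssl_session_timeout 5m;

    # Everything not listed here gets a 403 before reaching the backend.
    allow 10.0.0.0/16;
    allow YOUR.IP.ADDRESS.HERE;   # placeholder for your own address
    deny  all;

    location / {
        proxy_pass https://10.0.10.26:4055;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # Once the backend serves a publicly trusted certificate for its own
        # hostname, the proxy can verify it instead of trusting any cert:
        # proxy_ssl_server_name         on;
        # proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
        # proxy_ssl_verify              on;
    }
}
```

Note that nginx does not verify the upstream certificate by default, which is what makes the proxy work while the backend is still running with a self-signed or missing certificate; after the hostname certificate has been issued and the backend restarted in https mode, enabling the commented `proxy_ssl_verify` lines closes that gap. If the proxy is the only thing listening on port 80, the challenge location is also the only unauthenticated path into the deployment, so keep it limited to the `/.well-known/acme-challenge/` prefix.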