gregtwallace / certwarden

Cert Warden is a centralized ACME Client. It provides an API for certificate consumers to fetch their individual keys and certs with API keys.
https://www.certwarden.com/

oathtool missing inside the docker image #64

Closed DunklerPhoenix closed 1 week ago

DunklerPhoenix commented 1 month ago

Heyho, can you please add oathtool to the docker image? acme.sh needs it for providers that use 2FA.

gregtwallace commented 1 month ago

What provider are you trying to use?

If I post a test build would you be able to provide feedback?

DunklerPhoenix commented 1 month ago

acme.sh with inwx dns

Yes I can test a test build 😄

gregtwallace commented 3 weeks ago

Give this build a shot. I added the oath-toolkit-oathtool package and also updated acme.sh to the latest version.

File was too big for GitHub to accept: https://file.io/EZcNS3q079eb

Unzip the file to get the .tar and then you should be able to import the tar file into docker (https://docs.docker.com/reference/cli/docker/image/import/).

DunklerPhoenix commented 3 weeks ago

Did you use docker export?

https://serverfault.com/questions/757210/no-command-specified-from-re-imported-docker-image-container

Are the changes in a GitHub branch? Maybe I can build it from the repo locally. If not, I'll try to use the config from the original image.

gregtwallace commented 3 weeks ago

Yes, that's the export. You can also build it yourself from the master branches.

DunklerPhoenix commented 1 week ago

Soooooo. My servers are running again. What a pain.

I installed oathtool directly into the normal docker image and the error message is gone. But the certificate still cannot be created because of other errors:

I also disabled 2FA for testing. With 2FA the error is:

[Sun Nov 10 15:03:29 CET 2024] INWX API: Mobile TAN not correct.

without:

[Sun Nov 10 15:10:42 CET 2024] invalid domain

11/10/2024, 3:10:42 PM, debug, job_manager/manager.go:78, order fulfilling worker 2: end high priority job (order id: 10)
11/10/2024, 3:10:42 PM, info, orders/fulfilling_do.go:100, orders: fulfilling worker 2: order 10 done
11/10/2024, 3:10:42 PM, error, orders/fulfilling_do.go:99, orders: fulfilling worker 2: fulfill auths error: exit status 1
11/10/2024, 3:10:42 PM, error, challenges/solver.go:65, challenges: deprovision failed (exit status 1)
11/10/2024, 3:10:42 PM, debug, challenges/provisioning.go:87, challenges: removed resource for downloaders.domain.net from work tracker
11/10/2024, 3:10:42 PM, error, dns01acmesh/resources.go:52, acme.sh dns delete script error: exit status 1
11/10/2024, 3:10:42 PM, error, dns01acmesh/resources.go:49, acme.sh dns create script std err: grep: : No such file or directory
[Sun Nov 10 15:10:42 CET 2024] config file is empty, can not save SAVED_INWX_Cookie=Cookie: 
[Sun Nov 10 15:10:42 CET 2024] config file is empty, can not clear
[Sun Nov 10 15:10:42 CET 2024] invalid domain

11/10/2024, 3:10:42 PM, error, dns01acmesh/resources.go:27, acme.sh dns create script error: exit status 1
11/10/2024, 3:10:42 PM, error, dns01acmesh/resources.go:24, acme.sh dns create script std err: [Sun Nov 10 15:10:41 CET 2024] config file is empty, can not save SAVED_INWX_User=my_user
[Sun Nov 10 15:10:41 CET 2024] config file is empty, can not clear
[Sun Nov 10 15:10:41 CET 2024] config file is empty, can not save SAVED_INWX_Password=my_password
[Sun Nov 10 15:10:41 CET 2024] config file is empty, can not clear
[Sun Nov 10 15:10:41 CET 2024] config file is empty, can not save SAVED_INWX_Shared_Secret=
[Sun Nov 10 15:10:41 CET 2024] config file is empty, can not clear
grep: : No such file or directory
[Sun Nov 10 15:10:42 CET 2024] config file is empty, can not save SAVED_INWX_Cookie=Cookie: 
[Sun Nov 10 15:10:42 CET 2024] config file is empty, can not clear
[Sun Nov 10 15:10:42 CET 2024] invalid domain

11/10/2024, 3:10:41 PM, debug, challenges/provisioning.go:26, challenges: added resource for downloaders.domain.net to work tracker
11/10/2024, 3:10:41 PM, debug, acme/post_signed.go:147, acme signed post response code: 200 ; body: {
    "identifier": {
        "type": "dns",
        "value": "downloaders.domain.net"
    },
    "status": "pending",
    "expires": "2024-11-17T14:02:14Z",
    "challenges": [
        {
            "type": "http-01",
            "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/more/random",
            "status": "pending",
            "token": "vyHbXxxX9odE_some_random_stuff"
        },
        {
            "type": "tls-alpn-01",
            "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/more/random",
            "status": "pending",
            "token": "vyHbXxxX9odE_some_random_stuff"
        },
        {
            "type": "dns-01",
            "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/more/random",
            "status": "pending",
            "token": "vyHbXxxX9odE_some_random_stuff"
        }
    ]
}
11/10/2024, 3:10:41 PM, debug, acme/post_signed.go:84, sending acme signed post to: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/more_random ; unencoded payload: ""
11/10/2024, 3:10:41 PM, debug, acme/post_signed.go:147, acme signed post response code: 200 ; body: {
    "status": "pending",
    "expires": "2024-11-17T14:02:14Z",
    "identifiers": [
        {
            "type": "dns",
            "value": "downloaders.domain.net"
        }
    ],
    "authorizations": [
        "https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/more_random"
    ],
    "finalize": "https://acme-staging-v02.api.letsencrypt.org/acme/finalize/more/random"
}
11/10/2024, 3:10:41 PM, debug, acme/post_signed.go:84, sending acme signed post to: https://acme-staging-v02.api.letsencrypt.org/acme/order/more/random ; unencoded payload: ""
11/10/2024, 3:10:41 PM, info, orders/fulfilling_do.go:24, orders: fulfilling worker 2: ordering order id 10 (certificate name: downloaders.domain.net, subject: downloaders.domain.net)
11/10/2024, 3:10:41 PM, debug, job_manager/manager.go:76, order fulfilling worker 2: start high priority job (order id: 10)
11/10/2024, 3:10:35 PM, info, auth/handlers.go:146, client 172.20.0.17:60568: access token refresh for user 'admin' succeeded
11/10/2024, 3:10:35 PM, info, auth/handlers.go:108, client 172.20.0.17:60568: attempting access token refresh
11/10/2024, 3:10:35 PM, debug, app/middleware_returnval_handling.go:76, client 172.20.0.17:60568: PUT /api/v1/certificates/9 205.618µs: served err response
11/10/2024, 3:10:35 PM, debug, auth/validate.go:36, client 172.20.0.17:60568: PUT /api/v1/certificates/9 failed (token is expired by 2.7593547s)

It is funny because with go-acme it's working.

PS: Could you please add better error messages? Stupid me, I first added "inwx" as DNS and not "dns_inwx" and only got error 400. After turning debug on I saw my mistake :D
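One way to sift a Cert Warden log excerpt like the one above for the acme.sh DNS hook failures, as an added example that is not Cert Warden's own code: the line format (date, time, level, file:line, message, with script stderr continuing on following lines) is inferred from the quoted lines, and the sample input is constructed to mirror them.

```python
"""Parse Cert Warden log lines and flag acme.sh DNS hook failures (added example,
not Cert Warden's own code; format inferred from the lines quoted in the issue)."""
import re
from dataclasses import dataclass, field
# "date, time, level, file:line, message"; non-matching lines are continuation
# lines (multi-line script stderr or a JSON body) belonging to the previous entry.
LINE_RE = re.compile(
    r"^(?P<ts>\d{1,2}/\d{1,2}/\d{4}, \d{1,2}:\d{2}:\d{2} [AP]M), "
    r"(?P<level>\w+), (?P<src>[\w/.]+:\d+), (?P<msg>.*)$"
)

@dataclass
class Entry:
    ts: str
    level: str
    src: str
    msg: str
    extra: list = field(default_factory=list)  # continuation lines

def parse(text):
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            entries.append(Entry(**m.groupdict()))
        elif entries and line.strip():
            entries[-1].extra.append(line)
    return entries

# Substrings from the acme.sh stderr in the issue, mapped to a short diagnosis.
FAILURE_HINTS = {
    "config file is empty": "acme.sh cannot persist provider settings (no writable account config)",
    "invalid domain": "acme.sh dns hook rejected the domain",
    "Mobile TAN not correct": "INWX 2FA code rejected",
}

def acmesh_failures(entries):
    """Return (source, [hints]) for each acme.sh script entry that carries stderr."""
    found = []
    for e in entries:
        if e.src.startswith("dns01acmesh/") and "std err" in e.msg:
            blob = "\n".join([e.msg] + e.extra)
            found.append((e.src, [h for k, h in FAILURE_HINTS.items() if k in blob]))
    return found

# Constructed sample mirroring the issue's log excerpt.
SAMPLE = """\
11/10/2024, 3:10:42 PM, error, dns01acmesh/resources.go:52, acme.sh dns delete script error: exit status 1
11/10/2024, 3:10:42 PM, error, dns01acmesh/resources.go:49, acme.sh dns create script std err: grep: : No such file or directory
[Sun Nov 10 15:10:42 CET 2024] config file is empty, can not save SAVED_INWX_Cookie=Cookie:
[Sun Nov 10 15:10:42 CET 2024] invalid domain
11/10/2024, 3:10:41 PM, debug, challenges/provisioning.go:26, challenges: added resource for downloaders.domain.net to work tracker
"""
```

Running `acmesh_failures(parse(SAMPLE))` points at the `resources.go:49` entry with both the "config file is empty" and "invalid domain" hints, which is the pair of symptoms the thread discusses.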

gregtwallace commented 1 week ago

I have a separate issue open to make the error messages friendlier, without having to enable debug.

Glad to hear it is working with go-acme. My best guess for why acme.sh isn't working is that the script requires some sort of local storage, which isn't supported with the implementation here.