hakwerk / labca

A private Certificate Authority for internal (lab) use, based on the open source ACME Automated Certificate Management Environment implementation from Let's Encrypt (tm).
https://lab-ca.net

Failing to validate CAA record in last restart of setup #102

Closed mangusbrother closed 9 months ago

mangusbrother commented 10 months ago

I have set up labca on my VM with the following docker-compose (removed some other services):

version: "3.8"
services:
#
#
#    CERTIFICATE AUTHORITY
#
#
#

  boulder:
    # Should match one of the GO_DEV_VERSIONS in test/boulder-tools/tag_and_upload.sh.
    image: ghcr.io/hakwerk/labca-boulder:${LABCA_IMAGE_VERSION:-latest}
    environment:
      # To solve HTTP-01 and TLS-ALPN-01 challenges, change the IP in FAKE_DNS
      # to the IP address where your ACME client's solver is listening.
      # FAKE_DNS: 172.17.0.1
      FAKE_DNS: 10.77.77.77
      BOULDER_CONFIG_DIR: &boulder_config_dir labca/config
      GOFLAGS: -mod=vendor
      # Forward the parent env's GOEXPERIMENT value into the container.
      GOEXPERIMENT: ${GOEXPERIMENT:-}
    volumes:
      - boulder_data:/opt/boulder/labca
      - nginx_html:/opt/wwwstatic
      - softhsm:/var/lib/softhsm/tokens:cached
    networks:
      bluenet:
        ipv4_address: 10.77.77.77
      rednet:
        ipv4_address: 10.88.88.88
      consulnet:
        ipv4_address: 10.55.55.55
    # Use consul as a backup to Docker's embedded DNS server. If there's a name
    # Docker's DNS server doesn't know about, it will forward the query to this
    # IP (running consul).
    # (https://docs.docker.com/config/containers/container-networking/#dns-services).
    # This is used to look up service names via A records (like ra.service.consul) that
    # are configured via the ServerAddress field of cmd.GRPCClientConfig.
    # TODO: Remove this when ServerAddress is deprecated in favor of SRV records
    # and DNSAuthority.
    dns: 192.168.4.9
    expose:
      - 4001 # ACMEv2
      - 4002 # OCSP
      - 4003 # OCSP
    depends_on:
      - bmysql
      - bconsul
      - control
    entrypoint: labca/entrypoint.sh
    working_dir: &boulder_working_dir /opt/boulder
    logging:
      driver: "json-file"
      options:
        max-size: "500k"
        max-file: "5"
    restart: always

  bmysql:
    image: mariadb:10.5
    volumes:
      - dbdata:/var/lib/mysql
    networks:
      bluenet:
        aliases:
          - boulder-mysql
    environment:
      MYSQL_ALLOW_EMPTY_PASSWORD: "yes"
    # Send slow queries to a table so we can check for them in the
    # integration tests. For now we ignore queries not using indexes,
    # because that seems to trigger based on the optimizer's choice to not
    # use an index for certain queries, particularly when tables are still
    # small.
    command: mysqld --bind-address=0.0.0.0 --slow-query-log --log-output=TABLE --log-queries-not-using-indexes=ON
    logging:
      driver: "json-file"
      options:
        max-size: "500k"
        max-file: "5"
    restart: always

  bconsul:
    image: hashicorp/consul:1.15.4
    depends_on:
      - control
    volumes:
      - boulder_data:/opt/boulder/labca
    networks:
      consulnet:
        ipv4_address: 10.55.55.10
      bluenet:
        ipv4_address: 10.77.77.10
      rednet:
        ipv4_address: 10.88.88.10
    command: "consul agent -dev -config-format=hcl -config-file=/opt/boulder/labca/consul/config.hcl"
    working_dir: /opt/boulder
    restart: always

  gui:
    image: ghcr.io/hakwerk/labca-gui:${LABCA_IMAGE_VERSION:-latest}
    networks:
      - bluenet
      - sec01
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - ./docker-compose.yaml:/opt/boulder/docker-compose.yaml
      - ldata:/opt/labca/data
      - nginx_html:/opt/wwwstatic
      - backup:/opt/backup
      - boulder_data:/opt/boulder/labca
    expose:
      - 3000
    depends_on:
      - bmysql
      - control
    working_dir: /opt/labca
    command: bin/labca-gui
    logging:
      driver: "json-file"
      options:
        max-size: "500k"
        max-file: "5"
    restart: always

  ca-nginx:
    image: nginx:1.25.3
    restart: always
    container_name: ca-nginx
    networks:
      - bluenet
      - sec01
    ports:
      - 81:80
      - 444:443
      - 80:80
      - 443:443
    volumes:
      - nginx_conf:/etc/nginx/conf.d
      - nginx_ssl:/etc/nginx/ssl
      - nginx_html:/var/www/html
    depends_on:
      - control

  control:
    image: ghcr.io/hakwerk/labca-control:${LABCA_IMAGE_VERSION:-latest}
    networks:
      - bluenet
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - ./docker-compose.yaml:/opt/boulder/docker-compose.yaml
      - ldata:/opt/labca/data
      - backup:/opt/backup
      - logs:/opt/logs
      - boulder_data:/opt/boulder/labca
      - nginx_conf:/etc/nginx/conf.d
      - nginx_ssl:/etc/nginx/ssl
      - nginx_html:/var/www/html
    expose:
      - 3030
    environment:
      LABCA_FQDN: ca.aaron.home
    working_dir: /opt/labca
    command: ./control.sh
    restart: always

#
#
#    Volumes
#
#
#

volumes:
  dbdata:
  nginx_conf:
  nginx_ssl:
  nginx_html:
  boulder_data:
  ldata:
  backup:
  logs:
  softhsm:

networks:
  sec01:
  bluenet:
    driver: bridge
    ipam:
      driver: default
      config:
        - subnet: 10.77.77.0/24

  rednet:
    driver: bridge
    ipam:
      driver: default
      config:
        - subnet: 10.88.88.0/24

  consulnet:
    driver: bridge
    ipam:
      driver: default
      config:
        - subnet: 10.55.55.0/24

labCA is available at ca.aaron.home

My system DNS is available at 192.168.4.9. I have tried changing both boulder's dns and FAKE_DNS to point to my DNS record, to no avail.

On my DNS I have this record in the aaron.home zone:

CAA ca 0 issue ca.aaron.home

In the logs, I have this error:

acme_tiny.log

Sun Nov 12 17:03:06 UTC 2023
Parsing account key...
Parsing CSR...
Found domains: ca.aaron.home
Getting directory...
Directory found!
Registering account...
Already registered! Account ID: http://boulder:4001/acme/acct/1
Creating new order...
Order created!
Verifying ca.aaron.home...
Traceback (most recent call last):
  File "/opt/labca/acme_tiny.py", line 199, in <module>
    main(sys.argv[1:])
  File "/opt/labca/acme_tiny.py", line 195, in main
    signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, log=LOGGER, CA=args.ca, disable_check=args.disable_check, directory_url=args.directory_url, contact=args.contact, check_port=args.check_port)
  File "/opt/labca/acme_tiny.py", line 153, in get_crt
    raise ValueError("Challenge did not pass for {0}: {1}".format(domain, authorization))
ValueError: Challenge did not pass for ca.aaron.home: {'identifier': {'type': 'dns', 'value': 'ca.aaron.home'}, 'status': 'invalid', 'expires': '2023-11-19T17:03:07Z', 'challenges': [{'type': 'http-01', 'status': 'invalid', 'error': {'type': 'urn:ietf:params:acme:error:dns', 'detail': 'DNS problem: NXDOMAIN looking up CAA for home - check that a DNS record exists for this domain', 'status': 400}, 'url': 'http://boulder:4001/acme/chall-v3/6/A7yyjQ', 'token': 'gNzkBS_OnqLkY7yWIqDoe97tMPr7iyVh0epU5y6udFo', 'validationRecord': [{'url': 'http://ca.aaron.home/.well-known/acme-challenge/gNzkBS_OnqLkY7yWIqDoe97tMPr7iyVh0epU5y6udFo', 'hostname': 'ca.aaron.home', 'port': '80', 'addressesResolved': ['192.168.4.11'], 'addressUsed': '192.168.4.11'}], 'validated': '2023-11-12T17:03:07Z'}]}

commander.log

FAILED to get 21 of bin/boulder (only have 0)
curl: (7) Failed to connect to boulder port 4001: Connection refused
FAILED to get 21 of bin/boulder (only have 0)
curl: (7) Failed to connect to boulder port 4001: Connection refused
FAILED to get 21 of bin/boulder (only have 1)
curl: (7) Failed to connect to boulder port 4001: Connection refused

hakwerk commented 10 months ago

In that error the relevant part is:

'DNS problem: NXDOMAIN looking up CAA for home - check that a DNS record exists for this domain'

Maybe the comments in this ticket https://github.com/hakwerk/labca/issues/23 can be of help? It looks like the CAA record needs to be on the domain, not on the hostname. And the value should also be the domain name, not the hostname. Something like

aaron.home. CAA 0 issue "aaron.home"

mangusbrother commented 10 months ago

So this seems to have fixed it; however, DNS resolution for this record seems to have taken a while. So what I imagine happened is that I originally had the wrong one and, while trying to fix it, I know I had set it to this at some point, but it didn't realise it had changed yet for a longer-than-expected moment. So yes, the config mentioned above is the correct one. Just make sure to give it quite a while...