hakwerk / labca

A private Certificate Authority for internal (lab) use, based on the open source ACME Automated Certificate Management Environment implementation from Let's Encrypt (tm).
https://lab-ca.net

non tld domains work? #120

Closed. ihatecerts closed this 2 months ago.

ihatecerts commented 7 months ago

If I had a domain such as dakota.home, would that work with this service?

OOPS Some unexpected error occurred!

```
control-1 | Verifying acme-certmanager.nd.dakota.home...
control-1 | Traceback (most recent call last):
control-1 |   File "/opt/labca/acme_tiny.py", line 199, in
control-1 |     main(sys.argv[1:])
control-1 |   File "/opt/labca/acme_tiny.py", line 195, in main
control-1 |     signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, log=LOGGER, CA=args.ca, disable_check=args.disable_check, directory_url=args.directory_url, contact=args.contact, check_port=args.check_port)
control-1 |   File "/opt/labca/acme_tiny.py", line 153, in get_crt
control-1 |     raise ValueError("Challenge did not pass for {0}: {1}".format(domain, authorization))
control-1 | ValueError: Challenge did not pass for acme-certmanager.nd.dakota.home: {'identifier': {'type': 'dns', 'value': 'acme-certmanager.nd.dakota.home'}, 'status': 'invalid', 'expires': '2024-03-18T14:46:01Z', 'challenges': [{'type': 'http-01', 'status': 'invalid', 'error': {'type': 'urn:ietf:params:acme:error:dns', 'detail': "DNS problem: SERVFAIL looking up CAA for home - the domain's nameservers may be malfunctioning", 'status': 400}, 'url': 'http://boulder:4001/acme/chall-v3/1/zAND0Q', 'token': 'rp1CRhAn6YF9CTPHg_jRmYO5FzMRgB0zePt23WN12nY', 'validationRecord': [{'url': acme-certmanager.nd.dakota.home/.well-known/acme-challenge/rp1CRhAn6YF9CTPHg_jRmYO5FzMRgB0zePt23WN12nY', 'hostname': 'acme-certmanager.nd.dakota.home', 'port': '80', 'addressesResolved': ['198.19.155.252'], 'addressUsed': '198.19.155.252', 'resolverAddrs': ['A:198.19.189.86:53', 'AAAA:198.19.189.86:53']}], 'validated': '2024-03-11T14:46:01Z'}]}
ok
```

hakwerk commented 7 months ago

Well, first of all, if your hostname is acme-certmanager.nd.dakota.home, then the domain name is "nd.dakota.home" and not just "dakota.home". Yes, LabCA should work with either of those domains.

The system is doing DNS lookups to look for a CAA record on the domain itself (nd.dakota.home) and, if it cannot find one, on the parent domain(s), in your case on dakota.home and then home. Your DNS is not set up properly if the home domain is not defined. The solution is either adding a CAA record in a (sub)domain that does exist in your DNS, or setting up the home zone.

Also see https://github.com/hakwerk/labca?tab=readme-ov-file#common-error-messages for some tips on these errors and more background on CAA.

ihatecerts commented 7 months ago

Makes sense. If I have a root domain dakota.home but I also deploy two subdomains across datacenters like nd.dakota | sd.dakota, does that mean lab-ca needs to be created for only the root domain? I listed all root and subdomains in my initial whitelist, but if that's the cause, I don't see a way to roll back my config so I can change the common name and domain whitelist. Is that not possible? Would I need to remove the install and reinstall?

hakwerk commented 7 months ago

You were correct in including all three values (the root and both subdomains) in the whitelist! If you only added the root domain you would probably hit the rate limit issue as described in #117 for hosts within the subdomains. So no need to reinstall LabCA with the info that I see now.

You "just" need to take care of the CAA record to make the validation check happy.

ihatecerts commented 7 months ago

Sounds good. One last question: my domain is in a Windows Server environment. I stumbled upon a guide to add a CAA entry, however it appears to reference a unique record value (see below). Would it be wrong to assume any value would work for lab-ca, or does lab-ca require a specific value?

```powershell
Add-DnsServerResourceRecord -name your_own_name -RecordData 00056973737565656E74727573742E6E6574 -Type 257 -ZoneName your_zone_name
```

hakwerk commented 7 months ago

The value does matter: it should be the value of the "issuerDomain" from file /home/labca/boulder_labca/config/va.json (or `docker compose exec boulder cat labca/config/va.json` if you used the docker-only setup). So that is the domain part of your LabCA server FQDN.

I think in your case you want to end up with this in DNS:

```
dakota.home. 0 IN CAA 0 issue "nd.dakota.home"
```

That would say that the issuer on domain nd.dakota.home (in your example the machine acme-certmanager.nd.dakota.home) is allowed to issue certificates for the whole of dakota.home.

The RecordData is some hex encoded value according to https://serverfault.com/questions/914108/how-to-add-a-caa-record-to-dnsmasq. It seems to always start with 00056973737565, and then, using https://cryptii.com/pipes/hex-decoder to replace several values from https://sslmate.com/caa/, I think that in your case the RecordData would be 000569737375656E642E64616B6F74612E686F6D65, or if it should be "dakota.home" instead of "nd.dakota.home" then it would be 0005697373756564616B6F74612E686F6D65.
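As an added example (not LabCA's or Boulder's own code), the script below builds and decodes the CAA RDATA hex discussed above (RFC 8659 wire format: flags byte, tag length byte, tag, value), and walks a constructed zone table the way the validator climbs to parent domains looking for CAA, as described earlier in this thread. The zone tables, the `caa_permits` walk and its SERVFAIL modelling are simplified assumptions for illustration, not Boulder's implementation.

```python
# Added example, not LabCA's own code: encode/decode the CAA RDATA hex that
# Add-DnsServerResourceRecord -Type 257 expects, and a simplified model of the
# parent-domain CAA walk the validator performs.
import binascii

def caa_rdata_hex(tag, value, flags=0):
    """flags (1 byte) | tag length (1 byte) | tag | value, hex encoded (RFC 8659)."""
    tag_b, val_b = tag.encode("ascii"), value.encode("ascii")
    if not (1 <= len(tag_b) <= 255 and 0 <= flags <= 255):
        raise ValueError("tag length or flags out of range")
    return binascii.hexlify(bytes([flags, len(tag_b)]) + tag_b + val_b).decode().upper()

def parse_caa_rdata_hex(rdata_hex):
    """Inverse of caa_rdata_hex; returns (flags, tag, value)."""
    raw = binascii.unhexlify(rdata_hex)
    if len(raw) < 2 or len(raw) < 2 + raw[1]:
        raise ValueError("truncated CAA RDATA")
    tag_len = raw[1]
    return raw[0], raw[2:2 + tag_len].decode("ascii"), raw[2 + tag_len:].decode("ascii")

# Constructed zone tables: name -> list of (tag, value) CAA records. A name
# missing from the table does not exist in DNS; the resolver reports that as an
# error (the "SERVFAIL looking up CAA for home" seen in the traceback above).
BROKEN_ZONES = {
    "acme-certmanager.nd.dakota.home": [],
    "nd.dakota.home": [],
    "dakota.home": [],
}
FIXED_ZONES = dict(BROKEN_ZONES, **{"dakota.home": [("issue", "nd.dakota.home")]})

def caa_permits(hostname, issuer_domain, zones):
    """Climb from hostname towards the root. The first name holding any CAA
    record is the relevant set; issuance is allowed unless that set has issue
    properties and none of them names issuer_domain (RFC 8659 section 4)."""
    labels = hostname.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:])
        if name not in zones:
            raise LookupError("SERVFAIL looking up CAA for " + name)
        records = zones[name]
        if records:
            issue = [v.split(";")[0].strip().lower() for t, v in records if t == "issue"]
            return not issue or issuer_domain.lower() in issue
    return True  # no CAA anywhere: any CA may issue

if __name__ == "__main__":
    print(caa_rdata_hex("issue", "nd.dakota.home"))  # value for -RecordData
    print(parse_caa_rdata_hex("00056973737565656E74727573742E6E6574"))  # the guide's example
    print(caa_permits("acme-certmanager.nd.dakota.home", "nd.dakota.home", FIXED_ZONES))
```

With the record added at dakota.home the walk stops there and never queries the missing home zone, which is why either fix suggested above (a CAA record on an existing (sub)domain, or defining the home zone) clears the error.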

ihatecerts commented 7 months ago

Thanks so much, I was able to install!

ihatecerts commented 7 months ago

```
2024-03-26T09:10:21-04:00 acme.sh [Tue Mar 26 09:10:21 EDT 2024] Sleep 10 and retry.
2024-03-26T09:10:21-04:00 acme.sh [Tue Mar 26 09:10:21 EDT 2024] Can not init api for: https://acme-certmanager0.dakota.home/directory.
2024-03-26T09:10:21-04:00 acme.sh [Tue Mar 26 09:10:21 EDT 2024] Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: 60
2024-03-26T09:10:20-04:00 acme.sh [Tue Mar 26 09:10:20 EDT 2024] Could not get nonce, let's try again.
2024-03-26T09:10:20-04:00 acme.sh [Tue Mar 26 09:10:20 EDT 2024] Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: 60
2024-03-26T09:10:18-04:00 acme.sh [Tue Mar 26 09:10:18 EDT 2024] Could not get nonce, let's try again.
2024-03-26T09:10:18-04:00 acme.sh [Tue Mar 26 09:10:18 EDT 2024] Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: 60
2024-03-26T09:10:18-04:00 acme.sh [Tue Mar 26 09:10:18 EDT 2024] Registering account: https://acme-certmanager0.dakota.home/directory
2024-03-26T09:10:17-04:00 acme.sh [Tue Mar 26 09:10:17 EDT 2024] Can not init api, for https://acme-certmanager0.dakota.home/directory
2024-03-26T09:10:07-04:00 acme.sh [Tue Mar 26 09:10:07 EDT 2024] Sleep 10 and retry.
2024-03-26T09:10:07-04:00 acme.sh [Tue Mar 26 09:10:07 EDT 2024] Can not init api for: https://acme-certmanager0.dakota.home/directory.
2024-03-26T09:10:07-04:00 acme.sh [Tue Mar 26 09:10:07 EDT 2024] Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: 60
2024-03-26T09:09:57-04:00 acme.sh [Tue Mar 26 09:09:57 EDT 2024] Sleep 10 and retry.
2024-03-26T09:09:57-04:00 acme.sh [Tue Mar 26 09:09:57 EDT 2024] Can not init api for: https://acme-certmanager0.dakota.home/directory.
```

I am trying to use an OPNsense appliance as the ACME client. The OPNsense instance consistently fails to register with LabCA. Are there any specific external account binding creds (key identifier, HMAC key or email address) needed for a client to register with lab-ca?

hakwerk commented 7 months ago

You'll need to trust the LabCA root certificate first on the OPNsense instance.

OPNsense tries to communicate with https://acme-certmanager0.dakota.home, but the certificate of LabCA is not trusted until you explicitly add it to the OPNsense trust store. Also, any clients (browsers) on your network that will be using the website(s) on OPNsense need to explicitly install the root CA certificate to be able to trust the certificates that they will send.