hakwerk / labca

A private Certificate Authority for internal (lab) use, based on the open source ACME Automated Certificate Management Environment implementation from Let's Encrypt (tm).
https://lab-ca.net

Cannot finalize the installation process - Response Code: 308 #125

Closed JueFri closed 7 months ago

JueFri commented 7 months ago

First of all I would like to say thank you for creating this software.

I used a Debian 12 Bookworm unprivileged LXC container on Proxmox and installed the software (v24.03) based on the Install section of the README file on GitHub with the command

curl -sSL https://raw.githubusercontent.com/hakwerk/labca/master/install | bash

Everything seems to be ok and the 6 docker containers started up and running fine.

I prepared my nameserver and the reverse proxy Caddy to access the application via the browser.

After the base install I went through the setup in my browser to finalize the installation process and I got the following error message "OOPS - Some unexpected error occurred! ..." and the Response Code: 308.

ValueError: Wrote file to /var/www/html/.well-known/acme-challenge/Nwm-boiute2Aq2X8Yknrf07RHyXCeqP7B5jJd-5pf2w, but couldn't download http://pki.hds12.de/.well-known/acme-challenge/Nwm-boiute2Aq2X8Yknrf07RHyXCeqP7B5jJd-5pf2w: Error:
Url: http://pki.hds12.de/.well-known/acme-challenge/Nwm-boiute2Aq2X8Yknrf07RHyXCeqP7B5jJd-5pf2w
Data: None
Response Code: 308

I am not sure if 308 stands for Permanent Redirect and what that could mean in this context.

Any help is appreciated.

Best regards Jürgen

Diagnostic information.

/home/labca/nginx_data/ssl/acme_tiny.log

Mon Apr  8 08:10:03 UTC 2024
Parsing account key...
Parsing CSR...
Found domains: pki.hds12.de
Getting directory...
Directory found!
Registering account...
Already registered! Account ID: http://boulder:4001/acme/acct/1
Updated contact details:
mailto:juergen.friemann@hds12.de
Creating new order...
Order created!
Verifying pki.hds12.de...
Traceback (most recent call last):
  File "/opt/labca/acme_tiny.py", line 145, in get_crt
    assert (disable_check or _do_request(wellknown_url)[0] == keyauthorization)
  File "/opt/labca/acme_tiny.py", line 46, in _do_request
    raise ValueError("{0}:\nUrl: {1}\nData: {2}\nResponse Code: {3}\nResponse: {4}".format(err_msg, url, data, code, resp_data))
ValueError: Error:
Url: http://pki.hds12.de/.well-known/acme-challenge/Nwm-boiute2Aq2X8Yknrf07RHyXCeqP7B5jJd-5pf2w
Data: None
Response Code: 308
Response: 

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/opt/labca/acme_tiny.py", line 199, in <module>
    main(sys.argv[1:])
  File "/opt/labca/acme_tiny.py", line 195, in main
    signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, log=LOGGER, CA=args.ca, disable_check=args.disable_check, directory_url=args.directory_url, contact=args.contact, check_port=args.check_port)
  File "/opt/labca/acme_tiny.py", line 147, in get_crt
    raise ValueError("Wrote file to {0}, but couldn't download {1}: {2}".format(wellknown_path, wellknown_url, e))
ValueError: Wrote file to /var/www/html/.well-known/acme-challenge/Nwm-boiute2Aq2X8Yknrf07RHyXCeqP7B5jJd-5pf2w, but couldn't download http://pki.hds12.de/.well-known/acme-challenge/Nwm-boiute2Aq2X8Yknrf07RHyXCeqP7B5jJd-5pf2w: Error:
Url: http://pki.hds12.de/.well-known/acme-challenge/Nwm-boiute2Aq2X8Yknrf07RHyXCeqP7B5jJd-5pf2w
Data: None
Response Code: 308
Response: 

(control)/logs/commander.log

time="2024-04-04T14:23:05Z" level=warning msg="/opt/boulder/docker-compose.yml: `version` is obsolete"
 Container labca-nginx-1  Restarting
 Container labca-bmysql-1  Restarting
 Container labca-bconsul-1  Restarting
 Container labca-boulder-1  Restarting
 Container labca-gui-1  Restarting
 Container labca-bconsul-1  Started
 Container labca-bmysql-1  Started
 Container labca-gui-1  Started
 Container labca-nginx-1  Started
 Container labca-boulder-1  Started

docker compose logs control

control-1  | Reading state information...
control-1  | ucspi-tcp is already the newest version (1:0.88-6).
control-1  | 0 upgraded, 0 newly installed, 0 to remove and 6 not upgraded.
control-1  | read EC key
control-1  | writing EC key
control-1  | read EC key
control-1  | writing EC key
control-1  | /opt/labca
control-1  | Start serving commander script...
control-1  | Parsing account key...
control-1  | Parsing CSR...
control-1  | Found domains: pki.hds12.de
control-1  | Getting directory...
control-1  | Directory found!
control-1  | Registering account...
control-1  | Already registered! Account ID: http://boulder:4001/acme/acct/1
control-1  | Updated contact details:
control-1  | mailto:juergen.friemann@hds12.de
control-1  | Creating new order...
control-1  | Order created!
control-1  | Verifying pki.hds12.de...
control-1  | Traceback (most recent call last):
control-1  |   File "/opt/labca/acme_tiny.py", line 145, in get_crt
control-1  |     assert (disable_check or _do_request(wellknown_url)[0] == keyauthorization)
control-1  |   File "/opt/labca/acme_tiny.py", line 46, in _do_request
control-1  |     raise ValueError("{0}:\nUrl: {1}\nData: {2}\nResponse Code: {3}\nResponse: {4}".format(err_msg, url, data, code, resp_data))
control-1  | ValueError: Error:
control-1  | Url: http://pki.hds12.de/.well-known/acme-challenge/Nwm-boiute2Aq2X8Yknrf07RHyXCeqP7B5jJd-5pf2w
control-1  | Data: None
control-1  | Response Code: 308
control-1  | Response: 
control-1  | 
control-1  | During handling of the above exception, another exception occurred:
control-1  | 
control-1  | Traceback (most recent call last):
control-1  |   File "/opt/labca/acme_tiny.py", line 199, in <module>
control-1  |     main(sys.argv[1:])
control-1  |   File "/opt/labca/acme_tiny.py", line 195, in main
control-1  |     signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, log=LOGGER, CA=args.ca, disable_check=args.disable_check, directory_url=args.directory_url, contact=args.contact, check_port=args.check_port)
control-1  |   File "/opt/labca/acme_tiny.py", line 147, in get_crt
control-1  |     raise ValueError("Wrote file to {0}, but couldn't download {1}: {2}".format(wellknown_path, wellknown_url, e))
control-1  | ValueError: Wrote file to /var/www/html/.well-known/acme-challenge/Nwm-boiute2Aq2X8Yknrf07RHyXCeqP7B5jJd-5pf2w, but couldn't download http://pki.hds12.de/.well-known/acme-challenge/Nwm-boiute2Aq2X8Yknrf07RHyXCeqP7B5jJd-5pf2w: Error:
control-1  | Url: http://pki.hds12.de/.well-known/acme-challenge/Nwm-boiute2Aq2X8Yknrf07RHyXCeqP7B5jJd-5pf2w
control-1  | Data: None
control-1  | Response Code: 308
control-1  | Response: 
control-1  | time="2024-04-08T08:10:04Z" level=warning msg="/opt/boulder/docker-compose.yml: `version` is obsolete"
control-1  | time="2024-04-08T08:10:04Z" level=warning msg="/opt/boulder/docker-compose.yml: `version` is obsolete"
control-1  | time="2024-04-08T08:10:04Z" level=warning msg="/opt/boulder/docker-compose.yml: `version` is obsolete"
control-1  | time="2024-04-08T08:10:08Z" level=warning msg="/opt/boulder/docker-compose.yml: `version` is obsolete"

docker compose logs boulder

boulder-1  | 2024-04-08T07:49:43.191582+00:00Z boulder-ca[574]: 6 boulder-ca o_WN0wc Loaded an ECDSA allow list with 1 entries
boulder-1  | 2024-04-08T07:49:43.193535+00:00Z boulder-ca[574]: 6 boulder-ca -6LaLAA grpc listening on :9393
boulder-1  | health checking ca.boulder (localhost:9393)
boulder-1  | 2024-04-08T07:49:44.151597+00:00Z boulder-ca[588]: 6 boulder-ca iZrV2AI Debug server listening on :8101
boulder-1  | 2024-04-08T07:49:44.151647+00:00Z boulder-ca[588]: 6 boulder-ca kcfl8AM Versions: boulder-ca=(Unspecified Unspecified) Golang=(go1.21.5) BuildHost=(Unspecified)
boulder-1  | 2024-04-08T07:49:44.151974+00:00Z boulder-ca[588]: 6 boulder-ca _sCF8Qg loading hostname policy, sha256: fe85ca8dac8d3e45158c32c75c129c1dc63fc495985b818225031bd4dc515beb
boulder-1  | 2024-04-08T07:49:44.164145+00:00Z boulder-ca[588]: 6 boulder-ca o_WN0wc Loaded an ECDSA allow list with 1 entries
boulder-1  | 2024-04-08T07:49:44.165259+00:00Z boulder-ca[588]: 6 boulder-ca _o_mBgA grpc listening on :9493
boulder-1  | health checking ca.boulder (localhost:9493)
boulder-1  | 2024-04-08T07:49:45.177021+00:00Z boulder-va[603]: 6 boulder-va saf31QU Debug server listening on :8004
boulder-1  | 2024-04-08T07:49:45.177341+00:00Z boulder-va[603]: 6 boulder-va 4NKI_QQ Versions: boulder-va=(Unspecified Unspecified) Golang=(go1.21.5) BuildHost=(Unspecified)
boulder-1  | 2024-04-08T07:49:45.178320+00:00Z boulder-va[603]: 6 boulder-va 7cPGlAc grpc listening on :9392
boulder-1  | health checking va.boulder (localhost:9392)
boulder-1  | 2024-04-08T07:49:46.207446+00:00Z crl-updater[617]: 6 crl-updater vIuFxwE Debug server listening on :8021
boulder-1  | 2024-04-08T07:49:46.207621+00:00Z crl-updater[617]: 6 crl-updater uZGv7AY Versions: crl-updater=(Unspecified Unspecified) Golang=(go1.21.5) BuildHost=(Unspecified)
boulder-1  | 2024-04-08T07:49:46.310309+00:00Z boulder-ra[625]: 6 boulder-ra s7nwkAs Debug server listening on :8102
boulder-1  | 2024-04-08T07:49:46.310461+00:00Z boulder-ra[625]: 6 boulder-ra jZ2vig8 Versions: boulder-ra=(Unspecified Unspecified) Golang=(go1.21.5) BuildHost=(Unspecified)
boulder-1  | 2024-04-08T07:49:46.310753+00:00Z boulder-ra[625]: 6 boulder-ra _sCF8Qg loading hostname policy, sha256: fe85ca8dac8d3e45158c32c75c129c1dc63fc495985b818225031bd4dc515beb
boulder-1  | 2024-04-08T07:49:46.316073+00:00Z boulder-ra[625]: 6 boulder-ra 3aT09Qk grpc listening on :9494
boulder-1  | health checking ra.boulder (localhost:9494)
boulder-1  | 2024-04-08T07:49:47.333000+00:00Z boulder-ra[639]: 6 boulder-ra hO35ngs Debug server listening on :8002
boulder-1  | 2024-04-08T07:49:47.333197+00:00Z boulder-ra[639]: 6 boulder-ra jZ2vig8 Versions: boulder-ra=(Unspecified Unspecified) Golang=(go1.21.5) BuildHost=(Unspecified)
boulder-1  | 2024-04-08T07:49:47.333351+00:00Z boulder-ra[639]: 6 boulder-ra _sCF8Qg loading hostname policy, sha256: fe85ca8dac8d3e45158c32c75c129c1dc63fc495985b818225031bd4dc515beb
boulder-1  | 2024-04-08T07:49:47.339273+00:00Z boulder-ra[639]: 6 boulder-ra 2InI3wk grpc listening on :9394
boulder-1  | health checking ra.boulder (localhost:9394)
boulder-1  | 2024-04-08T07:49:48.353661+00:00Z ocsp-responder[651]: 6 ocsp-responder p8br7QI Debug server listening on :8005
boulder-1  | 2024-04-08T07:49:48.353711+00:00Z ocsp-responder[651]: 6 ocsp-responder w5LIxAk Versions: ocsp-responder=(Unspecified Unspecified) Golang=(go1.21.5) BuildHost=(Unspecified)
boulder-1  | 2024-04-08T07:49:48.356190+00:00Z ocsp-responder[651]: 6 ocsp-responder gduRtgc HTTP server listening on :4002
boulder-1  | 2024-04-08T07:51:46.230150+00:00Z crl-updater[617]: 3 crl-updater oOL2wgI [AUDIT] Generating CRL failed: id=[{"issuerID":6785675654209236,"shardIdx":1,"crlNumber":1712562706222927334}] err=[computing shardmap: rpc error: code = Unknown desc = certificateStatus table notAfter column is empty]
boulder-1  | 2024-04-08T08:04:34.884298+00:00Z boulder-sa[412]: 6 boulder-sa vMmt-gY time=2024-04-08T08:04:34.884226233Z
boulder-1  | 2024-04-08T08:04:36.022274+00:00Z log-validator[432]: 6 log-validator n-_2jww time=2024-04-08T08:04:36.022182217Z
boulder-1  | 2024-04-08T08:04:36.334499+00:00Z nonce-service[454]: 6 nonce-service rtnWqg4 time=2024-04-08T08:04:36.334399727Z
boulder-1  | 2024-04-08T08:04:36.449573+00:00Z boulder-publisher[460]: 6 boulder-publisher 0qXwsgY time=2024-04-08T08:04:36.449456547Z
boulder-1  | 2024-04-08T08:04:37.474636+00:00Z boulder-publisher[473]: 6 boulder-publisher oPrD6A4 time=2024-04-08T08:04:37.47454809Z
boulder-1  | 2024-04-08T08:04:38.501758+00:00Z boulder-remoteva[486]: 6 boulder-remoteva -7LArAg time=2024-04-08T08:04:38.501610292Z
boulder-1  | 2024-04-08T08:04:39.519041+00:00Z mail-test-srv[499]: 6 mail-test-srv pa_42Qo time=2024-04-08T08:04:39.518927156Z
boulder-1  | 2024-04-08T08:04:39.630286+00:00Z nonce-service[505]: 6 nonce-service 6ubKmgc time=2024-04-08T08:04:39.630186827Z
boulder-1  | 2024-04-08T08:04:39.732579+00:00Z crl-storer[512]: 6 crl-storer 786MlgE time=2024-04-08T08:04:39.732479687Z
boulder-1  | 2024-04-08T08:04:39.834495+00:00Z nonce-service[518]: 6 nonce-service lOqe3QM time=2024-04-08T08:04:39.834422429Z
boulder-1  | 2024-04-08T08:04:39.936573+00:00Z boulder-remoteva[525]: 6 boulder-remoteva 94K-ogs time=2024-04-08T08:04:39.936431415Z
boulder-1  | 2024-04-08T08:04:40.963662+00:00Z boulder-sa[539]: 6 boulder-sa u7XZgwI time=2024-04-08T08:04:40.963573437Z
boulder-1  | 2024-04-08T08:04:41.994888+00:00Z boulder-va[553]: 6 boulder-va tPiPogQ time=2024-04-08T08:04:41.994790898Z
boulder-1  | 2024-04-08T08:04:43.020983+00:00Z akamai-purger[567]: 6 akamai-purger 1ePm0As time=2024-04-08T08:04:43.020893357Z
boulder-1  | 2024-04-08T08:04:43.124289+00:00Z boulder-ca[574]: 6 boulder-ca k_yhlgU time=2024-04-08T08:04:43.124184957Z
boulder-1  | 2024-04-08T08:04:44.152619+00:00Z boulder-ca[588]: 6 boulder-ca qvrt6g4 time=2024-04-08T08:04:44.152540571Z
boulder-1  | 2024-04-08T08:04:45.177449+00:00Z boulder-va[603]: 6 boulder-va ipeIpQM time=2024-04-08T08:04:45.177319927Z
boulder-1  | 2024-04-08T08:04:46.207744+00:00Z crl-updater[617]: 6 crl-updater j8rQjQY time=2024-04-08T08:04:46.207682252Z
boulder-1  | 2024-04-08T08:04:46.310462+00:00Z boulder-ra[625]: 6 boulder-ra -8XrmwU time=2024-04-08T08:04:46.310342055Z
boulder-1  | 2024-04-08T08:04:47.333383+00:00Z boulder-ra[639]: 6 boulder-ra j6Kosgo time=2024-04-08T08:04:47.333279698Z
boulder-1  | 2024-04-08T08:04:48.353951+00:00Z ocsp-responder[651]: 6 ocsp-responder 5Znc8wc time=2024-04-08T08:04:48.353832128Z

docker compose logs labca

gui-1  | 2024/04/08 08:09:13 GET /
gui-1  | 2024/04/08 08:09:13 GET /login
gui-1  | 2024/04/08 08:09:22 POST /login
gui-1  | 2024/04/08 08:09:22 GET /
gui-1  | 2024/04/08 08:09:22 GET /setup
gui-1  | 2024/04/08 08:09:53 GET /final
gui-1  | 2024/04/08 08:09:58 GET /final
gui-1  | 2024/04/08 08:10:03 GET /final
gui-1  | 2024/04/08 08:10:04 ERROR: Message from server: 'ERROR! On line 68 in commander script
gui-1  | '
gui-1  | 2024/04/08 08:10:04 errorHandler: err=ERROR! On line 68 in commander script
gui-1  | 
gui-1  | main._hostCommand({0x1398458, 0xc000340000}, 0x0?, {0xe51c8f, 0xc}, {0x0, 0x0, 0xc1359c?})
gui-1  |    /go/src/labca/main.go:2264 +0x67a
gui-1  | main.finalHandler({0x1398458?, 0xc000340000}, 0xc000690b00)
gui-1  |    /go/src/labca/main.go:2813 +0x62f
gui-1  | net/http.HandlerFunc.ServeHTTP(0xd2cc40?, {0x1398458?, 0xc000340000?}, 0xc000340000?)
gui-1  |    /usr/local/go/src/net/http/server.go:2136 +0x29
gui-1  | main.authorized.func1({0x1398458, 0xc000340000}, 0xc000690b00)
gui-1  |    /go/src/labca/main.go:3289 +0x337
gui-1  | net/http.HandlerFunc.ServeHTTP(0xc000690400?, {0x1398458?, 0xc000340000?}, 0x7de33ded5d60?)
gui-1  |    /usr/local/go/src/net/http/server.go:2136 +0x29
gui-1  | github.com/gorilla/mux.(*Router).ServeHTTP(0xc00016c6c0, {0x1398458, 0xc000340000}, 0xc000690000)
gui-1  |    /root/go/pkg/mod/github.com/gorilla/mux@v1.8.0/mux.go:210 +0x1c5
gui-1  | net/http.serverHandler.ServeHTTP({0xc000334750?}, {0x1398458?, 0xc000340000?}, 0x6?)
gui-1  |    /usr/local/go/src/net/http/server.go:2938 +0x8e
gui-1  | net/http.(*conn).serve(0xc0000ca5a0, {0x139b0f8, 0xc0008287b0})
gui-1  |    /usr/local/go/src/net/http/server.go:2009 +0x5f4
gui-1  | created by net/http.(*Server).Serve in goroutine 1
gui-1  |    /usr/local/go/src/net/http/server.go:3086 +0x5cb
gui-1  | 2024/04/08 08:10:04 http: superfluous response.WriteHeader call from main.finalHandler (main.go:2816)
gui-1  | 2024/04/08 08:10:08 GET /final
gui-1  | 2024/04/08 08:10:08 GET /error
gui-1  | 2024/04/08 08:10:08 errorHandler: err=<nil>
gui-1  | main.showErrorHandler({0x1398458?, 0xc00014c700?}, 0xc0004cb988?)
gui-1  |    /go/src/labca/main.go:2842 +0x27
gui-1  | net/http.HandlerFunc.ServeHTTP(0xd2cc40?, {0x1398458?, 0xc00014c700?}, 0xc00014c700?)
gui-1  |    /usr/local/go/src/net/http/server.go:2136 +0x29
gui-1  | main.authorized.func1({0x1398458, 0xc00014c700}, 0xc0000bc500)
gui-1  |    /go/src/labca/main.go:3289 +0x337
gui-1  | net/http.HandlerFunc.ServeHTTP(0xc0000bc400?, {0x1398458?, 0xc00014c700?}, 0x7de33ded5b70?)
gui-1  |    /usr/local/go/src/net/http/server.go:2136 +0x29
gui-1  | github.com/gorilla/mux.(*Router).ServeHTTP(0xc00016c6c0, {0x1398458, 0xc00014c700}, 0xc0000bc300)
gui-1  |    /root/go/pkg/mod/github.com/gorilla/mux@v1.8.0/mux.go:210 +0x1c5
gui-1  | net/http.serverHandler.ServeHTTP({0xc00050c1b0?}, {0x1398458?, 0xc00014c700?}, 0x6?)
gui-1  |    /usr/local/go/src/net/http/server.go:2938 +0x8e
gui-1  | net/http.(*conn).serve(0xc000868990, {0x139b0f8, 0xc0008287b0})
gui-1  |    /usr/local/go/src/net/http/server.go:2009 +0x5f4
gui-1  | created by net/http.(*Server).Serve in goroutine 1
gui-1  |    /usr/local/go/src/net/http/server.go:3086 +0x5cb
hakwerk commented 7 months ago

I think the 308 is indeed Caddy redirecting from plain HTTP to HTTPS. The acme_tiny.py client is trying to read the .well-known file using HTTP, but Caddy seems to redirect to HTTPS which acme_tiny.py does not follow.

You should try configuring Caddy so that it does not redirect if the path starts with "/.well-known/acme-challenge" or so. The acme_tiny.py seems to be hardcoded to use plain HTTP only.
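The failure mode described in this reply can be reproduced offline. The following is an added example written for this page; it is not code from labca or acme_tiny. It models the HTTP-01 self-check as one plain-HTTP GET that does not follow redirects (using `http.client`, which never follows them), and runs it against two in-process stand-ins for the front proxy: one that answers every plain-HTTP request with a 308 to HTTPS (the behaviour that produced the log above), and one that exempts `/.well-known/acme-challenge/` and serves the file. The token and key authorization are constructed values, not the ones from the issue.

```python
"""Reproduce the 308 from this issue: an ACME HTTP-01 self-check that does
not follow redirects, run against a redirect-everything proxy and against a
proxy that exempts the challenge path. Added example, not labca/acme_tiny code."""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed sample values (not the real token / key authorization from the log).
CHALLENGE_PREFIX = "/.well-known/acme-challenge/"
TOKEN = "constructed-token-123"
KEY_AUTH = TOKEN + ".constructed-thumbprint"


def make_handler(exempt_challenge_path: bool):
    """Build a request handler that behaves like a front proxy.

    exempt_challenge_path=False: every plain-HTTP request gets a 308 to HTTPS
    (the configuration that broke the setup in this issue).
    exempt_challenge_path=True: challenge files are served over plain HTTP,
    everything else is still redirected (the suggested fix).
    """

    class ProxyHandler(BaseHTTPRequestHandler):
        def do_GET(self):
            if exempt_challenge_path and self.path.startswith(CHALLENGE_PREFIX):
                body = KEY_AUTH.encode() if self.path == CHALLENGE_PREFIX + TOKEN else b""
                self.send_response(200 if body else 404)
                self.send_header("Content-Type", "text/plain")
                self.send_header("Content-Length", str(len(body)))
                self.end_headers()
                self.wfile.write(body)
                return
            # Permanent redirect to HTTPS, as an HTTP->HTTPS front proxy would send.
            self.send_response(308)
            self.send_header("Location", "https://" + self.headers["Host"] + self.path)
            self.send_header("Content-Length", "0")
            self.end_headers()

        def log_message(self, *args):  # keep the demo output quiet
            pass

    return ProxyHandler


def start_proxy(exempt_challenge_path: bool) -> HTTPServer:
    """Start a proxy stand-in on an ephemeral localhost port in a daemon thread."""
    server = HTTPServer(("127.0.0.1", 0), make_handler(exempt_challenge_path))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def fetch_challenge(host: str, port: int, token: str):
    """One plain-HTTP GET of the challenge file with no redirect handling,
    which is how a client that 'does not follow' ends up seeing a 308.
    Returns (status_code, body_text)."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request("GET", CHALLENGE_PREFIX + token)
        resp = conn.getresponse()
        return resp.status, resp.read().decode()
    finally:
        conn.close()


def self_check(host: str, port: int, token: str, expected_key_auth: str) -> str:
    """Classify the result the way an operator reading acme_tiny.log would."""
    status, body = fetch_challenge(host, port, token)
    if status in (301, 302, 307, 308):
        return f"redirected ({status}): proxy forces HTTPS on {CHALLENGE_PREFIX}; exempt that path"
    if status == 200 and body == expected_key_auth:
        return "ok: key authorization served over plain HTTP"
    return f"unexpected response {status}"


def run_demo():
    """Run the check against both proxy variants; returns {label: status_code}."""
    results = {}
    for label, exempt in (("redirect-all", False), ("challenge-exempt", True)):
        srv = start_proxy(exempt)
        try:
            results[label] = fetch_challenge("127.0.0.1", srv.server_port, TOKEN)[0]
            print(label, "->", self_check("127.0.0.1", srv.server_port, TOKEN, KEY_AUTH))
        finally:
            srv.shutdown()
            srv.server_close()
    return results


if __name__ == "__main__":
    run_demo()
```

Running it prints a 308 classification for the redirect-all proxy and an ok for the exempting one. The same `fetch_challenge` call, pointed at a real host and port 80, is a quick way to confirm a proxy change before re-running the LabCA setup: the answer must be a 200 carrying the key authorization, not any 3xx. In Caddy terms (an assumption about the reader's configuration, not something the issue shows), defining the site with an explicit `http://` address and proxying or serving `/.well-known/acme-challenge/*` there avoids the automatic HTTP-to-HTTPS redirect for that host.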

JueFri commented 7 months ago

Thank you very much for your quick reply.

Currently I don't know how to follow your recommendation, but I will start to research and then I will report back.

JueFri commented 7 months ago

Your thought was correct - redirecting from HTTP to HTTPS through Caddy Reverse Proxy resulted in Response Code 308.

I was able to completely avoid using the Caddy Reverse Proxy for the website pki.hds12.de.

Now I can access the LabCA website without any errors.

Many thanks for your support.

Sincerely Jürgen