ibotty / openshift-letsencrypt

MIT License

Dehydrate and certs not found #6

Closed andrelillvede closed 7 years ago

andrelillvede commented 7 years ago

Hi! First off, fantastic work!

I tried running the pod on openshift origin 1.3 and directly ran into a problem. The dehydrate script hadn't been downloaded when creating the docker image but after changing the commit hash to the one of the latest commit, building the image and pushing it to our own repo on dockerhub everything seemed fine.

But then common.sh couldn't find the certs in

keyfile() {
    echo "$LETSENCRYPT_DATADIR/$1/key"
}

certfile() {
    echo "$LETSENCRYPT_DATADIR/$1/crt"
}

fullchainfile() {
    echo "$LETSENCRYPT_DATADIR/$1/fullchain"
}

Had to change to:

keyfile() {
    echo "$LETSENCRYPT_DATADIR/$1/privkey.pem"
}

certfile() {
    echo "$LETSENCRYPT_DATADIR/$1/cert.pem"
}

fullchainfile() {
    echo "$LETSENCRYPT_DATADIR/$1/fullchain.pem"
}

Do you think the change of dehydrated commit hash was the cause of pem files not found? Are they supposed to be copied to e.g. $LETSENCRYPT_DATADIR/$1/crt after retrieving them with dehydrate?

I have created new routes after the change and everything seems to work just fine.

ibotty commented 7 years ago

The certificates' names really should be as above. The dehydrated given names will not persist a container redeployment! There is a bug right now you might have run into: sometimes, it will not generate the secrets in dehydrated-hook. I'll have to get to investigate that!

Regarding the dehydrated commit hash, I am sure that worked before, because I have been continuously building the container... Maybe the dehydrated repo has been force-pushed. I don't know. I will update to the latest dehydrated later today.

andrelillvede commented 7 years ago

Ok, cool! I totally missed your update to this issue as github notifications went to my spam folder :/

Yeah you are right, the secret is not created. Have you made any progress on that or do you have a workaround?

andrelillvede commented 7 years ago

The dehydrate release now used gives me a "challenge is invalid". After changing it to a later commit hash and building own images it works.

But as expected, no secret is created. This is from the log file after the challenge succeeded.

+ . /usr/share/letsencrypt-container/common.sh
++ export LETSENCRYPT_SERVICE_NAME=letsencrypt
++ LETSENCRYPT_SERVICE_NAME=letsencrypt
++ export LETSENCRYPT_ACME_SECRET_NAME=letsencrypt-creds
++ LETSENCRYPT_ACME_SECRET_NAME=letsencrypt-creds
++ export LETSENCRYPT_DEFAULT_INSECURE_EDGE_TERMINATION_POLICY=Redirect
++ LETSENCRYPT_DEFAULT_INSECURE_EDGE_TERMINATION_POLICY=Redirect
++ export LETSENCRYPT_ROUTE_SELECTOR=butter.sh/letsencrypt-managed=yes
++ LETSENCRYPT_ROUTE_SELECTOR=butter.sh/letsencrypt-managed=yes
++ export LETSENCRYPT_KEYTYPE=rsa
++ LETSENCRYPT_KEYTYPE=rsa
++ export LETSENCRYPT_RENEW_BEFORE_DAYS=14
++ LETSENCRYPT_RENEW_BEFORE_DAYS=14
++ export LETSENCRYPT_VERBOSE=yes
++ LETSENCRYPT_VERBOSE=yes
++ export LETSENCRYPT_CA=https://acme-v01.api.letsencrypt.org/directory
++ LETSENCRYPT_CA=https://acme-v01.api.letsencrypt.org/directory
++ export LETSENCRYPT_KEYTYPE=rsa
++ LETSENCRYPT_KEYTYPE=rsa
++ export LETSENCRYPT_KEYSIZE=4096
++ LETSENCRYPT_KEYSIZE=4096
++ PATH=/usr/libexec/letsencrypt-container:/usr/libexec/letsencrypt-container:/usr/libexec/letsencrypt-container:/usr/libexec/letsencrypt-container:/opt/app-root/src/bin:/opt/app-root/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
++ OPENSHIFT_API_HOST=openshift.default
++ SA_TOKEN=<REMOVED>
++ OWN_NAMESPACE=andre
++ CA_CRT_FILE=/run/secrets/kubernetes.io/serviceaccount/ca.crt
+ HANDLER=deploy_cert
+ shift
+ deploy_cert nodejs-mongodb-example-andre.test.castleb.se /var/lib/letsencrypt-container/nodejs-mongodb-example-andre.test.castleb.se/privkey.pem /var/lib/letsencrypt-container/nodejs-mongodb-example-andre.test.castleb.se/cert.pem /var/lib/letsencrypt-container/nodejs-mongodb-example-andre.test.castleb.se/fullchain.pem /var/lib/letsencrypt-container/nodejs-mongodb-example-andre.test.castleb.se/chain.pem 1477380723
+ local DOMAIN=nodejs-mongodb-example-andre.test.castleb.se KEYFILE=/var/lib/letsencrypt-container/nodejs-mongodb-example-andre.test.castleb.se/privkey.pem CERTFILE=/var/lib/letsencrypt-container/nodejs-mongodb-example-andre.test.castleb.se/cert.pem
+ local FULLCHAINFILE=/var/lib/letsencrypt-container/nodejs-mongodb-example-andre.test.castleb.se/fullchain.pem CHAINFILE=/var/lib/letsencrypt-container/nodejs-mongodb-example-andre.test.castleb.se/chain.pem TIMESTAMP=1477380723
+ log 'Create new certificate secret.'
+ is_true yes
+ case "$1" in
+ true
+ echo 'Create new certificate secret.'
Create new certificate secret.
+ new_cert_secret nodejs-mongodb-example-andre.test.castleb.se /var/lib/letsencrypt-container/nodejs-mongodb-example-andre.test.castleb.se/privkey.pem /var/lib/letsencrypt-container/nodejs-mongodb-example-andre.test.castleb.se/cert.pem /var/lib/letsencrypt-container/nodejs-mongodb-example-andre.test.castleb.se/fullchain.pem
+ local domainname=nodejs-mongodb-example-andre.test.castleb.se keyfile_=/var/lib/letsencrypt-container/nodejs-mongodb-example-andre.test.castleb.se/privkey.pem crtfile_=/var/lib/letsencrypt-container/nodejs-mongodb-example-andre.test.castleb.se/cert.pem fullchainfile_=/var/lib/letsencrypt-container/nodejs-mongodb-example-andre.test.castleb.se/fullchain.pem
+ local secret_name
++ random_chars
++ local count=5
++ tr -dc a-z0-9
++ head -c 5
+ secret_name=letsencrypt-nodejs-mongodb-example-andre.test.castleb.se-3sjtz
Error opening Certificate /var/lib/letsencrypt-container/nodejs-mongodb-example-andre.test.castleb.se/crt
140653504853920:error:02001002:system library:fopen:No such file or directory:bss_file.c:398:fopen('/var/lib/letsencrypt-container/nodejs-mongodb-example-andre.test.castleb.se/crt','r')
140653504853920:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:400:
unable to load certificate
/usr/share/letsencrypt-container/common.sh: line 219: /var/lib/letsencrypt-container/nodejs-mongodb-example-andre.test.castleb.se/key: No such file or directory
/usr/share/letsencrypt-container/common.sh: line 219: /var/lib/letsencrypt-container/nodejs-mongodb-example-andre.test.castleb.se/fullchain: No such file or directory
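
The log above shows the mismatch behind both reports in this thread: dehydrated hands deploy_cert its own privkey.pem/cert.pem/fullchain.pem paths, but new_cert_secret recomputes paths through keyfile()/certfile()/fullchainfile() and finds nothing there. The following is an added example, not code from openshift-letsencrypt or from ibotty, of a deploy_cert hook that copies the passed files to the fixed names common.sh expects (so they survive a redeployment) after checking each one is readable, so openssl is never handed a path that does not exist; cert_secret_json is a hypothetical helper that renders a kubernetes.io/tls secret from the canonical files.

```shell
#!/bin/sh
# Added example (not the project's code). Path helpers as in common.sh:
keyfile()       { echo "$LETSENCRYPT_DATADIR/$1/key"; }
certfile()      { echo "$LETSENCRYPT_DATADIR/$1/crt"; }
fullchainfile() { echo "$LETSENCRYPT_DATADIR/$1/fullchain"; }

# dehydrated invokes the hook as:
#   deploy_cert DOMAIN KEYFILE CERTFILE FULLCHAINFILE CHAINFILE TIMESTAMP
# Verify every source file first, then copy to the fixed names above.
deploy_cert() {
    domain=$1 src_key=$2 src_crt=$3 src_fullchain=$4
    for f in "$src_key" "$src_crt" "$src_fullchain"; do
        [ -r "$f" ] || { echo "deploy_cert: cannot read $f for $domain" >&2; return 1; }
    done
    mkdir -p "$LETSENCRYPT_DATADIR/$domain" || return 1
    # The private key is copied owner-readable only; certificates are public.
    cp "$src_key" "$(keyfile "$domain")" && chmod 600 "$(keyfile "$domain")" || return 1
    cp "$src_crt" "$(certfile "$domain")" || return 1
    cp "$src_fullchain" "$(fullchainfile "$domain")" || return 1
}

# Single-line base64, as the API expects in Secret.data values.
b64() { base64 < "$1" | tr -d '\n'; }

# Hypothetical helper: render a kubernetes.io/tls Secret as JSON suitable for
# `oc create -f -`, reading only the canonical files written by deploy_cert.
cert_secret_json() {
    domain=$1 secret_name=$2
    for f in "$(keyfile "$domain")" "$(fullchainfile "$domain")"; do
        [ -r "$f" ] || { echo "cert_secret_json: missing $f" >&2; return 1; }
    done
    printf '{"apiVersion":"v1","kind":"Secret","type":"kubernetes.io/tls",'
    printf '"metadata":{"name":"%s"},' "$secret_name"
    printf '"data":{"tls.key":"%s","tls.crt":"%s"}}\n' \
        "$(b64 "$(keyfile "$domain")")" "$(b64 "$(fullchainfile "$domain")")"
}
```

Because the readability check runs before any copy, a hook failure now surfaces as one clear line on stderr for the domain in question rather than the three "No such file or directory" lines seen in the log.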

ibotty commented 7 years ago

This should really use https://github.com/diafygi/acme-tiny instead of dehydrated. We are only using one thing not provided with acme-tiny anyway. I'll have a look at it tomorrow or later that week.

ibotty commented 7 years ago

I could not get to the bottom of not being able to create the secrets (sometimes), so I made the container store secrets only in the routes. Care to give it a try? I could not reliably reproduce the issue, so please report any failure (as separate bug). Thanks!

andrelillvede commented 7 years ago

Cool! I'll give it a try.