icing / mod_md

Let's Encrypt (ACME) in Apache httpd
https://icing.github.io/mod_md/
Apache License 2.0
339 stars 27 forks source link

DNS challenge on Windows with binary executable "acme-setup-dns" #314

Closed sci-ripper closed 1 year ago

sci-ripper commented 1 year ago

Hello,

I'm trying to use Apache mod_md to get certificates for my sites using the DNS challenge because I want to use the wildcard on my domains (I know how to do it with HTTP challenge and it works fine).

So I wrote my own "acme-setup-dns" program in C (full source code can be found here: https://apaste.info/kNu4)

I tried it as a stand alone program and it does the job:

acme-setup-dns.exe setup mydomain.com challenge-data creates a TXT record with the name _acme-challenge and the value challenge-data for the domain mydomain.com

acme-setup-dns.exe teardown mydomain.com deletes the previously generated TXT record

it also always return 0 (and being a binary, it is executable)

I then wrote the Apache configuration file for one of my domain name to try it out (stripped down version with bare minimum can be found here: https://apaste.info/D5I8)

Note that I'm forcing it to only use dns-01 challenge by using MDCAChallenges dns-01.

When I run the script I get the following error log in my Apache ErrorLog file for the domain

[Fri Jun 16 18:06:19.417390 2023] [ssl:info] [pid 25100:tid 352] AH01914: Configuring server subdomain.example.com:443 for SSL protocol [Fri Jun 16 18:06:19.820970 2023] [ssl:warn] [pid 25100:tid 352] AH10085: Init: subdomain.example.com:443 will respond with '503 Service Unavailable' for now. There are no SSL certificates configured and no other module contributed any. [Fri Jun 16 18:06:19.823967 2023] [ssl:info] [pid 25100:tid 352] AH02568: Certificate and private key subdomain.example.com:443:0 configured from Y:/Jobs/Programs/WWW/system/mod_md/domains/example.com/fallback-pubcert.pem and Y:/Jobs/Programs/WWW/system/mod_md/domains/example.com/fallback-privkey.pem

Usually, with http-01 challenge, '503 Service Unavailable' is perfectly normal the first time I run Apache with no certificate using mod_md. But there is that new third line I don't recall seeing when I did HTTP challenge. As I do with the HTTP challenge, I added the following lines to my vhost:

SSLCertificateFile "${WWWROOT}/system/mod_md/domains/example.com/fallback-pubcert.pem" SSLCertificateKeyFile "${WWWROOT}/system/mod_md/domains/example.com/fallback-privkey.pem"

but this time, unlike when I use the HTTP challenge, the fallback certificate and key did not get replaced by the final certificate and key.

I checked the job.json file in the staging directory and I get the following message among other things:

{
"status": 720002,
"problem": "challenge-setup-failure",
"detail": "None of the offered challenge types example.com offered for domain dns-01 could be setup successfully. Please check the log for errors.",
"activity": "Setting up challenge 'dns-01' for domain example.com"
} 

Also, md.json in the staging directory yield the following info among other:

"state-descr": "certificate(rsa) is missing"

I don't know it yield the same thing when using HTTP challenge since I never checked thouroughly md.json in the past.

My Apache config is as follows:

Windows 11 Server version: Apache/2.4.57 (Win64) Apache Lounge VS17 Server built: May 31 2023 10:48:22 mod_md version : 2.4.21 (2023-03-02)

Also note that this is a repost from the Apache Lounge Forum (Someone there, told me to ask directly to Mr. Stefan Eissing).

Thanks in advance for the help!

icing commented 1 year ago

Have you checked your server log for errors as mentioned in the "detail" field?

sci-ripper commented 1 year ago

Have you checked your server log for errors as mentioned in the "detail" field?

Thanks for the reply,

When I check the error log listed in the *.conf file with the ErrorLog statement I get the following repeating errors:

[Mon Jun 19 16:10:29.616388 2023] [ssl:info] [pid 20676:tid 360] AH01914: Configuring server subdomain.example.com:443 for SSL protocol [Mon Jun 19 16:10:29.764442 2023] [ssl:warn] [pid 20676:tid 360] AH10085: Init: subdomain.example.com:443 will respond with '503 Service Unavailable' for now. There are no SSL certificates configured and no other module contributed any. [Mon Jun 19 16:10:29.766452 2023] [ssl:info] [pid 20676:tid 360] AH02568: Certificate and private key subdomain.example.com:443:0 configured from Y:/Jobs/Programs/WWW/system/mod_md/domains/example.com/fallback-pubcert.pem and Y:/Jobs/Programs/WWW/system/mod_md/domains/example.com/fallback-privkey.pem

If I try to access the site using the web browser, I get a warning from the browser and the following repeating errors in the ErrorLog:

[Mon Jun 19 16:12:42.409232 2023] [ssl:info] [pid 35464:tid 1344] [client 192.168.1.254:57509] AH01964: Connection to child 24 established (server subdomain.example.com:443) [Mon Jun 19 16:12:42.419248 2023] [ssl:info] [pid 35464:tid 1344] [client 192.168.1.254:57509] AH02008: SSL library error 1 in handshake (server subdomain.example.com:443) [Mon Jun 19 16:12:42.419248 2023] [ssl:info] [pid 35464:tid 1344] SSL Library Error: error:0A000412:SSL routines::sslv3 alert bad certificate (SSL alert number 42) [Mon Jun 19 16:12:42.419248 2023] [ssl:info] [pid 35464:tid 1344] [client 192.168.1.254:57509] AH01998: Connection closed to child 24 with abortive shutdown (server subdomain.example.com:443)

If I ignore the warning in the web browser and visit one of my subdomain, I get a "503 Service Unavailable" page

icing commented 1 year ago

Thanks. You should not configure SSLCertificateFile and SSLCertificateKeyFile for a https host managed by this module. The module's purpose is to supply the certificates to mod_ssl and, before it has obtained your real certs, it will add the fallbacks itself.

Please check the logs when an attempt is made to obtain ACME certs and your DNS01 executable is run. There seems to something going wrong with calling your comand and the log should give us a hint what that is.

sci-ripper commented 1 year ago

Thanks. You should not configure SSLCertificateFile and SSLCertificateKeyFile for a https host managed by this module. The module's purpose is to supply the certificates to mod_ssl and, before it has obtained your real certs, it will add the fallbacks itself.

Yes, I was told about that by someone in the ApacheLounge forum to never ever use SSLCertificateFile and SSLCertificateKeyFile for a https host managed by this module. And I see no issue with HTTP Challenge.

Please check the logs when an attempt is made to obtain ACME certs and your DNS01 executable is run. There seems to something going wrong with calling your comand and the log should give us a hint what that is.

Since I posted my apache vhost.conf file I had used absolute windows-style path to the executable. I've now replaced the backslashes in the path for the MDChallengeDns01 back to (forward) slashes. Now whenever I run httpd, a new terminal window pop up from time to time (title in the title bar is the path to acme-setup-dns.exe) but it is still failing.

I added instructions in my code so that acme-setup-dns creates a TXT record named _debug and its value is the arguments passed to acme-setup-dns when executing it. I tested it as a standalone program (with and without arguments) and it yields the expected result in the DNS record. But when I run httpd with the newly compiled acme-setup-dns, no _debug TXT record is being created in the DNS.

I'm thinking the fopen() instruction in my acme-setup-dns is the issue (not sure) :

FILE *f = fopen("config.cfg", "r");

Maybe the config.cfg file is being looked for in the same directory as Apache httpd (since it's the one executing acme-setup-dns) instead of the directory of acme-setup-dns.

I'm gonna hard code the API key and secret and try again to see if that's the case. But right now I have to wait at least 3 hours until I can try again since I got a "urn:ietf:params:acme:error:rateLimited" error in the job.json file.

{ "when": "Mon, 19 Jun 2023 09:23:25 GMT", "type": "renewal-error", "status": "urn:ietf:params:acme:error:rateLimited", "detail": "Error creating new account :: too many registrations for this IP: see https://letsencrypt.org/docs/too-many-registrations-for-this-ip/" }

see you then.

sci-ripper commented 1 year ago

You sir are a true master!. The problem is resolved.

acme-setup-dns was crashing because, as I thought thanks to you, it was looking for its config.cfg at the wrong path (it was looking maybe at httpd's path).

Problem fixed. Thanks again 👍