j81blog / GenLeCertForNS

This script helps you to create a Let's Encrypt certificate for your NetScaler
GNU General Public License v3.0
39 stars 16 forks

Failed to unbind #4

Closed gbeifuss closed 1 year ago

gbeifuss commented 3 years ago

Hi John,

I hope I'm posting this appropriately in github.

I run Netscaler NS12.1 57.18.nc and the 2.6.3 production release of your code has been problematic - it can never properly unbind the rsp_letsencrypt_10 policy:

2020-11-12 06:27:02:1305    INFO    CONFIGUREADC    LB Service binding is OK
2020-11-12 06:27:02:5335    INFO    CONFIGUREADC    Checking if policy "rsp_letsencrypt_test" is bound to Load Balance VIP.
2020-11-12 06:27:02:6245    INFO    CONFIGUREADC    Trying to unbind "".
2020-11-12 06:27:02:7505    ERROR   INVOKE-ADCRESTAPI   Caught an error. Exception Message: The remote server returned an error: (599) Netscaler specific error.
2020-11-12 06:27:02:7995    ERROR   CONFIGUREADC    Failed to unbind. Exception Message: The remote server returned an error: (599) Netscaler specific error.
2020-11-12 06:27:02:8455    INFO    CONFIGUREADC    Trying to remove the Responder Policy "rsp_letsencrypt_test".
2020-11-12 06:27:02:9535    ERROR   INVOKE-ADCRESTAPI   Caught an error. Exception Message: The remote server returned an error: (599) Netscaler specific error.
2020-11-12 06:27:02:9955    ERROR   CONFIGUREADC    Failed to remove. Exception Message: The remote server returned an error: (599) Netscaler specific error.
2020-11-12 06:27:03:0325    INFO    CONFIGUREADC    Checking if policy "rsp_letsencrypt_10" is bound to Load Balance VIP.
2020-11-12 06:27:03:1305    INFO    CONFIGUREADC    Trying to unbind "".
2020-11-12 06:27:03:2315    ERROR   INVOKE-ADCRESTAPI   Caught an error. Exception Message: The remote server returned an error: (599) Netscaler specific error.
2020-11-12 06:27:03:2755    ERROR   CONFIGUREADC    Failed to unbind. Exception Message: The remote server returned an error: (599) Netscaler specific error.

According to the v.12 Citrix API documentation, all that's needed is the policy name when dealing with an unbind. The URI that's constructed needs to be of TYPE lbvserver_service_binding, not TYPE responderpolicy_binding, so I changed lines 1767-1769 as follows:

# Replacement for lines 1767-1769 of v2.6.3: unbind by policy name only, using the lbvserver_service_binding type
Write-ToLogFile -I -C ConfigureADC -M "Trying to unbind `"$($ResponderBinding.name)`"."
$arguments = @{"policyname" = "$($ResponderBinding.name)"; }
$response = Invoke-ADCRestApi -Session $ADCSession -Method DELETE -Type lbvserver_service_binding -Arguments $arguments -Resource $NSLbName

I took a look at your DEV branch which seems to be a significant rewrite. I don't see the syntax that's been problematic for me in there, so perhaps you've already revised this.

This has been a phenomenal script that's let me move to LE on our Netscaler - thanks!
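
For reference, an added PowerShell example (not the project's own code) showing how a Nitro unbind request is built and how the real NetScaler error text can be recovered when the API answers with HTTP 599, which is what the log above hides behind "Netscaler specific error". The host, credentials and object names are placeholders; the binding type is a parameter so either the lbvserver_service_binding type from the post or the lbvserver_responderpolicy_binding type Citrix documents for responder policies can be tried.

```powershell
# Added example, not part of GenLeCertForNS. Host, credentials and names are placeholders.
function Get-NitroUnbindUri {
    param(
        [Parameter(Mandatory)][string]$BaseUri,      # e.g. https://netscaler.example.internal
        [Parameter(Mandatory)][string]$Type,         # e.g. lbvserver_responderpolicy_binding
        [Parameter(Mandatory)][string]$Resource,     # the lb vserver name
        [Parameter(Mandatory)][hashtable]$Arguments  # e.g. @{ policyname = 'rsp_letsencrypt_10' }
    )
    # Nitro expects unbind filters as ?args=key:value,key:value with URL-encoded values
    $filter = ($Arguments.GetEnumerator() | ForEach-Object {
        '{0}:{1}' -f $_.Key, [uri]::EscapeDataString([string]$_.Value)
    }) -join ','
    return '{0}/nitro/v1/config/{1}/{2}?args={3}' -f $BaseUri.TrimEnd('/'), $Type,
        [uri]::EscapeDataString($Resource), $filter
}

function Invoke-NitroUnbind {
    param(
        [Parameter(Mandatory)][string]$Uri,
        [Parameter(Mandatory)][pscredential]$Credential
    )
    $headers = @{
        'X-NITRO-USER' = $Credential.UserName
        'X-NITRO-PASS' = $Credential.GetNetworkCredential().Password
        'Accept'       = 'application/json'
    }
    try {
        return Invoke-RestMethod -Method Delete -Uri $Uri -Headers $headers
    } catch {
        # On a 599 the useful detail (errorcode, message) is in the JSON body.
        $raw = $_.ErrorDetails.Message                 # PowerShell 7 keeps the body here
        if (-not $raw -and $_.Exception.Response) {    # Windows PowerShell 5.1: read the stream
            $reader = New-Object System.IO.StreamReader($_.Exception.Response.GetResponseStream())
            $raw = $reader.ReadToEnd()
        }
        if ($raw) {
            $body = $raw | ConvertFrom-Json
            throw "Nitro errorcode $($body.errorcode): $($body.message)"
        }
        throw
    }
}

# Usage with placeholder values (the vserver name is the one from the thread's logs):
# $uri = Get-NitroUnbindUri -BaseUri 'https://netscaler.example.internal' `
#        -Type 'lbvserver_responderpolicy_binding' -Resource 'lb_letsencrypt_cert' `
#        -Arguments @{ policyname = 'rsp_letsencrypt_10' }
# Invoke-NitroUnbind -Uri $uri -Credential (Get-Credential)
```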

j81blog commented 3 years ago

Thank you, I haven't run into this issue. Did you try the dev version? I will take a look at your remark.

bgre033 commented 3 years ago

Hi, I'm seeing this with NS13.0: Build 47.24.nc.

  1. I always use this script to renew a SAN cert which has 2 CNs (eg. site.domain.com and site2.domain.com).
  2. During renewal, I tried adding a 3rd (never before used CN, site3.domain.com) to the cert and renewing it. Running the script without the '-production' flag, the validation fails (not sure why, as DNS & firewall are configured).
2020-12-27 19:09:12:2855    INFO    ORDERVALIDATION Configuring the ADC Responder Policies/Actions required for the validation.
2020-12-27 19:09:12:3323    INFO    ORDERVALIDATION "site1.domain.com" is valid, nothing to configure.
2020-12-27 19:09:12:3480    INFO    ORDERVALIDATION "site2.domain.com" is valid, nothing to configure.
2020-12-27 19:09:12:3636    INFO    ORDERVALIDATION New validation required for "site3.domain.com", Start configuring the ADC.
2020-12-27 19:09:12:3792    INFO    ORDERVALIDATION Add Responder Action "rsa_letsencrypt_40" to return "HTTP/1.0 200 OK\r\n\r\na1GVU7-Z7XmncC_L46np_nZhwsoqgA6l0HlDjPT8rz8.Xzh8xW43k44K9UxF2dcmHXOPzesZ0zIt4qsUt-oNI8E".
2020-12-27 19:09:12:4261    INFO    ORDERVALIDATION Responder Action added successfully.
2020-12-27 19:09:12:4417    INFO    ORDERVALIDATION Add Responder Policy "rsp_letsencrypt_40" to: "HTTP.REQ.URL.CONTAINS(".well-known/acme-challenge/a1GVU7-Z7XmncC_L46np_nZhwsoqgA6l0HlDjPT8rz8")"
2020-12-27 19:09:12:4730    INFO    ORDERVALIDATION Responder Policy added successfully.
2020-12-27 19:09:12:4886    INFO    ORDERVALIDATION Trying to bind the Responder Policy "rsp_letsencrypt_40" to LoadBalance VIP: "lb_letsencrypt_cert"
2020-12-27 19:09:12:5198    INFO    ORDERVALIDATION Responder Policy successfully bound to Load Balance VIP.
2020-12-27 19:09:12:5511    INFO    ORDERVALIDATION Sending acknowledgment to Let's Encrypt.
2020-12-27 19:09:12:7386    INFO    ORDERVALIDATION Successfully send.
2020-12-27 19:09:12:7542    INFO    ORDERVALIDATION Retrieving validation status.
2020-12-27 19:09:13:4574    ERROR   ORDERVALIDATION Unfortunately there are invalid items.
2020-12-27 19:09:13:4730    ERROR   ORDERVALIDATION Failed Records: 
fqdn                   status  expires              HTTP01Status DNS01Status
----                   ------  -------              ------------ -----------
site3.domain.com pending 2021-01-03T06:09:19Z pending      pending  
  3. If I then re-run the script (without manually deleting anything on the Netscaler), I get the errors as per the original post.
j81blog commented 3 years ago

I changed a lot of things and I think I also fixed the original issue in v2.9.0. Also made some improvements to see more about errors generated by LE when failing the validations.

j81blog commented 1 year ago

Can you check and validate if the issue still exists in latest dev version?

gbeifuss commented 1 year ago

Hi John, unfortunately, I'm now at a new organization, and I don't have a Netscaler to administer so I'm not able to test this out.

j81blog commented 1 year ago

Good luck on your new endeavor! For now I will close this issue.