Closed nkatsoulis closed 3 years ago
When you ran the initial certificate run, did it issue a certificate (presumably on Feb 1)? It won't issue a certificate each time it runs, it only attempts to renew a certificate when it is >= 60 days old (LE certs have a 90 day lifetime, so we try to renew a little early just in case).
No, it looks to be using the local cert still.
Looking at the initial script, it looks like the /lego directory is missing and some things of that sort are not working.
If you run /mnt/data/udm-le/udm-le.sh initial
you should be seeing something like this:
# /mnt/data/udm-le/udm-le.sh initial
Attempting initial certificate generation
2021/02/10 17:49:27 [INFO] [mydomain.com] acme: Obtaining bundled SAN certificate
2021/02/10 17:49:27 [INFO] [mydomain.com] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/10607132647
2021/02/10 17:49:27 [INFO] [mydomain.com] acme: authorization already valid; skipping challenge
2021/02/10 17:49:27 [INFO] [mydomain.com] acme: Validations succeeded; requesting certificates
2021/02/10 17:49:29 [INFO] [mydomain.com] Server responded with a certificate.
New certificate was generated, time to deploy it
unifi-os: Stopping unifi-os
unifi-os: dcb43282f0b04ffaee1875da3571d15fda805a6f5f9c3b83b188ec2cec508cbd
unifi-os: Stopping unifi-os SSH daemon... OK
unifi-os: Starting unifi-os
unifi-os: Stopping unifi-os SSH daemon... OK
unifi-os: Starting unifi-os SSH daemon... OK
unifi-os: unifi-os
#
If you don't see that, it should be spitting out whatever error it is you're encountering.
I blasted my lego directory (that error about not being able to stat it is normal the first time you run the script) and re-ran my initial run on my udmp and it seems to be working as expected on my end.
I got it working.
Can you add the base file contents for AWS as well? The secrets area didn't do anything; I had to do the following in the env file: DNS_PROVIDER='route53' AWS_ACCESS_KEY_ID= AWS_SECRET_ACCESS_KEY= AWS_HOSTED_ZONE_ID=Z*
Ah, I know what the issue is. When we switched to using .secrets
it's mounting that into the container at ~/.secrets
not ~/.aws/
so Lego isn't seeing it. I'll have to see if I can't fix that.
If you edit the udm-le.sh file and change line 50 to DOCKER_VOLUMES="${DOCKER_VOLUMES} -v ${UDM_LE_PATH}/.secrets:/root/.aws/"
I bet it would work for you.
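The fix above relies on the `.secrets` directory landing at `/root/.aws/` inside the container, where the AWS SDK used by lego's route53 provider looks for `credentials`. The script below is an added example, not part of udm-le or the maintainer's code; it assembles that same `-v` argument and checks the `credentials` file exists and is owner-only before the mount is used. It assumes a Linux host with GNU `stat` (as on the UDM Pro); the `UDM_LE_PATH` value and the sample credentials contents are constructed for illustration.

```shell
#!/bin/sh
# Constructed example (not udm-le code): sanity-check the .secrets directory
# before it is bind-mounted into the lego container as /root/.aws/.
# Assumes a Linux host (GNU stat), as on the UDM Pro.

# secrets_mount_arg UDM_LE_PATH
# Prints the docker -v argument the thread's fix uses for the .secrets directory.
secrets_mount_arg() {
  printf '%s\n' "-v $1/.secrets:/root/.aws/"
}

# check_secrets_dir DIR
# Returns 0 if DIR/credentials exists and is readable only by its owner,
# 1 otherwise. lego's route53 provider reads ~/.aws/credentials via the AWS SDK,
# so this is the file that must be present (and should not be world-readable).
check_secrets_dir() {
  dir=$1
  if [ ! -f "$dir/credentials" ]; then
    echo "missing $dir/credentials" >&2
    return 1
  fi
  mode=$(stat -c '%a' "$dir/credentials")
  # The last two octal digits are the group/other permission bits.
  case "$mode" in
    *00|0) return 0 ;;
    *) echo "$dir/credentials is mode $mode; expected owner-only (e.g. 600)" >&2
       return 1 ;;
  esac
}

# Demo: build a throwaway .secrets directory with a placeholder credentials file.
# Run as:  sh check-secrets.sh demo
if [ "${1:-}" = "demo" ]; then
  tmp=$(mktemp -d)
  mkdir "$tmp/.secrets"
  # Placeholder values, not real keys.
  printf '[default]\naws_access_key_id = PLACEHOLDER\naws_secret_access_key = PLACEHOLDER\n' \
    > "$tmp/.secrets/credentials"
  chmod 600 "$tmp/.secrets/credentials"
  check_secrets_dir "$tmp/.secrets" && echo "mount with: $(secrets_mount_arg "$tmp")"
  rm -rf "$tmp"
fi
```

Running `check_secrets_dir /mnt/data/udm-le/.secrets` before `udm-le.sh initial` tells you whether the container will actually find credentials at `/root/.aws/credentials`, which is the symptom the thread describes when the directory was mounted at `~/.secrets` instead.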
I just pushed a possible fix for this up, try this version of udm-le.sh
on for size please: https://github.com/kchristensen/udm-le/commit/9c50c3c5a217521726cd7fb1490719730bcda512
I was able to get it to work without using .secrets and putting the values I stated into the .env file for aws. It is working. I think initially I didn’t spell the initial command correctly.
Right, I'm saying if you would prefer your secrets live in the .secrets directory in the config/credentials files as opposed to in the udm-le.env file, you should be able to do so with the version in the main branch now.
Thanks for the quick response
I can verify this works (since it's still broken in the latest release).
Thanks for reminding me that I haven't cut a release lately, I'll get that out there in case people are downloading those instead of using HEAD.
I am trying to create this with route53 setup. I have a hosted zone configured which I use from my Synology to update the IP of my network. Where are the log files located when the script is running? I have checked the /var/log/messages and am not seeing anything. At this time when I run install it has setup the jobs. I do not see it performing any certificate updates as my files are from Feb 1st.
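The question of why a cert dated Feb 1st has not been replaced comes back to the renewal rule the maintainer gives earlier in the thread: nothing is renewed until the cert is at least 60 days old. The script below is an added example, not part of udm-le or the maintainer's code; it reads a certificate's notBefore date and reports its age against that threshold, so you can tell "not due yet" apart from "renewal failing". It assumes a Linux host with `openssl` and GNU `date` in PATH (as on the UDM Pro); the 60-day threshold is the one stated in the thread, and the demo certificate is a throwaway self-signed one generated on the spot.

```shell
#!/bin/sh
# Constructed example (not udm-le code): report how old a deployed certificate is
# and whether it has crossed the renewal threshold described in the thread
# (renew once the cert is >= 60 days old; Let's Encrypt certs live 90 days).
# Assumes a Linux host with openssl and GNU date in PATH, as on the UDM Pro.

RENEW_AFTER_DAYS=60

# renewal_due ISSUED_EPOCH NOW_EPOCH
# Prints the certificate age in whole days; returns 0 if renewal is due, 1 if not.
renewal_due() {
  age_days=$(( ($2 - $1) / 86400 ))
  echo "$age_days"
  [ "$age_days" -ge "$RENEW_AFTER_DAYS" ]
}

# cert_not_before_epoch CERT_PEM
# Prints the certificate's notBefore timestamp as seconds since the epoch.
cert_not_before_epoch() {
  start=$(openssl x509 -in "$1" -noout -startdate | sed 's/^notBefore=//')
  [ -n "$start" ] || return 2   # GNU date treats "" as today, so refuse it
  date -u -d "$start" +%s
}

# check_cert CERT_PEM
# Prints a human-readable verdict for the certificate file.
check_cert() {
  issued=$(cert_not_before_epoch "$1") || return 2
  if age=$(renewal_due "$issued" "$(date -u +%s)"); then
    echo "$1: $age days old, renewal due"
  else
    echo "$1: $age days old, renewal not due yet (threshold $RENEW_AFTER_DAYS days)"
  fi
}

# Demo: mint a throwaway self-signed cert and check it.
# Run as:  sh check-cert-age.sh demo
if [ "${1:-}" = "demo" ]; then
  tmp=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes -subj '/CN=example.test' \
    -keyout "$tmp/key.pem" -out "$tmp/cert.pem" -days 90 2>/dev/null
  check_cert "$tmp/cert.pem"   # freshly issued: 0 days old, renewal not due
  rm -rf "$tmp"
fi
```

Point `check_cert` at the certificate udm-le deployed (the path depends on your install) and compare the reported age with the date of the last run: a cert issued on Feb 1 and checked on Feb 10 is 9 days old, so the cron job skipping it is the expected behaviour rather than a failure. Only once the age passes 60 days and the cert still is not replaced is there something to investigate.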