Closed robkamp closed 2 years ago
Seems like when you added TRANSIP_ACCOUNT_NAME to udm-le.env you might have introduced a typo; it should look something like:
DNS_PROVIDER="transip"
TRANSIP_ACCOUNT_NAME="robkamp"
TRANSIP_PRIVATE_KEY_PATH="/root/.secrets/transip.key"
Then you'll copy the transip.key file you got from your provider into the /mnt/data/udm-le/.secrets/ directory on your UDMP.
Give that a shot, and report back if it works. If it does, I'll add it to the documentation when I get a few minutes.
I changed it. There was a space between the variable, the = sign and the value. It looked like this: TRANSIP_ACCOUNT_NAME = "robkamp"
It does not handle that well.
DNS_PROVIDER="transip"
TRANSIP_ACCOUNT_NAME="robkamp"
TRANSIP_PRIVATE_KEY_PATH="/root/.secrets/transip.key"
The script now starts. The following occurs.
# /mnt/data/udm-le/udm-le.sh initial
Attempting initial certificate generation
Trying to pull docker.io/goacme/lego:v4.4.0-arm.v8...
Getting image source signatures
Copying blob 595b0fe564bb done
...
Writing manifest to image destination
Storing signatures
2021/10/27 12:48:08 transip: error while opening private key file: open "/root/.secrets/transip.key": no such file or directory
Did you mkdir /mnt/data/udm-le/.secrets/ and copy the key file from your DNS provider in there?
Yes, I did. I also created /root/.secrets/ and copied the file there as well. When I remove that folder I still get the same error.
The /root/.secrets/ directory is the directory IN the Lego container that /mnt/data/udm-le/.secrets/ gets mounted to, so you don't need to copy it there on the host system.
If you sh -x /mnt/data/udm-le/udm-le.sh initial you should see in the output that the docker run command contains something like -v /mnt/data/udm-le/.secrets:/root/.secrets/, which should make /root/.secrets/transip.key available to Lego in the container when it runs.
If not, then you've got something amiss with the transip.key file, so you'll have to fiddle with that.
There is -v /mnt/data/udm-le/.secrets:/root/.secrets/ within the output of sh -x ....
And the output of ls -la /mnt/data/udm-le/.secrets/ is?
# ls -la /mnt/data/udm-le/.secrets/
total 12
drwxr-xr-x 2 root root 4096 Oct 27 14:29 .
drwxr-xr-x 5 root root 4096 Oct 27 16:06 ..
-rw-r--r-- 1 root root 1704 Oct 27 10:35 transip.key
Should the folder be readable by the avahi user and group?
Makes no difference if I chown them from root to avahi.
For reference. My udmpro version is UniFi OS UDM Pro 1.11.0-16.
Yeah, permissions shouldn't matter. I'm honestly not sure what this is mad about, although TransIP rang a bell and I remembered that someone else was having issues with this before but ended up giving up: https://github.com/kchristensen/udm-le/issues/35
Is there a way to list/debug the contents of the container while it runs?
You can exec yourself into the container via:
podman run '--env-file=/mnt/data/udm-le/udm-le.env' -it '--name=lego' '--network=host' --rm -v /mnt/data/udm-le/lego/:/.lego/ -v /mnt/data/udm-le/.secrets:/root/.aws/ -v /mnt/data/udm-le/.secrets:/root/.secrets/ --entrypoint /bin/sh docker.io/goacme/lego:v4.4.0-arm.v8
Which will drop you into a shell as though you were going to run the lego binary in the container, so you can poke around.
This shows me the files are there.
-rw-r--r-- 1 root root 1704 Oct 27 08:35 /root/.secrets/udmpro.key
-rw------- 1 root root 172 Oct 27 15:39 /root/.ash_history
-rw-r--r-- 1 root root 1704 Oct 27 08:35 /root/.aws/udmpro.key
I don't see the key there, shouldn't it be named transip.key?
I changed the name of the file to /mnt/data/udm-le/.secrets/udmpro.key and in the settings to TRANSIP_PRIVATE_KEY_PATH="/root/.secrets/udmpro.key" in udm-le.sh to check whether it had anything to do with the filename. It does not matter what name I give the file. It is available within the container but no matter what the file is named it cannot be found.
# podman run '--env-file=/mnt/data/udm-le/udm-le.env' -it '--name=lego' '--network=host' --rm -v /mnt/data/udm-le/lego/:/.lego/ -v /mnt/data/udm-le/.secrets:/root/.aws/ -v /mnt/data/udm-le/.secrets:/root/.secrets/ --entrypoint /bin/sh docker.io/goacme/lego:v4.4.0-arm.v8
/ # find /root/ -type f
/root/.secrets/transip.key
/root/.ash_history
/root/.aws/transip.key
# sh -x /mnt/data/udm-le/udm-le.sh initial
+ set -e
+ . /mnt/data/udm-le/udm-le.env
+ CERT_EMAIL=rob@kamp.nl.eu.org
+ CERT_HOSTS=umdpro.kamp-consultancy.it
+ ENABLE_CAPTIVE=no
+ ENABLE_RADIUS=no
+ DNS_PROVIDER=transip
+ TRANSIP_ACCOUNT_NAME=robkamp
+ TRANSIP_PRIVATE_KEY_PATH=/root/.secrets/transip.key
+ CONTAINER_IMAGE=docker.io/goacme/lego
+ CONTAINER_IMAGE_TAG=v4.4.0-arm.v8
+ DNS_RESOLVERS=
+ UDM_LE_PATH=/mnt/data/udm-le
+ CERT_IMPORT_CMD='java -jar /usr/lib/unifi/lib/ace.jar import_key_cert'
+ UBIOS_CONTROLLER_CERT_PATH=/mnt/data/unifi-os/unifi-core/config
+ UBIOS_RADIUS_CERT_PATH=/mnt/data/udapi-config/raddb/certs
+ UNIFIOS_CERT_PATH=/data/unifi-core/config
+ DOCKER_VOLUMES='-v /mnt/data/udm-le/lego/:/.lego/'
+ LEGO_ARGS='--dns transip --email rob@kamp.nl.eu.org --key-type rsa2048'
+ RESTART_SERVICES=false
+ '[' '!=' ]
+ echo umdpro.kamp-consultancy.it
+ tr , '\n'
+ '[' -z ]
+ CERT_NAME=umdpro.kamp-consultancy.it
+ LEGO_ARGS='--dns transip --email rob@kamp.nl.eu.org --key-type rsa2048 -d umdpro.kamp-consultancy.it'
+ '[' -d /mnt/data/udm-le/.secrets ]
+ DOCKER_VOLUMES='-v /mnt/data/udm-le/lego/:/.lego/ -v /mnt/data/udm-le/.secrets:/root/secrets/'
+ ON_BOOT_DIR=/mnt/data/on_boot.d
+ ON_BOOT_FILE=99-udm-le.sh
+ '[' -d /mnt/data/on_boot.d ]
+ '[' '!' -f /mnt/data/on_boot.d/99-udm-le.sh ]
+ CRON_FILE=/etc/cron.d/udm-le
+ '[' '!' -f /etc/cron.d/udm-le ]
+ PODMAN_CMD='podman run --env-file=/mnt/data/udm-le/udm-le.env -it --name=lego --network=host --rm -v /mnt/data/udm-le/lego/:/.lego/ -v /mnt/data/udm-le/.secrets:/root/secrets/ docker.io/goacme/lego:v4.4.0-arm.v8'
+ stat -c '%u:%g' /mnt/data/udm-le/lego
+ '[' 1000:1000 '!=' 1000:1000 ]
+ echo 'Attempting initial certificate generation'
Attempting initial certificate generation
+ podman run '--env-file=/mnt/data/udm-le/udm-le.env' -it '--name=lego' '--network=host' --rm -v /mnt/data/udm-le/lego/:/.lego/ -v /mnt/data/udm-le/.secrets:/root/secrets/ docker.io/goacme/lego:v4.4.0-arm.v8 --dns transip --email rob@kamp.nl.eu.org --key-type rsa2048 -d umdpro.kamp-consultancy.it --accept-tos run
2021/10/27 15:48:34 transip: error while opening private key file: open "/root/.secrets/transip.key" : no such file or directory
#
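Added example, not code from udm-le or from anyone in this thread: a POSIX sh script with two pre-flight checks for the situations debugged above. The first flags env-file lines with whitespace around the =, which matters because udm-le.sh sources the file with ". udm-le.env", so sh executes such a line as a command and reports "TRANSIP_ACCOUNT_NAME: not found". The second takes the container-side key path and the -v host:container mount and checks whether the key is actually reachable through that mount. Note what the sh -x trace above shows: DOCKER_VOLUMES mounts the secrets directory to /root/secrets/ (no leading dot), while the env file points lego at /root/.secrets/transip.key; the manual podman command earlier in the thread mounts to /root/.secrets/, which is why the file is visible there. The function names, the temporary directory and the sample env file contents are constructed for this example.

```sh
#!/bin/sh
# Added example, not part of udm-le. Two pre-flight checks for a udm-le.env file
# and the -v mount the script passes to podman. All names are constructed.

# env_lint ENV_FILE
# udm-le.sh sources the env file with ". udm-le.env", so a line written as
#   NAME = "value"
# is executed by sh as the command NAME (giving "NAME: not found") instead of
# assigning the variable. Print every such line with its number and return 1;
# return 0 when the file is clean.
env_lint() {
    env_file="$1"
    bad=$(grep -nE \
        '^[[:space:]]*[A-Za-z_][A-Za-z0-9_]*[[:space:]]+=|^[[:space:]]*[A-Za-z_][A-Za-z0-9_]*=[[:space:]]+' \
        "$env_file" || true)
    if [ -n "$bad" ]; then
        printf 'whitespace around = in %s:\n%s\n' "$env_file" "$bad"
        return 1
    fi
    return 0
}

# key_reachable CONTAINER_KEY_PATH MOUNT_SPEC
# MOUNT_SPEC is the -v argument, HOST_DIR:CONTAINER_DIR[:options]. Map the
# container-side key path back to the host and print the host path. Return 0
# only if the key lies under CONTAINER_DIR and the host file exists; a mount
# to /root/secrets/ with a key path under /root/.secrets/ is reported as
# "not under mount point".
key_reachable() {
    key_path="$1"
    host_dir="${2%%:*}"
    cont_dir="${2#*:}"
    cont_dir="${cont_dir%%:*}"
    # drop trailing slashes so /root/.secrets and /root/.secrets/ compare equal
    host_dir="${host_dir%/}"
    cont_dir="${cont_dir%/}"
    case "$key_path" in
        "$cont_dir"/*) ;;
        *)
            printf 'key %s is not under mount point %s\n' "$key_path" "$cont_dir"
            return 1
            ;;
    esac
    rel=${key_path#"$cont_dir"/}
    host_path="$host_dir/$rel"
    if [ -f "$host_path" ]; then
        printf '%s\n' "$host_path"
        return 0
    fi
    printf 'host file missing: %s\n' "$host_path"
    return 1
}

# Constructed demonstration: a throwaway directory standing in for
# /mnt/data/udm-le, an empty placeholder instead of a real key, and an env
# file carrying the spacing problem from this thread.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/.secrets"
    : > "$tmp/.secrets/transip.key"
    printf '%s\n' 'DNS_PROVIDER="transip"' \
                  'TRANSIP_ACCOUNT_NAME = "robkamp"' \
                  'TRANSIP_PRIVATE_KEY_PATH="/root/.secrets/transip.key"' \
        > "$tmp/udm-le.env"
    env_lint "$tmp/udm-le.env" || echo "fix the env file before running udm-le.sh"
    # Mount written as in the manual podman command: key found on the host.
    key_reachable /root/.secrets/transip.key "$tmp/.secrets:/root/.secrets/"
    # Mount written as in the sh -x trace (no leading dot): key not reachable.
    key_reachable /root/.secrets/transip.key "$tmp/.secrets:/root/secrets/" \
        || echo "key not reachable through this mount"
    rm -rf "$tmp"
}
demo
```

Both checks only read the env file and stat the host path; nothing is sourced, so a malformed env file cannot execute anything while being checked.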
The only other thing I can think of is trying TRANSIP_PRIVATE_KEY_FILE="/root/.secrets/udmpro.key", that is using _FILE instead of _PATH. See docs here: https://go-acme.github.io/lego/dns/transip/
That did not work either. I had to factory reset the udmpro in the meantime as I messed up the set-up. I'll try again later.
I would like to use TransIP as a DNS provider. According to the Lego documentation, this should work. However, I run into an error on the first run. The error is as follows:
# /mnt/data/udm-le/udm-le.sh initial
/mnt/data/udm-le/udm-le.sh: /mnt/data/udm-le/udm-le.env: line 55: TRANSIP_ACCOUNT_NAME: not found
I tried adding transip to the DNS_RESOLVERS variable, to no avail.
Could transip be added to the list of DNS providers?