kchristensen / udm-le

Let's Encrypt support for Ubiquiti UniFi OS
MIT License
572 stars 79 forks

[BUG] Key file not found with transip as DNS provider #47

Closed robkamp closed 2 years ago

robkamp commented 2 years ago

I would like to use TransIP as a DNS provider. According to the LEGO documentation, this should work. However, I run into an error on the first run. The error is as follows:

# /mnt/data/udm-le/udm-le.sh initial
/mnt/data/udm-le/udm-le.sh: /mnt/data/udm-le/udm-le.env: line 55: TRANSIP_ACCOUNT_NAME: not found

I tried adding transip to the DNS_RESOLVERS variable to no avail

Could transip be added to the list of DNS providers?

kchristensen commented 2 years ago

Seems like when you added TRANSIP_ACCOUNT_NAME to the udm-le.env you might have introduced a typo, it should look something like:

DNS_PROVIDER="transip"
TRANSIP_ACCOUNT_NAME="robkamp"
TRANSIP_PRIVATE_KEY_PATH="/root/.secrets/transip.key"

Then you'll copy the transip.key file you got from your provider into the /mnt/data/udm-le/.secrets/ directory on your udmp.

Give that a shot, and report back if it works. If it does, I'll add it to the documentation when I get a few minutes.

robkamp commented 2 years ago

I changed it. There was a space between the variable, the = sign and the value. It looked like this: TRANSIP_ACCOUNT_NAME = "robkamp"

It does not handle that well.

DNS_PROVIDER="transip"
TRANSIP_ACCOUNT_NAME="robkamp"
TRANSIP_PRIVATE_KEY_PATH="/root/.secrets/transip.key"

The script now starts. The following occurs.

# /mnt/data/udm-le/udm-le.sh initial
Attempting initial certificate generation
Trying to pull docker.io/goacme/lego:v4.4.0-arm.v8...
Getting image source signatures
Copying blob 595b0fe564bb done
...
Writing manifest to image destination
Storing signatures
2021/10/27 12:48:08 transip: error while opening private key file: open "/root/.secrets/transip.key": no such file or directory

kchristensen commented 2 years ago

Did you mkdir /mnt/data/udm-le/.secrets/ and copy the key file from your DNS provider in there?

robkamp commented 2 years ago

Did you mkdir /mnt/data/udm-le/.secrets/ and copy the key file from your DNS provider in there?

Yes, I did. I also create /root/.secrets/ and copied the file there as well. When I remove that folder I still get the same error.

kchristensen commented 2 years ago

The /root/.secrets/ directory is the directory IN the Lego container that /mnt/data/udm-le/.secrets/ gets mounted to, so you don't need to copy it there on the host system.

If you sh -x /mnt/data/udm-le/udm-le.sh initial you should see in the output that the docker run command contains something like -v /mnt/data/udm-le/.secrets:/root/.secrets/, which should make /root/.secrets/transip.key available to Lego in the container when it runs.

If not, then you've got something amiss with the transip.key file, so you'll have to fiddle with that.

robkamp commented 2 years ago

There is -v /mnt/data/udm-le/.secrets:/root/.secrets/ within the output of sh -x ....

kchristensen commented 2 years ago

And the output of ls -la /mnt/data/udm-le/.secrets/ is?

robkamp commented 2 years ago

# ls -la /mnt/data/udm-le/.secrets/
total 12
drwxr-xr-x    2 root     root          4096 Oct 27 14:29 .
drwxr-xr-x    5 root     root          4096 Oct 27 16:06 ..
-rw-r--r--    1 root     root          1704 Oct 27 10:35 transip.key

robkamp commented 2 years ago

Should the folder be readable by the avahi user and group?

robkamp commented 2 years ago

Makes no difference if I chown them from root to avahi.

For reference. My udmpro version is UniFi OS UDM Pro 1.11.0-16.

kchristensen commented 2 years ago

Yeah, permissions shouldn't matter. I'm honestly not sure what this is mad about, although TransIP rang a bell and I remembered that someone else was having issues with this before but ended up giving up: https://github.com/kchristensen/udm-le/issues/35

robkamp commented 2 years ago

Is there a way to list/debug the contents of the container while it runs?

kchristensen commented 2 years ago

You can exec yourself into the container via:

podman run '--env-file=/mnt/data/udm-le/udm-le.env' -it '--name=lego' '--network=host' --rm -v /mnt/data/udm-le/lego/:/.lego/ -v /mnt/data/udm-le/.secrets:/root/.aws/ -v /mnt/data/udm-le/.secrets:/root/.secrets/ --entrypoint /bin/sh docker.io/goacme/lego:v4.4.0-arm.v8

Which will drop you into a shell as though you were going to run the lego binary in the container, so you can poke around.

robkamp commented 2 years ago

This shows me the files are there.

-rw-r--r--    1 root     root          1704 Oct 27 08:35 /root/.secrets/udmpro.key
-rw-------    1 root     root           172 Oct 27 15:39 /root/.ash_history
-rw-r--r--    1 root     root          1704 Oct 27 08:35 /root/.aws/udmpro.key

kchristensen commented 2 years ago

I don't see the key there, shouldn't it be named transip.key?

robkamp commented 2 years ago

I changed the name of the file to /mnt/data/udm-le/.secrets/udmpro.key and in the settings to TRANSIP_PRIVATE_KEY_PATH="/root/.secrets/udmpro.key" in udm-le.sh to check whether it had anything to do with the filename. It does not matter what name I give the file. It is available within the container but no matter what the file is named it cannot be found.

robkamp commented 2 years ago

# podman run '--env-file=/mnt/data/udm-le/udm-le.env' -it '--name=lego' '--network=host' --rm -v /mnt/data/udm-le/lego/:/.lego/ -v /mnt/data/udm-le/.secrets:/root/.aws/ -v /mnt/data/udm-le/.secrets:/root/.secrets/ --entrypoint /bin/sh docker.io/goacme/lego:v4.4.0-arm.v8
/ # find /root/ -type f
/root/.secrets/transip.key
/root/.ash_history
/root/.aws/transip.key

robkamp commented 2 years ago

# sh -x /mnt/data/udm-le/udm-le.sh initial
+ set -e
+ . /mnt/data/udm-le/udm-le.env
+ CERT_EMAIL=rob@kamp.nl.eu.org
+ CERT_HOSTS=umdpro.kamp-consultancy.it
+ ENABLE_CAPTIVE=no
+ ENABLE_RADIUS=no
+ DNS_PROVIDER=transip
+ TRANSIP_ACCOUNT_NAME=robkamp
+ TRANSIP_PRIVATE_KEY_PATH=/root/.secrets/transip.key
+ CONTAINER_IMAGE=docker.io/goacme/lego
+ CONTAINER_IMAGE_TAG=v4.4.0-arm.v8
+ DNS_RESOLVERS=
+ UDM_LE_PATH=/mnt/data/udm-le
+ CERT_IMPORT_CMD='java -jar /usr/lib/unifi/lib/ace.jar import_key_cert'
+ UBIOS_CONTROLLER_CERT_PATH=/mnt/data/unifi-os/unifi-core/config
+ UBIOS_RADIUS_CERT_PATH=/mnt/data/udapi-config/raddb/certs
+ UNIFIOS_CERT_PATH=/data/unifi-core/config
+ DOCKER_VOLUMES='-v /mnt/data/udm-le/lego/:/.lego/'
+ LEGO_ARGS='--dns transip --email rob@kamp.nl.eu.org --key-type rsa2048'
+ RESTART_SERVICES=false
+ '['  '!='  ]
+ echo umdpro.kamp-consultancy.it
+ tr , '\n'
+ '[' -z  ]
+ CERT_NAME=umdpro.kamp-consultancy.it
+ LEGO_ARGS='--dns transip --email rob@kamp.nl.eu.org --key-type rsa2048 -d umdpro.kamp-consultancy.it'
+ '[' -d /mnt/data/udm-le/.secrets ]
+ DOCKER_VOLUMES='-v /mnt/data/udm-le/lego/:/.lego/ -v /mnt/data/udm-le/.secrets:/root/secrets/'
+ ON_BOOT_DIR=/mnt/data/on_boot.d
+ ON_BOOT_FILE=99-udm-le.sh
+ '[' -d /mnt/data/on_boot.d ]
+ '[' '!' -f /mnt/data/on_boot.d/99-udm-le.sh ]
+ CRON_FILE=/etc/cron.d/udm-le
+ '[' '!' -f /etc/cron.d/udm-le ]
+ PODMAN_CMD='podman run --env-file=/mnt/data/udm-le/udm-le.env -it --name=lego --network=host --rm -v /mnt/data/udm-le/lego/:/.lego/ -v /mnt/data/udm-le/.secrets:/root/secrets/ docker.io/goacme/lego:v4.4.0-arm.v8'
+ stat -c '%u:%g' /mnt/data/udm-le/lego
+ '[' 1000:1000 '!=' 1000:1000 ]
+ echo 'Attempting initial certificate generation'
Attempting initial certificate generation
+ podman run '--env-file=/mnt/data/udm-le/udm-le.env' -it '--name=lego' '--network=host' --rm -v /mnt/data/udm-le/lego/:/.lego/ -v /mnt/data/udm-le/.secrets:/root/secrets/ docker.io/goacme/lego:v4.4.0-arm.v8 --dns transip --email rob@kamp.nl.eu.org --key-type rsa2048 -d umdpro.kamp-consultancy.it --accept-tos run
2021/10/27 15:48:34 transip: error while opening private key file: open "/root/.secrets/transip.key" : no such file or directory
#
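
A small diagnostic, added here as an example and not part of udm-le or Lego, that checks the two things debugged in this thread: an env-file assignment with spaces around "=" (the "not found" error from the first post), and whether the in-container path configured in TRANSIP_PRIVATE_KEY_PATH lies under a directory that the -v options of the container command actually mount, with the file present on the host side. The function names and the file name check-udm-le.sh are assumptions.

```shell
#!/bin/sh
# Added diagnostic, not part of udm-le. Two checks for the failures seen in
# this thread: (1) "VAR = value" spacing in the env file, which POSIX sh
# parses as a command named VAR ("VAR: not found"); (2) a provider key path
# that no -v mount of the container command covers, or whose host file is
# missing.

# check_env_syntax FILE: returns 1 and prints the offending lines if any
# assignment has whitespace on either side of '='.
check_env_syntax() {
    bad=$(grep -nE '^[[:space:]]*[A-Za-z_][A-Za-z0-9_]*([[:space:]]+=|=[[:space:]]+)' "$1" || :)
    [ -z "$bad" ] && return 0
    printf 'env lines with spaces around "=" (sh will not assign these):\n%s\n' "$bad" >&2
    return 1
}

# check_secret_mount "VOLUMES" IN_CONTAINER_PATH: VOLUMES is the "-v host:target"
# list as it appears in the podman/docker command (DOCKER_VOLUMES in the
# sh -x trace). Prints the host path of the file when some mount target is a
# parent of IN_CONTAINER_PATH and the file exists; otherwise returns 1 and
# names the mount targets that were tried.
check_secret_mount() {
    volumes=$1
    keypath=$2
    tried=""
    for spec in $volumes; do
        case "$spec" in *:*) ;; *) continue ;; esac   # skip the "-v" tokens
        host=${spec%%:*}; host=${host%/}
        target=${spec#*:}; target=${target%%:*}; target=${target%/}   # drop ":ro" etc.
        tried="$tried $target"
        case "$keypath" in
            "$target"/*)
                hostfile="$host/${keypath#"$target"/}"
                if [ -f "$hostfile" ]; then
                    printf '%s\n' "$hostfile"
                    return 0
                fi
                printf 'mount %s -> %s exists, but %s is missing on the host\n' \
                    "$host" "$target" "$hostfile" >&2
                return 1
                ;;
        esac
    done
    printf 'no -v mount covers %s (targets seen:%s)\n' "$keypath" "$tried" >&2
    return 1
}

# Usage on the UDM, with the DOCKER_VOLUMES value copied from the sh -x trace:
#   . ./check-udm-le.sh
#   check_env_syntax /mnt/data/udm-le/udm-le.env
#   check_secret_mount "-v /mnt/data/udm-le/lego/:/.lego/ -v /mnt/data/udm-le/.secrets:/root/secrets/" /root/.secrets/transip.key
```

Run the second check against the exact -v string printed by sh -x, not the one you expect the script to use; the comparison is only meaningful on the value the container actually receives.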

kchristensen commented 2 years ago

The only other thing I can think of is trying TRANSIP_PRIVATE_KEY_FILE="/root/.secrets/udmpro.key", that is using _FILE instead of _PATH. See docs here: https://go-acme.github.io/lego/dns/transip/

robkamp commented 2 years ago

That did not work either. I had to factory reset the udmpro in the meantime as I messed up the set-up. I'll try again later.