Closed kcalmond closed 2 years ago
Your GCE_SERVICE_ACCOUNT_FILE variable should be pointed to a path IN the container, you're pointing to the path on the UDMP host itself. Try setting it to GCE_SERVICE_ACCOUNT_FILE=/root/.secrets/almondnet-3d4f08b80060.json and see if it works.
Thank you @kchristensen that fixed the read problem. Now I'm hitting another issue, unrelated to udm-le. Not sure what to do about this one. I run my internal network dns using *.almond.lan. (".lan" is not a valid public suffix TLD). Any ideas?
# /mnt/data/udm-le/udm-le.sh initial
Attempting initial certificate generation
2022/01/04 20:09:18 [INFO] acme: Registering account for <redacted>@gmail.com
!!!! HEADS UP !!!!
Your account credentials have been saved in your Let's Encrypt
configuration directory at "/.lego/accounts".
You should make a secure backup of this folder now. This
configuration directory will also contain certificates and
private keys obtained from Let's Encrypt so making regular
backups of this folder is ideal.
2022/01/04 20:09:18 [INFO] [udmp.almond.lan, *.udmp.almond.lan] acme: Obtaining bundled SAN certificate
2022/01/04 20:09:18 Could not obtain certificates:
acme: error: 400 :: POST :: https://acme-v02.api.letsencrypt.org/acme/new-order :: urn:ietf:params:acme:error:rejectedIdentifier :: Error creating new order :: Cannot issue for "*.udmp.almond.lan": Domain name does not end with a valid public suffix (TLD) (and 1 more problems. Refer to sub-problems for more information.), problem: "urn:ietf:params:acme:error:rejectedIdentifier" :: Error creating new order :: Domain name does not end with a valid public suffix (TLD), problem: "urn:ietf:params:acme:error:rejectedIdentifier" :: Error creating new order :: Domain name does not end with a valid public suffix (TLD)
#
Yeah, you're SOL. You can't issue anything but a self signed certificate for a domain you don't own (or one that doesn't exist). LetsEncrypt issues certificates they validate to be legitimate either by DNS or http challenges, and your domain doesn't qualify for that so none of this is going to be of use to you.
I'd suggest purchasing an actual domain and subdomain of that (home.somevaliddomain.com) etc.
Yep... https://community.letsencrypt.org/t/sign-certificate-for-lan-usage-lan-domain/131504/19 I'd have to redo my internal home network hostnames. Not worth the effort right now. Maybe later. Thx again :-)
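A pre-flight check for the two problems raised in this thread (the service-account path must be the one the container sees, not the UDMP host path, and the ACME CA will not issue for names under a non-public suffix such as .lan), as an added example that is not part of udm-le or of the original thread; the host secrets directory, the CERT_HOSTS variable name and the list of non-public suffixes are assumptions, and the check reads only variable values and key names, never the private key itself.

```python
import json
import os
import sys

HOST_SECRETS_DIR = "/mnt/data/udm-le/.secrets"  # assumption: host-side mount
CONTAINER_SECRETS_DIR = "/root/.secrets"         # container path from the thread
# Constructed list; not the full Public Suffix List, only common private TLDs.
NON_PUBLIC_SUFFIXES = {"lan", "local", "home", "internal", "corp", "localhost"}
REQUIRED_SA_KEYS = {"type", "project_id", "private_key", "client_email"}


def host_to_container_path(path):
    """Map a host path under HOST_SECRETS_DIR to the path the container sees;
    a path already under CONTAINER_SECRETS_DIR is returned unchanged, anything
    else yields None (the container cannot reach it)."""
    norm = os.path.normpath(path)
    if norm.startswith(CONTAINER_SECRETS_DIR + "/"):
        return norm
    if norm.startswith(HOST_SECRETS_DIR + "/"):
        return CONTAINER_SECRETS_DIR + norm[len(HOST_SECRETS_DIR):]
    return None


def service_account_problems(text):
    """Problems found in a GCE service-account JSON document (empty == ok)."""
    try:
        doc = json.loads(text)
    except ValueError:
        return ["file is not valid JSON"]
    if not isinstance(doc, dict):
        return ["top-level JSON value is not an object"]
    problems = [f"missing key {k!r}" for k in sorted(REQUIRED_SA_KEYS - doc.keys())]
    if doc.get("type") != "service_account":
        problems.append("type is not 'service_account'")
    return problems


def rejected_hosts(hosts):
    """Hostnames (wildcards allowed) whose last label is a known non-public
    suffix or that have no dot at all; an ACME new-order rejects these."""
    bad = []
    for h in hosts:
        name = h.rstrip(".")
        if "." not in name or name.rsplit(".", 1)[-1].lower() in NON_PUBLIC_SUFFIXES:
            bad.append(h)
    return bad


def main():  # reads the same variables udm-le.env supplies (CERT_HOSTS assumed)
    sa_env = os.environ.get("GCE_SERVICE_ACCOUNT_FILE", "")
    errors = []
    cpath = host_to_container_path(sa_env)
    if cpath is None:
        errors.append(f"GCE_SERVICE_ACCOUNT_FILE={sa_env!r} is outside {CONTAINER_SECRETS_DIR}")
    elif cpath != sa_env:
        errors.append(f"GCE_SERVICE_ACCOUNT_FILE should be the container path {cpath!r}")
    elif os.path.exists(cpath):
        with open(cpath) as f:
            errors += service_account_problems(f.read())
    errors += [f"{h}: no public suffix, ACME will reject it"
               for h in rejected_hosts(os.environ.get("CERT_HOSTS", "").split())]
    for e in errors:
        print("preflight:", e)
    return 1 if errors else 0


if __name__ == "__main__":
    sys.exit(main())
```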
Describe the bug I'm trying to initialize. CLI output below. I don't understand why the script cannot read the service account secret file. I don't see a problem w/the default permissions on the file. I'm using Google Cloud DNS.
Here is my provider section:
Version Information (please complete the following information):