kchristensen / udm-le

Let's Encrypt support for Ubiquiti UniFi OS
MIT License

Failing to read secret file - "no such file or directory" #51

Closed kcalmond closed 2 years ago

kcalmond commented 2 years ago

Describe the bug

I'm trying to initialize. CLI output below. I don't understand why the script cannot read the service account secret file. I don't see a problem w/the default permissions on the file. I'm using Google Cloud DNS.

# /mnt/data/udm-le/udm-le.sh initial
Attempting initial certificate generation
2022/01/04 19:40:05 Failed to read the file /mnt/data/udm-le/.secrets/almondnet-3d4f08b80060.json (defined by env var GCE_SERVICE_ACCOUNT_FILE): open /mnt/data/udm-le/.secrets/almondnet-3d4f08b80060.json: no such file or directory
2022/01/04 19:40:07 googlecloud: project name missing

# ls -al /mnt/data/udm-le/.secrets/almondnet-3d4f08b80060.json
-rw-r--r--    1 root     root          2298 Jan  4 11:22 /mnt/data/udm-le/.secrets/almondnet-3d4f08b80060.json
# stat /mnt/data/udm-le/.secrets/almondnet-3d4f08b80060.json
  File: /mnt/data/udm-le/.secrets/almondnet-3d4f08b80060.json
  Size: 2298        Blocks: 8          IO Block: 4096   regular file
Device: 816h/2070d  Inode: 392472      Links: 1
Access: (0644/-rw-r--r--)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2022-01-04 11:22:55.000000000
Modify: 2022-01-04 11:22:55.000000000
Change: 2022-01-04 11:22:55.00000000

Here is my provider section:

# Google Cloud DNS
# Note: The default path for the service account file is /root/.secrets
DNS_PROVIDER='gcloud'
GCE_SERVICE_ACCOUNT_FILE=/mnt/data/udm-le/.secrets/almondnet-3d4f08b80060.json
GCE_PROPAGATION_TIMEOUT=3600

Version Information (please complete the following information):

kchristensen commented 2 years ago

Your GCE_SERVICE_ACCOUNT_FILE variable should be pointed to a path IN the container, you're pointing to the path on the UDMP host itself. Try setting it to GCE_SERVICE_ACCOUNT_FILE=/root/.secrets/almondnet-3d4f08b80060.json and see if it works.
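
A preflight check for the case above, written here as an added example and not part of udm-le itself. It assumes the host directory /mnt/data/udm-le/.secrets is bind-mounted into the lego container at /root/.secrets (the mapping implied in the thread), so it flags a host-side path, confirms the host file behind the container-side path really exists, and also refuses a key file that is group- or world-readable, since the service account key in the report above was mode 0644.

```shell
#!/bin/sh
# Preflight for the GCE_SERVICE_ACCOUNT_FILE setting (added example, not udm-le code).
# Assumption: $HOST_SECRETS on the UDM host is bind-mounted at $CONTAINER_SECRETS
# inside the lego container, so the variable must use the container-side path.
HOST_SECRETS="${HOST_SECRETS:-/mnt/data/udm-le/.secrets}"
CONTAINER_SECRETS="${CONTAINER_SECRETS:-/root/.secrets}"

# check_secret_path <value of GCE_SERVICE_ACCOUNT_FILE>
# Returns 0 when the value is a container path whose host-side file exists and is
# readable by root only; prints the reason and returns 1 otherwise.
check_secret_path() {
    value="$1"
    case "$value" in
        "$HOST_SECRETS"/*)
            # Host path: correct on the UDM shell, invisible inside the container.
            echo "host path given; inside the container use ${CONTAINER_SECRETS}/${value#"$HOST_SECRETS"/}"
            return 1 ;;
        "$CONTAINER_SECRETS"/*)
            # Container path: translate back to the host file the mount exposes.
            host_file="${HOST_SECRETS}/${value#"$CONTAINER_SECRETS"/}" ;;
        *)
            echo "path is outside ${CONTAINER_SECRETS}; the container cannot see it"
            return 1 ;;
    esac
    if [ ! -f "$host_file" ]; then
        echo "no such file on the host: $host_file"
        return 1
    fi
    # The key grants write access to the DNS zone; nothing but root should read it.
    mode=$(stat -c '%a' "$host_file" 2>/dev/null)
    case "$mode" in
        *00) ;;   # e.g. 600 or 400: owner-only
        *)  echo "$host_file is mode $mode; restrict it with: chmod 600 $host_file"
            return 1 ;;
    esac
    echo "ok: $value -> $host_file (mode $mode)"
}
```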

kcalmond commented 2 years ago

Thank you @kchristensen, that fixed the read problem. Now I'm hitting another issue, unrelated to udm-le. Not sure what to do about this one. I run my internal network DNS using *.almond.lan. (".lan" is not a valid public suffix TLD). Any ideas?


# /mnt/data/udm-le/udm-le.sh initial
Attempting initial certificate generation
2022/01/04 20:09:18 [INFO] acme: Registering account for <redacted>@gmail.com
!!!! HEADS UP !!!!

Your account credentials have been saved in your Let's Encrypt
configuration directory at "/.lego/accounts".

You should make a secure backup of this folder now. This
configuration directory will also contain certificates and
private keys obtained from Let's Encrypt so making regular
backups of this folder is ideal.
2022/01/04 20:09:18 [INFO] [udmp.almond.lan, *.udmp.almond.lan] acme: Obtaining bundled SAN certificate
2022/01/04 20:09:18 Could not obtain certificates:
    acme: error: 400 :: POST :: https://acme-v02.api.letsencrypt.org/acme/new-order :: urn:ietf:params:acme:error:rejectedIdentifier :: Error creating new order :: Cannot issue for "*.udmp.almond.lan": Domain name does not end with a valid public suffix (TLD) (and 1 more problems. Refer to sub-problems for more information.), problem: "urn:ietf:params:acme:error:rejectedIdentifier" :: Error creating new order :: Domain name does not end with a valid public suffix (TLD), problem: "urn:ietf:params:acme:error:rejectedIdentifier" :: Error creating new order :: Domain name does not end with a valid public suffix (TLD)
#

kchristensen commented 2 years ago

Yeah, you're SOL. You can't issue anything but a self-signed certificate for a domain you don't own (or one that doesn't exist). LetsEncrypt issues certificates they validate to be legitimate either by DNS or HTTP challenges, and your domain doesn't qualify for that so none of this is going to be of use to you.

I'd suggest purchasing an actual domain and subdomain of that (home.somevaliddomain.com) etc.

kcalmond commented 2 years ago

Yep... https://community.letsencrypt.org/t/sign-certificate-for-lan-usage-lan-domain/131504/19 I'd have to redo my internal home network hostnames. Not worth the effort right now. Maybe later. Thx again :-)