kchristensen / udm-le

Let's Encrypt support for Ubiquiti UniFi OS
MIT License

[BUG] Can't open file from /root/.secrets #59

Closed Djelibeybi closed 2 years ago

Djelibeybi commented 2 years ago

Describe the bug I'm trying to configure OCI DNS which requires a client-side certificate which is stored in PEM format to be available. If I configure the environment variables in udm-le.env and run the script as documented, LEGO throws a "no such file or directory". However, if I override the entrypoint and run LEGO manually, it works just fine.

This is similar to https://github.com/kchristensen/udm-le/issues/51 but the OCI provider doesn't have a _PATH variant and running the command manually works.

To Reproduce Add the following to udm-le.env and run udm-le.sh initial:

DNS_PROVIDER='oraclecloud'
OCI_PRIVKEY_FILE='/root/.secrets/oci_api_key.pem'
OCI_PUBKEY_FINGERPRINT='00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00'
OCI_TENANCY_OCID='ocid1.tenancy.oc1..secret'
OCI_COMPARTMENT_OCID='ocid1.tenancy.oc1..secret'
OCI_USER_OCID='ocid1.user.oc1..secret'
OCI_REGION="us-ashburn-1"

If you launch the container and override the entrypoint and run this, it works just fine:

OCI_PRIVKEY_FILE="/root/.secrets/oci_api_key.pem" \
OCI_TENANCY_OCID="ocid1.tenancy.oc1..secret" \
OCI_USER_OCID="ocid1.user.oc1..secret" \
OCI_PUBKEY_FINGERPRINT='00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00' \
OCI_REGION="us-ashburn-1" \
OCI_COMPARTMENT_OCID="ocid1.compartment.oc1..secret" \
/usr/bin/lego --email my@email.adress --dns oraclecloud --key-type rsa2048 -d '*.example.com' --accept-tos run

Expected behavior I expected the script to work because it does manually. The only difference I can see is the use of single vs double quotes, so I'm going to try replacing the quote in udm-le.env to see if that fixes it.

Version Information (please complete the following information):

Djelibeybi commented 2 years ago

I tried changing the quotes to doubles and it still fails. I even tried hand-crafting the podman command and it didn't work. I've tried passing only the OCI vars in a custom env-file and it still fails. Adding --privileged, still fails.

This is really bizarre. I have no idea why it can read the file when the container runs a shell, but not if it runs lego. And I can't find any way to get any verbose or debug output from lego.

Djelibeybi commented 2 years ago

Ok, I finally worked it out. It works if the values are provided without any quotes at all, i.e. the udm-le.env file needs to have the OCI_* variables formatted like this:

OCI_PRIVKEY_FILE=/root/.secrets/oci_api_key.pem
OCI_PUBKEY_FINGERPRINT=00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
OCI_TENANCY_OCID=ocid1.tenancy.oc1..secret
OCI_COMPARTMENT_OCID=ocid1.tenancy.oc1..secret
OCI_USER_OCID=ocid1.user.oc1..secret
OCI_REGION=us-ashburn-1
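
As an added illustration (not part of this issue thread or of the udm-le project): the failure above comes from the container runtime passing env-file values through literally, so the quote characters in udm-le.env end up inside the path lego tries to open. This constructed POSIX sh check reads an env file the same literal way and reports any variable whose value is wrapped in single or double quotes; the file contents and the check_env_file_quotes name are constructed for the example.

```shell
#!/bin/sh
# Added example (not udm-le code): flag env-file values that are wrapped in
# quotes. `podman run --env-file` does not strip quotes, so a value such as
# '/root/.secrets/oci_api_key.pem' is handed to lego with the quotes included
# and the file open fails with "no such file or directory".
# Prints each offending KEY and returns 1 if any quoted value was found.
check_env_file_quotes() {
    file="$1"
    bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            ''|'#'*) continue ;;            # skip blank lines and comments
        esac
        key="${line%%=*}"                   # text before the first '='
        value="${line#*=}"                  # everything after it, verbatim
        case "$value" in
            \"*\"|\'*\')
                echo "$key: value is wrapped in quotes and will be passed literally: $value"
                bad=1
                ;;
        esac
    done < "$file"
    return "$bad"
}

# Constructed sample in the failing form from the report (quoted values).
tmp=$(mktemp)
cat > "$tmp" <<'EOF'
DNS_PROVIDER='oraclecloud'
OCI_PRIVKEY_FILE='/root/.secrets/oci_api_key.pem'
OCI_REGION="us-ashburn-1"
EOF
check_env_file_quotes "$tmp" || echo "fix: write KEY=value with no quotes"
rm -f "$tmp"
```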

Djelibeybi commented 2 years ago

I've documented this requirement for OCI in my PR to include docs for OCI: #60.