levino / letsencrypt-cert-service

A service to automatically create and renew letsencrypt certificates
The Unlicense

Error while executing makecert #10

Closed fermuch closed 8 years ago

fermuch commented 8 years ago

Formatted json:

letsencrypt-cert-service-1 | 2016-03-12T14:09:31.127470031Z {
    "name":"LetsEncrypt Cert Service",
    "hostname":"letsencrypt-cert-service-1",
    "pid":16,
    "level":50,
    "msg":"exec error: Error: Command failed: ./create-cert.sh debconf: delaying package configuration, since apt-utils is not installed\n/letsencrypt/letsencrypt auto: 1822: /letsencrypt/letsencrypt-auto: ------------------------------------------------------------------------: not found",
    "time":"2016-03-12T14:09:31.124Z",
    "v":0
}
levino commented 8 years ago

Could you please provide the stackfile or all environment parameters for the container and the loadbalancer?

fermuch commented 8 years ago

 CERT_DOMAINS               foobar.com,www.foobar.com,foo.foobar.com,certs.foobar.com
 CERT_EMAIL                 fermuch@ayvu.net
 CERT_SERVICE_PASSWORD      ••••••
 CERT_SERVICE_PRIVATE       true
 CERT_SERVICE_USERNAME      fermuch
 EXCLUDE_PORTS              443
 VIRTUAL_HOST               http://*/.well-known/*,certs.foobar.com
 VIRTUAL_HOST_WEIGHT        1
 NODE_VERSION               4.2.6
 NPM_CONFIG_LOGLEVEL        info
 PATH                       /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
levino commented 8 years ago

This looks like a letsencrypt error more than an issue with my container image. All the service does is call letsencrypt-auto on the command line. Are there more people with this issue?

Did you retry multiple times @fermuch?

fermuch commented 8 years ago

Yes, I tried several times.

Now I directly get the error: Cannot GET /makecert.

The full query:

➜ ~ curl -v http://certs.domain.com/makecert
*   Trying 111.222.333.444...
* Connected to certs.domain.com (111.222.333.444) port 80 (#0)
> GET /makecert HTTP/1.1
> Host: certs.domain.com
> User-Agent: curl/7.46.0
> Accept: */*
> 
< HTTP/1.1 404 Not Found
< X-Powered-By: Express
< X-Content-Type-Options: nosniff
< Content-Type: text/html; charset=utf-8
< Content-Length: 21
< Date: Tue, 15 Mar 2016 12:34:02 GMT
< 
Cannot GET /makecert
* Connection #0 to host certs.escerca.com left intact

And I don't see anything more than what I already posted here on the logs.

levino commented 8 years ago

makecert will not be available after successful creation of the SSL certificates on HTTP but on HTTPS in the container. Open port 443 of the cert service and try to reach it from the outside. Don't hit /makecert any more though as you now have certificates in place. Did you link any volumes into the container from the host?

fermuch commented 8 years ago

Yes, I linked /etc/letsencrypt.

curl --user fermuch:suchPassword -k https://letsencrypt-cert-service-1.foo.server.com:32803/
Cannot GET /

Is there any other way I can help you debug? Maybe deleting the container, the volumes, and recreating everything?

fermuch commented 8 years ago

Oh I feel so stupid.

Now if I contact to /certs/foobar.com/bundle.pem everything seems to be working. Or, at least, I get a cert, and it is a valid one.

levino commented 8 years ago

Hope you contact https://serverip/certs/foobar.com/bundle.com and not http. I need to update the FAQ a little. I am also wondering about how to improve the overall setup. Maybe one should have two containers, one slave one master or so. It is a shame that haproxy cannot route to multiple ports on the backend.

levino commented 8 years ago

For the record: the root route '/' is not defined, so the server will not answer queries to it.

fermuch commented 8 years ago

Your step-by-step instructions really helped me, since I was truly lost, but not knowing how to contact the backend server was a huge problem.

Is it possible to add instructions in-code? For example, make HTTP /makecert answer something like are you looking for https://.../makecert ? Or force to redirect to HTTPS after the certs are created?

That way, if someone like me stood upon this same problem, he wouldn't think it is a problem within the service, but with how he is using it.

Just a last question: if I go to /makecert to update the certs, should I always use HTTPS? Will it work without SSL?

levino commented 8 years ago

If you have certificates in place the server will only reply to /makecert on port 443. This is in order to prevent spam attacks by script kiddies. If the /makecert route would be public any fool could just rate limit you. This is why I only allow it once in the beginning "unencrypted" but once it was successful I require username and password to trigger the update.

Thanks for the suggestion. I will make an issue and introduce a warning "hey buddy, you already have certificates, call me again on port 443" or so when one goes to http://../makecert after having created certificates.

levino commented 8 years ago

Please reopen or ping when this has not been resolved. @fermuch