Closed JessicaMulein closed 2 years ago
Well. It would seem (https://github.com/natemcmaster/LettuceEncrypt/issues/1) my issue is using wildcard certs with LettuceEncrypt. Neither Http01 nor Tls methods support wildcards according to the letsencrypt challenge types page. DNS-01 is the only way, and that needs to be done interactively.
I am not closing the ticket, as there does seem to be at least a bug in not detecting this unsupported state, and no solution for this seems to exist. I understand why DNS-01 isn't supported for automated use, but I think we should be able to use a manual client to do that and then use a docker volume/mount to bring the saved state in?
Here's my workaround:
Do certbot manually, let docker create a couple containers:
$ docker run -it --rm -p 443:443 -p 80:80 --name certbot -v https:/etc/letsencrypt -v varhttps:/var/lib/letsencrypt certbot/certbot certonly --manual
{do dns steps}
$ docker run -it --rm -p 443:443 -p 80:80 --name certbot -v https:/etc/letsencrypt -v varhttps:/var/lib/letsencrypt certbot/certbot certonly --standalone
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Please enter the domain name(s) you would like on your certificate (comma and/or
space separated) (Enter 'c' to cancel): *.brightchain.net,brightchain.net,*.therevolution.network,therevolution.network
Requesting a certificate for *.brightchain.net and 3 more domains
Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/brightchain.net/fullchain.pem
Key is saved at: /etc/letsencrypt/live/brightchain.net/privkey.pem
This certificate expires on 2021-12-11.
These files will be updated when the certificate renews.
NEXT STEPS:
- The certificate will need to be renewed before it expires. Certbot can automatically renew the certificate in the background, but you may need to take steps to enable that functionality. See https://certbot.org/renewal-setup for instructions.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
* Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
* Donating to EFF: https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Add a LettuceEncryptStore as I did here and mount the volumes. Also see the changes to appSettings https://github.com/The-Revolution-Network/BrightChain.API/commit/2fb7182c438a87771976a17dfb2fe4fb016988bb
Run container:
C:\Users\JessicaMulein\source\repos\The-Revolution-Network\BrightChain\src\BrightChain.API>docker run --rm -itd --name=brightchainapi -v https:/etc/letsencrypt -v varhttps:/var/lib/letsencrypt --privileged -p 80:80 -p 443:443 -e ASPNETCORE_URLS="https://+;http://+" -e ASPNETCORE_HTTPS_PORT=443 -e DOMAIN_NAME=brightchain.net -e USE_STAGING_SERVER=false brightchainapi:splash
ea3db065b177d53c4ebda48ae59011dc5880fc86cdd29b888ef7d01cb4045a9f
C:\Users\JessicaMulein\source\repos\The-Revolution-Network\BrightChain\src\BrightChain.API>docker logs -f brightchainapi
{"EventId":60,"LogLevel":"Warning","Category":"Microsoft.AspNetCore.DataProtection.Repositories.FileSystemXmlRepository","Message":"Storing keys in a directory \u0027/root/.aspnet/DataProtection-Keys\u0027 that may not be persisted outside of the container. Protected data will be unavailable when container is destroyed.","State":{"Message":"Storing keys in a directory \u0027/root/.aspnet/DataProtection-Keys\u0027 that may not be persisted outside of the container. Protected data will be unavailable when container is destroyed.","path":"/root/.aspnet/DataProtection-Keys","{OriginalFormat}":"Storing keys in a directory \u0027{path}\u0027 that may not be persisted outside of the container. Protected data will be unavailable when container is destroyed."}}
{"EventId":35,"LogLevel":"Warning","Category":"Microsoft.AspNetCore.DataProtection.KeyManagement.XmlKeyManager","Message":"No XML encryptor configured. Key {948b6bc3-25ee-4775-bacc-d30d1f2afb8d} may be persisted to storage in unencrypted form.","State":{"Message":"No XML encryptor configured. Key {948b6bc3-25ee-4775-bacc-d30d1f2afb8d} may be persisted to storage in unencrypted form.","KeyId":"948b6bc3-25ee-4775-bacc-d30d1f2afb8d","{OriginalFormat}":"No XML encryptor configured. Key {KeyId:B} may be persisted to storage in unencrypted form."}}
{"EventId":0,"LogLevel":"Trace","Category":"LettuceEncrypt.Internal.CertificateSelector","Message":"Successfully tested certificate chain for *.brightchain.net","State":{"Message":"Successfully tested certificate chain for *.brightchain.net","commonName":"*.brightchain.net","{OriginalFormat}":"Successfully tested certificate chain for {commonName}"}}
{"EventId":0,"LogLevel":"Trace","Category":"LettuceEncrypt.Internal.AcmeCertificateLoader","Message":"ACME state transition: moving to ServerStartupState","State":{"Message":"ACME state transition: moving to ServerStartupState","stateName":"ServerStartupState","{OriginalFormat}":"ACME state transition: moving to {stateName}"}}
{"EventId":0,"LogLevel":"Debug","Category":"LettuceEncrypt.Internal.AcmeStates.ServerStartupState","Message":"Certificate for *.brightchain.net already found.","State":{"Message":"Certificate for *.brightchain.net already found.","domainNames":"*.brightchain.net","{OriginalFormat}":"Certificate for {domainNames} already found."}}
{"EventId":0,"LogLevel":"Trace","Category":"LettuceEncrypt.Internal.AcmeCertificateLoader","Message":"ACME state transition: moving to CheckForRenewalState","State":{"Message":"ACME state transition: moving to CheckForRenewalState","stateName":"CheckForRenewalState","{OriginalFormat}":"ACME state transition: moving to {stateName}"}}
{"EventId":0,"LogLevel":"Debug","Category":"LettuceEncrypt.Internal.AcmeStates.CheckForRenewalState","Message":"Checking certificates\u0027 renewals for *.brightchain.net, brightchain.net, *.therevolution.network, therevolution.network","State":{"Message":"Checking certificates\u0027 renewals for *.brightchain.net, brightchain.net, *.therevolution.network, therevolution.network","hostname":"*.brightchain.net, brightchain.net, *.therevolution.network, therevolution.network","{OriginalFormat}":"Checking certificates\u0027 renewals for {hostname}"}}
{"EventId":14,"LogLevel":"Information","Category":"Microsoft.Hosting.Lifetime","Message":"Now listening on: https://[::]:443","State":{"Message":"Now listening on: https://[::]:443","address":"https://[::]:443","{OriginalFormat}":"Now listening on: {address}"}}
{"EventId":14,"LogLevel":"Information","Category":"Microsoft.Hosting.Lifetime","Message":"Now listening on: http://[::]:80","State":{"Message":"Now listening on: http://[::]:80","address":"http://[::]:80","{OriginalFormat}":"Now listening on: {address}"}}
{"EventId":0,"LogLevel":"Information","Category":"Microsoft.Hosting.Lifetime","Message":"Application started. Press Ctrl\u002BC to shut down.","State":{"Message":"Application started. Press Ctrl\u002BC to shut down.","{OriginalFormat}":"Application started. Press Ctrl\u002BC to shut down."}}
{"EventId":0,"LogLevel":"Information","Category":"Microsoft.Hosting.Lifetime","Message":"Hosting environment: Production","State":{"Message":"Hosting environment: Production","envName":"Production","{OriginalFormat}":"Hosting environment: {envName}"}}
{"EventId":0,"LogLevel":"Information","Category":"Microsoft.Hosting.Lifetime","Message":"Content root path: /app","State":{"Message":"Content root path: /app","contentRoot":"/app","{OriginalFormat}":"Content root path: {contentRoot}"}}
{"EventId":0,"LogLevel":"Information","Category":"BrightBlockService","Message":"\u003CBrightBlockService\u003E: logging initialized","State":{"Message":"\u003CBrightBlockService\u003E: logging initialized","{OriginalFormat}":"\u003CBrightBlockService\u003E: logging initialized"}}
{"EventId":0,"LogLevel":"Information","Category":"BrightBlockService","Message":"\u003CBrightBlockService\u003E: caches initialized","State":{"Message":"\u003CBrightBlockService\u003E: caches initialized","{OriginalFormat}":"\u003CBrightBlockService\u003E: caches initialized"}}
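The certificate store the workaround above relies on, written out as an added example (this is not the code from the linked BrightChain.API commit): a LettuceEncrypt certificate source that loads the certbot-issued PEM pair from the mounted /etc/letsencrypt volume. It assumes LettuceEncrypt's `ICertificateSource` exposes `GetCertificatesAsync(CancellationToken)`, that the app targets .NET 6 or later with implicit usings, and the class name and directory layout are my own (certbot's default `live/<lineage>/` layout, as in the certbot output above).

```csharp
using System.Security.Cryptography.X509Certificates;
using LettuceEncrypt;
using Microsoft.Extensions.Logging;

// Hypothetical certificate source: reads the PEM pair certbot wrote into the mounted volume
// and hands it to LettuceEncrypt, so the app serves the wildcard cert without LettuceEncrypt
// ever running an ACME challenge itself (which cannot succeed for a wildcard name).
public sealed class CertbotVolumeCertificateSource : ICertificateSource
{
    // certbot's default layout: <liveDir>/<lineage>/fullchain.pem + privkey.pem
    private readonly string _liveDir;
    private readonly ILogger<CertbotVolumeCertificateSource> _log;

    public CertbotVolumeCertificateSource(ILogger<CertbotVolumeCertificateSource> log,
                                          string liveDir = "/etc/letsencrypt/live")
    {
        _log = log;
        _liveDir = liveDir;
    }

    public Task<IEnumerable<X509Certificate2>> GetCertificatesAsync(CancellationToken cancellationToken)
    {
        var certs = new List<X509Certificate2>();
        if (!Directory.Exists(_liveDir))
        {
            _log.LogWarning("certbot live directory {Dir} not found; is the volume mounted?", _liveDir);
            return Task.FromResult<IEnumerable<X509Certificate2>>(certs);
        }
        foreach (var lineage in Directory.EnumerateDirectories(_liveDir))
        {
            var chainPath = Path.Combine(lineage, "fullchain.pem");
            var keyPath = Path.Combine(lineage, "privkey.pem");
            if (!File.Exists(chainPath) || !File.Exists(keyPath))
                continue; // not a certbot lineage directory (certbot also drops a README here)
            // CreateFromPemFile pairs the leaf with its key, but on some platforms (notably Windows)
            // SslStream cannot use the result directly; round-tripping through PKCS#12 is the usual fix.
            using var pem = X509Certificate2.CreateFromPemFile(chainPath, keyPath);
            var cert = new X509Certificate2(pem.Export(X509ContentType.Pkcs12));
            if (cert.NotAfter <= DateTime.Now)
            {
                // Do not offer an expired cert: certbot on the host has to renew it, not LettuceEncrypt.
                _log.LogWarning("Skipping expired certificate {Subject} (expired {NotAfter})", cert.Subject, cert.NotAfter);
                continue;
            }
            _log.LogInformation("Loaded {Subject} from {Path}, valid until {NotAfter}", cert.Subject, chainPath, cert.NotAfter);
            certs.Add(cert);
        }
        return Task.FromResult<IEnumerable<X509Certificate2>>(certs);
    }
}
// Register next to AddLettuceEncrypt() in Startup.ConfigureServices / Program.cs:
//   services.AddSingleton<ICertificateSource, CertbotVolumeCertificateSource>();
```

LettuceEncrypt still runs its own renewal check (the CheckForRenewalState lines in the log above), so once the certbot-issued certificate enters the renewal window it will attempt a renewal that cannot succeed for the wildcard names; renew with certbot on the host and restart the container before that point.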
I've opened #221 to raise an error to make this clearer.
I'm open to supporting wildcard domains if someone wants to help implement #1. But it's not something I'm actively working on.
Describe the bug
When trying to use LettuceEncrypt for Wildcard SSL, we receive an object not set error when doing unsupported wildcards.
Initially I thought I'd have to do DNS manual, but certbot worked fine. The comments below contain a workaround and provide a means to have a little more control over the certs; it implements a cert store to pull the certs off a docker volume.
To Reproduce
Steps to reproduce the behavior:
Expected behavior
Either an error indicating unsupported behavior, or implement whatever mechanism certbot is using.
Additional context
http/https are definitely through the firewall and http redirect works while the container is running.