nextorigin / ten-ply-crest

LetsEncrypt Automatic Microservice and Express Middleware for Consul/Vault/Fabio
MIT License

Problems running standalone script #27

Open afterthought opened 7 years ago

afterthought commented 7 years ago

Hi there. I've been trying to work through issues on my own, but figured I would check in to see if you're still active on this project. I have it forked and am trying to boot up in docker. It seems to hang on me when reading the keypair from vault (which doesn't exist on first startup). In my analysis so far, it seems like the node-vault library isn't quite used right here. However, IcedCoffeeScript is new to me and it seems that several people have used this successfully. Before I started hacking around too much I thought I'd ask for help. I wonder if a library version changed and the interface changed.

doublerebel commented 7 years ago

Hi @afterthought , I am still using this I just haven't bumped the dependencies in a while.

There should be a bunch of information printed to the logs as it starts, can you copy and paste that here?

Also, you forked+cloned this repo, and did not install from npm? The npm package ten-ply-crest is published with the compiled javascript, it may be easier to install and require it as a normal module if you would like to try that first.

afterthought commented 7 years ago

Good idea! I just tried it out using "npm install" and integrating using middleware instead. Definitely got further. The reason I originally thought to fork it was because I knew I needed to tweak the consul config. I have port 8500 set up using SSL with client auth. I see that node-consul doesn't support client auth in its config. I also have port 8501 set up without TLS, bound to the loopback. My ideal setup would be to connect to 8500 using SSL because that lets me more easily docker ten-ply-crest using simple bridge networking. Right now my only option is to use host networking and modify ten-ply-crest to use port 8501.

I know I can only get so far testing out locally with docker... It looks like I can start trying to set this up in our dev environment for real testing.

https://gist.github.com/afterthought/4b34f6033a369cc523f6e819057a0241

That gist is the server.js file I made to test the middleware and the resulting logs. It did err out I think with the consul watch. Maybe on the error listener since I'm starting this against vanilla consul/vault running in -dev mode. When I get this running on our servers instead we already have consul, fabio, and nomad all setup.

I'd be happy to type up some "getting started" docs as I go along here. I've read through a bunch of the code already. The parts that are still a little bit fuzzy are what exactly I need to have set up so the LE challenges work in terms of DNS, SSL, etc. Also the fabio integration. I assume that is using the fabio http/s certificate store type and that ten-ply-crest's API works seamlessly there.

I can see the version changes in the package dependencies. So that I can move forward, I will try to get my fork set up to be identical in version numbers. This will let me expose the consul port as an option....

Thanks, Chuck

afterthought commented 7 years ago

Do you use VAULT_SKIP_VERIFY or are you adding trusted certs somehow for use when connecting to vault? That flag isn't working for me. I'd rather not use that anyway. We have self signed certificates and with other vault clients we just specify the "ca_cert"...

afterthought commented 7 years ago

I have TLS working on vault and consul now. And I am able to fetch a certificate back from LE on the staging service.

Do you integrate with Fabio? Based on how I understand the code, I assume you use the http certificate store in fabio which will force certificate renewals 15 days before expiration. I can't figure out the http endpoint to use. /certs hangs on me. Any advice for this? Thanks!

doublerebel commented 7 years ago

Oh great, glad you were able to get vault working! I do all this in Joyent SmartOS instances and not Docker images so my networking setup is pretty different.

Back when I did this, Fabio didn't have the cert store or Vault integration yet, and didn't proxy TCP. These days I'd probably use the Vault integration. I actually patched Fabio to enable routing */.well-known to a single app and I do my SSL termination with indutny/bud because it's super fast and allows me to dynamically proxy to TCP endpoints.

It looks like I haven't published the renewal logic for ten-ply-crest either.

I'll take a look at how Fabio does it now and ping back here with a recommendation. Let me know if you work it out and feel free to post here any further questions.

afterthought commented 7 years ago

I was just trying to figure out the renewal... and started to realize it wasn't quite there. I set up the vault cert store and it worked first try, so that's cool. I'm pretty close now. Thanks for the link to the patch. I realized earlier tonight that such a feature would be needed. Or I'll be hard coding all my domains against ten-ply.

doublerebel commented 7 years ago

Since you also find it useful, I can submit the config change as a PR to Fabio in the long-term. Ping me if you have any trouble with the patch.

afterthought commented 7 years ago

https://github.com/fabiolb/fabio/commit/e007d1ebe8921d935af1d5d09862246ec203d91e

doublerebel commented 7 years ago

Excellent! Are there any pieces left or does that complete the integration for you?

afterthought commented 7 years ago

Just the renewal logic. If you are too busy to push that I'll have to code something in. If you want to give me some pointers/direction it might be more useful as a pull request. I was trying to work it out and I think persisting the expiration on the cert model so a check can trigger the renewal makes sense. I see the consul watch seems to trigger quite frequently. I'm not sure if we'd use that to trigger a renewal function after the check for new domains?