ramereth
commented
3 years ago I'm getting the following error when starting named on a fresh build:
/etc/named.conf:22: open: /etc/crypto-policies/back-ends/bind.config: file not foundClosed andrewda closed 3 years ago
ramereth
commented
3 years ago I'm getting the following error when starting named on a fresh build:
/etc/named.conf:22: open: /etc/crypto-policies/back-ends/bind.config: file not found
andrewda
commented
3 years ago @ramereth Is that on CentOS 7 or 8? I've been testing almost exclusively on 8 for now, so maybe the bind config on 7 should be different?
ramereth
commented
3 years ago Ah, I was testing on 7 and haven't tried on 8. I noticed you're not using the osl-dns cookbook for setting up bind. That might help the situation and would be needed anyway. Although that cookbook is more setup for our DNS servers so it might need some adjustment.
andrewda
commented
3 years ago That's a good point. The osl-dns cookbook will need to be refactored a bit because it's currently cloning the zonefiles repo in the master recipe. Would it make sense to make a new recipe, like generic_master that would be responsible for getting things setup without any of the specific zonefiles?
ramereth
commented
3 years ago @andrewda it might be better to just make a specific acme recipe which does what you need for this on the bind server side.
andrewda
commented
3 years ago This will only be in the test cookbook, though, where we're setting up a local mock DNS setup. Unless I'm mistaken, the prod DNS would be configured through the zonefiles repository like normal. If you'd still like that on osl-dns that would work, but my thought process was that there would be some generic DNS configuration that applies to the master primary DNS server (util.osuosl.org IIRC) as well as for the ACME tests here.
ramereth
commented
3 years ago @andrewda yeah we should have a default recipe which does the basics for setting up a generic server. Please go ahead and do that and then use it here. At some point I need to see how this will be implemented on util for a production server. Ideally we should have a recipe just for that.
andrewda
commented
3 years ago Another thing to consider: currently if any alt name fails the challenge, the entire certificate will fail. Would it be better to simply request another certificate without the failing alt names so a minor DNS change (malicious or accidental) doesn't mess up a bigger certificate?
ramereth
commented
3 years ago Another thing to consider: currently if any alt name fails the challenge, the entire certificate will fail. Would it be better to simply request another certificate without the failing alt names so a minor DNS change (malicious or accidental) doesn't mess up a bigger certificate?
What does the current failure look like when that happens?
andrewda
commented
3 years ago What does the current failure look like when that happens?
It basically just complains that not all the challenges passed:
================================================================================
Error executing action `create` on resource 'get_acme_cert[test2.example.org]'
================================================================================
Acme::Client::Error
-------------------
Order's status ("invalid") was not ready When the challenges pass successfully, the order's status is "ready" and it can be fulfilled. With multiple alt names, it'll have something like this in the certificate:
X509v3 Subject Alternative Name:
DNS:test2.example.org, DNS:test2-san1.example.org, DNS:test2-san2.example.org@andrewda can you please update and resolve the conflicts?
ramereth
commented
3 years ago I get the following error on a fresh run on CentOS 7:
Recipe: acme_test::acme_dns_client
* dns_acme_certs[Get ACME certificates] action create
* dns_acme_cert[test1.example.org] action create
* file[/etc/pki/tls/test1.example.org.key] action create
- create new file /etc/pki/tls/test1.example.org.key
- update content in file /etc/pki/tls/test1.example.org.key from none to c01b34
- suppressed sensitive resource
- restore selinux security context
================================================================================
Error executing action `create` on resource 'dns_acme_cert[test1.example.org]'
================================================================================
RuntimeError
------------
Challenge failed for test1.example.org
Cookbook Trace: (most recent call first)
----------------------------------------
/tmp/kitchen/cache/cookbooks/osl-acme/resources/dns_acme_cert.rb:64:in `block (2 levels) in class_from_fil
e'
/tmp/kitchen/cache/cookbooks/osl-acme/resources/dns_acme_cert.rb:51:in `each'
/tmp/kitchen/cache/cookbooks/osl-acme/resources/dns_acme_cert.rb:51:in `block in class_from_file'
/tmp/kitchen/cache/cookbooks/osl-acme/resources/dns_acme_certs.rb:16:in `block (2 levels) in class_from_fi
le'
/tmp/kitchen/cache/cookbooks/osl-acme/resources/dns_acme_certs.rb:15:in `each'
/tmp/kitchen/cache/cookbooks/osl-acme/resources/dns_acme_certs.rb:15:in `block in class_from_file'
Resource Declaration:
---------------------
# In /tmp/kitchen/cache/cookbooks/osl-acme/resources/dns_acme_certs.rb
16: dns_acme_cert record['domain'] do
17: alt_names record['alt_names']
18:
19: contact new_resource.contact
20: acme_directory new_resource.acme_directory
21: acme_dns_api new_resource.acme_dns_api
22: cert_path "#{new_resource.cert_path}/#{record['domain']}.pem"
23: key_path "#{new_resource.key_path}/#{record['domain']}.key"
24: end
25: end
Compiled Resource:
------------------
# Declared in /tmp/kitchen/cache/cookbooks/osl-acme/resources/dns_acme_certs.rb:16:in `block (2 levels) in class_from_file'
dns_acme_cert("test1.example.org") do
action [:create]
updated true
updated_by_last_action true
default_guard_interpreter :default
declared_type :dns_acme_cert
cookbook_name "acme_test"
alt_names []
contact "mailto:letsencrypt@osuosl.org"
acme_directory "https://acme-staging-v02.api.letsencrypt.org/directory"
acme_dns_api "http://192.168.10.1"
cert_path "/etc/pki/tls/test1.example.org.pem"
key_path "/etc/pki/tls/test1.example.org.key"
domain "test1.example.org"
end
System Info:
------------
chef_version=16.14.1
platform=centos
platform_version=7.9.2009
ruby=ruby 2.7.4p191 (2021-07-07 revision a21a3b7d23) [x86_64-linux]
program_name=/opt/cinc/bin/cinc-solo
executable=/opt/cinc/bin/cinc-solo@ramereth Hmm, looks like that Pebble issue is back on CentOS 7... It fixed itself for a bit on my end, but that seems to be the same error. If you try converging a second time, does it work?
It seems like Pebble isn't serving requests right away, but only on CentOS 7 for whatever reason. I'm not sure if it's an internal Pebble issue or something in systemd.
ramereth
commented
3 years ago @andrewda nope, happens again on a second and even third run
andrewda
commented
3 years ago Looks like adding a Requires=pebble.service to the acme-dns service resolves this problem for CentOS 7 on my end! Let me know if there's a prettier way you can think of implementing this:
andrewda
commented
3 years ago !bump major ~
osuosl-manatee
commented
3 years ago Jenkins has merged this PR into master and has automatically performed a major-level version bump to v4.0.0. Have a nice day!
recordsdatabag:credentialsdatabag: