Closed andrewda closed 3 years ago
I'm getting the following error when starting named on a fresh build:
/etc/named.conf:22: open: /etc/crypto-policies/back-ends/bind.config: file not found
@ramereth Is that on CentOS 7 or 8? I've been testing almost exclusively on 8 for now, so maybe the bind config on 7 should be different?
Ah, I was testing on 7 and haven't tried on 8. I noticed you're not using the osl-dns cookbook for setting up bind. That might help the situation and would be needed anyway. Although that cookbook is more setup for our DNS servers so it might need some adjustment.
That's a good point. The osl-dns
cookbook will need to be refactored a bit because it's currently cloning the zonefiles
repo in the master recipe. Would it make sense to make a new recipe, like generic_master
that would be responsible for getting things setup without any of the specific zonefiles?
@andrewda it might be better to just make a specific acme
recipe which does what you need for this on the bind server side.
This will only be in the test cookbook, though, where we're setting up a local mock DNS setup. Unless I'm mistaken, the prod DNS would be configured through the zonefiles repository like normal. If you'd still like that on osl-dns
that would work, but my thought process was that there would be some generic DNS configuration that applies to the master primary DNS server (util.osuosl.org
IIRC) as well as for the ACME tests here.
@andrewda yeah we should have a default
recipe which does the basics for setting up a generic server. Please go ahead and do that and then use it here. At some point I need to see how this will be implemented on util for a production server. Ideally we should have a recipe just for that.
Another thing to consider: currently if any alt name fails the challenge, the entire certificate will fail. Would it be better to simply request another certificate without the failing alt names so a minor DNS change (malicious or accidental) doesn't mess up a bigger certificate?
Another thing to consider: currently if any alt name fails the challenge, the entire certificate will fail. Would it be better to simply request another certificate without the failing alt names so a minor DNS change (malicious or accidental) doesn't mess up a bigger certificate?
What does the current failure look like when that happens?
What does the current failure look like when that happens?
It basically just complains that not all the challenges passed:
================================================================================
Error executing action `create` on resource 'get_acme_cert[test2.example.org]'
================================================================================
Acme::Client::Error
-------------------
Order's status ("invalid") was not ready
When the challenges pass successfully, the order's status is "ready" and it can be fulfilled. With multiple alt names, it'll have something like this in the certificate:
X509v3 Subject Alternative Name:
DNS:test2.example.org, DNS:test2-san1.example.org, DNS:test2-san2.example.org
@andrewda can you please update and resolve the conflicts?
I get the following error on a fresh run on CentOS 7:
Recipe: acme_test::acme_dns_client
* dns_acme_certs[Get ACME certificates] action create
* dns_acme_cert[test1.example.org] action create
* file[/etc/pki/tls/test1.example.org.key] action create
- create new file /etc/pki/tls/test1.example.org.key
- update content in file /etc/pki/tls/test1.example.org.key from none to c01b34
- suppressed sensitive resource
- restore selinux security context
================================================================================
Error executing action `create` on resource 'dns_acme_cert[test1.example.org]'
================================================================================
RuntimeError
------------
Challenge failed for test1.example.org
Cookbook Trace: (most recent call first)
----------------------------------------
/tmp/kitchen/cache/cookbooks/osl-acme/resources/dns_acme_cert.rb:64:in `block (2 levels) in class_from_fil
e'
/tmp/kitchen/cache/cookbooks/osl-acme/resources/dns_acme_cert.rb:51:in `each'
/tmp/kitchen/cache/cookbooks/osl-acme/resources/dns_acme_cert.rb:51:in `block in class_from_file'
/tmp/kitchen/cache/cookbooks/osl-acme/resources/dns_acme_certs.rb:16:in `block (2 levels) in class_from_fi
le'
/tmp/kitchen/cache/cookbooks/osl-acme/resources/dns_acme_certs.rb:15:in `each'
/tmp/kitchen/cache/cookbooks/osl-acme/resources/dns_acme_certs.rb:15:in `block in class_from_file'
Resource Declaration:
---------------------
# In /tmp/kitchen/cache/cookbooks/osl-acme/resources/dns_acme_certs.rb
16: dns_acme_cert record['domain'] do
17: alt_names record['alt_names']
18:
19: contact new_resource.contact
20: acme_directory new_resource.acme_directory
21: acme_dns_api new_resource.acme_dns_api
22: cert_path "#{new_resource.cert_path}/#{record['domain']}.pem"
23: key_path "#{new_resource.key_path}/#{record['domain']}.key"
24: end
25: end
Compiled Resource:
------------------
# Declared in /tmp/kitchen/cache/cookbooks/osl-acme/resources/dns_acme_certs.rb:16:in `block (2 levels) in class_from_file'
dns_acme_cert("test1.example.org") do
action [:create]
updated true
updated_by_last_action true
default_guard_interpreter :default
declared_type :dns_acme_cert
cookbook_name "acme_test"
alt_names []
contact "mailto:letsencrypt@osuosl.org"
acme_directory "https://acme-staging-v02.api.letsencrypt.org/directory"
acme_dns_api "http://192.168.10.1"
cert_path "/etc/pki/tls/test1.example.org.pem"
key_path "/etc/pki/tls/test1.example.org.key"
domain "test1.example.org"
end
System Info:
------------
chef_version=16.14.1
platform=centos
platform_version=7.9.2009
ruby=ruby 2.7.4p191 (2021-07-07 revision a21a3b7d23) [x86_64-linux]
program_name=/opt/cinc/bin/cinc-solo
executable=/opt/cinc/bin/cinc-solo
@ramereth Hmm, looks like that Pebble issue is back on CentOS 7... It fixed itself for a bit on my end, but that seems to be the same error. If you try converging a second time, does it work?
It seems like Pebble isn't serving requests right away, but only on CentOS 7 for whatever reason. I'm not sure if it's an internal Pebble issue or something in systemd.
@andrewda nope, happens again on a second and even third run
Looks like adding a Requires=pebble.service
to the acme-dns service resolves this problem for CentOS 7 on my end! Let me know if there's a prettier way you can think of implementing this:
!bump major ~
Jenkins has merged this PR into master
and has automatically performed a major-level version bump to v4.0.0. Have a nice day!
records
databag:credentials
databag: