pan-net-security / certbot-dns-powerdns

PowerDNS DNS Authenticator plugin for Certbot

"411 Client Error: Length Required for url" when certbot runs behind squid proxy #3

Closed JohnDepon closed 5 years ago

JohnDepon commented 5 years ago

I am trying to use this plugin, but I am in a unique situation where the box that's running certbot does not have direct internet access and it must use a proxy to reach outside.

I've set up the appropriate ENV variables so that certbot uses the proxy to reach the ACME servers, but that makes this plugin also use the proxy to talk to the PowerDNS API.

For some reason, Squid does not like the request being made, causing certbot to fail with the error:

2019-05-29 19:01:47,205:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
  File "/usr/local/bin/certbot", line 11, in <module>
    sys.exit(main())
  File "/usr/local/lib/python2.7/dist-packages/certbot/main.py", line 1379, in main
    return config.func(config, plugins)
  File "/usr/local/lib/python2.7/dist-packages/certbot/main.py", line 1262, in certonly
    lineage = _get_and_save_cert(le_client, config, domains, certname, lineage)
  File "/usr/local/lib/python2.7/dist-packages/certbot/main.py", line 120, in _get_and_save_cert
    lineage = le_client.obtain_and_enroll_certificate(domains, certname)
  File "/usr/local/lib/python2.7/dist-packages/certbot/client.py", line 406, in obtain_and_enroll_certificate
    cert, chain, key, _ = self.obtain_certificate(domains)
  File "/usr/local/lib/python2.7/dist-packages/certbot/client.py", line 349, in obtain_certificate
    orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
  File "/usr/local/lib/python2.7/dist-packages/certbot/client.py", line 385, in _get_order_and_authorizations
    authzr = self.auth_handler.handle_authorizations(orderr, best_effort)
  File "/usr/local/lib/python2.7/dist-packages/certbot/auth_handler.py", line 69, in handle_authorizations
    resps = self.auth.perform(achalls)
  File "/usr/local/lib/python2.7/dist-packages/certbot/plugins/dns_common.py", line 58, in perform
    self._perform(domain, validation_domain_name, validation)
  File "/usr/local/lib/python2.7/dist-packages/certbot_dns_powerdns/dns_powerdns.py", line 55, in _perform
    domain, validation_name, validation)
  File "/usr/local/lib/python2.7/dist-packages/certbot/plugins/dns_common_lexicon.py", line 40, in add_txt_record
    self._find_domain_id(domain)
  File "/usr/local/lib/python2.7/dist-packages/certbot/plugins/dns_common_lexicon.py", line 95, in _find_domain_id
    raise result
PluginError: Error determining zone identifier for domain.example.org: 411 Client Error: Length Required for url: http://domain.example.org:8081/api/v1/servers/localhost/zones/domain.example.org.

Looking through the letsencrypt.log I can see that this error is returned by squid and not the PDNS API.

Any ideas on how to overcome this problem?

splashx commented 5 years ago

@JohnDepon I have tested in an environment with squid/3.3.8 and it works. What's the version on your side? (if you do a curl -v http://blabla.com you will see Via: .... - there is a good chance you can see the version there).

Also, ask the proxy administrator about the request_entities option.

I'll be closing this as I'm unable to reproduce with a similar environment.

JohnDepon commented 5 years ago

I had the same problem. Setting request_entities on in squid.conf resolved the issue for me.
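
Added example, not part of the thread and not the plugin's own code: a small check of which requests the proxy environment variables described in the first comment send through Squid, and how a no_proxy entry would keep the PowerDNS API call direct. It assumes the API host is reachable without the proxy; the proxy and ACME hostnames are constructed placeholders, and the matching rules are those of Python's standard library, which the HTTP client used by the plugin may not follow in every detail.

```python
from urllib.parse import urlsplit
from urllib.request import proxy_bypass_environment


def proxies_from_env(env):
    """Collect http/https/no proxy settings from an environment mapping."""
    proxies = {}
    for key in ("http", "https", "no"):
        var = key + "_proxy"
        value = env.get(var) or env.get(var.upper())
        if value:
            proxies[key] = value
    return proxies


def route(url, env):
    """Return the proxy a request to `url` would use, or None if it goes direct."""
    proxies = proxies_from_env(env)
    parts = urlsplit(url)
    # bool(): older Python versions return 0/1 here instead of False/True
    if bool(proxy_bypass_environment(parts.netloc, proxies)):
        return None
    return proxies.get(parts.scheme)


def report(urls, env):
    """Map each URL to the proxy it would use, or to 'direct'."""
    return {u: route(u, env) or "direct" for u in urls}


# Constructed sample values (assumptions, not taken from a real deployment)
ACME = "https://acme.example.net/directory"
PROXY = "http://squid.internal.example:3128"
# API URL as it appears in the error message above
PDNS = "http://domain.example.org:8081/api/v1/servers/localhost/zones/domain.example.org."

before = {"http_proxy": PROXY, "https_proxy": PROXY}
after = dict(before, no_proxy="domain.example.org")

if __name__ == "__main__":
    for label, env in (("proxy only", before), ("with no_proxy", after)):
        print(label)
        for url, via in report([ACME, PDNS], env).items():
            print("  %-28s %s" % (via, url))
```
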