ryancbutler / ns-letsencrypt

Certificates with Let's Encrypt and automation to update Netscaler
http://techdrabble.com/citrix/18-letsencrypt-san-certificate-with-citrix-netscaler-take-2
GNU General Public License v3.0

https not being used for validation causing failure #8

Closed KyferEz closed 5 years ago

KyferEz commented 5 years ago

I have the following line in mynsconfig.py: connectiontype = "https"

However when I run the job, for validation, it tries to connect to http://mydomain.hopto.org instead of https://mydomain.hopto.org. See logs below. Now an SSL Vserver won't listen on port 80, so this is incorrect and will never validate. Also note the "port": "80" section below which is also incorrect.


```
Processing mydomain.hopto.org
+ Signing domains...
+ Generating private key...
+ Generating signing request...
+ Requesting authorization for mydomain.hopto.org...
+ 1 pending challenge(s)
+ Deploying challenge tokens...
Creating Challenge Policy for mydomain.hopto.org
CREATE RESPONDER ACTION: Created
CREATE RESPONDER POLICY: Created
BIND RESPONDER POLICY: OK
LOGOUT: Created
+ Responding to challenge for mydomain.hopto.org authorization...
+ Cleaning challenge tokens...
Removing Challenge Policy for mydomain.hopto.org
UNBIND RESPONDER POLICY: OK
DELETE RESPONDER POLICY: OK
DELETE RESPONDER ACTION: OK
LOGOUT: Created
 + Challenge validation has failed :(
ERROR: Challenge is invalid! (returned: invalid) (result: {
  "type": "http-01",
  "status": "invalid",
  "error": {
    "type": "urn:acme:error:connection",
    "detail": "Fetching http://mydomain.hopto.org/.well-known/acme-challenge/cnIJifPA7EHQPCBBuhUoxxxxpJLxcUChlP6RvR_Udwg: Timeout during connect (likely firewall problem)",
    "status": 400
  },
  "uri": "https://acme-staging.api.letsencrypt.org/acme/challenge/u4EBhGAy-AwER19ZbOxxxxhwiqdfmLJbxz1bsE4dEBg/331778724",
  "token": "cnIJifPA7EHQPCBBuhUoxxxxpJLxcUChlP6RvR_Udwg",
  "validationRecord": [
    {
      "url": "http://mydomain.hopto.org/.well-known/acme-challenge/cnIJifPA7EHQPCBBuhUoxxxxpJLxcUChlP6RvR_Udwg",
      "hostname": "mydomain.hopto.org",
      "port": "80",
      "addressesResolved": [
        "7x.xx.xx.xxx"
      ],
      "addressUsed": "7x.xx.xx.xxx"
    }
  ]
})
# INFO: Using main config file /root/ns-letsencrypt/config.sh
```

ryancbutler commented 5 years ago

The connection type is how the script connects to the Netscaler API. The validation from LE uses HTTP for domain validation.

KyferEz commented 5 years ago

Ok, but with the ADC configured for an SSL CS Vserver, then how can HTTP possibly be responded to? Is this a dehydrated issue or a script issue?

ryancbutler commented 5 years ago

The cs or lb needs to be http. That's where the validation takes place. The cert can be used anywhere then.

KyferEz commented 5 years ago

I thought the whole idea is that you are binding the cert to the CS or LB that needs it automatically... the one it's configured for... Is that not correct? If not, then I understand why a Gateway VS isn't supported...

KyferEz commented 5 years ago

Ok, I created an HTTP CS vserver and it worked. The issue was me misunderstanding how this script was intended to work.

ryancbutler commented 5 years ago

The cert created with the process can be bound anywhere. LE just verifies that there is a valid http server using the script. Once validated and the cert created it can be used anywhere. Doesn't have to be bound to the cs or lb that is managing the renewal.
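The failure mode in this thread (an SSL vserver, while the http-01 validator only ever fetches over plain HTTP on port 80) can be diagnosed straight from the challenge object that dehydrated prints. The following is an added example, not code from ns-letsencrypt or dehydrated: it parses an ACME challenge result like the one in the log above and reports why validation failed, treating the NITRO `connectiontype` as what it is, a management-API setting. The sample JSON, token and IP address are constructed placeholders, and `diagnose_http01` is a hypothetical helper name.

```python
import json
from urllib.parse import urlsplit

# Constructed sample modelled on the challenge object in the issue above;
# the token and address are placeholders, not real values.
SAMPLE_RESULT = json.dumps({
    "type": "http-01",
    "status": "invalid",
    "error": {"type": "urn:acme:error:connection",
              "detail": "Fetching http://example.invalid/.well-known/acme-challenge/"
                        "TOKEN-PLACEHOLDER: Timeout during connect (likely firewall problem)",
              "status": 400},
    "token": "TOKEN-PLACEHOLDER",
    "validationRecord": [{
        "url": "http://example.invalid/.well-known/acme-challenge/TOKEN-PLACEHOLDER",
        "hostname": "example.invalid", "port": "80",
        "addressesResolved": ["192.0.2.10"], "addressUsed": "192.0.2.10"}],
})

def diagnose_http01(result_json, nitro_connectiontype="https"):
    """Return (ok, findings) for an ACME http-01 challenge object.

    nitro_connectiontype only governs how the renewal script reaches the
    Netscaler management API; it never changes where Let's Encrypt fetches
    the token, which is always plain HTTP on port 80.
    """
    chal = json.loads(result_json)
    findings = []
    if chal.get("type") != "http-01":
        return False, [f"not an http-01 challenge: {chal.get('type')}"]
    for rec in chal.get("validationRecord", []):
        url = urlsplit(rec["url"])
        port = int(rec.get("port", 80))
        findings.append(f"validator fetched {url.scheme}://{url.hostname}:{port}"
                        f"{url.path} via {rec.get('addressUsed')}")
        if url.scheme != "http" or port != 80:
            findings.append("unexpected validation URL; http-01 is served on http/80")
    if chal.get("status") == "valid":
        return True, findings
    err = chal.get("error", {})
    if err.get("type", "").endswith(":connection"):
        findings.append("no reachable HTTP listener on port 80 at the validated address: "
                        "bind the challenge responder to an HTTP (not SSL) cs/lb vserver; "
                        f"connectiontype={nitro_connectiontype!r} is irrelevant here")
    else:
        findings.append(f"challenge failed: {err.get('type')}: {err.get('detail')}")
    return False, findings
```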