Open pm-McFly opened 9 months ago
I have just tried my API credentials through a manual certbot test and it seems to be okay:
pmarty in ~
ubnt nu x : sudo certbot certonly --dns-ovh --dns-ovh-credentials ~/.secrets/certbot/ovh.ini -d domain.tld
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Enter email address (used for urgent renewal and security notices)
(Enter 'c' to cancel): email@domain.tld
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.3-September-21-2022.pdf. You must
agree in order to register with the ACME server. Do you agree?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: y
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: y
Account registered.
Requesting a certificate for domain.tld
Unsafe permissions on credentials configuration file: /home/pmarty/.secrets/certbot/ovh.ini
Waiting 120 seconds for DNS changes to propagate
Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/domain.tld/fullchain.pem
Key is saved at: /etc/letsencrypt/live/domain.tld/privkey.pem
This certificate expires on 2024-03-11.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
* Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
* Donating to EFF: https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
certbot was installed on my ubuntu laptop via snap.
Same results when using the python3-certbot
and python3-certbot-dns-ovh
packages on the Debian server.
If someone has an idea regarding the configuration?
Waiting for any leads, I have modified the configuration in order to serve my own certificates from traefik. I have tried and validated two options:
#
## SRV Delegation
#
matrix_well_known_matrix_server_enabled: false
# To serve the federation from any domain, as long as the path match
matrix_nginx_proxy_container_labels_traefik_proxy_matrix_federation_rule: PathPrefix(`/_matrix`)
# To let Traefik know which domains' certificates to serve
matrix_nginx_proxy_container_labels_additional_labels: |
traefik.http.routers.matrix-nginx-proxy-matrix-federation.tls.domains.main="domain.tld"
traefik.http.routers.matrix-nginx-proxy-matrix-federation.tls.domains.sans="*.domain.tld"
# Disable ACME / Let's Encrypt support.
devture_traefik_config_certificatesResolvers_acme_enabled: false
# Disabling ACME support (above) automatically disables the creation of the SSL directory.
# Force-enable it here, because we'll add our certificate files there.
devture_traefik_ssl_dir_enabled: true
# Tell Traefik to load our custom configuration file (certificates.yml).
# The file is created below, in `aux_file_definitions`.
# The `/config/..` path is an in-container path, not a path on the host (like `/matrix/traefik/config`). Do not change it!
devture_traefik_configuration_extension_yaml: |
providers:
file:
filename: /config/certificates.yml
watch: true
# Use the aux role to create our custom files on the server.
# If you'd like to do this manually, you remove this `aux_file_definitions` variable.
aux_file_definitions:
# Create the privkey.pem file on the server by
# uploading a file from the computer where Ansible is running.
- dest: "{{ devture_traefik_ssl_dir_path }}/privkey.pem"
src: /path/on/your/ansible/running/machine/privkey.pem
# Alternatively, comment out `src` above and uncomment the lines below to provide the certificate content inline.
# Note the indentation level.
# content: |
# FILE CONTENT
# HERE
# Create the cert.pem file on the server
# uploading a file from the computer where Ansible is running.
- dest: "{{ devture_traefik_ssl_dir_path }}/fullchain.pem"
src: /path/on/your/ansible/running/machine/fullchain.pem
# Alternatively, comment out `src` above and uncomment the lines below to provide the certificate content inline.
# Note the indentation level.
# content: |
# FILE CONTENT
# HERE
# Create the custom Traefik configuration.
# The `/ssl/..` paths below are in-container paths, not paths on the host (/`matrix/traefik/ssl/..`). Do not change them!
- dest: "{{ devture_traefik_config_dir_path }}/certificates.yml"
content: |
tls:
certificates:
- certFile: /ssl/fullchain.pem
keyFile: /ssl/privkey.pem
stores:
default:
defaultCertificate:
certFile: /ssl/fullchain.pem
keyFile: /ssl/privkey.pem
# Only depend on docker.service, this removes the dependency on the certificate exporter, might imply the need to manually restart Coturn on the first installation once the certificates are obtained, afterwards, the reload service should handle things
matrix_coturn_systemd_required_services_list: ['docker.service']
# This changes the path of the loaded certificate, while maintaining the original functionality, we're now loading the wildcard certificate.
matrix_coturn_container_additional_volumes: |
{{
(
[
{
'src': (matrix_ssl_config_dir_path + '/live/*.' + matrix_domain + '/fullchain.pem'),
'dst': '/fullchain.pem',
'options': 'ro',
},
{
'src': (matrix_ssl_config_dir_path + '/live/*.' + matrix_domain + '/privkey.pem'),
'dst': '/privkey.pem',
'options': 'ro',
},
] if matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'other-nginx-non-container'] and matrix_coturn_tls_enabled else []
)
+
(
[
{
'src': (devture_traefik_certs_dumper_dumped_certificates_dir_path + '/*.' + matrix_domain + '/certificate.crt'),
'dst': '/certificate.crt',
'options': 'ro',
},
{
'src': (devture_traefik_certs_dumper_dumped_certificates_dir_path + '/*.' + matrix_domain + '/privatekey.key'),
'dst': '/privatekey.key',
'options': 'ro',
},
] if matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] and devture_traefik_certs_dumper_enabled and matrix_coturn_tls_enabled else []
)
}}
#
## SRV Delegation
#
matrix_well_known_matrix_server_enabled: false
# To serve the federation from any domain, as long as the path match
matrix_nginx_proxy_container_labels_traefik_proxy_matrix_federation_rule: PathPrefix(`/_matrix`)
# To let Traefik know which domains' certificates to serve
matrix_nginx_proxy_container_labels_additional_labels: |
traefik.http.routers.matrix-nginx-proxy-matrix-federation.tls.domains.main="domain.tld"
traefik.http.routers.matrix-nginx-proxy-matrix-federation.tls.domains.sans="*.domain.tld"
# Disable ACME / Let's Encrypt support.
devture_traefik_config_certificatesResolvers_acme_enabled: false
# Disabling ACME support (above) automatically disables the creation of the SSL directory.
# Force-enable it here, because we'll add our certificate files there.
devture_traefik_ssl_dir_enabled: true
# Tell Traefik to load our custom configuration file (certificates.yml).
# The file is created below, in `aux_file_definitions`.
# The `/config/..` path is an in-container path, not a path on the host (like `/matrix/traefik/config`). Do not change it!
devture_traefik_configuration_extension_yaml: |
providers:
file:
filename: /config/certificates.yml
watch: true
# Use the aux role to create our custom files on the server.
# If you'd like to do this manually, you remove this `aux_file_definitions` variable.
aux_file_definitions:
# Uploading the files is not needed anymore.
# By placing your files directly in `/matrix/traefik/ssl/`,
# They will be directly mounted in the countainer thanks to the docker bind mount
# /!\ **Mind the ownership of the files `matrix:matrix`**
# otherwise traefik will not be able to read them /!\
# Create the custom Traefik configuration.
# The `/ssl/..` paths below are in-container paths, not paths on the host (/`matrix/traefik/ssl/..`). Do not change them!
- dest: "{{ devture_traefik_config_dir_path }}/certificates.yml"
content: |
tls:
certificates:
- certFile: /ssl/fullchain.pem
keyFile: /ssl/privkey.pem
stores:
default:
defaultCertificate:
certFile: /ssl/fullchain.pem
keyFile: /ssl/privkey.pem
# Only depend on docker.service, this removes the dependency on the certificate exporter, might imply the need to manually restart Coturn on the first installation once the certificates are obtained, afterwards, the reload service should handle things
matrix_coturn_systemd_required_services_list: ['docker.service']
# This changes the path of the loaded certificate, while maintaining the original functionality, we're now loading the wildcard certificate.
matrix_coturn_container_additional_volumes: |
{{
(
[
{
'src': (matrix_ssl_config_dir_path + '/live/*.' + matrix_domain + '/fullchain.pem'),
'dst': '/fullchain.pem',
'options': 'ro',
},
{
'src': (matrix_ssl_config_dir_path + '/live/*.' + matrix_domain + '/privkey.pem'),
'dst': '/privkey.pem',
'options': 'ro',
},
] if matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'other-nginx-non-container'] and matrix_coturn_tls_enabled else []
)
+
(
[
{
'src': (devture_traefik_certs_dumper_dumped_certificates_dir_path + '/*.' + matrix_domain + '/certificate.crt'),
'dst': '/certificate.crt',
'options': 'ro',
},
{
'src': (devture_traefik_certs_dumper_dumped_certificates_dir_path + '/*.' + matrix_domain + '/privatekey.key'),
'dst': '/privatekey.key',
'options': 'ro',
},
] if matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] and devture_traefik_certs_dumper_enabled and matrix_coturn_tls_enabled else []
)
}}
I am using this solution so certbot will automatically renew the certificate and install it where it needs to be placed.
Playbook Configuration:
My
vars.yml
file looks like this:Matrix Server:
Ansible: Running on my laptop to deploy on my VPS hosted by OVH.
Problem description:
Traefik struggles at generating the SSL certificate via the DNS-01 challenge. When opening the logs I found out that apparently the domain list was empty, and thus no domain could be treated. Although when crawling over the OVH API manually myself I can obtain the domain list correctly.
I have modified the permissions to be more permissive on the API usage but same result.
I have tried to tweak on different config and parameters but nothing seems to be working more properly.
A Debug version of the log is available attached. traefik-dns-01-debug.txt
Additional context I have a domain name and want to host different services (matrix, webserver, mail, etc.). As the VM I am using for the matrix is isolated from the rest I rather use the DNS SRV method so I can have a dediacted instance for matrix and point the domain on another IP.