w2c / letsencrypt-esxi

Let's Encrypt for VMware ESXi with easy installation using pre-built VIB or offline bundle. Auto-renewal of certificates.
GNU General Public License v3.0
132 stars, 21 forks

IPv4 / IPv6 only #26

Closed felixreher closed 3 months ago

felixreher commented 8 months ago

On my host system, the renew.sh unfortunately only creates an IPv6 HTTP server

Serving HTTP on :: port 8120 (http://[::]:8120/)

Unfortunately, only v6 link locals exist on the system. Incoming request attempts therefore seem to come to nothing.

However, the whole thing could easily be made reachable via the parameter "--bind=127.0.0.1" in the script, for example. Any chance of setting the address family (IPv4/IPv6) via a config value here?

Churro commented 8 months ago

I'm not sure if I understand your issue correctly. The HTTP server spawned on port 8120 receives requests locally from rhttpproxy based on an endpoint definition that looks like this: /.well-known/acme-challenge local 8120 redirect allow.

Are you saying that you're on a system that has an IPv6 stack only and local 8120 doesn't redirect to [::]:8120? If there are only IPv6 link-local addresses (fe80:...), how would you be able to receive Let's Encrypt certificates? By default, Python's http.server binds to all interfaces, including the loopback one on 127.0.0.1, so it's not clear to me why you would want to bind to it explicitly.

Would be great if you could describe how to reproduce the observed behavior.

felixreher commented 8 months ago

The host has IPv4 and IPv6 enabled, but only IPv4 is working (via DHCP). IPv6 is loopback only. The script seems to reply to external queries via HTTP on :: port 8120 (http://[::]:8120/) only. Therefore I cannot receive anything from Let's Encrypt and the script fails.

Might it be that this is a misconfiguration on my side?

EDIT: Without any changes it is working now - I do receive queries. However, now it says

Creating new order...
Order created!
Verifying [FQDN A.B.C.D]...
::ffff:127.0.0.1 - - [12/Jan/2024 16:35:35] "GET /.well-known/acme-challenge/cjxgJtr3cxgAixg_ahXGxZsq5YvPwnJuNov9SvursFE HTTP/1.1" 200 -
Traceback (most recent call last):
  File "./acme_tiny.py", line 199, in <module>
    main(sys.argv[1:])
  File "./acme_tiny.py", line 195, in main
    signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, log=LOGGER, CA=args.ca, disable_check=args.disable_check, directory_url=args.directory_url, contact=args.contact, check_port=args.check_port)
  File "./acme_tiny.py", line 153, in get_crt
    raise ValueError("Challenge did not pass for {0}: {1}".format(domain, authorization))
ValueError: Challenge did not pass for [FQDN A.B.C.D]: {'identifier': {'type': 'dns', 'value': '[FQDN A.B.C.D]'}, 'status': 'invalid', 'expires': '2024-01-19T16:35:34Z', 'challenges': [{'type': 'http-01', 'status': 'invalid', 'error': {'type': 'urn:ietf:params:acme:error:connection', 'detail': '[IP 1.2.3.4]: Fetching http://[FQDN A.B.C.D]/.well-known/acme-challenge/cjxgJtr3cxgAixg_ahXGxZsq5YvPwnJuNov9SvursFE: Timeout during connect (likely firewall problem)', 'status': 400}, 'url': 'https://acme-v02.api.letsencrypt.org/acme/chall-v3/303470250926/N1iFtw', 'token': 'cjxgJtr3cxgAixg_ahXGxZsq5YvPwnJuNov9SvursFE', 'validationRecord': [{'url': 'http://[FQDN A.B.C.D]/.well-known/acme-challenge/cjxgJtr3cxgAixg_ahXGxZsq5YvPwnJuNov9SvursFE', 'hostname': '[FQDN A.B.C.D]', 'port': '80', 'addressesResolved': ['[IP 1.2.3.4]'], 'addressUsed': '[IP 1.2.3.4]'}], 'validated': '2024-01-12T16:35:36Z'}]}
Certificate will not expire
Warning: No cert obtained from Let's Encrypt. Keeping the existing one as it is still valid.
usage: clusterAgent [-h] ACTION
clusterAgent: error: the following arguments are required: ACTION
usage: esxio-commd [-h] ACTION
esxio-commd: error: the following arguments are required: ACTION
logger: Invalid PID 'Usage: fsvmsockrelay '
logger: Invalid PID '{start|stop|status|restart} [--vmci VMCI_ID]'
usage: gpuManager [-h] ACTION
gpuManager: error: the following arguments are required: ACTION
usage: hbrsrv [-h] ACTION
hbrsrv: error: the following arguments are required: ACTION
hostd signalled.
usage: infravisor [-h] ACTION
infravisor: error: the following arguments are required: ACTION
lsud stopped
lsud started
VMware HTTP reverse proxy signalled.
sfcbd-init[3191089]: args ('')
sfcbd-init[3191089]: Getting Exclusive access, please wait...
sfcbd-init[3191089]: Exclusive access granted.
sfcbd-init[3191100]: args ('ssl_reset')
sfcbd-init[3191100]: Getting Exclusive access, please wait...
sfcbd-init[3191100]: Exclusive access granted.
sfcbd-init[3191100]: sfcbd is not running.
logger: Invalid PID 'Usage: vdfsd '
logger: Invalid PID '{start|stop|status|restart|'
vpxa signalled.
vsanperfsvc is not running.
/etc/init.d/vvold ssl_reset, PID 3191212
vvold is not running.

Churro commented 8 months ago

[IP 1.2.3.4]: Fetching http://[FQDN A.B.C.D]/.well-known/acme-challenge/cjxgJtr3cxgAixg_ahXGxZsq5YvPwnJuNov9SvursFE: Timeout during connect (likely firewall problem)

... reads as if port 80 isn't redirected to your ESXi instance. Let's Encrypt needs this to retrieve the validation file.
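
Added example, not code from letsencrypt-esxi or acme_tiny: it ties together the two points raised in this thread, namely that a listener on :: with IPV6_V6ONLY cleared also answers IPv4 clients (which then show up as ::ffff:127.0.0.1, exactly as in the log above), and that a pre-flight fetch of the challenge URL separates "timeout during connect" (firewall / port 80 not forwarded) from "connection refused" (port reached, nothing behind it) and from a 404 (proxy not routing the path, or token file missing). The class and function names, the token, the thumbprint and the loopback-only setup are all assumptions made for the demo; nothing here reads the real acme_dir or talks to the CA.

```python
"""Added example, not letsencrypt-esxi or acme_tiny code: a dual-stack http-01
responder like the one renew.sh spawns on 8120, plus the pre-flight fetch a
practitioner runs before asking the CA to validate. Loopback only; names are
hypothetical and the token/thumbprint are constructed."""
import http.server
import os
import socket
import socketserver
import tempfile
import threading
import urllib.error
import urllib.request

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"


class ChallengeHandler(http.server.BaseHTTPRequestHandler):
    """Serve only files under CHALLENGE_PREFIX from server.acme_dir."""

    def do_GET(self):
        self.server.seen_clients.append(self.client_address[0])
        name = self.path[len(CHALLENGE_PREFIX):] if self.path.startswith(CHALLENGE_PREFIX) else ""
        # ACME tokens are URL-safe base64; anything else (e.g. "../") is a 404.
        if not name or not all(c.isalnum() or c in "-_" for c in name):
            self.send_error(404)
            return
        try:
            with open(os.path.join(self.server.acme_dir, name), "rb") as f:
                body = f.read()
        except OSError:
            self.send_error(404)
            return
        self.send_response(200)
        self.send_header("Content-Type", "application/octet-stream")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


class ChallengeServer(socketserver.ThreadingMixIn, http.server.HTTPServer):
    daemon_threads = True

    def __init__(self, addr, acme_dir, family):
        self.address_family = family
        self.acme_dir = acme_dir
        self.seen_clients = []
        super().__init__(addr, ChallengeHandler)

    def server_bind(self):
        # Same trick `python -m http.server` uses: a :: listener with
        # IPV6_V6ONLY=0 also accepts IPv4 clients, seen as ::ffff:a.b.c.d.
        if self.address_family == socket.AF_INET6:
            self.socket.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_V6ONLY, 0)
        socketserver.TCPServer.server_bind(self)
        self.server_name = "localhost"  # skip HTTPServer's reverse-DNS lookup
        self.server_port = self.server_address[1]


def start_server(acme_dir):
    """Prefer dual-stack on ::; fall back to IPv4 loopback if the kernel
    refuses AF_INET6 (the case an explicit --bind=127.0.0.1 would cover)."""
    try:
        return ChallengeServer(("::", 0), acme_dir, socket.AF_INET6)
    except OSError:
        return ChallengeServer(("127.0.0.1", 0), acme_dir, socket.AF_INET)


def self_check(url, timeout=3.0):
    """Fetch url the way the CA will; return (ok, body_or_diagnosis)."""
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    try:
        with opener.open(url, timeout=timeout) as resp:
            return True, resp.read().decode()
    except urllib.error.HTTPError as e:
        return False, f"HTTP {e.code}: path not routed to responder, or token file missing"
    except urllib.error.URLError as e:
        if isinstance(e.reason, (socket.timeout, TimeoutError)):
            return False, "timeout during connect: likely firewall or port 80 not forwarded"
        if isinstance(e.reason, ConnectionRefusedError):
            return False, "connection refused: port reached but nothing listening behind it"
        return False, f"connection error: {e.reason}"
    except (socket.timeout, TimeoutError):
        return False, "timeout during read: likely firewall"


def demo():
    """Start the responder and run the checks a practitioner wants."""
    with tempfile.TemporaryDirectory() as acme_dir:
        token = "constructed-token-for-this-demo"  # real tokens come from the ACME order
        key_auth = token + ".constructed-account-thumbprint"
        with open(os.path.join(acme_dir, token), "w") as f:
            f.write(key_auth)
        srv = start_server(acme_dir)
        port = srv.server_address[1]
        threading.Thread(target=srv.serve_forever, daemon=True).start()
        # A closed loopback port stands in for "forwarded, but nothing behind it".
        probe = socket.socket()
        probe.bind(("127.0.0.1", 0))
        dead_port = probe.getsockname()[1]
        probe.close()
        try:
            base = f"http://127.0.0.1:{port}{CHALLENGE_PREFIX}"
            return {
                "good": self_check(base + token),
                "missing": self_check(base + "no-such-token"),
                "traversal": self_check(base + "../../etc/passwd"),
                "refused": self_check(f"http://127.0.0.1:{dead_port}{CHALLENGE_PREFIX}{token}"),
                "clients": list(srv.seen_clients),  # ::ffff:127.0.0.1 when dual-stack
                "expected_key_auth": key_auth,
            }
        finally:
            srv.shutdown()
            srv.server_close()


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Run it on the ESXi host (or anywhere with Python 3) and the "clients" entry shows the IPv4-mapped form when the :: listener is in use; to reproduce the failure on this page, point self_check at http://[FQDN]/.well-known/acme-challenge/<token> from outside the host: a timeout is the firewall or missing port-80 forward, a refused connection means the port arrives but rhttpproxy is not answering, and a 404 means the endpoint line is not routing the path to 8120.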

horfic commented 3 months ago

Closed due to inactivity by creator.