webrecorder / browsertrix

Browsertrix is the hosted, high-fidelity, browser-based crawling service from Webrecorder designed to make web archiving easier and more accessible for all!
https://browsertrix.com
GNU Affero General Public License v3.0

Authsign not working #773

Open YurkoWasHere opened 1 year ago

YurkoWasHere commented 1 year ago

Authsigner on k8 is in a crash loop:

root@org2:~# kubectl logs auth-signer-0
2023-04-18 13:15:41,132: INFO - Started server process [1]
2023-04-18 13:15:41,230: INFO - Waiting for application startup.
2023-04-18 13:15:41,230: INFO -   Loading config from: /app-config/config.yaml
2023-04-18 13:15:41,233: INFO -   Certificate rotation time: 7 days, 0:00:00
2023-04-18 13:15:41,330: INFO -   Timestamp validity time: 0:10:00
2023-04-18 13:15:41,330: INFO -
2023-04-18 13:15:41,330: INFO -   Signer init...
2023-04-18 13:15:41,330: INFO -   Auth Token Not Enabled
2023-04-18 13:15:41,330: INFO -   Domain Auth: Loading Cert: /data/cert.pem
2023-04-18 13:15:41,330: INFO -   Signing key or cert not found, creating new signing key + cert
2023-04-18 13:15:41,333: ERROR - Traceback (most recent call last):
  File "/app/./authsign/signer.py", line 182, in __init__
    self.load_key_pair_and_cert()
  File "/app/./authsign/signer.py", line 212, in load_key_pair_and_cert
    self.domain_signing = CertKeyPair().load(
  File "/app/./authsign/signer.py", line 82, in load
    with open(certfile, "rb") as fh_in:
FileNotFoundError: [Errno 2] No such file or directory: '/data/cert.pem'

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/local/lib/python3.9/site-packages/starlette-0.19.1-py3.9.egg/starlette/routing.py", line 635, in lifespan
    async with self.lifespan_context(app):
  File "/usr/local/lib/python3.9/site-packages/starlette-0.19.1-py3.9.egg/starlette/routing.py", line 530, in __aenter__
    await self._router.startup()
  File "/usr/local/lib/python3.9/site-packages/starlette-0.19.1-py3.9.egg/starlette/routing.py", line 612, in startup
    await handler()
  File "/app/./authsign/main.py", line 65, in load_certs
    signer = Signer(
  File "/app/./authsign/signer.py", line 187, in __init__
    self.update_signing_key_and_cert()
  File "/app/./authsign/signer.py", line 267, in update_signing_key_and_cert
    csr = crypto.create_csr(self.domain, self.domain_signing.private_key)
  File "/app/./authsign/crypto.py", line 30, in create_csr
    .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, domain)]))
  File "/usr/local/lib/python3.9/site-packages/cryptography-37.0.2-py3.9-linux-x86_64.egg/cryptography/x509/name.py", line 132, in __init__
    raise TypeError("value argument must be a str")
TypeError: value argument must be a str

2023-04-18 13:15:41,333: ERROR - Application startup failed. Exiting.

ikreymer commented 1 year ago

From the second error, it looks like the signing domain might be missing. It is set here: https://github.com/webrecorder/browsertrix-cloud/blob/main/chart/templates/signer.yaml#L14

with Ansible, this is set from values: https://github.com/webrecorder/browsertrix-cloud/blob/main/ansible/group_vars/do/do-values.template.yaml#L50 and https://github.com/webrecorder/browsertrix-cloud/blob/main/ansible/playbooks/do_setup.yml#L191 Can you double check that these are all set correctly?

YurkoWasHere commented 1 year ago

A grep of that variable shows it only exists in the do templates, not in microk8s.

Tried adding this but it failed same way

-e full_signing_domain="org2.authsign.stg.domain.org" -e signing_subdomain="org2.authsign.stg.domain.org" -e signing_authtoken=999999

YurkoWasHere commented 1 year ago

Found the issue

https://github.com/webrecorder/browsertrix-cloud/blob/main/ansible/group_vars/microk8s/btrix_values.j2#L16

Default value breaks LE. Removing it breaks AuthSign host: "second-host.{{ domain }}"

ikreymer commented 1 year ago

You're right, the microk8s did not have the proper authsign setup! Can you try the change in: https://github.com/webrecorder/browsertrix-cloud/pull/776 with:

-e signing_domain="org2.authsign.stg.domain.org" -e signing_subdomain="org2.authsign.stg.domain.org" -e signing_authtoken=999999

YurkoWasHere commented 1 year ago

There are additional variables that are missing: cert_email and enable_signing, but adding these deploys fine.

This kind of stuff could be cleaned up using a defaults file
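A defensive pre-flight check over the values named in this thread, added here as an example and not part of Browsertrix or authsign: it rejects a missing or unrendered signing domain before any CSR is built, so the opaque `TypeError` above becomes a readable configuration error. The shape of the values dict and the hostname and email checks are assumptions.

```python
import re

# Hostname pattern used to catch unset values and unrendered template
# leftovers such as "second-host.{{ domain }}" (constructed check, not
# the project's own validation).
_HOSTNAME_RE = re.compile(
    r"^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)+$", re.I
)

# Keys named in the thread that must be set when signing is enabled.
REQUIRED_HOSTS = ("signing_domain", "signing_subdomain")
REQUIRED_STRS = ("cert_email",)


def check_signing_values(values):
    """Return a list of problems with the signer config; empty means OK.

    `values` is assumed to be the rendered chart/Ansible values as a dict.
    """
    problems = []
    if not values.get("enable_signing"):
        return problems  # signing disabled: nothing else is required

    for key in REQUIRED_HOSTS + REQUIRED_STRS:
        val = values.get(key)
        if not isinstance(val, str) or not val.strip():
            # This is the case behind the TypeError in the issue: the CSR
            # builder received None where a domain string was expected.
            problems.append(f"{key}: must be a non-empty string, got {val!r}")
        elif key in REQUIRED_HOSTS and not _HOSTNAME_RE.match(val):
            problems.append(f"{key}: {val!r} is not a valid hostname")

    email = values.get("cert_email")
    if isinstance(email, str) and email and "@" not in email:
        problems.append(f"cert_email: {email!r} is not an email address")
    return problems


if __name__ == "__main__":
    # Constructed sample mirroring the misconfiguration from the thread.
    sample = {"enable_signing": True, "signing_domain": None,
              "signing_subdomain": "org2.authsign.stg.domain.org",
              "cert_email": "admin@domain.org"}
    for problem in check_signing_values(sample):
        print("config error:", problem)
```

Running the check at deploy time (or at signer startup, before `create_csr`) turns a crash loop into a single actionable message naming the offending key.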