Comments (8)
@mholt I think your original PR in CertMagic does in fact what @arontsang is looking for, namely to send cookies (if received from the ELB) in follow up requests to the ACME server.
The HTTP client you're referring to is the one that's used to validate an HTTP challenge (actually, it's a wrapper for HTTP, DNS and TLS-ALPN challenge solving). That client does not operate on nonces, and should generally only fire a single request from behind the load balancer.
@arontsang Would you please try the cookies branch of CertMagic? See if that helps you out. caddyserver/certmagic#288
I'm going to try to compile and run this in my corporate environment and see if it fixes the issue.
I'm not a golang dev, so I'm not sure how well it's going to go.😜
Oh, you said you have an ACME server. Nevermind. One minute.
Ok, so that HTTP client actually comes from smallstep/certificates:
If there is a way to pass a custom HTTP client in (through context?) I haven't figured that out.
Sorry to redirect you again, but could you open an issue at the Smallstep repo? They will be able to better address this.
(Closing, but feel free to continue discussion if needed!)
Let me know; if that PR does do what you need then I'll recreate it and merge it.
Still getting this issue:
2024/05/23 05:32:13.426 INFO tls.obtain obtaining certificate {"identifier": "serverName.redacted.company.com"}
2024/05/23 05:32:15.488 ERROR tls.obtain could not get certificate from issuer {"identifier": "serverName.redacted.company.com", "issuer": "venafi.foobar-vacme-v2-acme-directory", "error": "[serverName.redacted.company.com] creating new order: attempt 1: https://venafi.foobar/vacme/v2/new-order: HTTP 400: {\"type\":\"urn:ietf:params:acme:error:badNonce\",\"detail\":\"Bad Nonce\",\"status\":400} (ca=https://venafi.foobar/vacme/v2/acme/directory)"}
2024/05/23 05:32:15.488 ERROR tls.obtain will retry {"error": "[serverName.redacted.company.com] Obtain: [serverName.redacted.company.com] creating new order: attempt 1: https://venafi.foobar/vacme/v2/new-order: HTTP 400: {\"type\":\"urn:ietf:params:acme:error:badNonce\",\"detail\":\"Bad Nonce\",\"status\":400} (ca=https://venafi.foobar/vacme/v2/acme/directory)", "attempt": 2, "retrying_in": 120, "elapsed": 74.1983161, "max_duration": 2592000}
@arontsang So it sounds like a Cookie Jar in the ACME client is not what is needed for your use case.
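The badNonce loop in the log above, as an added example that is not part of this thread and is not Caddy's, CertMagic's or smallstep's code: a Go program that simulates an ACME endpoint behind a hypothetical two-node load balancer with no session affinity, plus a client that retries a new-order request with the Replay-Nonce the CA returns alongside the badNonce error, as RFC 8555 section 6.5 prescribes. The names (pool, nonceStore, newServer, newOrderWithRetry), the plain JSON body standing in for the real JWS, and the nonce values are all constructed for this example.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"sync"
)

// acmeProblem is the error document an ACME server returns (RFC 8555 §6.7).
type acmeProblem struct{ Type string `json:"type"` }

// nonceStore is one hypothetical CA node's memory of the nonces it has issued.
type nonceStore map[string]bool

var seq int // numbers the constructed nonces; a real CA issues unpredictable random values

func (s nonceStore) issue() string {
	seq++
	n := fmt.Sprintf("nonce-%d", seq)
	s[n] = true
	return n
}

// pool is the simulated CA: a balancer with no affinity that round-robins requests over its nodes.
type pool struct {
	mu    sync.Mutex
	nodes []nonceStore
	next  int
}

func (p *pool) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	p.mu.Lock()
	defer p.mu.Unlock()
	node := p.nodes[p.next%len(p.nodes)]
	p.next++
	switch {
	case r.Method == http.MethodHead && r.URL.Path == "/new-nonce":
		w.Header().Set("Replay-Nonce", node.issue())
	case r.Method == http.MethodPost && r.URL.Path == "/new-order":
		var req struct{ Nonce string `json:"nonce"` } // stand-in for the JWS protected header
		json.NewDecoder(r.Body).Decode(&req)
		w.Header().Set("Replay-Nonce", node.issue()) // a fresh nonce on every response, errors included
		if !node[req.Nonce] { // unknown to this node: issued by another node, or already used
			w.Header().Set("Content-Type", "application/problem+json")
			w.WriteHeader(http.StatusBadRequest)
			json.NewEncoder(w).Encode(acmeProblem{Type: "urn:ietf:params:acme:error:badNonce"})
			return
		}
		delete(node, req.Nonce) // a nonce is good for exactly one request
		w.WriteHeader(http.StatusCreated)
		w.Write([]byte(`{"status":"pending"}`))
	}
}

// newServer builds two balancer targets that share one nonce store (correct) or each keep their own.
func newServer(sharedNonceStore bool) *httptest.Server {
	p := &pool{nodes: []nonceStore{{}, {}}}
	if sharedNonceStore {
		p.nodes[1] = p.nodes[0]
	}
	return httptest.NewServer(p)
}

// newOrderWithRetry POSTs new-order and retries badNonce with the Replay-Nonce from the error (RFC 8555 §6.5).
func newOrderWithRetry(client *http.Client, base string, maxAttempts int) (int, error) {
	head, err := client.Head(base + "/new-nonce")
	if err != nil {
		return 0, err
	}
	nonce := head.Header.Get("Replay-Nonce")
	for attempt := 1; attempt <= maxAttempts; attempt++ {
		body, _ := json.Marshal(map[string]string{"nonce": nonce})
		resp, err := client.Post(base+"/new-order", "application/jose+json", bytes.NewReader(body))
		if err != nil {
			return attempt, err
		}
		var prob acmeProblem
		json.NewDecoder(resp.Body).Decode(&prob) // an order body has no "type", so prob stays empty
		resp.Body.Close()
		if resp.StatusCode == http.StatusCreated {
			return attempt, nil // attempts used
		}
		nonce = resp.Header.Get("Replay-Nonce") // the server must send a fresh one even on error
		if prob.Type != "urn:ietf:params:acme:error:badNonce" || nonce == "" {
			return attempt, fmt.Errorf("new-order: HTTP %d: %s", resp.StatusCode, prob.Type)
		}
	}
	return maxAttempts, fmt.Errorf("giving up after %d badNonce responses", maxAttempts)
}

func main() {
	srv := newServer(false) // flip to true and the first attempt succeeds
	defer srv.Close()
	n, err := newOrderWithRetry(srv.Client(), srv.URL, 3)
	fmt.Printf("attempts=%d err=%v\n", n, err)
}
```

Run it with go run; main drives the separate-store case. The point it makes is that client-side retry alone cannot recover when the balancer alternates strictly between nodes that do not share nonce state: each Replay-Nonce was minted by the node the next request will not reach, so the client burns through its attempts exactly as the "attempt 1 ... badNonce" lines in the log show. The durable fix sits on the CA side (a shared nonce store, or session affinity at the balancer); a cookie jar in the client only helps if the balancer actually issues an affinity cookie, which is why it made no difference here.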