triton-dehydrated

dehydrated hook script to set up certificates automatically for Triton, using DNS challenges. Requires CNS.

Before You Begin

Because of recent changes in upstream dehydrated, you need either platform 20200423 or later, or GNU grep (the grep package) installed from pkgsrc or pkgsrc-tools.

How to use: headnode services (CloudAPI etc.)

  1. Set up CNS in your Triton deployment (see the CNS operator guide). We'll assume for the sake of examples here that the CNS suffix for the DC is dc1.cns.example.com.

  2. Decide either to use the CNS-generated names for cloudapi, adminui and docker (which are cloudapi.dc1.cns.example.com etc.), or set up the DNS names you want for each service as CNAMEs to those names. You may also choose to use ECDSA certificates instead (with domains.ecdsa.txt). For CMON, you must use the CNS-generated name and ECDSA certificates.

  3. If you set up dc1.api.example.com as a CNAME to cloudapi.dc1.cns.example.com, then you must also set up _acme-challenge.dc1.api.example.com as a CNAME to _acme-challenge.cloudapi.dc1.cns.example.com (and similarly for the other services).

  4. Now log into your Triton headnode and extract a release tarball of triton-dehydrated into /opt/dehydrated:

    mkdir -p /opt/dehydrated
    latest=$(curl -s https://api.github.com/repos/tritondatacenter/triton-dehydrated/releases/latest | json assets.0.browser_download_url)
    curl -L "$latest" | gtar --no-same-owner -zxv -C /opt/dehydrated

  5. Copy the example domains.txt.example to domains.txt and edit it:

    cp /opt/dehydrated/domains.txt{.example,}
    vi /opt/dehydrated/domains.txt

    List on each line the DNS name you've chosen to use for that service (e.g. cloudapi.dc1.cns.example.com or dc1.api.example.com).

  6. Set up your Let's Encrypt account keys by running:

    /opt/dehydrated/dehydrated --register --accept-terms

  7. Now get your first set of RSA certificates.

        [root@headnode (emy-15) ~]$ /opt/dehydrated/dehydrated -c
        # INFO: Using main config file /opt/dehydrated/config
        Processing adminui.emy-15.cns.joyent.us
         + Generating private key...
         * Generating signing request...
         * Requesting challenge for adminui.emy-15.cns.joyent.us...
        Successfully updated VM de569b37-4198-4b8b-b43e-b97a471d13ac
        OK: deployed dns token for adminui.emy-15.cns.joyent.us successfully
         * Responding to challenge for adminui.emy-15.cns.joyent.us...
        Successfully updated VM de569b37-4198-4b8b-b43e-b97a471d13ac
         * Challenge is valid!
         * Requesting certificate...
         * Checking certificate...
         * Done!
         * Creating fullchain.pem...
         * Walking chain...
        OK: adminui certificate deployed, and adminui restarted
         * Done!
        ....

  8. To get ECDSA certificates, use the -f config.ecdsa parameter.

    /opt/dehydrated/dehydrated -c -f config.ecdsa

  9. Once you've done the first run successfully, you should add the renewal command to cron:

    [root@headnode (emy-15) ~]$ crontab -e
    1 16 * * * /opt/dehydrated/dehydrated -c
    1 17 * * * /opt/dehydrated/dehydrated -c -f /opt/dehydrated/config.ecdsa

    The hour field of a crontab entry must be in the range 0-23, and the RSA and ECDSA runs are staggered so they do not overlap. Note that the renewal process restarts SDC services as part of deploying certificates, which necessarily causes a small window of downtime. Set the time (and, if you wish, the day of the week) here accordingly, and advise your users of this regularly scheduled event before using cron to automate renewal.

How to use: inside a user container on Triton

This hook script can also be used inside a regular user container on Triton to obtain a certificate for any name CNAME'd to the container's CNS name. This should work on LX-branded zones as well.

  1. Either use the Triton public cloud, or set up CNS in your Triton deployment (see the CNS operator guide). We'll assume for the sake of example here that the CNS suffix for the DC is us-west-1.triton.zone.
  2. Find the CNS-generated name for your container. One way to do this is to look at the output of triton inst get <instance> for the dns_names array. As an example, let's consider blog.svc.3c330096-89e6-11e7-9f13-23d71a63353e.us-west-1.triton.zone.
  3. Set up your desired DNS name as a CNAME to this CNS-generated name. If you are hosting the root of your domain, it's also fine to just set up a regular A record instead, as long as you also deploy a TXT record containing the full UUID of the container. We'll use blog.example.com and CNAME it to blog.svc.3c330096-89e6-11e7-9f13-23d71a63353e.us-west-1.triton.zone.
  4. Set up _acme-challenge.<domain> as a CNAME to _acme-challenge.<cnsdomain>. We'll set up _acme-challenge.blog.example.com as a CNAME to _acme-challenge.blog.svc.3c330096-89e6-11e7-9f13-23d71a63353e.us-west-1.triton.zone.
  5. Inside the container, download and extract the dehydrated.tar.gz file from the latest GitHub release into a directory.
  6. Create a new file domains.txt in the directory containing just one line with the full domain name you want on the certificate (e.g. blog.example.com).
  7. Register with the Let's Encrypt server by running ./dehydrated --register --accept-terms
  8. Get the first certificate by running ./dehydrated -c
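
As an added example (not part of triton-dehydrated), a preflight script that checks the CNAME delegation required by step 3 of the headnode procedure and step 4 here for every name in domains.txt, before dehydrated is run. It assumes dig is installed and honours an optional NAMESERVER variable naming the resolver to query; lookup_cname and lookup_txt are helpers defined here, not hook functions.

```shell
#!/bin/sh
# Preflight check for the _acme-challenge delegation (added example, not part
# of triton-dehydrated). For each name in domains.txt:
#   - if the name is a CNAME to a CNS name, _acme-challenge.<name> must be a
#     CNAME to _acme-challenge.<cnsname>, or the CA never sees the TXT token;
#   - if the name has no CNAME (root of a domain served by an A record), a TXT
#     record carrying the container UUID must exist instead.
# Assumptions: dig is installed; NAMESERVER, if set, is the resolver to query.

# Resolve a CNAME target and strip the trailing dot. Defined as functions so a
# test can replace them with stubs and run without network access.
lookup_cname() {
    dig +short ${NAMESERVER:+"@$NAMESERVER"} CNAME "$1" | sed 's/\.$//' | head -n 1
}

# Return TXT record contents for a name, one per line, quotes removed.
lookup_txt() {
    dig +short ${NAMESERVER:+"@$NAMESERVER"} TXT "$1" | sed 's/"//g'
}

# Check one certificate name; print a status line, return 0 if delegation is OK.
check_delegation() {
    name="$1"
    cns=$(lookup_cname "$name")
    if [ -z "$cns" ]; then
        uuid=$(lookup_txt "$name" |
               grep -Ei '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$' | head -n 1)
        if [ -z "$uuid" ]; then
            echo "FAIL: $name is not a CNAME and has no UUID TXT record" >&2
            return 1
        fi
        # The CNS target cannot be derived from an A record, so only require
        # that an _acme-challenge delegation exists at all.
        if [ -z "$(lookup_cname "_acme-challenge.$name")" ]; then
            echo "FAIL: _acme-challenge.$name has no CNAME" >&2
            return 1
        fi
        echo "OK: $name uses A+TXT (VM $uuid), _acme-challenge delegated"
        return 0
    fi
    expected="_acme-challenge.$cns"
    actual=$(lookup_cname "_acme-challenge.$name")
    if [ "$actual" != "$expected" ]; then
        echo "FAIL: _acme-challenge.$name -> ${actual:-<none>}, expected $expected" >&2
        return 1
    fi
    echo "OK: _acme-challenge.$name -> $expected"
}

# domains.txt: one certificate per line, its names separated by whitespace.
# Returns 0 only when every name on every line passes.
check_domains_file() {
    rc=0
    while read -r line; do
        for n in $line; do
            check_delegation "$n" || rc=1
        done
    done < "$1"
    return $rc
}

# Usage: ./check-delegation.sh /path/to/domains.txt
if [ $# -ge 1 ]; then
    check_domains_file "$1"
fi
```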

Now you will find your certificate files in ./certs/blog.example.com/. You should configure your webserver to get the private key and certificate file (with chain) directly from this folder.

You can also create override hooks in a file named override-hook. The format for this file is the same as for dehydrated's hook file but should only have the deploy_cert and/or unchanged_cert functions. Use override hooks in a zone to do things like restart local services.
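
An override-hook of the kind described above, as an added example that is not part of triton-dehydrated: deploy_cert verifies that the new key and certificate belong together before reloading the web server, and unchanged_cert only reports. It assumes the web server is the SMF service nginx in this zone, reloaded with svcadm refresh nginx (overridable through the RELOAD_CMD variable; both are assumptions), and that openssl is available for the check.

```shell
#!/bin/bash
# override-hook for a web-serving zone (added example, not part of
# triton-dehydrated). dehydrated calls deploy_cert/unchanged_cert with:
#   DOMAIN KEYFILE CERTFILE FULLCHAINFILE CHAINFILE [TIMESTAMP]
# Assumptions: the web server is the SMF service "nginx" and re-reads its
# certificate on "svcadm refresh nginx"; set RELOAD_CMD to use something else.
RELOAD_CMD="${RELOAD_CMD:-svcadm refresh nginx}"

# 0 if the private key and leaf certificate carry the same public key,
# 1 if they do not (or a file is unreadable), 2 if openssl is not installed.
cert_matches_key() {
    openssl version >/dev/null 2>&1 || return 2
    openssl pkey -in "$1" -noout >/dev/null 2>&1 || return 1
    k=$(openssl pkey -in "$1" -pubout -outform DER 2>/dev/null | openssl dgst -sha256)
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null |
        openssl pkey -pubin -outform DER 2>/dev/null | openssl dgst -sha256)
    [ "$k" = "$c" ]
}

# Called after a new certificate is written. Refuse to reload the web server
# unless the files are present, consistent and not about to expire: a reload
# with a bad pair takes the service down, while keeping the old certificate
# active only delays the rollover.
deploy_cert() {
    DOMAIN="$1"; KEYFILE="$2"; CERTFILE="$3"; FULLCHAINFILE="$4"
    for f in "$KEYFILE" "$CERTFILE" "$FULLCHAINFILE"; do
        if [ ! -s "$f" ]; then
            echo "ERROR: $DOMAIN: $f is missing or empty, not reloading" >&2
            return 1
        fi
    done
    cert_matches_key "$KEYFILE" "$CERTFILE" && rc=0 || rc=$?
    case $rc in
        0) ;;
        2) echo "WARN: openssl not found, skipping key/cert check for $DOMAIN" >&2 ;;
        *) echo "ERROR: $DOMAIN: private key does not match certificate" >&2
           return 1 ;;
    esac
    # -checkend fails if the certificate expires within the given seconds.
    if [ "$rc" -eq 0 ] && ! openssl x509 -in "$CERTFILE" -noout -checkend 86400 >/dev/null 2>&1; then
        echo "ERROR: $DOMAIN: certificate expires within 24 hours, not deploying" >&2
        return 1
    fi
    echo "OK: $DOMAIN: key and certificate verified, reloading web server"
    $RELOAD_CMD
}

# Called when the existing certificate was still valid and nothing changed.
unchanged_cert() {
    echo "OK: $1: certificate unchanged, no reload needed"
    return 0
}
```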

Finally, you can set up a cron job to re-run ./dehydrated -c daily, or at least once a week (and then do a graceful reload of your web server configuration).

triton-dehydrated's Issues

Possible to implement workaround to use this with root DNS domain?

Assume you'd like to use this in an instance that's meant to run the webserver for a root domain, responding both to example.com and www.example.com. Is there a way to generate SSL certs for both domains with this handy dehydrated DNS hook and triton CNS?

Thanks for your continuous work on this!

Single name wildcard certs fail

This is a "sub-issue" of #19. Because gnu grep is expected in upstream dehydrated, the regular "alias" format for single name wildcard certs fails.

Stuck on certificate renew

Would you have any ideas where to look debugging wise if my renewal gets stuck at the following stage:

Checking domain name(s) of existing cert... unchanged.
Checking expire date of existing cert...
Valid till Apr 26 15:02:02 2019 GMT (Less than 30 days). Renewing!
Signing domains...
Generating private key...
Generating signing request...
Requesting challenge for adminui.xyz.com...
Successfully updated VM 3f7954d3-b1e9-47c3-b4d3-4e1cda0d13e5

Thank you, been stuck on this a while

Support CMON

The CMON key setup is rather low-level at this point; it needs to be copied into the zone manually. It's also possible that there are several cmon zones, so they all need to be updated. We've also had scaling issues with CMON using RSA keys, so having #4 here helps.

Domain with alternative names hook fails

When using triton-dehydrated in a LX zone on Triton Data Center I try to do the following:

cat domains.txt
mail.example.com imap.example.com smtp.example.com

When issuing dehydrated -c the hook fails to validate the records after deploying all three tokens into one TXT CNS record. I get

+ Challenge validation has failed :(
ERROR: Challenge is invalid! (returned: invalid) (result: {
  "type": "dns-01",
  "status": "invalid",
  "error": {
    "type": "urn:ietf:params:acme:error:unauthorized",
    "detail": "Incorrect TXT record \"kw_7e0TP5lf7wcK8FiVdX40-Qe7zxnMWqgyhLch-3w8\" found at _acme-challenge.smtp.example.com",
    "status": 403
  },
  "url": "https://acme-v02.api.letsencrypt.org/acme/challenge/vbn0dzSG2qK2HAbOzO68JYMm2Zbv_XuQVG0bsYjRtI0/13232734592",
  "token": "GEIk5plI4OdivZs0lAIQPFiyU6a4cIL0TArz7epgfI8"
})

It's possible to get it working by running the script several times, because authorizations are cached. So most of the times the first domain deployed works, but then only the second, alternative name fails.

Am I doing it wrong or is there a way to improve this / make this work?

More logs:

OK: deployed dns token for imap.example.com successfully
deploy_challenge
../../../../lib/isc/unix/socket.c:2881: setsockopt(20, IP_RECVTOS) failed: Protocol not available
../../../../lib/isc/unix/socket.c:2881: setsockopt(20, IP_RECVTOS) failed: Protocol not available
../../../../lib/isc/unix/socket.c:2881: setsockopt(20, IP_RECVTOS) failed: Protocol not available
../../../../lib/isc/unix/socket.c:2881: setsockopt(20, IP_RECVTOS) failed: Protocol not available
../../../../lib/isc/unix/socket.c:2881: setsockopt(20, IP_RECVTOS) failed: Protocol not available
../../../../lib/isc/unix/socket.c:2881: setsockopt(20, IP_RECVTOS) failed: Protocol not available
../../../../lib/isc/unix/socket.c:2881: setsockopt(20, IP_RECVTOS) failed: Protocol not available
../../../../lib/isc/unix/socket.c:2881: setsockopt(20, IP_RECVTOS) failed: Protocol not available
../../../../lib/isc/unix/socket.c:2881: setsockopt(20, IP_RECVTOS) failed: Protocol not available
../../../../lib/isc/unix/socket.c:2881: setsockopt(20, IP_RECVTOS) failed: Protocol not available
../../../../lib/isc/unix/socket.c:2881: setsockopt(20, IP_RECVTOS) failed: Protocol not available
../../../../lib/isc/unix/socket.c:2881: setsockopt(20, IP_RECVTOS) failed: Protocol not available
OK: deployed dns token for mail.example.com successfully
deploy_challenge
../../../../lib/isc/unix/socket.c:2881: setsockopt(20, IP_RECVTOS) failed: Protocol not available
../../../../lib/isc/unix/socket.c:2881: setsockopt(20, IP_RECVTOS) failed: Protocol not available
../../../../lib/isc/unix/socket.c:2881: setsockopt(20, IP_RECVTOS) failed: Protocol not available
../../../../lib/isc/unix/socket.c:2881: setsockopt(20, IP_RECVTOS) failed: Protocol not available
../../../../lib/isc/unix/socket.c:2881: setsockopt(20, IP_RECVTOS) failed: Protocol not available
../../../../lib/isc/unix/socket.c:2881: setsockopt(20, IP_RECVTOS) failed: Protocol not available
../../../../lib/isc/unix/socket.c:2881: setsockopt(20, IP_RECVTOS) failed: Protocol not available
../../../../lib/isc/unix/socket.c:2881: setsockopt(20, IP_RECVTOS) failed: Protocol not available
../../../../lib/isc/unix/socket.c:2881: setsockopt(20, IP_RECVTOS) failed: Protocol not available
../../../../lib/isc/unix/socket.c:2881: setsockopt(20, IP_RECVTOS) failed: Protocol not available
../../../../lib/isc/unix/socket.c:2881: setsockopt(20, IP_RECVTOS) failed: Protocol not available
../../../../lib/isc/unix/socket.c:2881: setsockopt(20, IP_RECVTOS) failed: Protocol not available
../../../../lib/isc/unix/socket.c:2881: setsockopt(20, IP_RECVTOS) failed: Protocol not available
OK: deployed dns token for smtp.example.com successfully
+ Responding to challenge for imap.example.com authorization...
+ Challenge is valid!
+ Responding to challenge for mail.example.com authorization...
invalid_challenge
+ Cleaning challenge tokens...
clean_challenge
../../../../lib/isc/unix/socket.c:2881: setsockopt(20, IP_RECVTOS) failed: Protocol not available
../../../../lib/isc/unix/socket.c:2881: setsockopt(20, IP_RECVTOS) failed: Protocol not available
../../../../lib/isc/unix/socket.c:2881: setsockopt(20, IP_RECVTOS) failed: Protocol not available
clean_challenge
../../../../lib/isc/unix/socket.c:2881: setsockopt(20, IP_RECVTOS) failed: Protocol not available
../../../../lib/isc/unix/socket.c:2881: setsockopt(20, IP_RECVTOS) failed: Protocol not available
clean_challenge
../../../../lib/isc/unix/socket.c:2881: setsockopt(20, IP_RECVTOS) failed: Protocol not available
../../../../lib/isc/unix/socket.c:2881: setsockopt(20, IP_RECVTOS) failed: Protocol not available
../../../../lib/isc/unix/socket.c:2881: setsockopt(20, IP_RECVTOS) failed: Protocol not available

renewal stuck on successfully updated VM

Would you have any ideas where to look debugging wise if my renewal gets stuck at the following stage:

 + Checking domain name(s) of existing cert... unchanged.
 + Checking expire date of existing cert...
 + Valid till Apr 26 15:02:02 2019 GMT (Less than 30 days). Renewing!
 + Signing domains...
 + Generating private key...
 + Generating signing request...
 + Requesting challenge for adminui.xyz.com...
Successfully updated VM 3f7954d3-b1e9-47c3-b4d3-4e1cda0d13e5

Thank you, been stuck on this a while

online help does not function

[root@gtsb-proxy0 /var/opt/triton-dehydrated]# ./dehydrated -h
Usage: ./dehydrated [-h] [command [argument]] [parameter [argument]] [parameter [argument]] ...

Default command: help

Commands:

@arekinath tells me this is because the wrapper script uses source to invoke the real dehydrated script, which then uses $0 to attempt to read its own source code to generate the help message. Other commands do appear to work correctly.

Getting "grep: illegal option -- o"

Hey there,

I recently updated to the latest version (1.2.3) and I'm getting grep errors. The whole process seems to succeed, but grep may not be doing what it is supposed to.

# INFO: Using main config file /opt/letsencrypt/config
startup_hook
grep: illegal option -- o
usage:  grep [-E|-F] [-bchHilnqrRsvx] [-A num] [-B num] [-C num|-num]
             [-e pattern_list]... [-f pattern_file]... [pattern_list] [file]...
grep: illegal option -- o
usage:  grep [-E|-F] [-bchHilnqrRsvx] [-A num] [-B num] [-C num|-num]
             [-e pattern_list]... [-f pattern_file]... [pattern_list] [file]...
Processing xxxx
 + Checking domain name(s) of existing cert... unchanged.
 + Checking expire date of existing cert...
 + Valid till Jul 31 10:32:47 2019 GMT (Longer than 30 days). Skipping renew!
unchanged_cert
OK: adminui certificate up to date
grep: illegal option -- o
usage:  grep [-E|-F] [-bchHilnqrRsvx] [-A num] [-B num] [-C num|-num]
             [-e pattern_list]... [-f pattern_file]... [pattern_list] [file]...
grep: illegal option -- o
usage:  grep [-E|-F] [-bchHilnqrRsvx] [-A num] [-B num] [-C num|-num]
             [-e pattern_list]... [-f pattern_file]... [pattern_list] [file]...
Processing xxxx
 + Checking domain name(s) of existing cert... unchanged.
 + Checking expire date of existing cert...
 + Valid till Jul 31 10:36:46 2019 GMT (Longer than 30 days). Skipping renew!
unchanged_cert
OK: cloudapi certificate up to date
grep: illegal option -- o
usage:  grep [-E|-F] [-bchHilnqrRsvx] [-A num] [-B num] [-C num|-num]
             [-e pattern_list]... [-f pattern_file]... [pattern_list] [file]...
grep: illegal option -- o
usage:  grep [-E|-F] [-bchHilnqrRsvx] [-A num] [-B num] [-C num|-num]
             [-e pattern_list]... [-f pattern_file]... [pattern_list] [file]...
Processing xxxx
 + Signing domains...
 + Generating private key...
 + Generating signing request...
 + Requesting new certificate order from CA...
 + Received 1 authorizations URLs from the CA
 + Handling authorization for xxxx
 + 1 pending challenge(s)
 + Deploying challenge tokens...
deploy_challenge
Successfully updated VM yyyy
OK: deployed dns token for xxxx successfully
 + Responding to challenge for xxxx authorization...
 + Challenge is valid!
 + Cleaning challenge tokens...
clean_challenge
Successfully updated VM yyyy
 + Requesting certificate...
 + Checking certificate...
 + Done!
 + Creating fullchain.pem...
deploy_cert
Installing certificate
Restarting sdc-docker service
OK: docker certificate deployed
 + Done!
exit_hook

want optional NAMESERVER env variable for dig

In some cases direct DNS out to the Internet is not allowed. PR #33 adds an optional NAMESERVER variable.

As a side note, the NAMESERVER DNS server should have a rule to send Letsencrypt validation requests directly up to 8.8.8.8. This is required for consistency between internal and external DNS validation lookups. Internal validation lookup must match external Letsencrypt ones.

dehydrated dependency sometimes mis-handles account ID

 + Requesting new certificate order from CA...
  + ERROR: An error occurred while sending post-request to https://acme-v02.api.letsencrypt.org/acme/new-order (Status 400)

Details:
HTTP/1.1 400 Bad Request
Server: nginx
Content-Type: application/problem+json
Content-Length: 178
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 0101uKKVUG1Lz2QX2EghOCxYKOjn69PrtGRaH17-LUdZLDE
Expires: Thu, 22 Aug 2019 20:09:00 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Thu, 22 Aug 2019 20:09:00 GMT
Connection: close

{
  "type": "urn:ietf:params:acme:error:malformed",
  "detail": "Malformed account ID in KeyID header URL: \"https://acme-v02.api.letsencrypt.org/acme/acct/\"",
  "status": 400
}

This is fixed upstream in dehydrated-io/dehydrated@be13dcd.

Instances are not always index 0

Current hooks depend on instances being index 0, e.g., cloudapi0. This is not always the case. If there is no local instance with index 0, vmadm lookups will fail.

clean_challenge doesn't clean manta challenge

clean_challenge in cns-hook-util needs an update to handle the case returned by the getservice function which was updated to support LE certs for Manta loadbalancers in Single DC deployments.

https://github.com/TritonDataCenter/triton-dehydrated/blob/master/cns-hook-util#L27-L31
will find loadbalancer as the manta_role

[root@headnode (iad001) ~]# cat /opt/dehydrated/domains.txt
cloudapi.iad001.triton.zone iad001.api.joyent.com
docker.iad001.triton.zone iad001.docker.joyent.com
adminui.iad001.triton.zone adminui-iad001.joyent.com iad0-adminui.joyent.us iad001-adminui.joyent.us
iad.manta.joyent.com loadbalancer.svc.poseidon.iad001.triton.zone
[root@headnode (iad001) ~]# dig +short txt iad.manta.joyent.com @8.8.8.8 | tail -1 | sed 's/"//g'
e9a713b0-1e67-4523-a63e-a5ee038e0a9f
[root@headnode (iad001) ~]# sdc-vmadm get e9a713b0-1e67-4523-a63e-a5ee038e0a9f| json tags.manta_role
loadbalancer
[root@headnode (iad001) ~]# dig +short txt loadbalancer.svc.poseidon.iad001.triton.zone @8.8.8.8 | tail -1 | sed 's/"//g'
74af2e5c-8195-43fb-88d5-4a9c3c527856
[root@headnode (iad001) ~]# sdc-vmadm get 74af2e5c-8195-43fb-88d5-4a9c3c527856 | json tags.manta_role
loadbalancer
[root@headnode (iad001) ~]#

and thus return
manta

but https://github.com/TritonDataCenter/triton-dehydrated/blob/master/cns-hook-util#L237-L253
has no case statement handling for manta and so will hit the *) default case handler and will emit

ERROR: Unknown serivce:

resulting in leaving previous tokens remaining in loadbalancer VM's customer_metadata.

(The error message is also missing the service name because vmservice is not set, due to the case statement using a subshell directly.)

This happens post certificate renew so loadbalancers will have their certs maintained up until something deeper in the dependencies will choke on the challenge tokens getting concatenated with new ones each subsequent pass until sufficiently long enough length that something dislikes a string that long:

OK: deployed dns token for iad.manta.joyent.com successfully
deploy_challenge

undefined:2
this.customer_metadata['triton.cns.acme-challenge'] = '010hfdQz__x18q0UOF8jpRi
SyntaxError: Unexpected token ILLEGAL
    at Object.Function (<anonymous>)
    at main (/opt/smartdc/bin/json:1280:27)
    at Object.<anonymous> (/opt/smartdc/bin/json:1674:5)
    at Module._compile (module.js:456:26)
    at Object.Module._extensions..js (module.js:474:10)
    at Module.load (module.js:356:32)
    at Function.Module._load (module.js:312:12)
    at Function.Module.runMain (module.js:497:10)
    at startup (node.js:119:16)

happens.

Version 1.4.0 - Error

dehydrated 1.4.0 errors out. I guess, there's a typo somewhere, but I didn't find it:

[root@myinstance /opt/letsencrypt]# /opt/letsencrypt/dehydrated --register --accept-terms
# INFO: Using main config file /opt/letsencrypt/config
egrep: illegal option -- a
usage: egrep [-bchHilLnoqrRsvx] [-A num] [-B num] [-C num|-num]
             [--label=name] [-e pattern_list]... [-f pattern_file]...
             [pattern_list] [file]...
EXPECTED value GOT EOF

want txt record bypass

Sometimes we need to stage a new cert before we can flip the actual name. E.g., legacy certs are deployed for the old instance(s), and replacement instances are created using Let's Encrypt. In particular, this happens when the new instances are deployed in a different account (the login part of the cns name will change). Right now we do this by modifying cns-hook-util.

We've run into this enough times that we should have a supported way to bypass this check.

want proxy example

Small improvement to include proxy server option in the default config file.

Example:

# Proxy server to use for letsencrypt.org APIs
# CURL_OPTS="-x http://proxy:3128"

Useful for cases where direct Internet connectivity is not available.

Cert Issue

Hi Alex,

Tried this on a demo hn; was getting this:

[root@headnode (swdemo01) /opt/triton-dehydrated]# ./run -c
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.
chmod: WARNING: can't access /opt/triton-dehydrated/dehydrated
./run: line 47: /opt/triton-dehydrated/dehydrated: No such file or directory

Tested w/ the cert that is added as part of the script and it failed. Replaced the one the script creates with a cacert.pem from pkgsrc (the mozilla one) in its place and all worked well. Not sure if this just me or not.

Jay

need to wait for all challenges to be deployed

When issuing multiple certs at once, or certs with multiple names the current behavior waits for any challenge to show up in the txt record. This doesn't give the rest of the names time to flush and can fail validations for subsequent names.

Can't use custom domains

triton-dehydrated can't generate certificates for custom domains, or for names that don't fit the exact pattern.

E.g., in JPC we have api.${datacenter}.joyent.com. triton-dehydrated requires the hostname to begin with cloudapi.
