
velmu-mpass-ansible's Issues

Certificate renewal not working for subservices

Apparently the fix done on #4 for demo.velmu.fi service wasn't enough for the subservices.

Hello,

Your certificate (or certificates) for the names listed below will expire in
20 days (on 04 Jul 18 14:10 +0000). Please make sure to renew
your certificate before then, or visitors to your website will encounter errors.

five.demo.velmu.fi
four.demo.velmu.fi
one.demo.velmu.fi
three.demo.velmu.fi
two.demo.velmu.fi

# certbot renew --no-self-upgrade --pre-hook "systemctl stop httpd" --post-hook "systemctl start httpd"
Saving debug log to /var/log/letsencrypt/letsencrypt.log

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/demo.velmu.fi.conf
-------------------------------------------------------------------------------
Cert not yet due for renewal

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/four.demo.velmu.fi.conf
-------------------------------------------------------------------------------
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator webroot, Installer None
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Running pre-hook command: systemctl stop httpd
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for four.demo.velmu.fi
Waiting for verification...
Cleaning up challenges
Attempting to renew cert (four.demo.velmu.fi) from /etc/letsencrypt/renewal/four.demo.velmu.fi.conf produced an unexpected error: Failed authorization procedure. four.demo.velmu.fi (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://four.demo.velmu.fi/.well-known/acme-challenge/vOQzvEH15Lhu4hjQEqPEox5I5n1GUUUw9-HsZdR4enM: Connection refused. Skipping.

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/five.demo.velmu.fi.conf
-------------------------------------------------------------------------------
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator webroot, Installer None
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Pre-hook command already run, skipping: systemctl stop httpd
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for five.demo.velmu.fi
Waiting for verification...
Cleaning up challenges
Attempting to renew cert (five.demo.velmu.fi) from /etc/letsencrypt/renewal/five.demo.velmu.fi.conf produced an unexpected error: Failed authorization procedure. five.demo.velmu.fi (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://five.demo.velmu.fi/.well-known/acme-challenge/8NyTxGgZIspAfUUSOyVjJhMXn38xLLH-SA6oQPRV3nM: Connection refused. Skipping.

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/three.demo.velmu.fi.conf
-------------------------------------------------------------------------------
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator webroot, Installer None
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Pre-hook command already run, skipping: systemctl stop httpd
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for three.demo.velmu.fi
Waiting for verification...
Cleaning up challenges
Attempting to renew cert (three.demo.velmu.fi) from /etc/letsencrypt/renewal/three.demo.velmu.fi.conf produced an unexpected error: Failed authorization procedure. three.demo.velmu.fi (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://three.demo.velmu.fi/.well-known/acme-challenge/FntWiOaRWD98BsARH-_PvixriP66fe7PGJ5_wRy9Gts: Connection refused. Skipping.

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/one.demo.velmu.fi.conf
-------------------------------------------------------------------------------
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator webroot, Installer None
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Pre-hook command already run, skipping: systemctl stop httpd
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for one.demo.velmu.fi
Waiting for verification...
Cleaning up challenges
Attempting to renew cert (one.demo.velmu.fi) from /etc/letsencrypt/renewal/one.demo.velmu.fi.conf produced an unexpected error: Failed authorization procedure. one.demo.velmu.fi (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://one.demo.velmu.fi/.well-known/acme-challenge/ZwYc28iIeOIgeopj6VBfTofpkXl1MPWRDlDJrPFIckE: Connection refused. Skipping.

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/two.demo.velmu.fi.conf
-------------------------------------------------------------------------------
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator webroot, Installer None
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Pre-hook command already run, skipping: systemctl stop httpd
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for two.demo.velmu.fi
Waiting for verification...
Cleaning up challenges
Attempting to renew cert (two.demo.velmu.fi) from /etc/letsencrypt/renewal/two.demo.velmu.fi.conf produced an unexpected error: Failed authorization procedure. two.demo.velmu.fi (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://two.demo.velmu.fi/.well-known/acme-challenge/dvhLFuPz5w2gSI1QhdJQLxNOwTVR2KbR_3ROdeSZgx4: Connection refused. Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/four.demo.velmu.fi/fullchain.pem (failure)
  /etc/letsencrypt/live/five.demo.velmu.fi/fullchain.pem (failure)
  /etc/letsencrypt/live/three.demo.velmu.fi/fullchain.pem (failure)
  /etc/letsencrypt/live/one.demo.velmu.fi/fullchain.pem (failure)
  /etc/letsencrypt/live/two.demo.velmu.fi/fullchain.pem (failure)

-------------------------------------------------------------------------------

The following certs are not due for renewal yet:
  /etc/letsencrypt/live/demo.velmu.fi/fullchain.pem expires on 2018-08-26 (skipped)
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/four.demo.velmu.fi/fullchain.pem (failure)
  /etc/letsencrypt/live/five.demo.velmu.fi/fullchain.pem (failure)
  /etc/letsencrypt/live/three.demo.velmu.fi/fullchain.pem (failure)
  /etc/letsencrypt/live/one.demo.velmu.fi/fullchain.pem (failure)
  /etc/letsencrypt/live/two.demo.velmu.fi/fullchain.pem (failure)
-------------------------------------------------------------------------------
Running post-hook command: systemctl start httpd
5 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: five.demo.velmu.fi
   Type:   connection
   Detail: Fetching
   http://five.demo.velmu.fi/.well-known/acme-challenge/8NyTxGgZIspAfUUSOyVjJhMXn38xLLH-SA6oQPRV3nM:
   Connection refused

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address. Additionally, please check that
   your computer has a publicly routable IP address and that no
   firewalls are preventing the server from communicating with the
   client. If you're using the webroot plugin, you should also verify
   that you are serving files from the webroot path you provided.
 - The following errors were reported by the server:

   Domain: four.demo.velmu.fi
   Type:   connection
   Detail: Fetching
   http://four.demo.velmu.fi/.well-known/acme-challenge/vOQzvEH15Lhu4hjQEqPEox5I5n1GUUUw9-HsZdR4enM:
   Connection refused

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address. Additionally, please check that
   your computer has a publicly routable IP address and that no
   firewalls are preventing the server from communicating with the
   client. If you're using the webroot plugin, you should also verify
   that you are serving files from the webroot path you provided.
 - The following errors were reported by the server:

   Domain: one.demo.velmu.fi
   Type:   connection
   Detail: Fetching
   http://one.demo.velmu.fi/.well-known/acme-challenge/ZwYc28iIeOIgeopj6VBfTofpkXl1MPWRDlDJrPFIckE:
   Connection refused

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address. Additionally, please check that
   your computer has a publicly routable IP address and that no
   firewalls are preventing the server from communicating with the
   client. If you're using the webroot plugin, you should also verify
   that you are serving files from the webroot path you provided.
 - The following errors were reported by the server:

   Domain: three.demo.velmu.fi
   Type:   connection
   Detail: Fetching
   http://three.demo.velmu.fi/.well-known/acme-challenge/FntWiOaRWD98BsARH-_PvixriP66fe7PGJ5_wRy9Gts:
   Connection refused

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address. Additionally, please check that
   your computer has a publicly routable IP address and that no
   firewalls are preventing the server from communicating with the
   client. If you're using the webroot plugin, you should also verify
   that you are serving files from the webroot path you provided.
 - The following errors were reported by the server:

   Domain: two.demo.velmu.fi
   Type:   connection
   Detail: Fetching
   http://two.demo.velmu.fi/.well-known/acme-challenge/dvhLFuPz5w2gSI1QhdJQLxNOwTVR2KbR_3ROdeSZgx4:
   Connection refused

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address. Additionally, please check that
   your computer has a publicly routable IP address and that no
   firewalls are preventing the server from communicating with the
   client. If you're using the webroot plugin, you should also verify
   that you are serving files from the webroot path you provided.

Based on documentation, the Ansible role in use (geerlingguy.certbot) uses the standalone method for renewing the certificates. However, the Certbot in use doesn't seem to use standalone unless explicitly instructed. This is the apparent cause of the issue.

Server configuration

  • Centos7 based virtual machine
  • Running in CSC datacenter
  • Configuration with Ansible
  • Use best practices from Haltu Heliconia environment

Five demo services

We want to have five demo services on the Velmu desktop to showcase how MPASS works in real life. These five demo services will live on the same server as Velmu, but they will be completely independent services, with their own SAML SPs.

Do this five (5) times:

  • Create Apache vhost
  • Shibboleth config for an SP, with its own entity id
  • Register SP to MPASS
  • Test that the SP config works

For now we don't yet know what kind of services we will be running here. Most probably Django, like Velmu, with minimal configuration to show one page. Or we will run mod_php. That's a separate issue.

Certificate renewal not working

Hello,

Your certificate (or certificates) for the names listed below will expire in
20 days (on 14 Jun 18 10:23 +0000). Please make sure to renew
your certificate before then, or visitors to your website will encounter errors.

demo.velmu.fi

# certbot renew --no-self-upgrade
Saving debug log to /var/log/letsencrypt/letsencrypt.log

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/demo.velmu.fi.conf
-------------------------------------------------------------------------------
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator standalone, Installer None
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for demo.velmu.fi
Cleaning up challenges
Attempting to renew cert (demo.velmu.fi) from /etc/letsencrypt/renewal/demo.velmu.fi.conf produced an unexpected error: Problem binding to port 443: Could not bind to IPv4 or IPv6.. Skipping.

The issue is that the Ansible role in use (geerlingguy.certbot) supports only the standalone method for renewing the certificates. Therefore the Apache HTTP server needs to be stopped and started by pre- and post-hooks so that Certbot's standalone web server can bind to the ports it needs.
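An added example (not code from the velmu-mpass-ansible project) that reads the `authenticator` recorded in each renewal conf and predicts the outcome seen in the two renewal issues above: a standalone renewal fails while httpd holds port 443, and a webroot renewal fails with "Connection refused" once the pre-hook has stopped httpd. The sample conf texts and the webroot path /var/www/four are constructed; the conf layout (flat keys followed by a [renewalparams] section, as certbot writes it) is assumed.

```python
import re

# Constructed sample files in certbot's renewal-conf layout (assumed: flat
# keys, then a [renewalparams] section); real ones sit in /etc/letsencrypt/renewal/.
SAMPLE_CONFS = {
    "demo.velmu.fi.conf": (
        "fullchain = /etc/letsencrypt/live/demo.velmu.fi/fullchain.pem\n"
        "[renewalparams]\n"
        "authenticator = standalone\n"
    ),
    "four.demo.velmu.fi.conf": (
        "fullchain = /etc/letsencrypt/live/four.demo.velmu.fi/fullchain.pem\n"
        "[renewalparams]\n"
        "authenticator = webroot\n"
        "[[webroot_map]]\n"
        "four.demo.velmu.fi = /var/www/four\n"  # constructed path
    ),
}

STOPS_HTTPD = re.compile(r"systemctl\s+stop\s+httpd|service\s+httpd\s+stop")


def renewal_params(conf_text):
    """Return the key/value pairs of the [renewalparams] section only."""
    params, in_section = {}, False
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):  # a nested [[webroot_map]] ends the flat section
            in_section = line.strip("[]") == "renewalparams"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            params[key.strip()] = value.strip()
    return params


def predict(confs, pre_hook=""):
    """Map each conf name to the outcome `certbot renew --pre-hook ...` would give."""
    httpd_down = bool(STOPS_HTTPD.search(pre_hook))
    outcome = {}
    for name, text in confs.items():
        auth = renewal_params(text).get("authenticator")
        if auth == "standalone":  # needs port 443 free, so httpd must be down
            outcome[name] = "ok" if httpd_down else "fail: cannot bind port 443"
        elif auth == "webroot":  # needs httpd up to serve /.well-known/acme-challenge/
            outcome[name] = "fail: connection refused" if httpd_down else "ok"
        else:
            outcome[name] = "unknown authenticator: %r" % auth
    return outcome
```

Running `predict(SAMPLE_CONFS, "systemctl stop httpd")` shows why one `certbot renew` invocation cannot serve both authenticators: the hook that rescues the standalone cert is exactly what breaks the webroot ones.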
