velmu-mpass-ansible's Issues
Certificate renewal not working for subservices
Apparently the fix done on #4 for the demo.velmu.fi service wasn't enough for the subservices.
Hello,
Your certificate (or certificates) for the names listed below will expire in
20 days (on 04 Jul 18 14:10 +0000). Please make sure to renew
your certificate before then, or visitors to your website will encounter errors.
five.demo.velmu.fi
four.demo.velmu.fi
one.demo.velmu.fi
three.demo.velmu.fi
two.demo.velmu.fi
# certbot renew --no-self-upgrade --pre-hook "systemctl stop httpd" --post-hook "systemctl start httpd"
Saving debug log to /var/log/letsencrypt/letsencrypt.log
-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/demo.velmu.fi.conf
-------------------------------------------------------------------------------
Cert not yet due for renewal
-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/four.demo.velmu.fi.conf
-------------------------------------------------------------------------------
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator webroot, Installer None
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Running pre-hook command: systemctl stop httpd
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for four.demo.velmu.fi
Waiting for verification...
Cleaning up challenges
Attempting to renew cert (four.demo.velmu.fi) from /etc/letsencrypt/renewal/four.demo.velmu.fi.conf produced an unexpected error: Failed authorization procedure. four.demo.velmu.fi (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://four.demo.velmu.fi/.well-known/acme-challenge/vOQzvEH15Lhu4hjQEqPEox5I5n1GUUUw9-HsZdR4enM: Connection refused. Skipping.
-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/five.demo.velmu.fi.conf
-------------------------------------------------------------------------------
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator webroot, Installer None
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Pre-hook command already run, skipping: systemctl stop httpd
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for five.demo.velmu.fi
Waiting for verification...
Cleaning up challenges
Attempting to renew cert (five.demo.velmu.fi) from /etc/letsencrypt/renewal/five.demo.velmu.fi.conf produced an unexpected error: Failed authorization procedure. five.demo.velmu.fi (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://five.demo.velmu.fi/.well-known/acme-challenge/8NyTxGgZIspAfUUSOyVjJhMXn38xLLH-SA6oQPRV3nM: Connection refused. Skipping.
-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/three.demo.velmu.fi.conf
-------------------------------------------------------------------------------
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator webroot, Installer None
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Pre-hook command already run, skipping: systemctl stop httpd
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for three.demo.velmu.fi
Waiting for verification...
Cleaning up challenges
Attempting to renew cert (three.demo.velmu.fi) from /etc/letsencrypt/renewal/three.demo.velmu.fi.conf produced an unexpected error: Failed authorization procedure. three.demo.velmu.fi (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://three.demo.velmu.fi/.well-known/acme-challenge/FntWiOaRWD98BsARH-_PvixriP66fe7PGJ5_wRy9Gts: Connection refused. Skipping.
-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/one.demo.velmu.fi.conf
-------------------------------------------------------------------------------
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator webroot, Installer None
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Pre-hook command already run, skipping: systemctl stop httpd
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for one.demo.velmu.fi
Waiting for verification...
Cleaning up challenges
Attempting to renew cert (one.demo.velmu.fi) from /etc/letsencrypt/renewal/one.demo.velmu.fi.conf produced an unexpected error: Failed authorization procedure. one.demo.velmu.fi (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://one.demo.velmu.fi/.well-known/acme-challenge/ZwYc28iIeOIgeopj6VBfTofpkXl1MPWRDlDJrPFIckE: Connection refused. Skipping.
-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/two.demo.velmu.fi.conf
-------------------------------------------------------------------------------
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator webroot, Installer None
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Pre-hook command already run, skipping: systemctl stop httpd
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for two.demo.velmu.fi
Waiting for verification...
Cleaning up challenges
Attempting to renew cert (two.demo.velmu.fi) from /etc/letsencrypt/renewal/two.demo.velmu.fi.conf produced an unexpected error: Failed authorization procedure. two.demo.velmu.fi (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://two.demo.velmu.fi/.well-known/acme-challenge/dvhLFuPz5w2gSI1QhdJQLxNOwTVR2KbR_3ROdeSZgx4: Connection refused. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/four.demo.velmu.fi/fullchain.pem (failure)
/etc/letsencrypt/live/five.demo.velmu.fi/fullchain.pem (failure)
/etc/letsencrypt/live/three.demo.velmu.fi/fullchain.pem (failure)
/etc/letsencrypt/live/one.demo.velmu.fi/fullchain.pem (failure)
/etc/letsencrypt/live/two.demo.velmu.fi/fullchain.pem (failure)
-------------------------------------------------------------------------------
The following certs are not due for renewal yet:
/etc/letsencrypt/live/demo.velmu.fi/fullchain.pem expires on 2018-08-26 (skipped)
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/four.demo.velmu.fi/fullchain.pem (failure)
/etc/letsencrypt/live/five.demo.velmu.fi/fullchain.pem (failure)
/etc/letsencrypt/live/three.demo.velmu.fi/fullchain.pem (failure)
/etc/letsencrypt/live/one.demo.velmu.fi/fullchain.pem (failure)
/etc/letsencrypt/live/two.demo.velmu.fi/fullchain.pem (failure)
-------------------------------------------------------------------------------
Running post-hook command: systemctl start httpd
5 renew failure(s), 0 parse failure(s)
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: five.demo.velmu.fi
Type: connection
Detail: Fetching
http://five.demo.velmu.fi/.well-known/acme-challenge/8NyTxGgZIspAfUUSOyVjJhMXn38xLLH-SA6oQPRV3nM:
Connection refused
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address. Additionally, please check that
your computer has a publicly routable IP address and that no
firewalls are preventing the server from communicating with the
client. If you're using the webroot plugin, you should also verify
that you are serving files from the webroot path you provided.
- The following errors were reported by the server:
Domain: four.demo.velmu.fi
Type: connection
Detail: Fetching
http://four.demo.velmu.fi/.well-known/acme-challenge/vOQzvEH15Lhu4hjQEqPEox5I5n1GUUUw9-HsZdR4enM:
Connection refused
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address. Additionally, please check that
your computer has a publicly routable IP address and that no
firewalls are preventing the server from communicating with the
client. If you're using the webroot plugin, you should also verify
that you are serving files from the webroot path you provided.
- The following errors were reported by the server:
Domain: one.demo.velmu.fi
Type: connection
Detail: Fetching
http://one.demo.velmu.fi/.well-known/acme-challenge/ZwYc28iIeOIgeopj6VBfTofpkXl1MPWRDlDJrPFIckE:
Connection refused
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address. Additionally, please check that
your computer has a publicly routable IP address and that no
firewalls are preventing the server from communicating with the
client. If you're using the webroot plugin, you should also verify
that you are serving files from the webroot path you provided.
- The following errors were reported by the server:
Domain: three.demo.velmu.fi
Type: connection
Detail: Fetching
http://three.demo.velmu.fi/.well-known/acme-challenge/FntWiOaRWD98BsARH-_PvixriP66fe7PGJ5_wRy9Gts:
Connection refused
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address. Additionally, please check that
your computer has a publicly routable IP address and that no
firewalls are preventing the server from communicating with the
client. If you're using the webroot plugin, you should also verify
that you are serving files from the webroot path you provided.
- The following errors were reported by the server:
Domain: two.demo.velmu.fi
Type: connection
Detail: Fetching
http://two.demo.velmu.fi/.well-known/acme-challenge/dvhLFuPz5w2gSI1QhdJQLxNOwTVR2KbR_3ROdeSZgx4:
Connection refused
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address. Additionally, please check that
your computer has a publicly routable IP address and that no
firewalls are preventing the server from communicating with the
client. If you're using the webroot plugin, you should also verify
that you are serving files from the webroot path you provided.
Based on documentation, the Ansible role in use (geerlingguy.certbot) uses the standalone method for renewing the certificates. However, the Certbot in use doesn't seem to use standalone unless explicitly instructed. This is the apparent cause of the issue.
Configuration for running Velmu and its needed services
Velmu is a Buildout-based Django project using a database, session store, cache and background tasks.
- Python 2.7
- Postgresql
- Redis
- Memcached
- RabbitMQ
Server configuration
- Centos7 based virtual machine
- Running in CSC datacenter
- Configuration with Ansible
- Use best practices from Haltu Heliconia environment
Five demo services
We want to have five demo services on the Velmu desktop to showcase how MPASS works in real life. These five demo services will live on the same server as Velmu, but they will be completely independent services, with their own SAML SPs.
Do this five (5) times:
- Create Apache vhost
- Shibboleth config for an SP, with its own entity id
- Register SP to MPASS
- Test that the SP config works
For now we don't yet know what kind of services we will be running here. Most probably Django, like Velmu, with minimal configuration to show one page. Or we will run mod_php. That's a separate issue.
Certificate renewal not working
Hello,
Your certificate (or certificates) for the names listed below will expire in
20 days (on 14 Jun 18 10:23 +0000). Please make sure to renew
your certificate before then, or visitors to your website will encounter errors.
demo.velmu.fi
# certbot renew --no-self-upgrade
Saving debug log to /var/log/letsencrypt/letsencrypt.log
-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/demo.velmu.fi.conf
-------------------------------------------------------------------------------
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator standalone, Installer None
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for demo.velmu.fi
Cleaning up challenges
Attempting to renew cert (demo.velmu.fi) from /etc/letsencrypt/renewal/demo.velmu.fi.conf produced an unexpected error: Problem binding to port 443: Could not bind to IPv4 or IPv6.. Skipping.
The issue is that the Ansible role in use (geerlingguy.certbot) supports only the standalone method for renewing the certificates. Therefore the Apache HTTP server needs to be stopped and started by pre- and post-hooks so that Certbot's standalone web server can bind to the ports it needs.
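The two failures reported in these issues (port 443 already bound when the authenticator is standalone, and "Connection refused" when a webroot renewal runs while the pre-hook has stopped httpd) are the same mismatch seen from both sides. The following added Python check is not part of velmu-mpass-ansible or geerlingguy.certbot: it reads the `authenticator` value from each renewal config (constructed samples inline, laid out like certbot's own renewal files) and flags the combinations that cannot succeed before the expiry mail arrives.

```python
"""Flag certbot renewal configs whose authenticator conflicts with the
renew hooks. Added example, not code from the velmu-mpass-ansible project."""
import re

# Constructed sample renewal files, mirroring certbot's configobj layout.
SAMPLE_CONFS = {
    "demo.velmu.fi.conf": """\
version = 0.24.0
cert = /etc/letsencrypt/live/demo.velmu.fi/cert.pem
[renewalparams]
authenticator = standalone
server = https://acme-v01.api.letsencrypt.org/directory
""",
    "four.demo.velmu.fi.conf": """\
version = 0.24.0
cert = /etc/letsencrypt/live/four.demo.velmu.fi/cert.pem
[renewalparams]
authenticator = webroot
server = https://acme-v01.api.letsencrypt.org/directory
[[webroot_map]]
four.demo.velmu.fi = /var/www/four
""",
}

def renewal_params(text):
    """Return key/value pairs under [renewalparams]; nested [[...]] sections are skipped."""
    params, section = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^(\[+)([^\]]+)\]+$", line)
        if m:  # one bracket pair = top-level section, two = nested section
            section = m.group(2) if len(m.group(1)) == 1 else None
            continue
        if section == "renewalparams" and "=" in line:
            key, value = line.split("=", 1)
            params[key.strip()] = value.strip()
    return params

def check(conf_name, text, webserver_stopped_by_hook):
    """Return a finding for an authenticator/hook mismatch, or None if consistent."""
    auth = renewal_params(text).get("authenticator")
    if auth == "webroot" and webserver_stopped_by_hook:
        return f"{conf_name}: webroot needs httpd running, but the pre-hook stops it"
    if auth == "standalone" and not webserver_stopped_by_hook:
        return f"{conf_name}: standalone needs ports 80/443 free, but httpd is not stopped"
    return None

def check_all(confs, webserver_stopped_by_hook):
    """Run check() over every renewal file; the hook flag describes the renew command used."""
    findings = [check(n, t, webserver_stopped_by_hook) for n, t in confs.items()]
    return [f for f in findings if f]
```

Running `check_all` with `webserver_stopped_by_hook=True` models the `--pre-hook "systemctl stop httpd"` command above; with `False` it models the plain `certbot renew` from the earlier issue.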