
bluemix-letsencrypt's People

Contributors

bpavot, bsyk, gokulk04, hakanostrom, jlstack, joshisa, lmsurpre, suhlig, wangmeng

bluemix-letsencrypt's Issues

Error while uploading certificate

I'm getting error while uploading the certificate:

bx app domain-cert-add xyz.io -c cert.pem -k privkey.pem -I chain.pem

Uploading certificate to domain 'xyz.io'...
FAILED
Error: {code: 'bad_request', message: 'The domain xyz.io is not supported by the certificate CN/SAN matches [host.xyz.io] and misses [].'}

Here's my domains.json file:

"domains": [
  {
    "domain": "xyz.io",
    "hosts": [
      "host"
    ]
  }
]

This used to work as is earlier but I am unable to upload the certs now. Am I missing a step here?

No module named SimpleHTTPServer

   2018-06-18T16:02:09.03-0400 [APP/PROC/WEB/0] ERR   File "run.py", line 6, in <module>
   2018-06-18T16:02:09.04-0400 [APP/PROC/WEB/0] ERR     import SimpleHTTPServer
   2018-06-18T16:02:09.04-0400 [APP/PROC/WEB/0] ERR ModuleNotFoundError: No module named 'SimpleHTTPServer'

A few searches tell me SimpleHTTPServer is now included in http.server

Currently locally attempting to solve this issue. Will make a pull request if it works.

Thanks!

I just wanted to say „Thank you“ for maintaining this project. I just had my first cert renewal coming up, and it worked flawlessly.

Keep up the good work!

Fail to retrieve Certificates --quiet not supported

Retrieving certificates doesn't work for me.
The content of all pem files contains the ibmcloud helper text.

Incorrect Usage.

NAME:
  ibmcloud - A command line tool to interact with IBM Cloud
  Find more information at: https://ibm.biz/cli-docs

USAGE:
  [environment variables] ibmc....

From what I could see, it looks like the ibmcloud version I have installed doesn't support the --quiet option.

If I try ibmcloud cf ssh letsencrypt -c "cat ~/app/conf/live/domain.com/cert.pem"

it works correctly but it's not quiet:

Invoking 'cf ssh letsencrypt -c cat ~/app/conf/live/domain.com/cert.pem'...

-----BEGIN CERTIFICATE-----
MIIHrzCCBpegAwIBAgISBG1bm+oDE/7s47RArSvJ9whTMA0GCSqGSIb3DQEBCwUA

ibmcloud --version
ibmcloud version 1.1.0+cc908fe-2020-04-29T04:06:12+00:00

Does it work for someone?

If it's not just me, I can open an issue on the ibmcloud CLI repo.

Working with Diego

How should we obtain our certificates now that the Diego architecture does not support cf files?

Remove deprecated setting and set health check

I noticed the following warning from pushing the letsencrypt app:

Deprecation warning: Route component attributes 'domain', 'domains', 'host', 'hosts' and 'no-hostname' are deprecated. Found: no-hostname.
Please see http://docs.cloudfoundry.org/devguide/deploy-apps/manifest.html#deprecated for the currently supported syntax and other app manifest deprecations. This feature will be removed in the future.

I think it's safe just to remove that setting now so I'll go ahead and do that.

Fails to upload certificates

Attempting certificate upload...
FAILED
Console endpoint is not set. Run 'bx api API_ENDPOINT' or 'bx login' and try again.

Configuring Custom Domain and SSL through letsencrypt

One of our customers is having the issue.

His custom domain (rsearch.co) is currently hosted with Yahoo and he added it to his org. However I cannot set it as the sole domain for his application, and he believes this may be the issue with getting my SSL through letsencrypt and the bluemix app to run the acme tests, and upload the certificate automatically. If there is anything he needs to do with Yahoo please let me know - He'd love to have this resolved within the next 2 weeks as I am meeting with an important client.

He is trying to replace the rsearch.mybluemix.net with rsearch.co. He has attached the cname/a records and the output from running the letsencrypt app covered in:
https://www.ibm.com/blogs/bluemix/2016/08/securing-custom-domains-lets-encrypt/
He has followed every step shown. Let us know if he needs anything more.

Recommended way to automate cert renewal?

Is there a recommended way to automate certificate renewal?

My IBM Bluemix site keeps getting its certificate expired, and then I manually renew it. Seems like something that would irk users!

Unable to clean up challenge directory

I have been attempting to follow this guide: Securing Custom Domains with Let's Encrypt

When running python setup-app.py after:

  1. Installing dependencies pip install -r requirements.txt
  2. Configuring DNS (The guide suggests using CNAME to the Bluemix route but DreamHost seems to have issues doing url forwarding on unhosted domain names so forwarding omegaunicorn.com to www.omegaunicorn.com wasn't working and DreamHost wouldn't accept a CNAME for something other than a subdomain. Therefore, instead I did an nslookup on my deployed application on Bluemix and added A records for omegaunicorn.com and www.omegaunicorn.com using that ip to DreamHost. This seems to be fine.)
  3. Adding omegaunicorn.com to target org

The letsencrypt app (deployed successfully to Bluemix) times out waiting for certificates issuing the error:
"It has been 1 minutes without seeing certificates issued in the log. Something probably went wrong. Please check the output of cf logs letsencrypt --recent for more information."

Following the advice, I check the output of cf logs letsencrypt --recent and the logs report Unable to clean up challenge directory /home/vcap/app/host/.well-known/acme-challenge

From there a FailedChallenges error is raised.

The domains.yml file is as follows:

{
  "email": "[email protected]",
  "staging": false,
  "domains": [
    {
      "domain": "omegaunicorn.com",
      "hosts": [ "www", "." ]
    }
  ]
}

I tracked the error down in the certbot source code also and all it's supposed to be doing is this: os.rmdir(root_path) so I guess there is some kind of permissions issue within the deployed letsencrypt app or maybe the folder wasn't created? I am able to visit the site with the existing DNS/Bluemix configuration so I assume that there is some issue with my domains.yml configuration or I have uncovered an error with this or some other source that this depends on.

FileNotFoundError: [WinError 2] The system cannot find the file specified

When running python setup-app.py it gives this error. Complete output here -

Traceback (most recent call last):
  File "setup-app.py", line 66, in <module>
    check_call(["bx", "app", "push", "--no-start"])
  File "C:\ProgramData\Anaconda3\lib\subprocess.py", line 323, in check_call
    retcode = call(*popenargs, **kwargs)
  File "C:\ProgramData\Anaconda3\lib\subprocess.py", line 304, in call
    with Popen(*popenargs, **kwargs) as p:
  File "C:\ProgramData\Anaconda3\lib\subprocess.py", line 756, in __init__
    restore_signals, start_new_session)
  File "C:\ProgramData\Anaconda3\lib\subprocess.py", line 1155, in _execute_child
    startupinfo)
FileNotFoundError: [WinError 2] The system cannot find the file specified

Support for multiple spaces

Am I correct in assuming that you need to run this once for each bluemix/cloudfoundry space?

If so, it would be nice if we could add support for multiple spaces within the domain.json, and perhaps run bx target --cf before processing the domains within that space?

Certificate not being updated

Hello, I'm having a problem because my certificate is not being updated. In the logs of the "letsencrypt" cloud foundry app created by this script I see no error and everything seems to be working correctly, even the new certificates are being downloaded fine, but when displaying the certificate data, the expiration date is the same as when I first configured this plugin.

To be clear, I followed the exact steps as they are in the readme file in this repo. Below you can see some screenshots to show the output when running the script:
[screenshots not preserved]

As you can see, the output seems to be fine, but after running it, the certificate expiration date seems to be the same as before:
[screenshot not preserved]

Is there anything I'm missing or understanding wrongly of how this tool works?

Should I upload the resulting files to my web server cloud foundry app (from the letsencrypt one to the one with the webserver)? It would be really useful if someone could give me some thoughts on this.

Thanks a lot in advance for your help 🙏

Investigate support for wildcard certificates

Let's Encrypt has released support for wildcard certificates: https://community.letsencrypt.org/t/acme-v2-production-environment-wildcards/55578

What does this mean for bluemix-letsencrypt?
It sounds like they will issue only a DNS challenge and the DNS part was already out-of-scope for bluemix-letsencrypt. Maybe bluemix-letsencrypt isn't even needed any more if users move to this functionality?

IBM Cloud has also introduced https://console.bluemix.net/catalog/services/certificate-manager which should be looked at as well.

Getting error BXNUI2081E while uploading certificate files

I am getting the following error at the upload step:

Attempting certificate upload...
Uploading certificate to domain 'xxxxx.co'...
FAILED
Error response from server. Status code: 500; description: BXNUI2081E: <b>The certificates and keys were not modified because an unknown error occurred: Error.</b> <br>Click the <b>Account and Support</b> icon in the top menu bar, click <b>Get help</b>, and search for help or get support..

Making GET request to https://xxxxx.co
HTTPSConnectionPool(host='xxxxx.co', port=443): Max retries exceeded with url: / (Caused by SSLError(SSLError("bad handshake: Error([('SSL routines', 'ssl3_read_bytes', 'tlsv1 unrecognized name')],)",),))
Warning: Please note that your SSL certificate, its corresponding PRIVATE KEY, and its intermediate certificates have been downloaded to the current working directory. If you need to remove them, use `rm *.pem`
Unable to upload certificates

I also tried to upload the files by using the following command but still getting the same error.

bx security cert-add xxxxx.co -k privkey.pem -c cert.pem -i chain.pem

What might be the reason?

Invalid PEM

Hi,

I'm getting the following fail. Would love to know if you have any idea why this happens.
Thanks and best regards!

Waiting for app to start...

name: letsencrypt
requested state: started
instances: 1/1
usage: 128M x 1 instances
routes: medorion.com/.well-known/acme-challenge, prod.medorion.com/.well-known/acme-challenge,
staging.medorion.com/.well-known/acme-challenge
last uploaded: Tue 28 Aug 22:16:16 IDT 2018
stack: cflinuxfs2
buildpack: python_buildpack
start command: python run.py

     state     since                  cpu     memory          disk           details
#0   running   2018-08-28T19:19:09Z   10.3%   38.7M of 128M   218.1M of 1G
Parsing log files.
Waiting for certs...
Running: bx --quiet cf ssh letsencrypt -c "cat ~/app/conf/live/medorion.com/cert.pem"
Running: bx --quiet cf ssh letsencrypt -c "cat ~/app/conf/live/medorion.com/chain.pem"
Running: bx --quiet cf ssh letsencrypt -c "cat ~/app/conf/live/medorion.com/fullchain.pem"
Running: bx --quiet cf ssh letsencrypt -c "cat ~/app/conf/live/medorion.com/privkey.pem"
Making GET request to https://medorion.com

IMPORTANT
This domain name already has an SSL certificate in bluemix. You must first remove the old SSL before adding a new one. This means that your application will have a window of time without a certificate.

If you wish to continue, run:
bx app domain-cert-remove medorion.com; bx app domain-cert-add medorion.com -c cert.pem -k privkey.pem -i chain.pem; bx app domain-cert medorion.com

eviatarkhen:~/Medorion/bluemix-letsencrypt()$ bx app domain-cert-remove medorion.com; bx app domain-cert-add medorion.com -c cert.pem -k privkey.pem -i chain.pem; bx app domain-cert medorion.com
Are you sure you want to remove the certificate for domain 'medorion.com'? [y/N] > y
Removing certificate on domain 'medorion.com'...
OK
Certificate was removed from domain 'medorion.com'.

Uploading certificate to domain 'medorion.com'...
FAILED
Error: {code: 'internal_server_error', message: 'Invalid PEM formatted message.'}

Getting certificate info of domain medorion.com in region eu-gb...
FAILED
Certificate of domain 'medorion.com' was not found.
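
Added example (not code from bluemix-letsencrypt or from either reporter): a local check for the text returned by the `cat ...pem` commands. It covers the case in the "--quiet not supported" issue above, where the .pem files held ibmcloud help text or an "Invoking ..." banner, and it rejects anything that is not a well-formed PEM block, so a bad file is caught before upload rather than by the server's "Invalid PEM formatted message" error. Function names and the sample bytes are constructed for illustration; the check is structural only (base64 plus a DER SEQUENCE tag), not a full X.509 parse.

```python
import base64
import re

# One PEM block: matching BEGIN/END labels around a base64 body.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----\r?\n?",
    re.DOTALL,
)
CERT_LABELS = {"CERTIFICATE"}
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"}

def extract_pem_blocks(text):
    """Return (label, der_bytes) for each structurally valid PEM block."""
    blocks = []
    for match in PEM_BLOCK.finditer(text):
        label, body = match.group(1), match.group(2)
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        if der[:1] == b"\x30":  # certificates and keys are DER SEQUENCEs
            blocks.append((label, der))
    return blocks

def to_pem(label, der):
    """Re-encode DER bytes as a PEM block with 64-character lines."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (
        label, "\n".join(lines), label)

def check_download(text, allowed_labels):
    """Classify CLI output: 'clean', 'noisy' (PEM plus other text) or 'invalid'.

    Returns (status, pem); pem contains only the validated blocks.
    """
    blocks = [b for b in extract_pem_blocks(text) if b[0] in allowed_labels]
    if not blocks:
        return "invalid", ""
    leftover = PEM_BLOCK.sub("", text).strip()
    pem = "".join(to_pem(label, der) for label, der in blocks)
    return ("noisy" if leftover else "clean"), pem

# Constructed sample: a 5-byte DER SEQUENCE standing in for a certificate.
SAMPLE_PEM = to_pem("CERTIFICATE", b"\x30\x03\x02\x01\x01")
BANNER = ("Invoking 'cf ssh letsencrypt -c cat "
          "~/app/conf/live/domain.com/cert.pem'...\n\n")
HELP_TEXT = "Incorrect Usage.\n\nNAME:\n  ibmcloud - A command line tool\n"
```

A result of "noisy" means the returned PEM is usable once the surrounding CLI text is dropped; "invalid" means nothing should be written to disk or uploaded.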

Script exits (without downloading certificates) due to 'tlsv1 unrecognized name'

Bluemix appears to have given me an invalid SSL certificate by default on my custom domain, which is causing the script to fail as follows:

Waiting for certs...
Certs not ready yet, retrying in 5 seconds.
Making GET request to https://{domain omitted}
Traceback (most recent call last):
  File "setup-app.py", line 121, in <module>
    if domain_has_ssl(domain_with_first_host, True):
  File "setup-app.py", line 24, in domain_has_ssl
    return cert_exists or check_ssl(domain)
  File "setup-app.py", line 46, in check_ssl
    requests.get(target)
  File "/home/martin/.local/lib/python2.7/site-packages/requests/api.py", line 72, in get
    return request('get', url, params=params, **kwargs)
  File "/home/martin/.local/lib/python2.7/site-packages/requests/api.py", line 58, in request
    return session.request(method=method, url=url, **kwargs)
  File "/home/martin/.local/lib/python2.7/site-packages/requests/sessions.py", line 502, in request
    resp = self.send(prep, **send_kwargs)
  File "/home/martin/.local/lib/python2.7/site-packages/requests/sessions.py", line 612, in send
    r = adapter.send(request, **kwargs)
  File "/home/martin/.local/lib/python2.7/site-packages/requests/adapters.py", line 504, in send
    raise ConnectionError(e, request=request)
requests.exceptions.ConnectionError: HTTPSConnectionPool(host='{domain omitted}', port=443): Max retries exceeded with url: / (Caused by SSLError(SSLError("bad handshake: Error([('SSL routines', 'ssl3_read_bytes', 'tlsv1 unrecognized name')],)",),))

In theory I could upload the certificates manually, but the code to download the certificates is after the code to check for an existing SSL on the connection (which appears to be the wrong way round to me).
