ibmjstart / bluemix-letsencrypt
This project forked from bsyk/cf-letsencrypt
Let's Encrypt wrapper for Cloud Foundry apps on IBM Bluemix
License: MIT License
The usage for bx security cert-add no longer accepts domain names with host names (subdomains) attached. The setup-app.py file needs to be changed to invoke it correctly.
I'm getting error while uploading the certificate:
bx app domain-cert-add xyz.io -c cert.pem -k privkey.pem -I chain.pem
Uploading certificate to domain 'xyz.io'...
FAILED
Error: {code: 'bad_request', message: 'The domain xyz.io is not supported by the certificate CN/SAN matches [host.xyz.io] and misses [].'}
Here's my domains.json file:
{
  "domains": [
    {
      "domain": "xyz.io",
      "hosts": [
        "host"
      ]
    }
  ]
}
This used to work as is earlier, but I am unable to upload the certs now. Am I missing a step here?
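The two reports above (the CLI rejecting host-qualified domain names, and the upload failing with "CN/SAN matches [host.xyz.io] and misses []") both come down to the same question: which name is handed to cert-add, and which names the certificate must cover. The following is an added example, not code from setup-app.py or the project, that reads a domains.json in the shape quoted above and answers both questions before any upload is attempted. It assumes, from the domains.yml shown in a later report, that a host of "." stands for the bare domain, and it treats the error message above as meaning that the platform checks the registered domain itself against the certificate's CN/SAN; both are interpretations, not facts stated on the page. The sample configuration and SAN lists are constructed.

```python
import json

# Constructed sample in the shape of the domains.json quoted above; not the
# reporter's real file. The second entry uses "." for the bare domain, which is
# an assumption taken from the domains.yml shown in a later report on this page.
SAMPLE_DOMAINS_JSON = """
{
  "email": "[email protected]",
  "staging": false,
  "domains": [
    {"domain": "xyz.io", "hosts": ["host"]},
    {"domain": "example.org", "hosts": ["www", "."]}
  ]
}
"""


def required_names(config):
    """Map each registered domain to the FQDNs its certificate has to cover."""
    out = {}
    for entry in config["domains"]:
        domain = entry["domain"]
        names = {domain if h == "." else f"{h}.{domain}" for h in entry.get("hosts", [])}
        out[domain] = sorted(names)
    return out


def name_covered(name, san_names):
    """X.509 host-name matching: an exact SAN entry, or a single-label wildcard.

    *.xyz.io covers host.xyz.io but neither xyz.io nor a.b.xyz.io.
    """
    if name in san_names:
        return True
    labels = name.split(".")
    if len(labels) < 2:
        return False
    return "*." + ".".join(labels[1:]) in san_names


def coverage(required, san_names):
    """Split the required names into (matches, misses), like the CLI error above."""
    san = set(san_names)
    matches = [n for n in required if name_covered(n, san)]
    misses = [n for n in required if not name_covered(n, san)]
    return matches, misses


def cert_add_argv(domain, cert="cert.pem", key="privkey.pem", chain="chain.pem"):
    """Argument vector for the upload: the registered domain only, never host.domain."""
    return ["bx", "security", "cert-add", domain, "-k", key, "-c", cert, "-i", chain]


def upload_plan(config, san_names):
    """For each registered domain: the upload command, the coverage result, and
    whether the upload should be attempted at all.

    Assumption (interpretation of the error quoted above): the platform requires
    the registered domain itself to be covered, not just its hosts.
    """
    plan = {}
    san = set(san_names)
    for domain, names in required_names(config).items():
        matches, misses = coverage(names, san)
        ready = name_covered(domain, san) and not misses
        plan[domain] = {
            "argv": cert_add_argv(domain),
            "matches": matches,
            "misses": misses,
            "ready": ready,
        }
    return plan


if __name__ == "__main__":
    cfg = json.loads(SAMPLE_DOMAINS_JSON)
    # A certificate that covers only host.xyz.io reproduces the "matches
    # [host.xyz.io] and misses []" situation: nothing is missing, yet the bare
    # domain is not covered, so the upload is not ready.
    for domain, item in upload_plan(cfg, ["host.xyz.io"]).items():
        print(domain, item)
```

Running the planner with a SAN list taken from the issued certificate (for example the output of openssl x509 -noout -ext subjectAltName) turns a failed upload into a pre-flight message that names exactly which FQDN the certificate is missing.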
2018-06-18T16:02:09.03-0400 [APP/PROC/WEB/0] ERR File "run.py", line 6, in <module>
2018-06-18T16:02:09.04-0400 [APP/PROC/WEB/0] ERR import SimpleHTTPServer
2018-06-18T16:02:09.04-0400 [APP/PROC/WEB/0] ERR ModuleNotFoundError: No module named 'SimpleHTTPServer'
A few searches tell me SimpleHTTPServer is now included in http.server
Currently locally attempting to solve this issue. Will make a pull request if it works.
scrubbed
I just wanted to say „Thank you“ for maintaining this project. I just had my first cert renewal coming up, and it worked flawlessly.
Keep up the good work!
Retrieving certificates doesn't work for me.
The content of all pem files contains the ibmcloud helper text.
Incorrect Usage.
NAME:
ibmcloud - A command line tool to interact with IBM Cloud
Find more information at: https://ibm.biz/cli-docs
USAGE:
[environment variables] ibmc....
From what I could see, it looks like the ibmcloud version I have installed doesn't support the --quiet option.
If I try ibmcloud cf ssh letsencrypt -c "cat ~/app/conf/live/domain.com/cert.pem" it works correctly, but it's not quiet:
Invoking 'cf ssh letsencrypt -c cat ~/app/conf/live/domain.com/cert.pem'...
-----BEGIN CERTIFICATE-----
MIIHrzCCBpegAwIBAgISBG1bm+oDE/7s47RArSvJ9whTMA0GCSqGSIb3DQEBCwUA
ibmcloud --version
ibmcloud version 1.1.0+cc908fe-2020-04-29T04:06:12+00:00
Does it work for someone?
If it's not just me, I can open an issue on the ibmcloud CLI repo.
How should we obtain our certificates now that the Diego architecture does not support cf files?
I noticed the following warning from pushing the letsencrypt app:
Deprecation warning: Route component attributes 'domain', 'domains', 'host', 'hosts' and 'no-hostname' are deprecated. Found: no-hostname.
Please see http://docs.cloudfoundry.org/devguide/deploy-apps/manifest.html#deprecated for the currently supported syntax and other app manifest deprecations. This feature will be removed in the future.
I think it's safe just to remove that setting now, so I'll go ahead and do that.
Attempting certificate upload...
FAILED
Console endpoint is not set. Run 'bx api API_ENDPOINT' or 'bx login' and try again.
One of our customers is having the issue.
His custom domain (rsearch.co) is currently hosted with Yahoo and he added it to his org. However, I cannot set it as the sole domain for his application, and he believes this may be the issue with getting my SSL through letsencrypt and the bluemix app to run the acme tests and upload the certificate automatically. If there is anything he needs to do with Yahoo please let me know. He'd love to have this resolved within the next 2 weeks as I am meeting with an important client.
He is trying to replace rsearch.mybluemix.net with rsearch.co. He has attached the cname/a records and the output from running the letsencrypt app covered in:
https://www.ibm.com/blogs/bluemix/2016/08/securing-custom-domains-lets-encrypt/
He has followed every step shown. Let us know if he needs anything more.
Is there a recommended way to automate certificate renewal?
My IBM Bluemix site keeps getting its certificate expired, and then I manually renew it. Seems like something that would irk users!
In the current implementation, we use both. I think that means users must have both installed. Since this repo is focused on bluemix and we need the bluemix cli for the certificate upload, I think it makes sense to go 'all in' on the bluemix cli and remove the direct calls to cf.
For users that prefer to stick with just the cf cli, there is https://github.com/bsyk/cf-letsencrypt
I have been attempting to follow this guide: Securing Custom Domains with Let's Encrypt
When running python setup-app.py after pip install -r requirements.txt (nslookup on my deployed application on Bluemix, and added A records for omegaunicorn.com and www.omegaunicorn.com using that IP to DreamHost. This seems to be fine.), the letsencrypt app (deployed successfully to Bluemix) times out waiting for certificates, issuing the error:
"It has been 1 minutes without seeing certificates issued in the log. Something probably went wrong. Please check the output of cf logs letsencrypt --recent for more information."
Following the advice, I check the output of cf logs letsencrypt --recent
and the logs report Unable to clean up challenge directory /home/vcap/app/host/.well-known/acme-challenge
From there a FailedChallenges error is raised.
The domains.yml file is as follows:
{ "email": "[email protected]", "staging": false, "domains": [ { "domain": "omegaunicorn.com", "hosts": [ "www", "." ] } ] }
I tracked the error down in the certbot source code also and all it's supposed to be doing is this: os.rmdir(root_path)
so I guess there is some kind of permissions issue within the deployed letsencrypt app or maybe the folder wasn't created? I am able to visit the site with the existing DNS/Bluemix configuration so I assume that there is some issue with my domains.yml configuration or I have uncovered an error with this or some other source that this depends on.
Maybe rename it to domains.json instead?
When running python setup-app.py it gives this error. Complete output here:
Traceback (most recent call last):
File "setup-app.py", line 66, in <module>
check_call(["bx", "app", "push", "--no-start"])
File "C:\ProgramData\Anaconda3\lib\subprocess.py", line 323, in check_call
retcode = call(*popenargs, **kwargs)
File "C:\ProgramData\Anaconda3\lib\subprocess.py", line 304, in call
with Popen(*popenargs, **kwargs) as p:
File "C:\ProgramData\Anaconda3\lib\subprocess.py", line 756, in __init__
restore_signals, start_new_session)
File "C:\ProgramData\Anaconda3\lib\subprocess.py", line 1155, in _execute_child
startupinfo)
FileNotFoundError: [WinError 2] The system cannot find the file specified
Am I correct in assuming that you need to run this once for each bluemix/cloudfoundry space?
If so, it would be nice if we could add support for multiple spaces within the domain.json, and perhaps run bx target --cf before processing the domains within that space?
Hello, I'm having a problem because my certificate is not being updated. In the logs of the "letsencrypt" cloud foundry app created by this script I see no error and everything seems to be working correctly; even the new certificates are being downloaded fine, but when displaying the certificate data, the expiration date is the same as when I first configured this plugin.
To be clear, I followed the exact steps as they are in the readme file in this repo. Below you can see some screenshots to show the output when running the script:
As you can see, the output seems to be fine, but after running it, the certificate expiration date seems to be the same as before:
Is there anything I'm missing or understanding wrongly of how this tool works?
Should I upload the resulting files to my web server cloud foundry app (from the letsencrypt
one to the one with the webserver)? It would be really useful if someone could give me some thoughts on this.
Thanks a lot in advance for your help 🙏
Let's Encrypt has released support for wildcard certificates: https://community.letsencrypt.org/t/acme-v2-production-environment-wildcards/55578
What does this mean for bluemix-letsencrypt?
It sounds like they will issue only a DNS challenge and the DNS part was already out-of-scope for bluemix-letsencrypt. Maybe bluemix-letsencrypt isn't even needed any more if users move to this functionality?
IBM Cloud has also introduced https://console.bluemix.net/catalog/services/certificate-manager which should be looked at as well.
I am getting the following error at the upload step:
Attempting certificate upload...
Uploading certificate to domain 'xxxxx.co'...
FAILED
Error response from server. Status code: 500; description: BXNUI2081E: <b>The certificates and keys were not modified because an unknown error occurred: Error.</b> <br>Click the <b>Account and Support</b> icon in the top menu bar, click <b>Get help</b>, and search for help or get support..
Making GET request to https://xxxxx.co
HTTPSConnectionPool(host='xxxxx.co', port=443): Max retries exceeded with url: / (Caused by SSLError(SSLError("bad handshake: Error([('SSL routines', 'ssl3_read_bytes', 'tlsv1 unrecognized name')],)",),))
Warning: Please note that your SSL certificate, its corresponding PRIVATE KEY, and its intermediate certificates have been downloaded to the current working directory. If you need to remove them, use `rm *.pem`
Unable to upload certificates
I also tried to upload the files by using the following command but still getting the same error.
bx security cert-add xxxxx.co -k privkey.pem -c cert.pem -i chain.pem
What might be the reason?
Hi,
I'm getting the following fail. Would love to know if you have any idea why this happens.
Thanks and best regards!
Waiting for app to start...
name: letsencrypt
requested state: started
instances: 1/1
usage: 128M x 1 instances
routes: medorion.com/.well-known/acme-challenge, prod.medorion.com/.well-known/acme-challenge,
staging.medorion.com/.well-known/acme-challenge
last uploaded: Tue 28 Aug 22:16:16 IDT 2018
stack: cflinuxfs2
buildpack: python_buildpack
start command: python run.py
state since cpu memory disk details
#0 running 2018-08-28T19:19:09Z 10.3% 38.7M of 128M 218.1M of 1G
Parsing log files.
Waiting for certs...
Running: bx --quiet cf ssh letsencrypt -c "cat ~/app/conf/live/medorion.com/cert.pem"
Running: bx --quiet cf ssh letsencrypt -c "cat ~/app/conf/live/medorion.com/chain.pem"
Running: bx --quiet cf ssh letsencrypt -c "cat ~/app/conf/live/medorion.com/fullchain.pem"
Running: bx --quiet cf ssh letsencrypt -c "cat ~/app/conf/live/medorion.com/privkey.pem"
Making GET request to https://medorion.com
IMPORTANT
This domain name already has an SSL certificate in bluemix. You must first remove the old SSL before adding a new one. This means that your application will have a window of time without a certificate.
If you wish to continue, run:
bx app domain-cert-remove medorion.com; bx app domain-cert-add medorion.com -c cert.pem -k privkey.pem -i chain.pem; bx app domain-cert medorion.com
eviatarkhen:~/Medorion/bluemix-letsencrypt()$ bx app domain-cert-remove medorion.com; bx app domain-cert-add medorion.com -c cert.pem -k privkey.pem -i chain.pem; bx app domain-cert medorion.com
Are you sure you want to remove the certificate for domain 'medorion.com'? [y/N] > y
Removing certificate on domain 'medorion.com'...
OK
Certificate was removed from domain 'medorion.com'.
Uploading certificate to domain 'medorion.com'...
FAILED
Error: {code: 'internal_server_error', message: 'Invalid PEM formatted message.'}
Getting certificate info of domain medorion.com in region eu-gb...
FAILED
Certificate of domain 'medorion.com' was not found.
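The report above ends in "Invalid PEM formatted message", and an earlier report on this page found that every downloaded pem file contained the ibmcloud helper text because the installed CLI did not accept --quiet. Both are the same failure mode: the script captures whatever the CLI prints and writes it to cert.pem without checking that it is PEM at all. The following is an added example, not code from setup-app.py or the project, of the check a practitioner would put between the cf ssh capture and the upload: it accepts a file only if it consists of nothing but PEM blocks, and it can recover the certificate from chatter such as the "Invoking ..." preamble. The CLI output samples are constructed, and the certificate body is placeholder base64, not a real X.509 certificate; the function names are hypothetical.

```python
import base64
import binascii
import re

# One PEM block: a label, a base64 body (possibly line-wrapped), and an END
# line carrying the same label.
PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\n"
    r"(?P<body>[A-Za-z0-9+/=\n]*?)"
    r"-----END (?P=label)-----"
)

# Constructed placeholder body; not a real certificate.
FAKE_CERT_BODY = base64.b64encode(
    b"constructed placeholder, not a real X.509 certificate"
).decode()
FAKE_CERT = f"-----BEGIN CERTIFICATE-----\n{FAKE_CERT_BODY}\n-----END CERTIFICATE-----\n"

# Constructed: what `ibmcloud cf ssh ... -c "cat cert.pem"` prints without --quiet.
NOISY_OUTPUT = (
    "Invoking 'cf ssh letsencrypt -c cat ~/app/conf/live/example.com/cert.pem'...\n"
    + FAKE_CERT
)

# Constructed: what lands in the file when the CLI rejects --quiet and prints usage.
HELP_OUTPUT = (
    "Incorrect Usage.\n"
    "NAME:\n"
    "   ibmcloud - A command line tool to interact with IBM Cloud\n"
)


def is_clean_pem(text):
    """True when the text is nothing but PEM blocks, which is what an upload expects."""
    normalised = text.replace("\r\n", "\n")
    if not PEM_BLOCK.search(normalised):
        return False
    return PEM_BLOCK.sub("", normalised).strip() == ""


def extract_pem_blocks(text, expected_label=None):
    """Return the well-formed PEM blocks in `text`, dropping any CLI chatter.

    A block is kept only if its label matches `expected_label` (when given) and
    its body is valid, non-empty base64; the body is re-wrapped at 64 columns.
    """
    blocks = []
    for m in PEM_BLOCK.finditer(text.replace("\r\n", "\n")):
        label = m.group("label")
        if expected_label and label != expected_label:
            continue
        body = "".join(m.group("body").split())
        try:
            decoded = base64.b64decode(body, validate=True)
        except binascii.Error:
            continue
        if not decoded:
            continue
        wrapped = "\n".join(body[i:i + 64] for i in range(0, len(body), 64))
        blocks.append(f"-----BEGIN {label}-----\n{wrapped}\n-----END {label}-----\n")
    return blocks


def clean_pem_file(raw, expected_label):
    """Contents to write to disk, or a ValueError naming the likely cause."""
    blocks = extract_pem_blocks(raw, expected_label)
    if not blocks:
        raise ValueError(
            f"no {expected_label} block found; the CLI probably printed help or "
            f"error text instead of the file"
        )
    return "".join(blocks)


if __name__ == "__main__":
    print(clean_pem_file(NOISY_OUTPUT, "CERTIFICATE"))
    try:
        clean_pem_file(HELP_OUTPUT, "CERTIFICATE")
    except ValueError as exc:
        print("rejected:", exc)
```

Run on the captured output of each cf ssh call, this refuses to write a cert.pem that is really a usage message, which is the case that produced the "Invalid PEM formatted message" upload error above, and strips the "Invoking ..." line so an unsupported --quiet flag no longer corrupts the downloaded files.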
Bluemix appears to have given me an invalid SSL certificate by default on my custom domain, which is causing the script to fail as follows:
Waiting for certs...
Certs not ready yet, retrying in 5 seconds.
Making GET request to https://{domain omitted}
Traceback (most recent call last):
File "setup-app.py", line 121, in <module>
if domain_has_ssl(domain_with_first_host, True):
File "setup-app.py", line 24, in domain_has_ssl
return cert_exists or check_ssl(domain)
File "setup-app.py", line 46, in check_ssl
requests.get(target)
File "/home/martin/.local/lib/python2.7/site-packages/requests/api.py", line 72, in get
return request('get', url, params=params, **kwargs)
File "/home/martin/.local/lib/python2.7/site-packages/requests/api.py", line 58, in request
return session.request(method=method, url=url, **kwargs)
File "/home/martin/.local/lib/python2.7/site-packages/requests/sessions.py", line 502, in request
resp = self.send(prep, **send_kwargs)
File "/home/martin/.local/lib/python2.7/site-packages/requests/sessions.py", line 612, in send
r = adapter.send(request, **kwargs)
File "/home/martin/.local/lib/python2.7/site-packages/requests/adapters.py", line 504, in send
raise ConnectionError(e, request=request)
requests.exceptions.ConnectionError: HTTPSConnectionPool(host='{domain omitted}', port=443): Max retries exceeded with url: / (Caused by SSLError(SSLError("bad handshake: Error([('SSL routines', 'ssl3_read_bytes', 'tlsv1 unrecognized name')],)",),))
In theory I could upload the certificates manually, but the code to download the certificates is after the code to check for an existing SSL on the connection (which appears to be the wrong way round to me).