| 4 Oct 2021 |
hexa | the reason letsencrypt failed on many systems is that they don't handle cross-signed roots, where one signatory expired, and the other one is still valid, well | 12:16:15 |
hexa | there is certainly a way to get your server cert without the cross-signing (isrg x1 root only) | 12:16:50 |
hexa | but you are trading breakages in one way or another | 12:17:09 |
aanderse | in this specific example i have a single cert for a single domain - i load that cert into prosody, then when trying to connect with my jabber client i get "The certificate chain presented is invalid." | 12:20:16 |
hexa |
--preferred-chain="ISRG Root X1"
| 12:20:31 |
aanderse | like i said... low on time, so i really appreciate the quick save | 12:21:42 |
aanderse | just moved... it has been a self-inflicted nightmare 😉 | 12:21:57 |
Dandellion | I have the following nginx configuration for one of my services:
services.nginx.virtualHosts."hydrus.dodsorf.as" = {
  enableACME = true;
  onlySSL = true;
  locations."/.well-known/matrix/server" = {
    return = ''
      200 '{"m.server": "hydrus.dodsorf.as:443"}'
    '';
    extraConfig = ''
      default_type application/json;
    '';
  };
  locations."~ ^/_matrix/media/r0/download/hydrus.dodsorf.as/(?<sha>[A-Fa-f0-9]+)" = {
    proxyPass = "http://192.168.10.50:45869/get_files/file?hash=$sha";
    extraConfig = ''
      proxy_set_header Hydrus-Client-API-Access-Key <some-key>;
    '';
  };
};
which for some reason fails with
Oct 04 12:41:19 lilith acme-hydrus.dodsorf.as-start[2233969]: 2021/10/04 12:41:19 [INFO] [hydrus.dodsorf.as] acme: Could not find solver for: tls-alpn-01
Oct 04 12:41:19 lilith acme-hydrus.dodsorf.as-start[2233969]: 2021/10/04 12:41:19 [INFO] [hydrus.dodsorf.as] acme: use http-01 solver
Oct 04 12:41:19 lilith acme-hydrus.dodsorf.as-start[2233969]: 2021/10/04 12:41:19 [INFO] [hydrus.dodsorf.as] acme: Trying to solve HTTP-01
Oct 04 12:41:25 lilith acme-hydrus.dodsorf.as-start[2233969]: 2021/10/04 12:41:25 [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/36912141660
Oct 04 12:41:25 lilith acme-hydrus.dodsorf.as-start[2233969]: 2021/10/04 12:41:25 error: one or more domains had a problem:
Oct 04 12:41:25 lilith acme-hydrus.dodsorf.as-start[2233969]: [hydrus.dodsorf.as] acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: Invalid response from http://hydrus.dodsorf.as/.well-known/acme-challenge/pxMFKnR4CI8fzgQzwoeXYDegD-Beb3zVJW9sdbd4pB0 [51.174.193.44]: "<html>\r\n<head><title>404 Not Found</title></head>\r\n<body>\r\n<center><h1>404 Not Found</h1></center>\r\n<hr><center>nginx</center>\r\n"
Does someone here know off the top of their head why?
| 12:26:40 |
hexa | some location block shadowing the webroot? | 12:29:23 |
aanderse | hexa: your suggestion was to add this to my security.acme.certs."example.org" configuration, right?
  extraLegoRunFlags = [ "--preferred-chain=\"ISRG Root X1\"" ];
  extraLegoRenewFlags = [ "--preferred-chain=\"ISRG Root X1\"" ];
| 12:36:29 |
hexa | something along those lines | 12:36:44 |
hexa | isn't that basically extraLegoFlags if you are adding it to both? | 12:36:56 |
aanderse | extraLegoFlags complained the flag didn't exist | 12:37:09 |
hexa | then it might be run only | 12:37:18 |
aanderse | i put it in run and renew and i got my cert | 12:37:45 |
aanderse | but pidgin still complains | 12:37:49 |
hexa | alrighty | 12:37:51 |
hexa | extraLegoFlags probably does lego $extraLegoFlags <run/renew> | 12:38:06 |
hexa | while the others append | 12:38:10 |
hexa | would have to look that up though | 12:38:16 |
hexa | In reply to @aanderse:nixos.dev: "any chance we need to update LEGO? ... or iunno... anything? i think the letsencrypt root cert expired recently and one of my certs is having issues when being used with prosody i don't have many details, sorry, short on time"
updated lego nevertheless. https://github.com/NixOS/nixpkgs/pull/140479 | 12:54:44 |
hexa | In reply to @hexa:lossy.network: "some location block shadowing the webroot?"
try removing the location blocks one by one to rule them out | 12:55:14 |
Dandellion | Mhm, will try | 12:55:49 |
hexa | also check your nginx log, it might show you the full path it tried | 12:56:14 |
aanderse | thanks | 12:56:29 |
Dandellion | In reply to @hexa:lossy.network: "try removing the location blocks one by one to rule them out"
For some crazy reason I had
services.nginx.virtualHosts = {
  "acmechallenge.dodsorf.as" = {
    # Catchall vhost, will redirect users to HTTPS for all vhosts
    serverAliases = [ "*.dodsorf.as" ];
    # /var/lib/acme/.challenges must be writable by the ACME user
    # and readable by the Nginx user.
    # By default, this is the case.
    locations."/.well-known/acme-challenge" = {
      root = "/var/lib/acme/.challenges";
    };
    locations."/" = {
      return = "301 https://$host$request_uri";
    };
  };
};
in my config
| 20:38:31 |
hexa | 🙂 | 20:39:13 |
Dandellion | which it seems I copied from here https://nixos.org/manual/nixos/stable/#module-security-acme-configuring | 20:39:35 |
Dandellion | probably from when I was using traefik or something :) | 20:40:15 |