
Questions on the LetsEncrypt ControlScript

Open mackov83 opened this issue 3 years ago • 5 comments

I refer to the following: https://github.com/avinetworks/devops/blob/master/cert_mgmt/letsencrypt_mgmt_profile.py/

Is this supported to work with both VS and EVH setups? I am a novice in the coding space; however, I do see references to parent / child within the script, which suggests it does.

In my case I get the following error (assuming vs.domain.com is the child object):

Error from certificate management service: STDOUT - "Running version 0.9.6
dry_run is: False
disable_check is: False
directory_url is https://acme-v02.api.letsencrypt.org/directory
Account key not found. Generating account key...
Parsing account key...
Parsing CSR...
Found domains: vs.domain.com
Getting directory...
Directory found!
Registering account...
Registered!
Creating new order...
Order created!
Verifying vs.domain.com...
Warning: Could not find a VSVIP with fqdn = vs.domain.com
". STDERR - "/usr/local/lib/python3.8/dist-packages/urllib3/connectionpool.py:853: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#ssl-warnings
  warnings.warn((
/usr/local/lib/python3.8/dist-packages/urllib3/connectionpool.py:853: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#ssl-warnings
  warnings.warn((
/usr/local/lib/python3.8/dist-packages/urllib3/connectionpool.py:853: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#ssl-warnings
  warnings.warn((
Traceback (most recent call last):
  File "/run/shm/cs/LetsEncrypt_EVH", line 550, in <module>
    cert = certificate_request(csr, common_name, kwargs)
  File "/run/shm/cs/LetsEncrypt_EVH", line 522, in certificate_request
    signed_crt = get_crt(user, password, tenant, api_version, csr_temp_file.name,
  File "/run/shm/cs/LetsEncrypt_EVH", line 264, in get_crt
    raise Exception("Could not find a VS with fqdn = {}".format(domain))
Exception: Could not find a VS with fqdn = vs.domain.com
Error in sys.excepthook:
Traceback (most recent call last):
  File "/usr/local/lib/python3.8/dist-packages/avi_traceback/avi_exception_hook.py", line 51, in avi_excepthook
    os.makedirs(output_dir)
  File "/usr/lib/python3.8/os.py", line 223, in makedirs
    mkdir(name, mode)
OSError: [Errno 30] Read-only file system: '/var/lib/avi/python_crash'
Original exception was:
Traceback (most recent call last):
  File "/run/shm/cs/LetsEncrypt_EVH", line 550, in <module>
    cert = certificate_request(csr, common_name, kwargs)
  File "/run/shm/cs/LetsEncrypt_EVH", line 522, in certificate_request
    signed_crt = get_crt(user, password, tenant, api_version, csr_temp_file.name,
  File "/run/shm/cs/LetsEncrypt_EVH", line 264, in get_crt
    raise Exception("Could not find a VS with fqdn = {}".format(domain))
Exception: Could not find a VS with fqdn = vs.domain.com
"..

mackov83 avatar Jul 25 '22 03:07 mackov83

Update: my previous attempt was with 0.9.6. I saw that you also have 0.9.7, so I tried that too. Below is the output from 0.9.7:

Error from certificate management service: STDOUT - "". STDERR - "  File "/run/shm/cs/LetsEncrypt_EVH", line 37
    @@ -129,16 +131,21 @@ def _poll_until_not(url, pending_statuses, err_msg):
    ^
IndentationError: unexpected indent
Error in sys.excepthook:
Traceback (most recent call last):
  File "/usr/local/lib/python3.8/dist-packages/avi_traceback/avi_exception_hook.py", line 51, in avi_excepthook
    os.makedirs(output_dir)
  File "/usr/lib/python3.8/os.py", line 223, in makedirs
    mkdir(name, mode)
OSError: [Errno 30] Read-only file system: '/var/lib/avi/python_crash'
Original exception was:
  File "/run/shm/cs/LetsEncrypt_EVH", line 37
    @@ -129,16 +131,21 @@ def _poll_until_not(url, pending_statuses, err_msg):
    ^
IndentationError: unexpected indent
"..

mackov83 avatar Jul 25 '22 03:07 mackov83

Ignore this error. This came from copying the diff between 0.9.6 and 0.9.7 and missing that the copy brought lines in from 0.9.6.

The original error is the same with 0.9.7 file version.

mackov83 avatar Jul 25 '22 03:07 mackov83

Update: by using the 'overwrite_vs' I was able to bypass the error about the VS not being found.

Error from certificate management service: STDOUT - "Running version 0.9.7
dry_run is: False
disable_check is: False
directory_url is https://acme-v02.api.letsencrypt.org/directory
Account key not found. Generating account key...
Parsing account key...
Parsing CSR...
Found domains: vs.domain.com
Getting directory...
Directory found!
Registering account...
Registered!
Creating new order...
Order created!
Verifying vs.domain.com...
Note: Overwriting VS UUID to virtualservice-5a29daa5-837d-4f28-b4d9-d6d940287c56
Found VS virtualservice-5a29daa5-837d-4f28-b4d9-d6d940287c56 with fqdn vs.domain.com
". STDERR - "/usr/local/lib/python3.8/dist-packages/urllib3/connectionpool.py:853: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#ssl-warnings
  warnings.warn((
/usr/local/lib/python3.8/dist-packages/urllib3/connectionpool.py:853: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#ssl-warnings
  warnings.warn((
Traceback (most recent call last):
  File "/run/shm/cs/LetsEncrypt_EVH", line 558, in <module>
    cert = certificate_request(csr, common_name, kwargs)
  File "/run/shm/cs/LetsEncrypt_EVH", line 530, in certificate_request
    signed_crt = get_crt(user, password, tenant, api_version, csr_temp_file.name,
  File "/run/shm/cs/LetsEncrypt_EVH", line 306, in get_crt
    for service in rsp["results"][0]["services"]:
KeyError: 'services'
Error in sys.excepthook:
Traceback (most recent call last):
  File "/usr/local/lib/python3.8/dist-packages/avi_traceback/avi_exception_hook.py", line 51, in avi_excepthook
    os.makedirs(output_dir)
  File "/usr/lib/python3.8/os.py", line 223, in makedirs
    mkdir(name, mode)
OSError: [Errno 30] Read-only file system: '/var/lib/avi/python_crash'
Original exception was:
Traceback (most recent call last):
  File "/run/shm/cs/LetsEncrypt_EVH", line 558, in <module>
    cert = certificate_request(csr, common_name, kwargs)
  File "/run/shm/cs/LetsEncrypt_EVH", line 530, in certificate_request
    signed_crt = get_crt(user, password, tenant, api_version, csr_temp_file.name,
  File "/run/shm/cs/LetsEncrypt_EVH", line 306, in get_crt
    for service in rsp["results"][0]["services"]:
KeyError: 'services'
"..

Any ideas where I could look next?

mackov83 avatar Jul 25 '22 06:07 mackov83

I believe it is related to EVH. I've never tested it with EVH, I'm only using the Virtual Hosting. Do you have the ability to test VH if it works there?

patschi avatar Sep 01 '22 01:09 patschi
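The two failures reported above (the "Could not find a VSVIP with fqdn" warning, then KeyError: 'services' once the VS UUID was forced with overwrite_vs) are consistent with the EVH explanation in the reply, given how Avi models Enhanced Virtual Hosting: a child VS carries the hostname in vh_domain_name and points at its parent via vh_parent_vs_ref, while the VIP (vsvip_ref) and the listener (services) are configured only on the parent. What follows is an added example, not code from the avinetworks/devops script or from either participant, that performs the same lookup with an EVH-aware fallback. The controller responses are constructed sample dicts standing in for GET /api/virtualservice and /api/vsvip; the field names follow the Avi object model as the author understands it and should be checked against your controller's API schema, and the UUIDs and controller hostname are made up.

```python
"""EVH-aware FQDN -> listener lookup for Avi / NSX ALB (added example, constructed data)."""
from typing import Dict, List, Optional

VS_TYPE_VH_CHILD = "VS_TYPE_VH_CHILD"
CONTROLLER = "https://controller.example.invalid"  # assumed placeholder, not a real host

# Constructed sample objects; UUIDs are made up, not captured from a controller.
PARENT_UUID = "virtualservice-00000000-0000-4000-8000-000000000001"
CHILD_UUID = "virtualservice-00000000-0000-4000-8000-000000000002"
PLAIN_UUID = "virtualservice-00000000-0000-4000-8000-000000000003"
PARENT_VSVIP_UUID = "vsvip-00000000-0000-4000-8000-0000000000aa"
PLAIN_VSVIP_UUID = "vsvip-00000000-0000-4000-8000-0000000000bb"

# Stand-in for GET /api/virtualservice, keyed by UUID.
VIRTUALSERVICES: Dict[str, dict] = {
    PARENT_UUID: {
        "uuid": PARENT_UUID, "name": "evh-parent", "type": "VS_TYPE_VH_PARENT",
        "vh_type": "VS_TYPE_VH_ENHANCED",
        "vsvip_ref": f"{CONTROLLER}/api/vsvip/{PARENT_VSVIP_UUID}",
        "services": [{"port": 80, "enable_ssl": False}, {"port": 443, "enable_ssl": True}],
    },
    CHILD_UUID: {
        # No 'services' and no 'vsvip_ref': an EVH child shares its parent's VIP and
        # listener, which is exactly the key the script indexed and got KeyError on.
        "uuid": CHILD_UUID, "name": "vs.domain.com", "type": VS_TYPE_VH_CHILD,
        "vh_parent_vs_ref": f"{CONTROLLER}/api/virtualservice/{PARENT_UUID}",
        "vh_domain_name": ["vs.domain.com"],
    },
    PLAIN_UUID: {
        "uuid": PLAIN_UUID, "name": "plain.domain.com", "type": "VS_TYPE_NORMAL",
        "vsvip_ref": f"{CONTROLLER}/api/vsvip/{PLAIN_VSVIP_UUID}",
        "services": [{"port": 443, "enable_ssl": True}],
    },
}

# Stand-in for GET /api/vsvip, keyed by UUID.
VSVIPS: Dict[str, dict] = {
    PARENT_VSVIP_UUID: {"uuid": PARENT_VSVIP_UUID, "dns_info": [{"fqdn": "evh-parent.domain.com"}]},
    PLAIN_VSVIP_UUID: {"uuid": PLAIN_VSVIP_UUID, "dns_info": [{"fqdn": "plain.domain.com"}]},
}


def uuid_from_ref(ref: str) -> str:
    """Avi object refs are URLs whose last path segment is the object UUID."""
    return ref.rstrip("/").rsplit("/", 1)[-1]


def find_vs_for_fqdn(fqdn: str) -> Optional[dict]:
    """Pass 1 mirrors the script: a VS whose VSVIP dns_info carries the FQDN.
    Pass 2 is the EVH case: a child VS that names the FQDN in vh_domain_name."""
    fqdn = fqdn.lower().rstrip(".")
    for vs in VIRTUALSERVICES.values():
        vsvip_ref = vs.get("vsvip_ref")
        if not vsvip_ref:
            continue
        vsvip = VSVIPS.get(uuid_from_ref(vsvip_ref), {})
        if any(entry.get("fqdn", "").lower() == fqdn for entry in vsvip.get("dns_info", [])):
            return vs
    for vs in VIRTUALSERVICES.values():
        if vs.get("type") != VS_TYPE_VH_CHILD:
            continue
        if fqdn in (name.lower().rstrip(".") for name in vs.get("vh_domain_name", [])):
            return vs
    return None


def resolve_services(vs: dict, max_hops: int = 2) -> List[dict]:
    """Return the listener services for vs, walking an EVH child up to its parent
    instead of failing with KeyError: 'services'."""
    current = vs
    for _ in range(max_hops + 1):
        services = current.get("services")
        if services:
            return services
        parent_ref = current.get("vh_parent_vs_ref")
        if current.get("type") != VS_TYPE_VH_CHILD or not parent_ref:
            raise ValueError(f"VS {current.get('name')} ({current.get('uuid')}) has no services and no EVH parent")
        parent_uuid = uuid_from_ref(parent_ref)
        current = VIRTUALSERVICES.get(parent_uuid)
        if current is None:
            raise ValueError(f"EVH parent {parent_uuid} not found")
    raise ValueError("EVH parent chain deeper than expected")


def https_ports(services: List[dict]) -> List[int]:
    """Ports on which the listener terminates TLS (where the cert would be bound)."""
    return sorted(s["port"] for s in services if s.get("enable_ssl"))


def listener_for(fqdn: str) -> dict:
    """End-to-end lookup: which VS owns the FQDN and which TLS ports serve it."""
    vs = find_vs_for_fqdn(fqdn)
    if vs is None:
        raise LookupError(f"Could not find a VS with fqdn = {fqdn}")
    return {"vs_uuid": vs["uuid"], "type": vs["type"], "https_ports": https_ports(resolve_services(vs))}


if __name__ == "__main__":
    for name in ("vs.domain.com", "plain.domain.com", "missing.domain.com"):
        try:
            print(name, "->", listener_for(name))
        except LookupError as exc:
            print(name, "->", exc)
```

Run as a script it walks the three cases: the EVH child resolves through its parent, the plain VS resolves directly, and an unknown name fails with a clear message rather than a traceback. One further caveat visible in the posted output: the repeated InsecureRequestWarning lines mean the script talks to the controller API with TLS verification disabled; if this example is wired to a real controller with requests, pass the controller's CA bundle via verify= rather than verify=False, otherwise the credentials used for the cert-management call are exposed to anyone who can sit between the Service Engine and the controller.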

I could have, but it would have involved a lot of reconfiguration work as I only have a single public IP. Sure, I could implement different levels of NAT, but then it starts becoming overly complicated for a home lab.

I ended up buying a wildcard cert, as I had wasted too much time with the LE control scripts. It seemed as though each time a new version of ALB came along it broke, so the yearly cost of the cert was much cheaper than the hours continually lost trying to troubleshoot it.

mackov83 avatar Oct 17 '22 02:10 mackov83