Update lets-proxy to lets-proxy2 with inplace change binary
@rekby
Since Let's Encrypt deprecated the V1 API this month, I'm having a hard time making my lets-proxy work (I'm using this version: v0.15.1.9 commit 5092600a725e48e16abae6e8cb7134e9244c1ce6 os=linux-amd64)
This is one of the entries in my log:
time="2020-06-25T22:09:17Z" level=error msg="Can't create new authorization for domain 'hvacservicehouston.com': HTTP error: 403 Forbidden\nmap[Date:[Thu, 25 Jun 2020 22:09:12 GMT] Content-Type:[application/problem+json] Content-Length:[230] Boulder-Requester:[54508640] Cache-Control:[public, max-age=0, no-cache] Replay-Nonce:[0002VNfonRNGw9QGfcKd-ZTo05afir-QEwOCdfFXGA-Ez8U] Server:[nginx]]\n{\n \"type\": \"urn:acme:error:unauthorized\",\n \"detail\": \"Error creating new authz :: Validations for new domains are disabled in the V1 API (https://community.letsencrypt.org/t/end-of-life-plan-for-acmev1/88430)\",\n \"status\": 403\n}"
and this is the script I used to run it as a service on my Ubuntu box:
./lets-proxy --service-name=lets-proxy --service-action=stop
./lets-proxy \
-allowed-ips=1.1.1.1 \
--service-name=lets-proxy \
--service-action=reinstall \
-in-memory-cnt=20000 \
-real-ip-header=X-Forwarded-For \
-loglevel=warning \
-logout=log/lets-proxy.log \
-logrotate-count=2
./lets-proxy --service-name=lets-proxy --service-action=start
Then, I updated the script to use the new ACME server by adding the -acme-server parameter:
./lets-proxy --service-name=lets-proxy --service-action=stop
./lets-proxy \
-allowed-ips=1.1.1.1 \
--service-name=lets-proxy \
--service-action=reinstall \
-in-memory-cnt=20000 \
-acme-server="https://acme-v02.api.letsencrypt.org/directory" \
-real-ip-header=X-Forwarded-For \
-loglevel=warning \
-logout=log/lets-proxy.log \
-logrotate-count=2
./lets-proxy --service-name=lets-proxy --service-action=start
but now I'm getting this error:
time="2020-06-25T22:56:18Z" level=error msg="Can't get acme client for authorize domain 'hvacservicehouston.com': context deadline exceeded"
time="2020-06-25T22:56:18Z" level=error msg="Can't get acme client for authorize domain 'www.hvacservicehouston.com': context deadline exceeded"
time="2020-06-25T22:56:18Z" level=error msg="Retrieve certificate for domains '[hvacservicehouston.com www.hvacservicehouston.com]' has error 'Authorized domains doesn't contain main domain', create temporary self-signed certificate"
I installed lets-proxy2 (Version: 'v0.23.11+build-837, Build time 2020-03-07 22:24:36+00:00, commit 93071751399bc09e33d0d8842bdd52f6210b2080, go version go1.10 linux/amd64', Os: 'linux', Arch: 'amd64') but I'm stuck on how to configure the config_default.toml file to use the same values I am using with the current setup.
Please help, I'm stuck on that and ACME V1 will be disconnected in a few more days.
Hello.
Yes, I understand your problem. The first version of lets-proxy is very difficult to support, including adding the new ACME protocol, and it does not support it yet.
I'll see how I can support the old command-line parameters so the binary can be updated by changing it in place.
For config: config_default.toml is only an example of the default values. It isn't parsed at runtime. For configuration, create a file config.toml (or you can specify the config path with the --config flag). In config.toml you only need to set the values that differ from the defaults.
For example, your config would be the same as this config.toml:
[Log]
LogLevel = "warning"
File="log/lets-proxy.log"
MaxCount=2
[Proxy]
Headers = [ "X-Forwarded-For:{{SOURCE_IP}}" ]
[CheckDomains]
IPWhiteList = "1.1.1.1"
@rekby Thank you for your answer. Also, one last thing:
How can I run the lets-proxy2 as a service? I mean, using the commands below with the new version?
--service-name=lets-proxy --service-action=reinstall
Hi @rekby
I was able to run it using a custom config.toml file and I started lets-proxy2 using this command:
./lets-proxy -config config.toml
Here is the config file I used: config.toml
The log file was showing a lot of these errors:
2020-06-26T16:37:58.410Z error domain_checker/ip_list_sources.go:131 Get ipv6 {"mac": "12:c8:18:aa:09:16", "ipv6": "", "error": "EC2MetadataError: failed to make EC2Metadata request\n\tstatus code: 404, request id: \ncaused by: <?xml version=\"1.0\" encoding=\"iso-8859-1\"?>\n<!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.0 Transitional//EN\"\n\t\t \"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd\">\n<html xmlns=\"http://www.w3.org/1999/xhtml\" xml:lang=\"en\" lang=\"en\">\n <head>\n <title>404 - Not Found</title>\n </head>\n <body>\n <h1>404 - Not Found</h1>\n </body>\n</html>\n"}
2020-06-26T17:30:59.757Z error cert_manager/manager.go:498 accept authorization {"connection_id": "c204136c-097c-4074-bdde-f3bea5b916d5", "domain": "hawaiiangrillmo.com (punycode:hawaiiangrillmo.com)", "cert_name": "hawaiiangrillmo.com.ecdsa", "domain": "hawaiiangrillmo.com (punycode:hawaiiangrillmo.com)", "authorized_challenge": null, "error": "400 : <html>\r\n<head><title>400 Bad Request</title></head>\r\n<body>\r\n<center><h1>400 Bad Request</h1></center>\r\n<hr><center>nginx</center>\r\n</body>\r\n<
2020-06-26T16:38:54.277Z error cert_manager/manager.go:610 Got certificate key from cache and reuse old key {"connection_id": "4ba9707e-c681-4023-99b9-df33067fb01c", "domain": "www.locksmithwestland.com (punycode:www.locksmithwestland.com)", "cert_name": "locksmithwestland.com.ecdsa", "error": "lets proxy: cache miss"}
2020-06-26T17:30:59.857Z dpanic cert_manager/cert-state.go:51 Must be cert exactly one: cert or last error. Cert set as nil. {"connection_id": "31d1f03c-e30f-4e40-877c-dd46f43d6573", "domain": "www.pueblonuevomexicanrestaurant.com (punycode:www.pueblonuevomexicanrestaurant.com)", "cert_name": "
2020-06-26T17:30:59.857Z dpanic cert_manager/manager.go:924 Panic handled {"connection_id": "31d1f03c-e30f-4e40-877c-dd46f43d6573", "domain": "www.pueblonuevomexicanrestaurant.com (punycode:www.pueblonuevomexicanrestaurant.com)", "panic": "runtime error: invalid memory address or nil pointer dereference"}
Then, the files that were generated in the certificates folder look like these:
> autorestorationserviceorange.com.ecdsa.cer
> autorestorationserviceorange.com.ecdsa.key
> behealthystayfitbistro.com.ecdsa.cer
> behealthystayfitbistro.com.ecdsa.key
> championssportsbargrillny.com.ecdsa.cer
> championssportsbargrillny.com.ecdsa.key
No .crt, no .key were generated for the domains.
Thank you very much for your help again!!
> How can I run the lets-proxy2 as a service? I mean, using the commands below with the new version?
lets-proxy2 doesn't have a self-contained installer (and has no installer at all right now). If your Linux has systemd, you can get a .service file from https://github.com/rekby/lets-proxy2/wiki. If you don't have systemd, you have to create your own wrapper script to start lets-proxy2.
> No .crt, no .key were generated for the domains.
.cer is the same as .crt: it is the public certificate file. .key is .key. lets-proxy2 supports two cert/key algorithms, rsa and ecdsa, and the suffix is now .ecdsa.key/.rsa.key/.ecdsa.cer/.rsa.cer.
And I created two issues from your log: https://github.com/rekby/lets-proxy2/issues/133 https://github.com/rekby/lets-proxy2/issues/134
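A systemd unit for the invocation shown earlier in this thread (lets-proxy started with -config config.toml), added here as a constructed example and not the unit file from the project wiki; the install path /opt/lets-proxy2 and the service user letsproxy are assumptions.

```ini
# /etc/systemd/system/lets-proxy2.service (constructed example; paths and user are assumptions)
[Unit]
Description=lets-proxy2 reverse proxy with automatic Let's Encrypt certificates
After=network-online.target
Wants=network-online.target

[Service]
Type=simple
# Working directory holds config.toml, the log/ directory and the certificates folder,
# so the relative paths from the thread's config (log/lets-proxy.log) resolve here
WorkingDirectory=/opt/lets-proxy2
ExecStart=/opt/lets-proxy2/lets-proxy -config /opt/lets-proxy2/config.toml
Restart=on-failure
RestartSec=5s
# Run unprivileged; CAP_NET_BIND_SERVICE is all that is needed to listen on 443
User=letsproxy
Group=letsproxy
AmbientCapabilities=CAP_NET_BIND_SERVICE
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
NoNewPrivileges=yes
# Read-only filesystem except for the state the proxy writes (logs, issued certificates and keys)
ProtectSystem=strict
ProtectHome=yes
PrivateTmp=yes
ReadWritePaths=/opt/lets-proxy2
ProtectKernelTunables=yes
ProtectControlGroups=yes
RestrictSUIDSGID=yes

[Install]
WantedBy=multi-user.target
```

Enable it with systemctl daemon-reload and systemctl enable --now lets-proxy2; the working directory must be owned by the service user, since the .ecdsa.key/.rsa.key files are written there.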
@rekby we've also been using 'lets-proxy', which uses ACMEv1. It looks like this has now been deprecated by Let's Encrypt, as since the 14th July we've been unable to issue certificates, new and renewals.
Is there a suggested way to upgrade to 'lets-proxy-2'? Or is it a case of removing 'lets-proxy' and then implementing 'lets-proxy-2'?
Any tips on best practice here would be appreciated as I don't want to affect the certificates we've already issued on the server.
Thanks for your help.
@realleoman what process did you use to compile the lets-proxy executable? Normally I'd use go build but this setup seems a little different. I'm using Linux Ubuntu 16.04 and 18.04.
Cheers
I think I've found the releases here - https://github.com/rekby/lets-proxy2/releases
Cheers
@adviserportals Yeah, I used the releases already compiled by @rekby. They worked great at my end.
I've just got this working on my test environment, it's great. Setting up as a service is definitely the way to go.
I just need to figure out whitelisting domains now...
@adviserportals There aren't any special instructions right now; you need to reconfigure lets-proxy2 from scratch.
I'm thinking about adding support for the lets-proxy flags for backward compatibility. lets-proxy2 doesn't support all the functions of lets-proxy:
- It doesn't support daemon mode (not needed if you use systemd)
- KeepAlive settings for backend.
- Set accepted SSL/TLS versions
- Disable idn-decode domains in log
- Set key length
- Proxy in tcp mode
- Self-install
- Remove expect header
If you don't use any of these, I can add support for the other flags (or flag stubs) so the binary can be changed in place. But I can't test it in my environment because I don't use lets-proxy now.
@rekby thanks for coming back, that's useful information.
Having backwards compatibility may not be necessary. Maybe more of a 'nice to have' than 'essential'.
I suppose just removing all the current lets-proxy files and then implementing the new lets-proxy2 files would be enough without causing issues?
It would then just be a case of re-issuing all the certificates with the new software, which should be fine?
I have my own custom config.toml file running with some updated values, which is great.
I cannot figure out how to whitelist domains though. Is there a specific format these should be in, or can it be in a separate file like in v1?
Sorry for being two years late :((
I didn't see the question.
lets-proxy2 allows setting domain filters in the config, with the options BlackList and WhiteList in the "CheckDomains" section.
That's great - Thanks for letting me know 👍