
Job finishes successfully on renewing certs but SSL is not used by HTTPS

Open freshteapot opened this issue 1 year ago • 3 comments

Not sure how to help with this one.

I believe renew of certs used to work. I have recently added more domains and I am wondering if that has caused trouble...

The certs job seems happy, but looped over enough Let's Encrypt has rate-limited me.

[Wed Jan 17 18:39:44 UTC 2024] Installing cert to: /root/certs/tls.crt
[Wed Jan 17 18:39:44 UTC 2024] Installing CA to: /root/certs/ca.crt
[Wed Jan 17 18:39:44 UTC 2024] Installing key to: /root/certs/tls.key
[Wed Jan 17 18:39:44 UTC 2024] Installing full chain to: /root/certs/fullchain.crt

The job seems happy, and says nothing needs renewing, but the secrets are not updated and the endpoint says the cert is out of date.

Looking into the secrets, it appears that there is more than one certificate in "tls.crt", "ca.crt".

Also when I decode the conf secrets, there are things like "rootroot" and it almost looks like there should have been some new lines.

Here is an example

acme.sh/www.learnalist.net_ecc/fullchain.cerXXX 0ustar  rootroot-----BEGIN CERTIFICATE-----

Also at the top of the conf

acme.sh/www.learnalist.net_ecc/www.learnalist.net.csr.confXXX 0ustar  rootroot[ req_distinguished_name ]

I lack detailed knowledge but I have a feeling rootroot maybe should have been "newline", as I suspect

[ req_distinguished_name ]

should be on its own line like other conf blocks.

freshteapot avatar Jan 17 '24 20:01 freshteapot
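One way to check what a decoded secret value actually contains, as an added example that is not part of this issue or of the mathnao/certs project: a fragment like `0ustar  rootroot` is consistent with a POSIX/GNU tar header once its NUL padding is dropped (typeflag, `ustar` magic, owner `root`, group `root`), so the code below classifies the value as tar or plain PEM, lists the tar members and counts the PEM certificates in each. The member names and the PEM bodies are constructed placeholders, not real certificates.

```python
"""Inspect a decoded Kubernetes secret value that may hold a tar archive or a PEM bundle."""
import io
import tarfile

PEM_BEGIN = b"-----BEGIN CERTIFICATE-----"
USTAR_OFFSET = 257  # offset of the "ustar" magic inside a 512-byte tar header


def classify(data: bytes) -> str:
    """Return 'tar' if a ustar magic is present, 'pem' if the value starts with PEM, else 'unknown'."""
    if len(data) >= USTAR_OFFSET + 5 and data[USTAR_OFFSET:USTAR_OFFSET + 5] == b"ustar":
        return "tar"
    if data.lstrip().startswith(b"-----BEGIN "):
        return "pem"
    return "unknown"


def inspect_secret_value(data: bytes) -> dict:
    """Map every file found in the value to the number of PEM certificates it contains."""
    kind = classify(data)
    if kind == "tar":
        members = {}
        with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
            for member in tar.getmembers():
                if member.isfile():
                    members[member.name] = tar.extractfile(member).read().count(PEM_BEGIN)
        return {"format": kind, "members": members}
    # Plain value (e.g. a fullchain file): just count the certificate blocks in place.
    return {"format": kind, "members": {"<inline>": data.count(PEM_BEGIN)}}


def _fake_pem(count: int) -> bytes:
    # Constructed placeholder blocks; only the PEM markers matter for counting.
    block = PEM_BEGIN + b"\nMIIB...constructed-placeholder...\n-----END CERTIFICATE-----\n"
    return block * count


def build_sample_tar() -> bytes:
    """Constructed GNU-format tar with the member names quoted in the report, owned by root:root."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.GNU_FORMAT) as tar:
        for name, body in (
            ("acme.sh/www.learnalist.net_ecc/fullchain.cer", _fake_pem(2)),
            ("acme.sh/www.learnalist.net_ecc/www.learnalist.net.csr.conf",
             b"[ req_distinguished_name ]\nCN = www.learnalist.net\n"),
        ):
            info = tarfile.TarInfo(name)
            info.size = len(body)
            info.uname = info.gname = "root"  # what shows up as "rootroot" once NULs are stripped
            tar.addfile(info, io.BytesIO(body))
    return buf.getvalue()
```

Against a live cluster the input would be `kubectl get secret <name> -o jsonpath='{.data.<key>}' | base64 -d`; feeding that to `inspect_secret_value` shows whether a key holds a tar archive of the acme.sh state or a plain certificate bundle.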

Hi, did you try with 2.0.1 version?

math-nao avatar Jan 20 '24 18:01 math-nao

Sorry for the slow response. Today I tried again. (I had to give it a little break to make Let's Encrypt happy)

Short answer:

It worked with 2.0.1. But only after I deleted both the "tls-xxx" and its "tls-xxx-conf".

Long answer

Only after removing tls / https support 100% for that domain did it recover and create the tls files.

2.0.1 was set in cronjob in kubernetes. This is from the currently disabled cronjob in kubernetes.

image: mathnao/certs:2.0.1

Manually made the job

kubectl create job --from=cronjobs/certs certs-1

Steps to get it working again

  • Trying again failed.
  • Suggesting use "--force".
  • I disabled all others and it still failed.
  • I deleted the "tls-learnalist" secret.
  • It still failed.
  • Running the job again, I noticed it found the "conf", which seemed odd.
  • I then realised there is "tls-learnalist-conf".
  • After deleting this.
  • Running the job, worked.

Note

  • I no longer have tls-learnalist-conf, which makes it harder to help you debug it.
  • Possibly 2.0.0 broke the conf and then running 2.0.1, it felt all was fine and didn't see the need to update the secret (guessing)

freshteapot avatar Feb 03 '24 08:02 freshteapot

I could reproduce a similar issue using the 2.0.1 version. Deploying the 2.1.0 version solved the issue without having to manually remove the secret.

Could you please check your cronjob logs to check if you still have this issue on 2.0.1? And then deploy 2.1.0 version.

math-nao avatar Feb 19 '24 14:02 math-nao

Sorry for the long delay.

I can confirm I had the cronjob running 2.0.1 today, seeing it break via a manual job.

I re-read this issue, and have got it working without changes by using 2.1.0.

Thank you for taking the time to answer back in February.

freshteapot avatar Aug 05 '24 22:08 freshteapot

Good news. Thank you for your feedback.

math-nao avatar Aug 08 '24 19:08 math-nao