lemur
Unable to create Authority
Hi guys,
I've installed lemur refer Was not created! 'NoneType'
If I login I'm unable to create a new Authority it shows "Was not created! 'NoneType' object has no attribute 'strip'"
I've found the solution. It was caused by the missing certificate.
Is there any wiki for creating an CA with lets encrypt?
I believe Let's encrypt is still new and may be missing documentation cc @castrapel
Is there any assistance possible? @kevgliss
@philippkayser I'm facing the same problem that you have faced. I have launched using https://github.com/Netflix/lemur-docker. My plugin is CFSSL. Do you know how I can solve this problem?
Hi @sohel2020, in my case the field for the certificate was missing. I've created a self-signed one and put it inside. I don't know if this is the correct way, though.
@philippkayser Can you provide your full stacktrace?
Hi @kevgliss attached 2 log files lemur1.log lemur2.log
I'm facing the same problem. I installed Lemur following the QuickStart guide, fresh installation on Ubuntu 18.04
  File "/www/lemur/lemur/certificates/models.py", line 144, in __init__
    self.body = kwargs['body'].strip()
AttributeError: 'NoneType' object has no attribute 'strip'
My fault, I didn't configure the CFSSL installation properly. Following this https://www.howtoforge.com/tutorial/integration-of-cfssl-with-the-lemur-certificate-manager/ I managed to create the CA now.
Thanks! But in my case I need such a tutorial or whatever for Let's Encrypt :-)
Hi @philippkayser , support for LetsEncrypt is still pretty beta until our internal stakeholders test and provide feedback. This flow is definitely subject to change and we will appreciate any PRs.
We currently support LetsEncrypt v2. Here are a few critical pieces of info you will need to create an authority:
Acme v2 endpoint: https://acme-v02.api.letsencrypt.org/directory
Chain of trust is here: https://letsencrypt.org/certs/isrgrootx1.pem.txt
- Create an authority (Here are a few screenshots of the process. The cert field should have the chain of trust certificate above)
- Create a DNS provider under "Admin/DNS Providers" (The DNS providers we've tested internally are route53 and dyn. We run in AWS, so we ensure our instance profiles / assumed roles have the permissions necessary to create TXT records). For route53:
Now, you should be able to create a certificate. The certificate process is async.
- Create a cert - this will actually create a "pending certificate" (ie, you should see your certificate in the pending certificate queue). Ensure that you're able to select the authority and dns provider you just created:
- Pending certs are not resolved automatically. Run this command to resolve your pending certs (With your LEMUR_CONF environmental variable set properly)
lemur/manage.py pending_certs fetch_all_acme
In our environment, we have a cron that runs the following script every few minutes. It will only execute if the script is not already running. This is convenient for checking the queue often, without having race conditions between different instances processing the same pending certificates:
#!/bin/bash
# Lock file keyed on the script name, so only one copy runs at a time
PIDFILE="/tmp/$(basename "$0").pid"
if [ -f "$PIDFILE" ]; then
    # The recorded PID is still alive: another run is in progress, so bail out
    if ps -p "$(cat "$PIDFILE")" > /dev/null 2>&1; then
        echo "$0 already running!"
        exit
    fi
fi
echo $$ > "$PIDFILE"
# Remove the lock file on any exit path (SIGKILL cannot be trapped, so it is not listed)
trap 'rm -f "$PIDFILE" >/dev/null 2>&1' EXIT HUP INT QUIT TERM
/path/to/lemur pending_certs fetch_all_acme
Please let me know if this is enough to get you started. Thanks!
Thank you so much! Next week we will create the necessary NAT rules on our firewall and set the DNS entries on our domain. Afterwards I will try it with your steps. I will comment next week. Have a great weekend! :-) @castrapel
Hi @castrapel, lemur is now reachable from outside, also all necessary domains. We don't use a DNS provider like route 53, so we should set the TXT entries on our own or want to use the HTTP verification. How can I configure this?
I also got this error while trying to create one.
(lemur) lemur@ev-mz-lemur01:/www/lemur/lemur$ python manage.py pending_certs fetch_all_acme
/www/lemur/lib/python3.6/site-packages/psycopg2/__init__.py:144: UserWarning: The psycopg2 wheel package will be renamed from release 2.8; in order to keep installing from binary please use "pip install psycopg2-binary" instead. For details see: <http://initd.org/psycopg/docs/install.html#binary-install-from-pypi>.
  """)
Plugin 'DigiCertCISIssuerPlugin' may not work correctly. Required variable 'DIGICERT_CIS_API_KEY' is not set in Lemur's conf.
Plugin 'DigiCertCISSourcePlugin' may not work correctly. Required variable 'DIGICERT_CIS_API_KEY' is not set in Lemur's conf.
Plugin 'DigiCertIssuerPlugin' may not work correctly. Required variable 'DIGICERT_API_KEY' is not set in Lemur's conf.
Connecting with directory at https://acme-v02.api.letsencrypt.org/directory
Connected: https://acme-v02.api.letsencrypt.org/acme/acct/38481254
Starting DNS challenge for test2.evoila.de
[2018-07-17 14:05:03,475] ERROR in plugin: Unable to resolve pending cert: <PendingCertificate 1>
Traceback (most recent call last):
  File "/www/lemur/lemur/plugins/lemur_acme/plugin.py", line 292, in get_ordered_certificates
    dns_provider_options)
  File "/www/lemur/lemur/plugins/lemur_acme/plugin.py", line 176, in get_authorizations
    dns_provider_options)
  File "/www/lemur/lemur/plugins/lemur_acme/plugin.py", line 76, in start_dns_challenge
    account_number
  File "/www/lemur/lemur/plugins/lemur_acme/dyn.py", line 74, in create_txt_record
    get_dynect_session()
  File "/www/lemur/lemur/plugins/lemur_acme/dyn.py", line 18, in get_dynect_session
    current_app.config.get('ACME_DYN_PASSWORD', ''),
  File "/www/lemur/lib/python3.6/site-packages/dyn/core.py", line 51, in __call__
    cur_thread: super(_Singleton, cls).__call__(*args, **kwargs)
  File "/www/lemur/lib/python3.6/site-packages/dyn/tm/session.py", line 57, in __init__
    self.authenticate()
  File "/www/lemur/lib/python3.6/site-packages/dyn/tm/session.py", line 176, in authenticate
    response = self.execute('/Session/', 'POST', api_args)
  File "/www/lemur/lib/python3.6/site-packages/dyn/core.py", line 399, in execute
    return self._handle_response(response, uri, method, raw_args, final)
  File "/www/lemur/lib/python3.6/site-packages/dyn/core.py", line 319, in _handle_response
    return self._process_response(ret_val, method)
  File "/www/lemur/lib/python3.6/site-packages/dyn/tm/session.py", line 115, in _process_response
    raise DynectCreateError(response['msgs'])
dyn.tm.errors.DynectCreateError: pass: Password is required. user: Username is required. cust: Customer is required. login: Login failed.
Unable to resolve pending cert: <PendingCertificate 1>
[+] Certificates: New: 0 Failed: 1 Not using ACME: 0
(lemur) lemur@ev-mz-lemur01:/www/lemur/lemur$
@philippkayser What do you mean by
lemur is now reachable from outside, also all necessary domains
Lemur really shouldn't be accessible to the internet at large. If you meant that Lemur can now reach resources out on the internet, then that is fine.
Also, I believe the Lemur Let's Encrypt functionality does not support HTTP verification, only DNS (and only Route53).
@kevgliss sorry, I mean the resources are reachable from outside.
So can I create the necessary TXT records by myself?
It looks like cloudflare, dyn and route53 are currently supported:
https://github.com/Netflix/lemur/tree/c0c6ff51e2f1487f02a6f0814bdd28629345a40a/lemur/plugins/lemur_acme
If you use a different DNS provider you would have to implement your provider in a similar manner.
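To make concrete both what a DNS challenge actually needs published (the TXT record question above) and the shape a provider module has to offer, here is an added example that is not code from Lemur or from anyone in this thread. It derives the _acme-challenge name and TXT value as RFC 8555 (dns-01) and RFC 7638 (key thumbprint) define them, and sketches an in-memory provider whose create_txt_record / wait_for_dns_change / delete_txt_record method shape is assumed to mirror the lemur_acme provider modules; the account JWK and token are constructed sample values.

```python
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Base64url without padding, the encoding ACME (RFC 8555) uses throughout."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 of canonical JSON built from the required members only."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def dns01_record(domain: str, token: str, account_jwk: dict) -> tuple:
    """Name and TXT value the CA looks up for a dns-01 challenge (RFC 8555 section 8.4)."""
    key_authorization = token + "." + jwk_thumbprint(account_jwk)
    digest = hashlib.sha256(key_authorization.encode("utf-8")).digest()
    return "_acme-challenge." + domain, b64url(digest)


class InMemoryDnsProvider:
    """Stand-in provider; method names and arguments are assumed, not Lemur's own API."""

    def __init__(self):
        self.records = {}  # host -> set of TXT values currently published

    def create_txt_record(self, host, value, account_number=None):
        self.records.setdefault(host, set()).add(value)
        return host  # a real provider returns its API's change handle here

    def wait_for_dns_change(self, change_id, account_number=None):
        return change_id in self.records  # a real provider polls until the change is live

    def delete_txt_record(self, change_id, account_number, host, value):
        self.records.get(host, set()).discard(value)


# Constructed sample input: not a real account key or challenge token
SAMPLE_JWK = {"kty": "RSA", "e": "AQAB", "n": "constructed-not-a-real-modulus"}
SAMPLE_TOKEN = "constructed-challenge-token"


def publish_challenge(provider, domain, token, account_jwk):
    """Publish the challenge TXT record and report whether the provider sees it as live."""
    host, value = dns01_record(domain, token, account_jwk)
    change_id = provider.create_txt_record(host, value)
    return host, value, provider.wait_for_dns_change(change_id)
```

A provider written against a real DNS API replaces the dictionary with API calls and makes wait_for_dns_change poll until the record is actually resolvable, since the CA validates by querying the record itself.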