
[deploy/vault.sh] "--deploy-hook vault" ignores the case when `VAULT_TOKEN` is invalid

Open atomlab opened this issue 2 years ago • 1 comments

Hello! deploy/vault.sh does not handle the case when VAULT_TOKEN is invalid.

What I am doing

  1. Upgrade acme.sh to the latest version
./acme.sh --home /opt/acme --upgrade
  2. Create cert
./acme.sh --issue --server letsencrypt --home /opt/acme --dns dns_cf -d 'test.mydomain.com'
  3. Deploy cert to vault. Success.
export VAULT_ADDR="http://127.0.0.1:8200"
export VAULT_TOKEN="XXXX"
export VAULT_PREFIX=acme

./acme.sh --deploy --ecc --home /opt/acme -d 'test.mydomain.com' --deploy-hook vault
[Wed 10 May 2023 12:11:51 PM UTC] Writing certificate to http://127.0.0.1:8200/v1/acme/test.mydomain.com/cert.pem
[Wed 10 May 2023 12:11:52 PM UTC] Writing key to http://127.0.0.1:8200/v1/acme/test.mydomain.com/cert.key
[Wed 10 May 2023 12:11:52 PM UTC] Writing CA certificate to http://127.0.0.1:8200/v1/acme/test.mydomain.com/ca.pem
[Wed 10 May 2023 12:11:52 PM UTC] Writing full-chain certificate to http://127.0.0.1:8200/v1/acme/test.mydomain.com/fullchain.pem
[Wed 10 May 2023 12:11:52 PM UTC] Success
  4. Check vault secrets
$ vault kv list acme/
No value found at acme
  5. Check vault-audit.log. The logs contain "permission denied" errors
"path":"acme/test.mydomain.com/cert.pem","data":{"value":"hmac-sha256:15897f59a70684c6532b661ef3e4ff6756e36094361916d086417e26da0bfa89"},"remote_address":"127.0.0.1","remote_port":49154},"response":{"mount_type":"kv","mount_accessor":"kv_4dedafc9","data":{"error":"hmac-sha256:9e69e97d53e54f7c6763a464c933d31e93283b21d59a836f60b52e1c0d408800"}},"error":"1 error occurred:\n\t* permission denied\n\n"}

"path":"acme/test.mydomain.com/cert.key","data":{"value":"hmac-sha256:d0bdd4b08f1f8144801ea39c0a74415df0e67dfa6d75732f81b7855e8a7a7c3e"},"remote_address":"127.0.0.1","remote_port":49164},"response":{"mount_type":"kv","mount_accessor":"kv_4dedafc9","data":{"error":"hmac-sha256:9e69e97d53e54f7c6763a464c933d31e93283b21d59a836f60b52e1c0d408800"}},"error":"1 error occurred:\n\t* permission denied\n\n"}

"path":"acme/test.mydomain.com/ca.pem","data":{"value":"hmac-sha256:bc17a4201859a682782f52a9c159fa357f7c917acea0d5aa08d8ff5194b2faa0"},"remote_address":"127.0.0.1","remote_port":49166},"response":{"mount_type":"kv","mount_accessor":"kv_4dedafc9","data":{"error":"hmac-sha256:9e69e97d53e54f7c6763a464c933d31e93283b21d59a836f60b52e1c0d408800"}},"error":"1 error occurred:\n\t* permission denied\n\n"}

What do I expect

Something like that.

./acme.sh --deploy --ecc --home /opt/acme -d 'test.mydomain.com' --deploy-hook vault
[ERROR] Writing certificate to http://127.0.0.1:8200/v1/acme/test.mydomain.com/cert.pem permission denied
[ERROR] Writing key to http://127.0.0.1:8200/v1/acme/test.mydomain.com/cert.key permission denied
[ERROR] Writing CA certificate to http://127.0.0.1:8200/v1/acme/test.mydomain.com/ca.pem permission denied
[ERROR] Writing full-chain certificate to http://127.0.0.1:8200/v1/acme/test.mydomain.com/fullchain.pem permission denied
Failed

Solution

Maybe the curl --fail option would help.

Without --fail option

curl -H "X-Vault-Token: ${VAULT_TOKEN}" \
  -H "Content-Type: application/json" \
  -X POST  -d '{"value":{"value":"bar"}}' \
  "${VAULT_ADDR}/v1/acme/test.mydomain.com" ; echo $?

Output: result and exit code 0.

{"errors":["1 error occurred:\n\t* permission denied\n\n"]}
0

With --fail option

curl --fail -H "X-Vault-Token: ${VAULT_TOKEN}" \
  -H "Content-Type: application/json" \
  -X POST  -d '{"value":{"value":"bar"}}' \
  "${VAULT_ADDR}/v1/acme/test.mydomain.com" ; echo $?

Output: result and non-zero exit code.

curl: (22) The requested URL returned error: 403
22

DEBUG

$ ./acme.sh --deploy --debug 2 --ecc --home /opt/acme -d 'test.mydomain.com' --deploy-hook vault
[Wed 10 May 2023 12:46:34 PM UTC] _is_idn_d='test.mydomain.com'
[Wed 10 May 2023 12:46:34 PM UTC] _idn_temp
[Wed 10 May 2023 12:46:34 PM UTC] Lets find script dir.
[Wed 10 May 2023 12:46:34 PM UTC] _SCRIPT_='./acme.sh'
[Wed 10 May 2023 12:46:34 PM UTC] _script='/opt/acme/acme.sh'
[Wed 10 May 2023 12:46:34 PM UTC] _script_home='/opt/acme'
[Wed 10 May 2023 12:46:34 PM UTC] Using config home:/opt/acme
[Wed 10 May 2023 12:46:34 PM UTC] LE_WORKING_DIR='/opt/acme'
https://github.com/acmesh-official/acme.sh
v3.0.6
[Wed 10 May 2023 12:46:34 PM UTC] Running cmd: deploy
[Wed 10 May 2023 12:46:34 PM UTC] Using config home:/opt/acme
[Wed 10 May 2023 12:46:34 PM UTC] default_acme_server
[Wed 10 May 2023 12:46:34 PM UTC] ACME_DIRECTORY='https://acme.zerossl.com/v2/DV90'
[Wed 10 May 2023 12:46:34 PM UTC] _ACME_SERVER_HOST='acme.zerossl.com'
[Wed 10 May 2023 12:46:34 PM UTC] _ACME_SERVER_PATH='v2/DV90'
[Wed 10 May 2023 12:46:34 PM UTC] DOMAIN_PATH='/opt/acme/test.mydomain.com_ecc'
[Wed 10 May 2023 12:46:34 PM UTC] DOMAIN_CONF='/opt/acme/test.mydomain.com_ecc/test.mydomain.com.conf'
[Wed 10 May 2023 12:46:34 PM UTC] _deployApi='/opt/acme/deploy/vault.sh'
[Wed 10 May 2023 12:46:34 PM UTC] _cdomain='test.mydomain.com'
[Wed 10 May 2023 12:46:34 PM UTC] _ckey='/opt/acme/test.mydomain.com_ecc/test.mydomain.com.key'
[Wed 10 May 2023 12:46:34 PM UTC] _ccert='/opt/acme/test.mydomain.com_ecc/test.mydomain.com.cer'
[Wed 10 May 2023 12:46:34 PM UTC] _cca='/opt/acme/test.mydomain.com_ecc/ca.cer'
[Wed 10 May 2023 12:46:34 PM UTC] _cfullchain='/opt/acme/test.mydomain.com_ecc/fullchain.cer'
[Wed 10 May 2023 12:46:34 PM UTC] Writing certificate to http://127.0.0.1:8200/v1/acme/test.mydomain.com/cert.pem
[Wed 10 May 2023 12:46:34 PM UTC] POST
[Wed 10 May 2023 12:46:34 PM UTC] _post_url='http://127.0.0.1:8200/v1/acme/test.mydomain.com/cert.pem'
[Wed 10 May 2023 12:46:34 PM UTC] body='{"value": "-----BEGIN CERTIFICATE-----\....\n-----END CERTIFICATE-----\n"}'
[Wed 10 May 2023 12:46:34 PM UTC] _postContentType
[Wed 10 May 2023 12:46:34 PM UTC] _CURL='curl --silent --dump-header /opt/acme/http.header  -L  --trace-ascii /tmp/tmp.xD6L8nvN80  -g '
[Wed 10 May 2023 12:46:34 PM UTC] _ret='0'
[Wed 10 May 2023 12:46:34 PM UTC] Writing key to http://127.0.0.1:8200/v1/acme/test.mydomain.com/cert.key
[Wed 10 May 2023 12:46:34 PM UTC] POST
[Wed 10 May 2023 12:46:34 PM UTC] _post_url='http://127.0.0.1:8200/v1/acme/test.mydomain.com/cert.key'
[Wed 10 May 2023 12:46:34 PM UTC] body='{"value": "-----BEGIN EC PRIVATE KEY-----\....\n-----END EC PRIVATE KEY-----\n"}'
[Wed 10 May 2023 12:46:34 PM UTC] _postContentType
[Wed 10 May 2023 12:46:34 PM UTC] Http already initialized.
[Wed 10 May 2023 12:46:34 PM UTC] _CURL='curl --silent --dump-header /opt/acme/http.header  -L  --trace-ascii /tmp/tmp.xD6L8nvN80  -g '
[Wed 10 May 2023 12:46:34 PM UTC] _ret='0'
[Wed 10 May 2023 12:46:34 PM UTC] Writing CA certificate to http://127.0.0.1:8200/v1/acme/test.mydomain.com/ca.pem
[Wed 10 May 2023 12:46:34 PM UTC] POST
[Wed 10 May 2023 12:46:34 PM UTC] _post_url='http://127.0.0.1:8200/v1/acme/test.mydomain.com/ca.pem'
[Wed 10 May 2023 12:46:34 PM UTC] body='{"value": "\n-----BEGIN CERTIFICATE-----\....\n-----END CERTIFICATE-----\n"}'
[Wed 10 May 2023 12:46:34 PM UTC] _postContentType
[Wed 10 May 2023 12:46:34 PM UTC] Http already initialized.
[Wed 10 May 2023 12:46:34 PM UTC] _CURL='curl --silent --dump-header /opt/acme/http.header  -L  --trace-ascii /tmp/tmp.xD6L8nvN80  -g '
[Wed 10 May 2023 12:46:34 PM UTC] _ret='0'
[Wed 10 May 2023 12:46:34 PM UTC] Writing full-chain certificate to http://127.0.0.1:8200/v1/acme/test.mydomain.com/fullchain.pem
[Wed 10 May 2023 12:46:34 PM UTC] POST
[Wed 10 May 2023 12:46:34 PM UTC] _post_url='http://127.0.0.1:8200/v1/acme/test.mydomain.com/fullchain.pem'
[Wed 10 May 2023 12:46:34 PM UTC] body='{"value": "-----BEGIN CERTIFICATE-----\...\n-----END CERTIFICATE-----\n"}'
[Wed 10 May 2023 12:46:34 PM UTC] _postContentType
[Wed 10 May 2023 12:46:34 PM UTC] Http already initialized.
[Wed 10 May 2023 12:46:34 PM UTC] _CURL='curl --silent --dump-header /opt/acme/http.header  -L  --trace-ascii /tmp/tmp.xD6L8nvN80  -g '
[Wed 10 May 2023 12:46:34 PM UTC] _ret='0'
[Wed 10 May 2023 12:46:34 PM UTC] GET
[Wed 10 May 2023 12:46:34 PM UTC] url='http://127.0.0.1:8200/v1/acme/test.mydomain.com/chain.pem'
[Wed 10 May 2023 12:46:34 PM UTC] timeout=
[Wed 10 May 2023 12:46:34 PM UTC] Http already initialized.
[Wed 10 May 2023 12:46:34 PM UTC] _CURL='curl --silent --dump-header /opt/acme/http.header  -L  --trace-ascii /tmp/tmp.xD6L8nvN80  -g '
[Wed 10 May 2023 12:46:34 PM UTC] ret='0'
[Wed 10 May 2023 12:46:34 PM UTC] Success

atomlab avatar May 10 '23 12:05 atomlab
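One way a deploy hook can detect the "permission denied" answer that the report shows acme.sh swallowing, as an added example that is not part of the issue or of acme.sh's own deploy/vault.sh: instead of `--fail` (which makes curl exit non-zero but discards Vault's error body), capture the HTTP status with `-w '%{http_code}'` and the body separately, then treat any non-2xx status or any `{"errors":[...]}` body as a failed write. It assumes a KV v1 mount at `acme/` written through `${VAULT_ADDR}/v1/...` as in the report, `VAULT_ADDR` and `VAULT_TOKEN` taken from the environment, and the function names `vault_response_ok` and `vault_write` are hypothetical.

```shell
#!/bin/sh
# Added example, not acme.sh's deploy/vault.sh. Assumes VAULT_ADDR and
# VAULT_TOKEN are exported and the KV mount is reachable under /v1/<path>.

# vault_response_ok HTTP_CODE BODY
# Returns 0 for a 2xx response whose body carries no "errors" array,
# 1 otherwise, and echoes Vault's error text to stderr so that a bad token
# surfaces as "permission denied" in the deploy output instead of "Success".
vault_response_ok() {
  _code="$1"
  _body="$2"
  case "$_code" in
    2[0-9][0-9]) ;;
    *)
      printf 'vault returned HTTP %s: %s\n' "$_code" "$_body" >&2
      return 1
      ;;
  esac
  # Vault reports failures as {"errors":[...]}; reject that even on a 2xx.
  case "$_body" in
    *'"errors"'*)
      printf 'vault returned an error body: %s\n' "$_body" >&2
      return 1
      ;;
  esac
  return 0
}

# vault_write PATH JSON_BODY
# POSTs JSON_BODY to ${VAULT_ADDR}/v1/PATH. The response body goes to a temp
# file and -w prints only the status code, so both can be checked.
vault_write() {
  _path="$1"
  _json="$2"
  _tmp=$(mktemp) || return 1
  _status=$(curl --silent --show-error \
    -H "X-Vault-Token: ${VAULT_TOKEN}" \
    -H "Content-Type: application/json" \
    -X POST -d "$_json" \
    -o "$_tmp" -w '%{http_code}' \
    "${VAULT_ADDR}/v1/${_path}") || { rm -f "$_tmp"; return 1; }
  _resp=$(cat "$_tmp")
  rm -f "$_tmp"
  vault_response_ok "$_status" "$_resp"
}

# Usage (hypothetical path, mirrors the report's layout):
#   vault_write "acme/test.mydomain.com/cert.pem" '{"value":"<pem>"}' || echo "Failed"
```

With an invalid token Vault answers 403 and the body `{"errors":["1 error occurred:\n\t* permission denied\n\n"]}`; `vault_response_ok` returns 1 for that, so the caller can print the error and exit non-zero rather than reporting success, and Vault's own message is still visible to the operator.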

Please upgrade to the latest code and try again first. Maybe it's already fixed. acme.sh --upgrade If it's still not working, please provide the log with --debug 2, otherwise, nobody can help you.

github-actions[bot] avatar May 10 '23 12:05 github-actions[bot]