
Different behaviour of deploy_hook from docker shell and from certbot process

Open bunnis opened this issue 2 years ago • 1 comments

Hi

I have tried for some time to debug this issue but I can't seem to figure out the problem. I have searched this repo's issues and found https://github.com/adferrand/dnsrobocert/issues/62. I already use DEPLOY_HOOK in my ENV, but my script still fails execution.

My issue is that I have created a script that automates the installation on a server. If I execute it within docker's shell (docker exec -it dnsrobocert /bin/sh OR docker exec -it dnsrobocert /bin/bash) it works well. However, the renewal process seems to have problems with it. For example, this is the failed log:

2022-03-10 23:32:01,391:INFO:certbot.compat.misc:Running deploy-hook command: /usr/local/bin/python3 -m dnsrobocert.core.hooks -t deploy -c "/tmp/tmp_9znxpiu/dnsrobocert-runtime.yml" -l "__REDACTED__"
2022-03-10 23:32:01,686:DEBUG:certbot._internal.display.obj:Notifying user: Hook 'deploy-hook' ran with output:
 uploading certificate cert.pem

 Uploading key privkey.pem

 updating certificate on NS for wildcard.__REDACTED__

 Done
2022-03-10 23:32:01,687:WARNING:certbot.display.ops:Hook 'deploy-hook' ran with error output:
 /home/root/deploy-hook.sh: 3: apk: not found
 /home/root/deploy-hook.sh: 4: apk: not found
 /home/root/deploy-hook.sh: 5: apk: not found
   % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                  Dload  Upload   Total   Spent    Left  Speed

   0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
   0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
 curl: (7) Failed to connect to 192.168.1.150 port 80: Connection refused
   % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                  Dload  Upload   Total   Spent    Left  Speed

   0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
   0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
 curl: (7) Failed to connect to 192.168.1.150 port 80: Connection refused
 /home/root/deploy-hook.sh: 29: ssh: not found
   % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                  Dload  Upload   Total   Spent    Left  Speed

   0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
   0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
 curl: (7) Failed to connect to 192.168.1.150 port 80: Connection refused
 /home/root/deploy-hook.sh: 36: ssh: not found
2022-03-10 23:32:01,687:DEBUG:certbot._internal.display.obj:Notifying user:
Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/__REDACTED__/fullchain.pem
Key is saved at:         /etc/letsencrypt/live/__REDACTED__/privkey.pem
This certificate expires on 2022-06-08.
These files will be updated when the certificate renews.

If I run the script directly from docker's shell:

# ./deploy-hook.sh
./deploy-hook.sh: 1: !/bin/bash: not found
Hit:1 http://security.debian.org/debian-security bullseye-security InRelease
Hit:2 http://deb.debian.org/debian bullseye InRelease
Hit:3 http://deb.debian.org/debian bullseye-updates InRelease
Get:4 https://download.docker.com/linux/debian bullseye InRelease [43.3 kB]
Fetched 43.3 kB in 0s (170 kB/s)
Reading package lists... Done
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
curl is already the newest version (7.74.0-1.3+deb11u1).
openssh-client is already the newest version (1:8.4p1-5).
0 upgraded, 0 newly installed, 0 to remove and 39 not upgraded.
whoami= root
whoami
root


uploading certificate cert.pem


Uploading key privkey.pem


adding NS pub key to known_hosts
# 192.168.1.150:22 SSH-2.0-OpenSSH_8.6
# 192.168.1.150:22 SSH-2.0-OpenSSH_8.6
# 192.168.1.150:22 SSH-2.0-OpenSSH_8.6
# 192.168.1.150:22 SSH-2.0-OpenSSH_8.6
# 192.168.1.150:22 SSH-2.0-OpenSSH_8.6


convert key to rsa
###############################################################################
#                                                                             #
#        WARNING: Access to this system is for authorized users only          #
#         Disconnect IMMEDIATELY if you are not an authorized user!           #
#                                                                             #
###############################################################################

 Done
writing RSA key
 Done


updating certificate on NS for wildcard.__REDACTED__
{ "errorcode": 0, "message": "Done", "severity": "NONE" }

saving config
###############################################################################
#                                                                             #
#        WARNING: Access to this system is for authorized users only          #
#         Disconnect IMMEDIATELY if you are not an authorized user!           #
#                                                                             #
###############################################################################

 Done
 Done


Finished upload process
#

You can clearly see the errors in the log files and the success when run from the shell. I have even tried adding the "whoami" command to see who is running this. I have also tried checking both the dnsrobocert and certbot docs, but I can't figure out what is happening; maybe you can give me some pointers?

For reference, my script is below, redacted:

root@devops:/etc/letsencrypt# cat deploy-hook.sh
#!/bin/sh
# make sure curl and ssh are installed (the image is Debian-based, so the apk lines below do not apply there)
#apk update -y
#apk --no-cache add curl
#apk add --update coreutils
#apk add openssh
apt-get update -y
apt-get install curl openssh-client -y
echo "whoami= $(whoami)"
echo "whoami"
whoami
#
NS_RSA_KEY_FINGERPRINT=__REDACTED__
NSIP=__REDACTED__
NSUSER="certuser"
NSPASS="certuser"
NSCERTNAME=__REDACTED__
LOCALCERTFILE=cert.pem
LOCALCERTKEY=privkey.pem
LETSENCRYPTCERTPATH=/etc/letsencrypt/live/__REDACTED__/
# cert.pem and privkey.pem in live/ are symlinks; use the versioned target file names on the NS
NSCERTFILENAME=$(basename "$(readlink "${LETSENCRYPTCERTPATH}cert.pem")")
NSKEYFILENAME=$(basename "$(readlink "${LETSENCRYPTCERTPATH}privkey.pem")")
NSPATH="/nsconfig/ssl/"


cd "$LETSENCRYPTCERTPATH" || exit 1
# upload certificate (printf instead of echo "\n" so the blank lines come out the same under dash and bash)
printf '\n\nuploading certificate %s\n' "${LOCALCERTFILE}"
curl -X POST -H "X-NITRO-USER:${NSUSER}" -H "X-NITRO-PASS:${NSPASS}" -H "Content-Type:application/json" -d '{"systemfile":{"filename":"'"${NSCERTFILENAME}"'","filelocation":"'"${NSPATH}"'","filecontent":"'"$(base64 -w 0 "${LOCALCERTFILE}")"'","fileencoding":"BASE64"}}' --insecure "https://${NSIP}/nitro/v1/config/systemfile?override=yes"

# upload key
printf '\n\nUploading key %s\n' "${LOCALCERTKEY}"
curl -X POST -H "X-NITRO-USER:${NSUSER}" -H "X-NITRO-PASS:${NSPASS}" -H "Content-Type:application/json" -d '{"systemfile":{"filename":"'"${NSKEYFILENAME}"'","filelocation":"'"${NSPATH}"'","filecontent":"'"$(base64 -w 0 "${LOCALCERTKEY}")"'","fileencoding":"BASE64"}}' --insecure "https://${NSIP}/nitro/v1/config/systemfile?override=yes"

# add pub key to known_hosts for no prompts during auth (replaces -o StrictHostKeyChecking="no")
printf '\n\nadding NS pub key to known_hosts\n'
mkdir -p /root/.ssh/
ssh-keyscan -H "${NSIP}" > /root/.ssh/known_hosts
# convert key to RSA - assumes ssh pubkey auth
printf '\n\nconvert key to rsa\n'
ssh -i /home/root/.ssh/id_rsa "${NSUSER}@${NSIP}" shell openssl rsa -in "${NSPATH}${NSKEYFILENAME}" -out "${NSPATH}${NSKEYFILENAME}"

# update certificate for NSCERTNAME
printf '\n\nupdating certificate on NS for %s\n' "${NSCERTNAME}"
curl --insecure "https://${NSIP}/nitro/v1/config/sslcertkey" -X POST -H "X-NITRO-USER:${NSUSER}" -H "X-NITRO-PASS:${NSPASS}" -H "Content-Type:application/x-www-form-urlencoded" --data 'object={"params":{"action":"update"},"sslcertkey":{"certkey":"'"${NSCERTNAME}"'","cert":"'"${NSCERTFILENAME}"'","key":"'"${NSKEYFILENAME}"'","nodomaincheck":true}}'

# save the running config on the NS (savec)
printf '\n\nsaving config\n'
ssh -i /home/root/.ssh/id_rsa "${NSUSER}@${NSIP}" savec


printf '\n\nFinished upload process\n'

bunnis avatar Apr 20 '22 22:04 bunnis
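The renewal log above shows the hook printing "Done" while its error stream reports `apk: not found`, `ssh: not found` and refused curl connections, because every failed command's exit status is ignored and the hook keeps going. The following is an added example, not the issue author's script and not part of dnsrobocert or certbot: a POSIX `sh` preflight for a deploy hook that records the execution context the hook actually runs in (interpreter, user, HOME, PATH, working directory), verifies that every required tool resolves on PATH with `command -v`, and checks the lineage files before any upload, exiting non-zero otherwise so that certbot reports a hook failure instead of a misleading success. It assumes certbot's `RENEWED_LINEAGE` variable is visible to the hook (certbot exports it to deploy hooks; whether dnsrobocert forwards it unchanged to a configured `deploy_hook` is an assumption here), falls back to a placeholder path when it is not, and the upload steps themselves are left as a comment.

```shell
#!/bin/sh
# Added example (not from the issue or from dnsrobocert): preflight checks for a
# certbot/dnsrobocert deploy hook. Works under dash (Debian /bin/sh) and bash.
set -u

# Print the facts that most often differ between an interactive `docker exec`
# shell and the certbot-spawned hook process. Run from both and diff the lines.
log_context() {
    printf 'hook context: sh=%s user=%s home=%s cwd=%s\n' \
        "$0" "$(id -un)" "${HOME:-unset}" "$(pwd)"
    printf 'hook PATH=%s\n' "${PATH:-unset}"
}

# Return 0 when every command named in "$@" resolves on PATH; otherwise report
# each missing one on stderr and return 1. command -v is POSIX, unlike `which`.
require_cmds() {
    missing=0
    for cmd in "$@"; do
        if ! command -v "$cmd" >/dev/null 2>&1; then
            printf 'deploy-hook: required command not found on PATH: %s\n' "$cmd" >&2
            missing=1
        fi
    done
    return "$missing"
}

# Resolve the lineage directory: RENEWED_LINEAGE when certbot provides it
# (assumption: it reaches this hook), else the caller's fallback, else a
# placeholder that must be replaced with the real /etc/letsencrypt/live/<domain>.
lineage_dir() {
    printf '%s\n' "${RENEWED_LINEAGE:-${1:-/etc/letsencrypt/live/PLACEHOLDER_DOMAIN}}"
}

# Every file the upload needs must exist and be readable before anything is sent.
check_lineage() {
    dir=$1
    for f in cert.pem privkey.pem fullchain.pem; do
        [ -r "$dir/$f" ] || {
            printf 'deploy-hook: missing or unreadable %s/%s\n' "$dir" "$f" >&2
            return 1
        }
    done
}

main() {
    log_context
    # Tools the upload steps depend on; a missing one aborts with a distinct code.
    require_cmds curl ssh ssh-keyscan base64 readlink || exit 2
    dir=$(lineage_dir "${1:-}")
    check_lineage "$dir" || exit 3
    # ... the NITRO upload / ssh steps would follow here, using "$dir/cert.pem"
    #     and "$dir/privkey.pem"; each one should be followed by `|| exit N`.
    printf 'deploy-hook: preflight ok for %s\n' "$dir"
}

# Run main only when invoked as deploy-hook.sh, so the functions can also be
# sourced by a test harness without executing the checks.
case "${0##*/}" in
    deploy-hook.sh) main ${1+"$@"} ;;
esac
```

Comparing the two `hook context:` lines (one from `docker exec ... /bin/sh`, one from the renewal log) shows directly which of PATH, HOME, the interpreter or the working directory differs between the two runs, which is the question the issue raises; and because the hook now exits 2 or 3 on a missing tool or file, certbot logs the hook as failed rather than printing "ran with output: Done" next to a list of errors.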

anyone?

bunnis avatar Jun 24 '22 09:06 bunnis