
ACME/Autocert setup is greedy/clunky when using split mode

Open calderonth opened this issue 1 year ago • 2 comments

What happened?

When using the split-service model, individual components should only request certificates when required. Instead, each instance (authenticate and proxy, for example) will attempt to retrieve certificates for each other's domains when using ACME, and this creates severe lag in daemon start-up.

What did you expect to happen?

Each component should only request certificates for the scope it works under (i.e. authenticate for the FQDN associated with the authenticate_service_url and not the potentially configured routes).

It is unclear how Autocert should be working at all in split mode, and it is made worse in my setup as it's impossible to disable the TLS-ALPN-01 config (which doesn't seem to work).

How'd it happen?

  1. Configure Pomerium in split mode with ACME
  2. Observe individual instances attempting to retrieve each other's certificates (which lag, then fail)

What's your environment like?

  • Pomerium version (retrieve with pomerium --version): 0.22
  • Server Operating System/Architecture/Cloud: running in K8s with LoadBalancer setup and subdomain used

What's your config.yaml?

# Paste your configs here
# Be sure to scrub any sensitive values

What did you see in the logs?

The example below is from the authenticate service, which should not request a certificate for the verify route as it is pointing at a different endpoint through the proxy service.

```json
{"level":"info","time":"2023-05-24T17:22:06Z","msg":"waiting on internal rate limiter","service":"autocert","identifiers":["verify.XXXX.com"],"ca":"https://smallstep-XXXX.com/acme/acme/directory","account":""}
{"level":"info","time":"2023-05-24T17:22:06Z","msg":"done waiting on internal rate limiter","service":"autocert","identifiers":["verify.XXXX.com"],"ca":"https://smallstep-XXXX.com/acme/acme/directory","account":""}
{"level":"info","time":"2023-05-24T17:22:06Z","logger":"acme_client","msg":"trying to solve challenge","service":"autocert","identifier":"verify.XXXX.com","challenge_type":"http-01","ca":"https://smallstep-XXXX.com/acme/acme/directory"}
```


calderonth avatar May 24 '23 17:05 calderonth
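To make the expected scoping concrete, here is an added example (not Pomerium's own code, and not part of the issue): a small Python checker that derives, from a constructed split-mode config, which hostnames each service should request, then scans constructed autocert log lines in the format quoted above and reports any identifier a service requested outside its scope. The hostnames, backends and CA URL are placeholders, and the rule that authorize and databroker need no public identifier is an assumption made for this example only.

```python
import json
from urllib.parse import urlsplit

# Constructed split-mode configuration (a dict standing in for config.yaml).
# Hostnames and backends are placeholders, not taken from the issue.
CONFIG = {
    "authenticate_service_url": "https://authenticate.example.com",
    "routes": [
        {"from": "https://verify.example.com", "to": "http://verify.default.svc:8000"},
        {"from": "https://app.example.com", "to": "http://app.default.svc:8080"},
    ],
}


def expected_identifiers(config, service):
    """Public hostnames a split-mode service needs a certificate for.

    authenticate: only the host of authenticate_service_url;
    proxy: the hosts of the configured routes;
    anything else (authorize, databroker): no public identifiers. That last
    rule is an assumption for this example, since those services sit behind
    the proxy and are not reached on a public route hostname.
    """
    auth_host = urlsplit(config["authenticate_service_url"]).hostname
    route_hosts = {urlsplit(r["from"]).hostname for r in config.get("routes", [])}
    if service == "authenticate":
        return {auth_host}
    if service == "proxy":
        return route_hosts
    return set()


def acme_identifiers(log_lines):
    """Collect every identifier the autocert component tried to obtain."""
    seen = set()
    for line in log_lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip non-JSON lines rather than abort the scan
        if rec.get("service") != "autocert":
            continue
        # "waiting on internal rate limiter" carries a list of identifiers,
        # "trying to solve challenge" carries a single one; accept either shape.
        seen.update(rec.get("identifiers") or [])
        if "identifier" in rec:
            seen.add(rec["identifier"])
    return seen


def out_of_scope_requests(config, service, log_lines):
    """Identifiers the named service requested but should not be serving."""
    return sorted(acme_identifiers(log_lines) - expected_identifiers(config, service))


# Constructed log lines modelled on the autocert messages quoted in the issue.
AUTHENTICATE_LOGS = [
    '{"level":"info","time":"2023-05-24T17:22:06Z","msg":"waiting on internal rate limiter",'
    '"service":"autocert","identifiers":["verify.example.com"],'
    '"ca":"https://ca.example.com/acme/acme/directory","account":""}',
    '{"level":"info","time":"2023-05-24T17:22:06Z","logger":"acme_client","msg":"trying to solve challenge",'
    '"service":"autocert","identifier":"verify.example.com","challenge_type":"http-01",'
    '"ca":"https://ca.example.com/acme/acme/directory"}',
    '{"level":"info","time":"2023-05-24T17:22:07Z","msg":"waiting on internal rate limiter",'
    '"service":"autocert","identifiers":["authenticate.example.com"],'
    '"ca":"https://ca.example.com/acme/acme/directory","account":""}',
    "not json at all",
]

if __name__ == "__main__":
    for svc in ("authenticate", "proxy"):
        print(svc, "should hold:", sorted(expected_identifiers(CONFIG, svc)))
    # The authenticate service reached for verify.example.com, a proxy route.
    print("authenticate out of scope:",
          out_of_scope_requests(CONFIG, "authenticate", AUTHENTICATE_LOGS))
    # -> ['verify.example.com']
```

Run it against a real authenticate pod's log (one JSON object per line) and the config that pod was given; a non-empty result is exactly the symptom reported above, an ACME order being placed for a hostname the proxy, not the authenticate service, answers for.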

In split service mode, the authenticate service should only grab certificates for its own domain.

desimone avatar May 31 '23 16:05 desimone

I see you are running in Kubernetes. We have a recommended way of deploying to K8S, https://www.pomerium.com/docs/deploy/k8s/install, and it integrates with cert-manager, which is the preferred way to acquire certs in Kubernetes environments, where autocert is not really the best fit.

wasaga avatar Jun 15 '23 17:06 wasaga