vault-acme
Failed to create a new order
I'm running into trouble trying to get this working with Vault 1.8.2. I have configured things as shown in the documentation, and I am getting the following error:
Error writing data to acme/certs/staging: Error making API request.
URL: PUT https://vault.example.comv1/acme/certs/staging
Code: 400. Errors:
* Failed to validate certificate signing request: acme: error: 500 :: POST :: https://acme-staging-v02.api.letsencrypt.org/acme/new-order :: urn:ietf:params:acme:error:serverInternal :: Error creating new order, url:
I think this is potentially an error with my config, but I'm not really sure. Any advice is greatly appreciated.
Hi @the-maldridge, could you give more information about the request you are making to Vault and what ACME provider you are using?
Sure, I am using the DigitalOcean provider, and I am trying to issue a certificate for common_name=www.voidlinux.org from the staging LE instance. I can provide exact commands if that would be helpful as well.
@remilapeyre just checking in to see if there is more information I can provide. I so far haven't been able to make any headway here, but debugging Vault plugins certainly isn't my specialty.
Indeed, could you please provide the command that you have been using?
Sure, though I must warn you that I just tried this again and with no further changing of things it worked. I wonder if there's some propagation delay that I'm racing here.
Command: $ vault write acme/certs/staging common_name=voidlinux.org
$ vault read acme/roles/staging
Key Value
--- -----
account staging
allow_bare_domains true
allow_subdomains true
allowed_domains [voidlinux.org]
cache_for_ratio 70
disable_cache false
If you are using the DNS validation method it is very possible that there is some time needed for the DNS to update. I'm glad it is now working; if the issue happens again, try to save the commands you are using and the error messages that you got, as they may need to be improved.
Will do. I'm about to configure a production role and try to issue certs against that. The failure message came near instantly previously, so I don't think it was a DNS propagation issue. I will keep an eye on it though and see what happens.
So it partially works, but man vault really resists attempts to debug it.
Account:
Key Value
--- -----
contact [email protected]
enable_http_01 false
enable_tls_alpn_01 false
ignore_dns_propagation false
key_type EC256
provider digitalocean
provider_configuration map[DO_AUTH_TOKEN:<redacted>]
registration_uri https://acme-v02.api.letsencrypt.org/acme/acct/<redacted>
server_url https://acme-v02.api.letsencrypt.org/directory
terms_of_service_agreed true
Role
Key Value
--- -----
account voidlinux
allow_bare_domains true
allow_subdomains true
allowed_domains [voidlinux.org]
cache_for_ratio 70
disable_cache false
Attempt:
$ vault write acme/certs/voidlinux.org common_name='*.voidlinux.org' alternative_names='*.s.voidlinux.org'
Error writing data to acme/certs/voidlinux.org: context deadline exceeded
The only thing I can think of is that s.voidlinux.org needs to be added to the role's allowed_domains attribute. I don't know if this is failing because of something internal to the plugin or because I'm now waiting for the subdomain to validate, but trying to get a cert for the subdomain reliably fails.
I added s.voidlinux.org to the allowed_domains list and it still doesn't work, failing with the same context deadline exceeded. I can only assume that having multiple domains in a role and/or using multi-level subdomains doesn't really work.
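Added example, not code from vault-acme or from either participant above: a small model of how a role carrying allowed_domains, allow_subdomains and allow_bare_domains decides whether each requested name is permitted, applied to the names used in this thread (voidlinux.org, www.voidlinux.org, *.voidlinux.org, *.s.voidlinux.org). It assumes the suffix-matching semantics Vault's built-in PKI engine uses for those three parameters; whether vault-acme applies exactly the same rule is not established by the thread, so treat the results as a hypothesis to check against the plugin, not as its documented behaviour. The Role class, name_allowed and check_request are names chosen here for illustration.

```python
# Added example (not vault-acme's own code): model of a role's domain policy.
# ASSUMPTION: the role parameters follow the suffix-matching rules of Vault's
# built-in PKI engine. The dot boundary matters: "evil-voidlinux.org" must not
# satisfy allowed_domains=[voidlinux.org].
from __future__ import annotations

from dataclasses import dataclass


@dataclass
class Role:
    allowed_domains: list[str]
    allow_bare_domains: bool = False
    allow_subdomains: bool = False
    allow_wildcards: bool = True  # assumed default: "*." accepted only as the leftmost label


def _normalize(name: str) -> str:
    return name.strip().lower().rstrip(".")


def name_allowed(name: str, role: Role) -> tuple[bool, str]:
    """Return (allowed, reason) for one common_name or alternative_names entry."""
    name = _normalize(name)
    if not name:
        return False, "empty name"
    is_wildcard = name.startswith("*.")
    # A wildcard is only meaningful as the entire leftmost label ("*.example.org").
    if "*" in name and (not is_wildcard or "*" in name[2:]):
        return False, "wildcard must be the leftmost label and appear once"
    if is_wildcard and not role.allow_wildcards:
        return False, "wildcard certificates disabled on this role"
    base = name[2:] if is_wildcard else name
    reasons: list[str] = []
    for domain in role.allowed_domains:
        domain = _normalize(domain)
        if base == domain:
            # "*.example.org" names hosts under the domain, so it is a subdomain grant;
            # "example.org" itself is the bare domain.
            if is_wildcard:
                if role.allow_subdomains:
                    return True, f"wildcard under allowed domain {domain}"
                reasons.append(f"wildcard under {domain} needs allow_subdomains")
                continue
            if role.allow_bare_domains:
                return True, f"bare allowed domain {domain}"
            reasons.append(f"bare domain {domain} needs allow_bare_domains")
            continue
        # Any depth of labels below the domain counts as a subdomain ("a.b.example.org").
        if base.endswith("." + domain):
            if role.allow_subdomains:
                return True, f"subdomain of {domain}"
            reasons.append(f"subdomain of {domain} needs allow_subdomains")
    return False, "; ".join(reasons) or "no allowed_domains entry matches"


def check_request(common_name: str, alternative_names: str, role: Role) -> dict[str, tuple[bool, str]]:
    """Evaluate every name of a `vault write acme/certs/<role> ...` style request.

    alternative_names is the comma-separated string form the CLI accepts.
    """
    names = [common_name] + [n for n in alternative_names.split(",") if n.strip()]
    return {n: name_allowed(n, role) for n in names}


def request_allowed(common_name: str, alternative_names: str, role: Role) -> bool:
    """True only if every requested name passes the role policy."""
    return all(ok for ok, _ in check_request(common_name, alternative_names, role).values())


# The role shown in the thread: allowed_domains [voidlinux.org], both allow_* flags true.
VOIDLINUX_ROLE = Role(["voidlinux.org"], allow_bare_domains=True, allow_subdomains=True)

if __name__ == "__main__":
    for cn, sans in [
        ("voidlinux.org", ""),
        ("www.voidlinux.org", ""),
        ("*.voidlinux.org", "*.s.voidlinux.org"),  # the request that hit the deadline above
        ("evil-voidlinux.org", ""),
        ("voidlinux.org.example.net", ""),
    ]:
        for name, (ok, why) in check_request(cn, sans, VOIDLINUX_ROLE).items():
            print(f"{'ALLOW' if ok else 'DENY ':5} {name:28} {why}")
```

Under these assumed semantics, *.s.voidlinux.org is already covered by allowed_domains=[voidlinux.org] with allow_subdomains=true, so a policy rejection would be expected to surface as an immediate 400-style error rather than a timeout; a "context deadline exceeded" is more consistent with the plugin waiting on something (such as the DNS-01 record becoming visible) than with the role refusing the name. Run the script to see each name's verdict and reason.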
Hi @the-maldridge, can you please set the parameter ignore_dns_propagation on your account? It should return a better error message, then I will make the appropriate fixes based on the results.