paikuhan
Posted: Fri 16 Jun '23 13:36 Post subject: mod_md DNS challenge with binary executable
Hello world!
I'm trying to use Apache mod_md to get certificates for my sites using the DNS challenge because I want to use the wildcard on my domains (I know how to do it with HTTP challenge and it works fine).
So I wrote my own "acme-setup-dns" program in C (full source code can be found here: https://apaste.info/kNu4)
I tried it as a stand alone program and it does the job:
acme-setup-dns.exe setup mydomain.com challenge-data creates a TXT record with the name _acme-challenge and the value challenge-data for the domain mydomain.com
acme-setup-dns.exe teardown mydomain.com deletes the previously generated TXT record
I then wrote the Apache configuration file for one of my domain names to try it out (a stripped-down version with the bare minimum can be found here: https://apaste.info/D5I8)
Note that I'm forcing it to only use dns-01 challenge by using MDCAChallenges dns-01.
When I run the script I get the following error log in my Apache ErrorLog file for the domain
Quote:
[Fri Jun 16 18:06:19.417390 2023] [ssl:info] [pid 25100:tid 352] AH01914: Configuring server subdomain.example.com:443 for SSL protocol
[Fri Jun 16 18:06:19.820970 2023] [ssl:warn] [pid 25100:tid 352] AH10085: Init: subdomain.example.com:443 will respond with '503 Service Unavailable' for now. There are no SSL certificates configured and no other module contributed any.
[Fri Jun 16 18:06:19.823967 2023] [ssl:info] [pid 25100:tid 352] AH02568: Certificate and private key subdomain.example.com:443:0 configured from Y:/Jobs/Programs/WWW/system/mod_md/domains/example.com/fallback-pubcert.pem and Y:/Jobs/Programs/WWW/system/mod_md/domains/example.com/fallback-privkey.pem
Usually, with http-01 challenge, '503 Service Unavailable' is perfectly normal the first time I run Apache with no certificate using mod_md. But there is that new third line I don't recall seeing when I did HTTP challenge. As I do with the HTTP challenge, I added the following lines to my vhost:
Code:
SSLCertificateFile "${WWWROOT}/system/mod_md/domains/example.com/fallback-pubcert.pem"
SSLCertificateKeyFile "${WWWROOT}/system/mod_md/domains/example.com/fallback-privkey.pem"
but this time, unlike when I use the HTTP challenge, the fallback certificate and key did not get replaced by the final certificate and key.
I checked the job.json file in the staging directory and I get the following message among other things:
Quote:
{
"status": 720002,
"problem": "challenge-setup-failure",
"detail": "None of the offered challenge types example.com offered for domain dns-01 could be setup successfully. Please check the log for errors.",
"activity": "Setting up challenge 'dns-01' for domain example.com"
}
Also, md.json in the staging directory yields the following info among others:
Quote:
"state-descr": "certificate(rsa) is missing"
I don't know if it yields the same thing when using the HTTP challenge since I never checked md.json thoroughly in the past.
Thanks in advance for the help!
EDIT:
I'm running Apache
Quote:
Server version: Apache/2.4.54 (Win64)
Apache Lounge VS17 Server built: Nov 10 2022 11:16:17
on Windows 11. PHP and MySQL versions don't matter in this case.
Jan-E
Posted: Sat 17 Jun '23 13:36
This is a little above my head, but given that the standalone challenge works did you contact Stefan Eissing?
After all, he wrote mod_md, including the description of how to use MDChallengeDns01:
https://github.com/icing/mod_md#mdchallengedns01
See a similar issue on github:
https://github.com/icing/mod_md/issues/289
Maybe it is enough to draw his attention to this topic. Once in a while he is also seen on Apachelounge.
BTW: I had to remove the SSLCertificateFile and SSLCertificateKeyFile statements to get it working with HTTP challenge on Windows. Did you try that?
paikuhan
Posted: Sun 18 Jun '23 13:37
Jan-E wrote: This is a little above my head, but given that the standalone challenge works did you contact Stefan Eissing?
Thanks for the reply. After I saw your reply I contacted Stefan Eissing.
The description on how to use it seems to be the same as on Apache HTTPD's official website (that's how I knew how to write my acme-setup-dns).
I checked the opened (now closed) issue 289 and Icing says the requirements are:
it should be executable code
it should return 0 on success
Jan-E wrote:
BTW: I had to remove the SSLCertificateFile and SSLCertificateKeyFile statements to get it working with HTTP challenge on Windows. Did you try that?
If you look at my linked Apache config I didn't use SSLCertificateFile and SSLCertificateKeyFile for the DNS challenge. But since you're asking about the HTTP challenge on Windows, let me tell you it's working fine for me. I have to not use SSLCertificateFile and SSLCertificateKeyFile. Then, once the cert and key are generated, I have to add them using SSLCertificateFile and SSLCertificateKeyFile.
Jan-E
Posted: Sun 18 Jun '23 15:26
paikuhan wrote: If you look at my linked Apache config I didn't use SSLCertificateFile and SSLCertificateKeyFile for the DNS challenge. But since you're asking about the HTTP challenge on Windows, let me tell you it's working fine for me. I have to not use SSLCertificateFile and SSLCertificateKeyFile. Then, once the cert and key are generated, I have to add them using SSLCertificateFile and SSLCertificateKeyFile.
My point is you do not ever have to add SSLCertificateFile and SSLCertificateKeyFile statements. mod_md takes care of that automatically. I guess that those statements might even prohibit certificate renewal because then they are used both by the Apache config and by mod_md (internally).
paikuhan
Posted: Sun 18 Jun '23 16:19
Jan-E wrote:
My point is you do not ever have to add SSLCertificateFile and SSLCertificateKeyFile statements. mod_md takes care of that automatically.
OK. I see what you mean. Thanks for the insight! I will try that when the auto-renewal period is nearing (August according to the .json).
Jan-E
Posted: Sun 18 Jun '23 17:33
paikuhan wrote:
Jan-E wrote: My point is you do not ever have to add SSLCertificateFile and SSLCertificateKeyFile statements. mod_md takes care of that automatically.
OK. I see what you mean. Thanks for the insight! I will try that when the auto-renewal period is nearing (August according to the .json).
Remove the SSLCertificateFile and SSLCertificateKeyFile statements from your Apache config, move the generated cert/key and both jsons away from md\domains\yourdomain, but do not delete the directory md\domains\yourdomain.
Restart Apache. It should create new fallback certs in md\domains\yourdomain and start new challenges in md\staging.
Wait until the challenges have finished and restart Apache once again. The generated certs will be moved to md\domains\yourdomain.
That is how it works with HTTP challenges. Just tested it for 3 domains.
If your setup is correct the same should work for MDChallengeDns01. If it fails you can always put back the cert/key and jsons that you moved away.
paikuhan
Posted: Sun 18 Jun '23 18:33
Jan-E wrote:
Remove the SSLCertificateFile and SSLCertificateKeyFile statements from your Apache config, move the generated cert/key and both jsons away from md\domains\yourdomain, but do not delete the directory md\domains\yourdomain.
Restart Apache. It should create new fallback certs in md\domains\yourdomain and start new challenges in md\staging.
Wait until the challenges have finished and restart Apache once again. The generated certs will be moved to md\domains\yourdomain.
That is how it works with HTTP challenges. Just tested it for 3 domains.
If your setup is correct the same should work for MDChallengeDns01. If it fails you can always put back the cert/key and jsons that you moved away.
I personally don't move the certs & keys. When I run Apache with no cert/key, mod_md creates both fallback cert/key in the directory you mentioned. At that point I haven't used the SSLCertificateFile and SSLCertificateKeyFile statements (because httpd wouldn't run otherwise). But like an idiot I add the SSLCertificateFile and SSLCertificateKeyFile statements with the fallback as values. When I run httpd again those files are archived and replaced by the public and private cert/key. Then, again like an idiot, I change the values of both statements with the new files.
I'm sure if I remove the statements everything will keep working seamlessly. Nothing is moved.
EDIT:
Since you are insisting, I removed the statements (nothing else was changed). And I can confirm it is working fine like you said it would.
Jan-E
Posted: Sun 18 Jun '23 18:47
paikuhan wrote: I personally don't move the certs & keys. When I run Apache with no cert/key, mod_md creates both fallback cert/key in the directory you mentioned. At that point I haven't used the SSLCertificateFile and SSLCertificateKeyFile statements (because httpd wouldn't run otherwise). But like an idiot I add the SSLCertificateFile and SSLCertificateKeyFile statements with the fallback as values. When I run httpd again those files are archived and replaced by the public and private cert/key. Then, again like an idiot, I change the values of both statements with the new files.
I'm sure if I remove the statements everything will keep working seamlessly. Nothing is moved.
If you do not add the SSLCertificateFile and SSLCertificateKeyFile statements (never), mod_md will move the generated certs in the md/staging directory to md/domains at a restart of Apache. That is how it should work. So restart Apache after the certs have been generated in md/staging. Do not add those SSLCertificateFile and SSLCertificateKeyFile statements ever.
paikuhan
Posted: Sun 18 Jun '23 19:05
Jan-E wrote: Do not add those SSLCertificateFile and SSLCertificateKeyFile statements ever.
Duly noted.
paikuhan
Posted: Mon 19 Jun '23 16:34
Hello world!
Mr Stefan Eissing gave me insight to fix the issue. My C code has no issue per se. The issue arises when another program executes my acme-setup-dns. When that happens, my program is looking for the config.cfg file (the file containing the API key and secret for the API of my DNS) in a path different from the root path of acme-setup-dns. It could be that it is looking for config.cfg in the root path of the caller program (i.e. Apache httpd) since the caller is the one executing my program.
I just had to make it so that acme-setup-dns looks for the config.cfg file in its own root path (another possibility is to use an absolute path if you know where acme-setup-dns will always be).
Thank you Jan-E! Thank you Stefan Eissing (if you happen to see this thread) and a big thank you to the Apache Lounge community!
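The two points the thread settles, the argument contract mod_md's MDChallengeDns01 hook must honour (setup <domain> <challenge-data> / teardown <domain>, exit 0 on success) and the config.cfg lookup that broke when httpd was the caller, as an added C skeleton that is not the poster's acme-setup-dns nor mod_md code. Function names, CONFIG_NAME and the exit codes are assumptions; the DNS provider API call is left as a comment since it is provider-specific.

```c
/* Added example skeleton for an MDChallengeDns01 hook (not the poster's program).
 * Invocation by mod_md:  hook setup <domain> <challenge-data>   or   hook teardown <domain>
 * Exit status 0 tells mod_md the step succeeded; anything else is a failure. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CONFIG_NAME "config.cfg"   /* assumed name of the file holding the DNS API key/secret */

/* Build "<directory of the executable>/config.cfg" from argv[0], so the lookup no
 * longer depends on the caller's (httpd's) working directory, the bug in the thread.
 * Returns 0 on success, -1 if the output buffer is too small. Handles '/' and '\'. */
int config_path_from_exe(const char *exe, char *out, size_t outlen) {
    const char *slash = strrchr(exe, '/');
    const char *bslash = strrchr(exe, '\\');          /* Windows separator */
    if (bslash && (!slash || bslash > slash)) slash = bslash;
    size_t dirlen = slash ? (size_t)(slash - exe + 1) : 0;   /* 0 => bare name, use "config.cfg" */
    if (dirlen + strlen(CONFIG_NAME) + 1 > outlen) return -1;
    memcpy(out, exe, dirlen);
    strcpy(out + dirlen, CONFIG_NAME);
    return 0;
}

/* Validate the hook arguments and derive the TXT record name "_acme-challenge.<domain>".
 * Returns 1 for setup, 2 for teardown, 0 for a usage error (wrong verb or arity). */
int parse_hook_args(int argc, char **argv, char *record, size_t reclen) {
    if (argc < 3) return 0;
    if (snprintf(record, reclen, "_acme-challenge.%s", argv[2]) >= (int)reclen) return 0;
    if (strcmp(argv[1], "setup") == 0 && argc == 4 && argv[3][0] != '\0') return 1;
    if (strcmp(argv[1], "teardown") == 0 && argc == 3) return 2;
    return 0;
}

int main(int argc, char **argv) {
    char cfg[512], record[300];
    int mode = parse_hook_args(argc, argv, record, sizeof record);
    if (mode == 0) { fprintf(stderr, "usage: %s setup|teardown <domain> [challenge-data]\n", argv[0]); return 2; }
    if (config_path_from_exe(argv[0], cfg, sizeof cfg) != 0) return 3;
    FILE *f = fopen(cfg, "r");   /* fail loudly instead of silently falling back to the cwd */
    if (!f) { fprintf(stderr, "cannot open %s\n", cfg); return 4; }
    fclose(f);
    /* ... read key/secret from cfg and call the DNS provider's API for the record here ... */
    if (mode == 1) printf("create TXT %s = %s\n", record, argv[3]);
    else           printf("delete TXT %s\n", record);
    return 0;   /* mod_md treats 0 as success */
}
```

argv[0] is only as good as what the caller passed, so for production use GetModuleFileName on Windows or readlink("/proc/self/exe") on Linux to get the real executable path before calling config_path_from_exe.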