Renewing a Wildcard certificate

I worked through setting up a wildcard certificate for WeBase this past summer and everything was working fine until the certificate expired and needed to be renewed.

I expected that Caddy would handle that automatically but it did not.

Is there a command that I need to run to renew a wildcard certificate? How are wildcard certificates intended to be renewed?

Details including Caddy config are below. Thank you for any tips or pointers.

–harris

1. Caddy version (caddy version):

v2.1.0 h1:MC4d65RCVaEKy1iOFjsD51mybOwS8qdEVBi7ESDhUfE=

2. How I run Caddy:

sudo systemctl start caddy-api.service

d. My complete Caddyfile or JSON config:

{
  "admin": {
    "enforce_origin": true,
    "listen": "0.0.0.0:2019",
    "origins": [
      "ABC123"
    ]
  },
  "apps": {
    "http": {
      "servers": {
        "webase": {
          "listen": [
            ":443"
          ],
          "routes": [
            {
              "handle": [
                {
                  "handler": "subroute",
                  "routes": [
                    {
                      "handle": [
                        {
                          "handler": "reverse_proxy",
                          "headers": {
                            "request": {
                              "set": {
                                "Access-Control-Allow-Headers": [
                                  "Cache-Control,Content-Type"
                                ],
                                "X-Real-Ip": [
                                  "{http.request.remote.host}"
                                ]
                              }
                            }
                          },
                          "upstreams": [
                            {
                              "dial": "172.17.0.12:5000"
                            },
                            {
                              "dial": "172.17.0.14:5000"
                            }
                          ]
                        }
                      ]
                    }
                  ]
                }
              ],
              "match": [
                {
                  "host": [
                    "www.webase.com",
                    "*.webase.com",
                    "webase.com"
                  ]
                }
              ],
              "terminal": true
            },
            {
              "handle": [
                {
                  "handler": "subroute",
                  "routes": [
                    {
                      "handle": [
                        {
                          "handler": "reverse_proxy",
                          "headers": {
                            "request": {
                              "set": {
                                "Access-Control-Allow-Headers": [
                                  "Cache-Control,Content-Type"
                                ],
                                "X-Real-Ip": [
                                  "{http.request.remote.host}"
                                ]
                              }
                            }
                          },
                          "upstreams": [
                            {
                              "dial": "172.17.0.12:5000"
                            },
                            {
                              "dial": "172.17.0.14:5000"
                            }
                          ]
                        }
                      ]
                    }
                  ]
                }
              ],
              "match": [
                {
                  "host": [
                    "www.sbaloanshq.com"
                  ]
                }
              ],
              "terminal": true
            },
            {
              "handle": [
                {
                  "handler": "subroute",
                  "routes": [
                    {
                      "handle": [
                        {
                          "handler": "reverse_proxy",
                          "headers": {
                            "request": {
                              "set": {
                                "Access-Control-Allow-Headers": [
                                  "Cache-Control,Content-Type"
                                ],
                                "X-Real-Ip": [
                                  "{http.request.remote.host}"
                                ]
                              }
                            }
                          },
                          "upstreams": [
                            {
                              "dial": "172.17.0.12:5000"
                            }
                          ]
                        }
                      ]
                    }
                  ]
                }
              ],
              "match": [
                {
                  "host": [
                    "www.nimblehq.com"
                  ]
                }
              ],
              "terminal": true
            },
            {
              "handle": [
                {
                  "handler": "subroute",
                  "routes": [
                    {
                      "handle": [
                        {
                          "handler": "reverse_proxy",
                          "headers": {
                            "request": {
                              "set": {
                                "Access-Control-Allow-Headers": [
                                  "Cache-Control,Content-Type"
                                ],
                                "X-Real-Ip": [
                                  "{http.request.remote.host}"
                                ]
                              }
                            }
                          },
                          "upstreams": [
                            {
                              "dial": "172.17.0.16:5000"
                            }
                          ]
                        }
                      ]
                    }
                  ]
                }
              ],
              "match": [
                {
                  "host": [
                    "chart.ly"
                  ]
                }
              ],
              "terminal": true
            }
          ]
        }
      }
    },
    "tls": {
      "automation": {
        "on_demand": {
          "ask": "https://www.webase.com/api/v1/domain-check.json",
          "rate_limit": {
            "burst": 100,
            "interval": "5m"
          }
        },
        "policies": [
          {
            "issuer": {
              "challenges": {
                "dns": {
                  "provider": {
                    "max_retries": 10,
                    "name": "route53"
                  }
                }
              },
              "email": "harris@webase.com",
              "module": "acme"
            },
            "on_demand": false,
            "subjects": [
              "*.webase.com"
            ]
          },
          {
            "issuer": {
              "email": "harris@webase.com",
              "module": "acme"
            },
            "on_demand": true
          }
        ]
      }
    }
  },
  "logging": {
    "logs": {
      "default": {
        "encoder": {
          "format": "json"
        },
        "level": "debug",
        "writer": {
          "filename": "/tmp/caddy-tmp.log",
          "output": "file"
        }
      }
    },
    "sink": {
      "writer": {
        "filename": "/tmp/caddy-go.log",
        "output": "file"
      }
    }
  }
}

Caddy will renew expiring certificates. What are the full logs? We’re missing a lot of the topic template there so a lot of the information is missing… :confused:

And why are you using on-demand TLS?

Thanks for the reply, Matt.

Here are the logs:

2020/12/01 09:44:38 [ERROR] error: one or more domains had a problem:
[*.webase.com] [*.webase.com] acme: error presenting token: NoCredentialProviders: no valid providers in chain. Deprecated.
        For verbose messaging see aws.Config.CredentialsChainVerboseErrors
 (challenge=dns-01 remaining=[])
2020/12/01 09:44:40 [ERROR] attempt 1: [*.webase.com] Renew: [*.webase.com] error: one or more domains had a problem:
[*.webase.com] [*.webase.com] acme: error presenting token: NoCredentialProviders: no valid providers in chain. Deprecated.
        For verbose messaging see aws.Config.CredentialsChainVerboseErrors
 - retrying in 1m0s (9.428525254s/720h0m0s elapsed)...

This had worked previously but maybe it was just luck. I have all of my AWS credentials for handling the DNS challenge in a /etc/environment file:

AWS_ACCESS_KEY_ID=KEY_HERE
AWS_SECRET_ACCESS_KEY=SECRET_HERE
AWS_HOSTED_ZONE_ID=ZONE_HERE
AWS_REGION=us-west-2

I’d love to know exactly how this works. I will be scouring Google for an answer but if something is obvious to anyone here please let me know.

–harris
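The renewal error above is the route53 provider's AWS SDK reporting that it found no credentials at all, and the credentials live in /etc/environment, which a systemd service does not read on its own (that file is loaded by PAM for login sessions). The script below is an added example, not code from this thread, from Caddy or from the caddy-dns/route53 module: it extracts the domains with a failed renewal from log lines shaped like the ones quoted, checks a KEY=VALUE environment file for the variable names the thread's own snippet uses (which variables are required is an assumption stated in the comments), and shows how to list the AWS_* names the running caddy process actually has. The drop-in path `caddy-api.service.d/aws.conf` and the sample log and environment file are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the thread or from Caddy: triage a DNS-01
# renewal failure like the one quoted above. It (1) pulls the domains with a
# "Renew:" error out of the log, (2) checks the environment file for the
# variables the route53 provider needs, and (3) lists the AWS_* variable names
# the running caddy process can actually see.

# Constructed sample log, modelled on the lines quoted in the thread.
SAMPLE_LOG='2020/12/01 09:44:38 [ERROR] error: one or more domains had a problem:
[*.webase.com] [*.webase.com] acme: error presenting token: NoCredentialProviders: no valid providers in chain. Deprecated.
2020/12/01 09:44:40 [ERROR] attempt 1: [*.webase.com] Renew: [*.webase.com] error: one or more domains had a problem:
2020/12/01 09:50:40 [ERROR] attempt 2: [*.webase.com] Renew: [*.webase.com] error: one or more domains had a problem:
2020/12/01 09:51:00 [INFO] [www.webase.com] Certificate obtained successfully'

# Print each distinct domain that has at least one "[ERROR] ... Renew: [domain]"
# line. Takes the log text as $1, or reads it from stdin when called without
# arguments.
renewal_failures() {
    if [ $# -gt 0 ]; then printf '%s\n' "$1"; else cat; fi |
        grep '\[ERROR\].*Renew: \[' |
        sed 's/.*Renew: \[\([^]]*\)\].*/\1/' |
        sort -u
}

# Variables checked here (an assumption based on the thread's own snippet):
# the two credential variables the AWS SDK's default chain resolves, plus the
# region the client is built for. AWS_HOSTED_ZONE_ID plays no part in
# credential resolution, so it is not relevant to NoCredentialProviders.
REQUIRED_AWS_VARS="AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_REGION"

# Print every required name that is absent from, or still a *_HERE placeholder
# in, the KEY=VALUE file $1. Returns 1 if anything is reported.
missing_aws_vars() {
    file=$1
    rc=0
    for name in $REQUIRED_AWS_VARS; do
        value=$(grep "^${name}=" "$file" | head -n 1 | cut -d= -f2-)
        case "$value" in
            ""|*_HERE) echo "$name"; rc=1 ;;
        esac
    done
    return $rc
}

# List the AWS_* variable names visible to the running caddy process (values
# are deliberately not printed). A systemd service does not inherit
# /etc/environment, which PAM reads for login sessions, so this is the check
# that settles whether the provider can see the credentials. Needs root.
caddy_process_env() {
    pid=$(pidof caddy 2>/dev/null | cut -d' ' -f1)
    [ -n "$pid" ] || { echo "caddy is not running" >&2; return 1; }
    tr '\0' '\n' < "/proc/$pid/environ" | grep '^AWS_' | cut -d= -f1
}

# If the names are missing from the process, have systemd load the file
# explicitly through a drop-in (paths assumed; adjust to the unit in use):
#   /etc/systemd/system/caddy-api.service.d/aws.conf
#     [Service]
#     EnvironmentFile=/etc/environment
# followed by: systemctl daemon-reload && systemctl restart caddy-api.service

# Stand-alone demo on a constructed environment file; the secret is left as a
# placeholder, exactly as in the thread's snippet, so it is flagged.
demo() {
    tmp=$(mktemp)
    printf 'AWS_ACCESS_KEY_ID=AKIAEXAMPLE0000000000\nAWS_SECRET_ACCESS_KEY=SECRET_HERE\nAWS_REGION=us-west-2\n' > "$tmp"
    echo "domains failing renewal:"
    renewal_failures "$SAMPLE_LOG"
    echo "required variables missing or placeholder in $tmp:"
    missing_aws_vars "$tmp" || true
    rm -f "$tmp"
}

demo
```

Run it as root on the affected host and compare the output of `caddy_process_env` with the names in /etc/environment: if the process lists none of them, the credentials never reached the provider, regardless of what the file contains, and the drop-in above (or any other means of passing the variables to the unit) is the fix to try before touching the plugin.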

That looks like something AWS-related, maybe even specific to the AWS provider implementation or its adapter: GitHub - caddy-dns/route53: Caddy module: dns.providers.route53

Unfortunately I am not familiar with Route53 (I don’t use it myself) but @danlsgiga might have an idea.

Have you tried using the latest version?

Thanks for the reply, Matt.

I did upgrade to the latest version of Caddy as well as the Caddy Route53 plugin. The current issue is that what is on the README for the Route53 plugin does not match the latest release.

The readme says to configure the Route53 plugin this way:

{
  "module": "acme",
  "challenges": {
    "dns": {
      "provider": {
        "name": "route53",
        "max_retries": 10,
        "aws_profile": "real-profile"
      }
    }
  }
}

But then I get this error message starting Caddy:

Dec 1 16:02:49 webase caddy[14802]: run: loading initial config: loading new config: loading http app module: provision http: getting tls app: loading tls app module: provision tls: provisioning automation policy 0: loading TLS automation management module: loading module 'acme': provision tls.issuance.acme: loading DNS provider module: loading module 'route53': decoding module config: dns.providers.route53: json: unknown field "aws_profile"

How would we go about cutting a new release of the Route53 plugin so that the latest PRs can be compiled into Caddy to support this aws_profile setting?

–harris

Hi @harrisreynolds, I think this issue is the same with [bug]: Deprecated AWSProfile field on config · Issue #7 · caddy-dns/route53 · GitHub

"master" ≠ "latest release" (master is not equal to latest release)

The AWSProfile field is an added feature in a yet-to-be-released version (in master branch) of caddy-dns/route53… you are looking at the README of the master branch… For actual docs, please read the documentation in https://caddyserver.com/ or at the README of the last release

Apologies if this reply did not help resolve your issue. :frowning:
