Comments (18)

royvandongen avatar royvandongen commented on May 25, 2024 1

That makes sense, because I put in a placeholder account. I fixed the issue, I'll post separately what it was so it can be pinned/marked as solution.

from lego.

royvandongen avatar royvandongen commented on May 25, 2024 1

Hi all,

This is the solution, it is crazy and far-fetched but with the awesome help of @ldez it was found and fixed!

On a non-functional server:

root@vps01:/opt/deployment/webserver# file -i traefik/transip.apikey 
traefik/transip.apikey: text/plain; charset=utf-8

On a functional server:

root@lb-01:/opt/traefik$ file -i transip.apikey 
transip.apikey: text/plain; charset=us-ascii

The encoding was off, and me being a total dumb*ss, I copied the file contents to ldez, instead of the exact file, which I could not retrieve natively.

Apparently the error "acme: error presenting token: transip: could not get token from authenticator: could not decode private key" also shows when the file encoding is not correct.

Since the file was created by an automation system, I will try to find why this happened in the first place, but for future people who experience this issue, either try to convert your file to ASCII with the command:

 iconv -f UTF-8 -t ASCII transip.apikey -o transip.apikey

or just write a new file with the same contents.

Once again, thanks @ldez for helping out, I would never have found this myself!

from lego.
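The "\ufeff" shown in the Traefik log elsewhere in this thread is a byte order mark (U+FEFF, bytes EF BB BF in UTF-8) at the start of the key file. The following added example, which is not code from lego or the TransIP client, reproduces the failure and the fix in Go, assuming the loader parses the key with the standard `encoding/pem` package; the function names and the throwaway key are constructed for illustration.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"fmt"
)

// utf8BOM is U+FEFF encoded as UTF-8; the log prints it as "\ufeff".
var utf8BOM = []byte{0xEF, 0xBB, 0xBF}

// constructedKeyPEM returns a throwaway PKCS#8 key (sample data, not a real credential).
func constructedKeyPEM() []byte {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	der, err := x509.MarshalPKCS8PrivateKey(key)
	if err != nil {
		panic(err)
	}
	return pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: der})
}

// parseKey is a hypothetical strict loader: PEM-decode, then parse PKCS#8.
// pem.Decode only accepts "-----BEGIN" at the start of the data or of a line.
func parseKey(data []byte) error {
	block, _ := pem.Decode(data)
	if block == nil {
		return errors.New("could not decode private key")
	}
	_, err := x509.ParsePKCS8PrivateKey(block.Bytes)
	return err
}

// stripBOM removes a leading UTF-8 BOM and reports whether one was present.
func stripBOM(data []byte) ([]byte, bool) {
	return bytes.TrimPrefix(data, utf8BOM), bytes.HasPrefix(data, utf8BOM)
}

func main() {
	withBOM := append(append([]byte{}, utf8BOM...), constructedKeyPEM()...)
	clean, found := stripBOM(withBOM)
	fmt.Println("with BOM:", parseKey(withBOM), "| BOM found:", found, "| after strip:", parseKey(clean))
}
```

A check like `stripBOM` in the automation that writes the key file catches the problem before the ACME client ever reads it.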

ldez avatar ldez commented on May 25, 2024 1

Encoding problems, the hidden problems you can spend hours on 😸

FYI, I deleted all the information you provided from my computer and my mailbox.


Sponsoring is a good way to sustain open source maintainers: sponsor me

from lego.

ldez avatar ldez commented on May 25, 2024

Hello,

Did you try with previous versions of Traefik?

from lego.

ldez avatar ldez commented on May 25, 2024

The implementation is using the official API client.

The error:

could not get token from authenticator: could not decode private key

comes from:

Your problem seems to be related to your configuration.
I think the file's content defined with TRANSIP_PRIVATE_KEY_PATH has a problem.

from lego.

royvandongen avatar royvandongen commented on May 25, 2024

This was indeed the first thing I suspected, however the key is readable from the docker container. Unfortunately I am not aware how I could get more logging from inside the process itself.

from lego.

royvandongen avatar royvandongen commented on May 25, 2024

> Hello,
>
> Did you try with previous versions of Traefik?

Now I have, same outcome. I am now comparing a working and a non-working setup but cannot find differences about the above referenced file.

Since I have multiple installations I even tried using the API key from a working machine, but it results in the same issue (also tested on v2.11 and v2.10 of Traefik).

from lego.

royvandongen avatar royvandongen commented on May 25, 2024

I have tested some more, and by changing the TRANSIP_PRIVATE_KEY_PATH to TRANSIP_PRIVATE_KEY_PATH_FILE I got this output:

time="2024-02-22T15:57:55Z" level=error msg="Unable to obtain ACME certificate for domains \"vps01.*****.net\"" routerName=api@docker error="cannot get ACME client transip: error while opening private key file: open \ufeff-----BEGIN PRIVATE KEY-----\nMIIEvQIBA*************TvPQ=\n-----END PRIVATE KEY-----\n: no such file or directory" ACME CA="https://acme-v02.api.letsencrypt.org/directory" providerName=letsencrypt.acme rule="Host(`vps01.*****.net`) && PathPrefix(`/api`)"

This clearly proves the file can be read, however I am not sure what the "\ufeff" part means before the private key.

For transparency, this is how I mention the variables in my docker-compose.yml file:

environment:
  - TRANSIP_ACCOUNT_NAME=*****
  - TRANSIP_PRIVATE_KEY_PATH=/transip.apikey

from lego.

ldez avatar ldez commented on May 25, 2024

I don't think the problem comes from opening the file.
I think it's related to the content, as I said previously.

The error "could not decode private key" is about the content.
There is something invalid with the content of this file.

from lego.

royvandongen avatar royvandongen commented on May 25, 2024

I understand why you would say that, however to test what is going on here, I have deleted the contents of the file multiple times and pasted new (and even currently working) keys in the file in order to test if this would be the issue.

I guess I'm a bit lost here now. Strange, this is the first time this exact config does not work for me.

from lego.

ldez avatar ldez commented on May 25, 2024

> Strange, this is the first time this exact config does not work for me

What was the context when this was working?
What's changed since then?

from lego.

royvandongen avatar royvandongen commented on May 25, 2024

It's a completely new server, but I used the same basic templates for my docker-compose.yml file as before. That's why I'm so surprised it does not have the same outcome.

To double-check, I created a new API key without any IP restrictions on the TransIP side, just to exclude that too.

As shown in the log output above, the file is exactly a private key, with 0600 file permissions, it's just the same over multiple servers here.

from lego.

ldez avatar ldez commented on May 25, 2024

When it was working, what was the exact Traefik version?

Because the code of the API client hasn't changed for a long time for the parts that lego uses.

from lego.

royvandongen avatar royvandongen commented on May 25, 2024

One of the working servers is running Traefik 2.5.3, so I ran that specific version, the issue persists. I'll trash everything and start over completely blank to see if that changes anything.

from lego.

ldez avatar ldez commented on May 25, 2024

If you can create a temporary file, can you send me one by email?
Like that, I will be able to just test the file.

from lego.

ldez avatar ldez commented on May 25, 2024

Your private key file works: I ran tests of the API client with it, there is no error and I can sign a request.
So the problem is not here 🤔
It can be on the mounting point or related to system encoding 🤔

from lego.

royvandongen avatar royvandongen commented on May 25, 2024

Thank you so much for excluding those specifics, I'll continue to test here.

from lego.

ldez avatar ldez commented on May 25, 2024

I could not test more with the information you provided, because:

transip: could not get token from authenticator: error requesting token: Your key signature is invalid or API is not enabled in your account

from lego.
