Comments (15)
Hey @jojof2024, did you send the SIGHUP
signal to the CA or restart the CA after changing the configuration? I.e. something like killall -i -s SIGHUP step-ca
from certificates.
Hey, yes we did restart the CA. And the old DNS name is no where to be found in the ca.json or the default.json. Do we have to remove the old DNS name somewhere else to. How can this happen?
from certificates.
It also says that it runs with the latest dns name.
The primary server URL is latest.lhgroup.de. But it does not matter, when I send a certbot request with latest.lhgroup.de url it changes in at the moment of the connection to the old dns name xxxlhgroup.de.
certbot certonly --standalone -d example --server https://latest.lhgroup.de/acme/acme1day/directory -m email -vvv
Root logging level set at 0
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requested authenticator standalone and installer None
Single candidate plugin: * standalone
Description: Spin up a temporary webserver
Interfaces: Authenticator, Plugin
Entry point: standalone = certbot._internal.plugins.standalone:Authenticator
Initialized: <certbot._internal.plugins.standalone.Authenticator object at 0x7f529f3e2f28>
Prep: True
Selected authenticator <certbot._internal.plugins.standalone.Authenticator object at 0x7f529f3e2f28> and installer None
Plugins selected: Authenticator standalone, Installer None
Sending GET request to https://latest.lhgroup.de/acme/acme1day/directory.
Starting new HTTPS connection (1): latest.lhgroup.de:443
https://latest.lhgroup.de:443 "GET /acme/acme1day/directory HTTP/1.1" 200 382
Received response:
HTTP 200
Cache-Control: private, max-age=86400, no-cache, must-revalidate
Pragma: no-cache
Content-Type: application/json
Expires: -1
X-Powered-By: ARR/3.0
Strict-Transport-Security: max-age=31536000;includeSubdomains
X-Frame-Options: sameorigin
Content-Security-Policy: default-src 'self' *.latest.lhgroup.de data:; style-src *.latest.lhgroup.de 'unsafe-inline'; script-src *.pki-np.app.lhgroup.de 'unsafe-inline' 'unsafe-eval'
X-Content-Type-Options: nosniff; case-insensitive
Date: Tue, 30 Apr 2024 06:17:09 GMT
Content-Length: 382
Please read the Terms of Service at None. You must agree in order to register
with the ACME server. Do you agree?
(Y)es/(N)o: y
Requesting fresh nonce
Sending HEAD request to https://xxxx.lhgroup.de/acme/acme1day/new-nonce.
Starting new HTTPS connection (1): xxxx.lhgroup.de:443
from certificates.
Have you tried executing step ca health
, and does that return an OK? What do you see when you visit https://latest.lhgroup.de/acme/acme1day/directory
in a browser?
It looks like there's a proxy in between: X-Powered-By: ARR/3.0
. Is it possible that's what's interfering with the request?
from certificates.
step ca Health is ok.
It schould not be our proxy. In the ca logs we find:
The primary server URL is latest.lhgroup.de
and
from certificates.
step ca Health is ok. It schould not be our proxy. In the ca logs we find: The primary server URL is latest.lhgroup.de
and
The CA will reply with xxxlhgroup.de
in the ACME directory if the ACME client requests it by that domain, as it will extract the host to use from the request. It'll use the latest.lhgroup.de
only as a fallback. Is it possible the ACME client kept using the old URL in some way?
from certificates.
We tried it also with different clients (certbot (redhat client) and win-acme) all with the same responce. The win-acme client was just recently set up and did not send any request before this test.
from certificates.
What's shown when you go to https://latest.lhgroup.de/acme/acme1day/directory in a browser?
from certificates.
I get the exact same responce:
"newNonce":"[https://xxxx.lhgroup.de/acme/acme1day/new-nonce",
"newAccount":"https://xxxx.lhgroup.de/acme/acme1day/new-account",
"newOrder":"https://xxxx.lhgroup.de/acme/acme1day/new-order",
"revokeCert":"https://xxxx.lhgroup.de/acme/acme1day/revoke-cert"
from certificates.
What response headers does the browser console show?
from certificates.
Cache-Control:
private, max-age=86400, no-cache, must-revalidate
Content-Length:
382
Content-Security-Policy:
default-src 'self' *.latest.lhgroup.de data:; style-src *.latest.lhgroup.de 'unsafe-inline'; script-src *.latest.lhgroup.de 'unsafe-inline' 'unsafe-eval'
Content-Type:
application/json
Date:
Tue, 30 Apr 2024 14:29:49 GMT
Expires:
-1
Pragma:
no-cache
Strict-Transport-Security:
max-age=31536000;includeSubdomains
X-Content-Type-Options:
nosniff; case-insensitive
X-Frame-Options:
sameorigin
X-Powered-By:
ARR/3.0
from certificates.
I still suspect the proxy may have something to do with it. Can you try it without going through the proxy in your browser?
from certificates.
I just tested this locally and I get the correct urls being served from the /directory
ACME endpoints after update. I started with FQDN ca.smallstep.com
and I changed to ca1.smallstep.com
. When I curl the directory structure after making the change in the ca.json
and SIGHUP-ing the step-ca
service, I get:
{"newNonce":"https://ca1.smallstep.com:8081/acme/acme2/new-nonce","newAccount":"https://ca1.smallstep.com:8081/acme/acme2/new-account","newOrder":"https://ca1.smallstep.com:8081/acme/acme2/new-order","revokeCert":"https://ca1.smallstep.com:8081/acme/acme2/revoke-cert","keyChange":"https://ca1.smallstep.com:8081/acme/acme2/key-change"}
I agree with @hslatman that there may be an issue with cacheing in your proxy layer?
from certificates.
Related Issues (20)
- [Bug]: Do not output terminal control codes when output is not a terminal HOT 3
- [Bug]: step ca init ignores --context flag when using --pki
- [Bug]: Get a certificate via SCEP fails with: scep post request failed: crypto/rsa: verification error HOT 8
- [Docs]: Include information on where TLS certificates for the HTTPS API are stored HOT 1
- [Bug]: Docker Container never becomes healthy HOT 3
- [Bug]: Insecure HTTP server is not available after enabling CRL endpoint HOT 3
- Regularly reload provisioners from DB
- [Bug]: wrong oidc provisioner config prevents startup, can't remove provisioner
- Adding CRLIssuer information to crlDistributionPoints HOT 1
- [Bug]: Chang the crl issuing distribution point url or add a url with http HOT 4
- [Docs]: Additional information about the database schema (MySQL) + data in plaintext instead of blobs HOT 1
- Option to use publicly signed cert vs self generated
- Ability to silent logging of /health hits HOT 2
- [Bug]: Doesn't recognize (*.subdomain.domain.com) as valid HOT 2
- [Docs]: Clarify step ca init --remote-management HOT 8
- TKey integration HOT 4
- wildcard certificates with acme http-01 challenge HOT 2
- [Docs]: step ca token requires the --ca-url HOT 1
- Add an in-memory cookie jar to http.Client returned by NewClient HOT 3
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from certificates.