
Can't update .pem in haproxy #6165

Open
nicovd737 opened this issue Dec 17, 2024 · 2 comments

Comments

@nicovd737

Steps to reproduce

We are configuring a new site with your script as follows:

:~# sudo -u acme /usr/local/bin/acme-cert.sh xxx.xxx.com (example)

Content of script acme-cert.sh

#!/usr/bin/bash
# Trace every command so the deploy run can be attached to the issue.
set -xv
# Hot-update the certificate over the HAProxy admin socket instead of reloading.
export DEPLOY_HAPROXY_HOT_UPDATE=yes
export DEPLOY_HAPROXY_STATS_SOCKET=/var/run/haproxy/admin.sock
export DEPLOY_HAPROXY_PEM_PATH=/etc/haproxy/certs

# $1 is the domain; quoted so an unexpected argument cannot be word-split.
/usr/local/bin/acme.sh --issue -d "$1" --stateless --server letsencrypt

/usr/local/bin/acme.sh --deploy -d "$1" --deploy-hook haproxy --debug 2

Debug log

root@haproxy:~# sudo -u acme /usr/local/bin/acme-cert.sh xxx.xx.com
export DEPLOY_HAPROXY_HOT_UPDATE=yes
+ export DEPLOY_HAPROXY_HOT_UPDATE=yes
+ DEPLOY_HAPROXY_HOT_UPDATE=yes
export DEPLOY_HAPROXY_STATS_SOCKET=/var/run/haproxy/admin.sock
+ export DEPLOY_HAPROXY_STATS_SOCKET=/var/run/haproxy/admin.sock
+ DEPLOY_HAPROXY_STATS_SOCKET=/var/run/haproxy/admin.sock
export DEPLOY_HAPROXY_PEM_PATH=/etc/haproxy/certs
+ export DEPLOY_HAPROXY_PEM_PATH=/etc/haproxy/certs
+ DEPLOY_HAPROXY_PEM_PATH=/etc/haproxy/certs

/usr/local/bin/acme.sh --issue  -d $1 --stateless --server letsencrypt
+ /usr/local/bin/acme.sh --issue -d xx.xxx.com --stateless --server letsencrypt
[Tue Dec 17 12:55:09 PM UTC 2024] Domains not changed.
[Tue Dec 17 12:55:09 PM UTC 2024] Skipping. Next renewal time is: 2025-02-14T12:42:14Z
[Tue Dec 17 12:55:09 PM UTC 2024] Add '--force' to force renewal.

/usr/local/bin/acme.sh --deploy -d $1 --deploy-hook haproxy  --debug 2
+ /usr/local/bin/acme.sh --deploy -d xxx.xxx.com --deploy-hook haproxy --debug 2
[Tue Dec 17 12:55:09 PM UTC 2024] Let's find the script directory.
[Tue Dec 17 12:55:09 PM UTC 2024] _SCRIPT_='/usr/local/bin/acme.sh'
[Tue Dec 17 12:55:09 PM UTC 2024] _script='/usr/local/share/acme.sh/acme.sh'
[Tue Dec 17 12:55:09 PM UTC 2024] _script_home='/usr/local/share/acme.sh'
[Tue Dec 17 12:55:09 PM UTC 2024] Using default home: /var/lib/acme/.acme.sh
[Tue Dec 17 12:55:09 PM UTC 2024] Using config home: /var/lib/acme/.acme.sh
[Tue Dec 17 12:55:09 PM UTC 2024] LE_WORKING_DIR='/var/lib/acme/.acme.sh'
https://github.com/acmesh-official/acme.sh
v3.1.0
[Tue Dec 17 12:55:09 PM UTC 2024] Running cmd: deploy
[Tue Dec 17 12:55:09 PM UTC 2024] Using config home: /var/lib/acme/.acme.sh
[Tue Dec 17 12:55:09 PM UTC 2024] default_acme_server
[Tue Dec 17 12:55:09 PM UTC 2024] ACME_DIRECTORY='https://acme.zerossl.com/v2/DV90'
[Tue Dec 17 12:55:09 PM UTC 2024] _ACME_SERVER_HOST='acme.zerossl.com'
[Tue Dec 17 12:55:09 PM UTC 2024] _ACME_SERVER_PATH='v2/DV90'
[Tue Dec 17 12:55:09 PM UTC 2024] The domain 'xxx.xxx.com' seems to already have an ECC cert, let's use it.
[Tue Dec 17 12:55:09 PM UTC 2024] DOMAIN_PATH='/var/lib/acme/.acme.sh/xxx.xxx.com_ecc'
[Tue Dec 17 12:55:09 PM UTC 2024] DOMAIN_CONF='/var/lib/acme/.acme.sh/xxx.xxx.xxx_ecc/xxx.xxx.com_.conf'
[Tue Dec 17 12:55:09 PM UTC 2024] _deployApi='/usr/local/share/acme.sh/deploy/haproxy.sh'
[Tue Dec 17 12:55:09 PM UTC 2024] _cdomain='xxx.xxx.com_'
[Tue Dec 17 12:55:09 PM UTC 2024] _ckey='/var/lib/acme/.acme.sh/xxx.xxx.com_ecc/xxx.xxx.com.key'
[Tue Dec 17 12:55:09 PM UTC 2024] _ccert='/var/lib/acme/.acme.sh/xxx.xxx.com_ecc/xxx.xxx.com.cer'
[Tue Dec 17 12:55:09 PM UTC 2024] _cca='/var/lib/acme/.acme.sh/xxx.xxx.com_ecc/ca.cer'
[Tue Dec 17 12:55:09 PM UTC 2024] _cfullchain='/var/lib/acme/.acme.sh/xxx.xxx.coms_ecc/fullchain.cer'
[Tue Dec 17 12:55:09 PM UTC 2024] DEPLOY_HAPROXY_PEM_PATH='/etc/haproxy/certs'
[Tue Dec 17 12:55:09 PM UTC 2024] PEM_PATH /etc/haproxy/certs exists
[Tue Dec 17 12:55:09 PM UTC 2024] DEPLOY_HAPROXY_PEM_NAME
[Tue Dec 17 12:55:09 PM UTC 2024] DEPLOY_HAPROXY_BUNDLE
[Tue Dec 17 12:55:09 PM UTC 2024] DEPLOY_HAPROXY_ISSUER
[Tue Dec 17 12:55:09 PM UTC 2024] DEPLOY_HAPROXY_RELOAD
[Tue Dec 17 12:55:09 PM UTC 2024] DEPLOY_HAPROXY_HOT_UPDATE='yes'
[Tue Dec 17 12:55:09 PM UTC 2024] DEPLOY_HAPROXY_STATS_SOCKET='/var/run/haproxy/admin.sock'
[Tue Dec 17 12:55:09 PM UTC 2024] DEPLOY_HAPROXY_MASTER_CLI
[Tue Dec 17 12:55:09 PM UTC 2024] _suffix
[Tue Dec 17 12:55:09 PM UTC 2024] Deploying PEM file
[Tue Dec 17 12:55:09 PM UTC 2024] _temppem='/tmp/tmp.hAlrpMM70V'
[Tue Dec 17 12:55:09 PM UTC 2024] Moving new certificate into place
[Tue Dec 17 12:55:09 PM UTC 2024] _pem='/etc/haproxy/certs/xxx.xxx.com.pem'
[Tue Dec 17 12:55:09 PM UTC 2024] _socat_cert_cmd='echo 'show ssl cert' | socat '/var/run/haproxy/admin.sock' - | grep -q '^/etc/haproxy/certs/xxx.xxx.com.pem$''
[Tue Dec 17 12:55:09 PM UTC 2024] Update existing certificate '/etc/haproxy/certs/xxx.xxx.com.pem' over HAProxy stats socket.
[Tue Dec 17 12:55:09 PM UTC 2024] _socat_cert_set_cmd='echo -e 'set ssl cert /etc/haproxy/certs/xxx.xxx.com.pem <<\n-----BEGIN CERTIFICATE-----
MIIDizCCAxGgAwIBAgISAzoZ44KlBxpEnXp22JbCzytNMAoGCCqGSM49BAMDMDIx
CzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQDEwJF
NTAeFw0yNDEyMTcxMTQzNDNaFw0yNTAzMTcxMTQzNDJaMCAxHjAcBgNVBAMTFXRp
bWVwcm8ucGF5ZXJuZS5zd2lzczBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABPJ4
H38gxPoSFKDc9bph5VhvwrmNU6qUg0a2WLx8nzpCnZx/5q2FGoGa/jtXzUFlmjfA
xxx
xxxx
xxxx
5uDJHK6iQTItLBQAWA0CDmwen8jqSKbWpzAKBggqhkjOPQQDAwNoADBlAjEA562z
DmQZOmwhhmEjgRAOkNqfKYbDIZMhv5AfLuMr4OFjC8hDpGdVVxb5Spy7+t7pAjAH
JLxQskEeSQPqS+OiP5dD1rzR32LuJthKazz5kA7uvrcK6z41i+oV69I1o0Oq7nI=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIEVzCCAj+gAwIBAgIRAIOPbGPOsTmMYgZigxXJ/d4wDQYJKoZIhvcNAQELBQAw
TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMjQwMzEzMDAwMDAw
WhcNMjcwMzEyMjM1OTU5WjAyMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNTGV0J3Mg
RW5jcnlwdDELMAkGA1UEAxMCRTUwdjAQBgcqhkjOPQIBBgUrgQQAIgNiAAQNCzqK
a2GOtu/cX1jnxkJFVKtj9mZhSAouWXW0gQI3ULc/FnncmOyhKJdyIBwsz9V8UiBO
xxxx
xxxx
xxxx
K1BcaJ6fJZsmbjRgD5p3mvEf5vdQM7MCEvU0tHbsx2I5mHHJoABHb8KVBgWp/lcX
GWiWaeOyB7RP+OfDtvi2OsapxXiV7vNVs7fMlrRjY1joKaqmmycnBvAq14AEbtyL
sVfOS66B8apkeFX2NY4XPEYV4ZSCe8VHPrdrERk2wILG3T/EGmSIkCYVUMSnjmJd
VQD9F6Na/+zmXCc=
-----END CERTIFICATE-----
-----BEGIN EC PRIVATE KEY-----
MHcCAQEEIMs4tSuTqBFPsTwVDvPmU2+9zfprjRTn/p9EaQWWvkJNoAoGCCqGSM49
AwEHoUQDQgAE8ngffyDE+hIUoNz1umHlWG/CuY1TqpSDRrZYvHyfOkKdnH/mrYUa
gZr+O1fNQWWaN8BKHe6nkOcAD8mMTG14uw==
-----END EC PRIVATE KEY-----\n' | socat '/var/run/haproxy/admin.sock' - | grep -q 'Transaction created''
[Tue Dec 17 12:55:09 PM UTC 2024] Can't update '/etc/haproxy/certs/xxx.xxx.com.pem' in haproxy
[Tue Dec 17 12:55:09 PM UTC 2024] Error deploying for domain: xxx.xxx.com
[Tue Dec 17 12:55:09 PM UTC 2024] Error encountered while deploying.
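The deploy hook in the log above reduces every HAProxy reply to a `grep -q` exit status, so when `set ssl cert` fails the only message left is "Can't update ... in haproxy" and the reason HAProxy gave is lost. The following diagnostic script is an added example, not acme.sh code and not from the issue: it replays the same three-step exchange the hook performs over the stats socket (`show ssl cert`, `set ssl cert <path> <<` with the PEM as payload terminated by an empty line, `commit ssl cert`) and returns HAProxy's full reply for the first step that fails. It prints only HAProxy's answers, never the PEM payload; note that the `--debug 2` output quoted above includes the full PEM, private key included, so it should be redacted before being shared. The socket and certificate paths are the ones from the issue and are assumptions; the `send=` parameter exists only so the logic can be exercised without a live socket.

```python
"""Replay the HAProxy stats-socket hot update with visible replies (added example)."""
import socket
import sys

# Path used in the issue (DEPLOY_HAPROXY_STATS_SOCKET); assumption, adjust as needed.
SOCK_PATH = "/var/run/haproxy/admin.sock"


def send_command(sock_path, command, timeout=5.0):
    """Send one CLI command (with optional payload) to the HAProxy admin socket.

    In non-interactive mode HAProxy answers and closes the connection, so the
    reply is read until EOF and returned as text.
    """
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        s.connect(sock_path)
        s.sendall(command.encode())
        chunks = []
        while True:
            data = s.recv(65536)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", errors="replace")


def loaded_cert_paths(show_output):
    """Parse 'show ssl cert': one path per line, '#' lines are comments,
    a leading '*' marks a certificate with an uncommitted transaction."""
    paths = set()
    for line in show_output.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            paths.add(line.lstrip("*"))
    return paths


def build_set_cert_command(pem_path, pem_text):
    """Build 'set ssl cert <path> <<' followed by the PEM payload and the empty
    line that terminates payload mode (what the hook's echo -e produces)."""
    return f"set ssl cert {pem_path} <<\n{pem_text.strip()}\n\n"


def classify_reply(reply, success_marker):
    """('ok', reply) when the expected marker is present, else ('error', reply)."""
    text = reply.strip()
    return ("ok" if success_marker in text else "error", text)


def hot_update(sock_path, pem_path, pem_text, send=send_command):
    """Run show/set/commit; return (step, status, reply) for the first failing
    step, or for the commit when everything succeeded."""
    shown = loaded_cert_paths(send(sock_path, "show ssl cert\n"))
    if pem_path not in shown:
        return ("show ssl cert", "error",
                f"{pem_path} is not loaded in HAProxy; loaded: {sorted(shown)}")
    status, reply = classify_reply(
        send(sock_path, build_set_cert_command(pem_path, pem_text)),
        "Transaction created")
    if status != "ok":
        return ("set ssl cert", status, reply)
    status, reply = classify_reply(
        send(sock_path, f"commit ssl cert {pem_path}\n"), "Success!")
    return ("commit ssl cert", status, reply)


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit(f"usage: {sys.argv[0]} /etc/haproxy/certs/<domain>.pem")
    with open(sys.argv[1]) as f:
        new_pem = f.read()
    step, status, reply = hot_update(SOCK_PATH, sys.argv[1], new_pem)
    print(f"{step}: {status}")
    print(reply)
```

Run it as the same user acme.sh runs as, after the hook has written the new PEM into /etc/haproxy/certs, so the socket permissions and the registered certificate path match what the hook sees; the printed reply is the text the hook's `grep -q` discards.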


Please upgrade to the latest code and try again first. Maybe it's already fixed. acme.sh --upgrade If it's still not working, please provide the log with --debug 2, otherwise, nobody can help you.

@nicovd737 (Author)

Already done with upgrade
