Configure acme.sh in stateless mode

lucianp · July 6, 2018, 9:33am

Hi guys,

I’m trying to use acme.sh in stateless mode and I keep getting errors related to the authorization key being different. The setup is done in 2 separate Docker containers, one running Nginx with the authorization key received at the registration, the other container runs acme.sh in stateless mode and checks the URL which is served by the Nginx container. Is the authorization key changed frequently? I registered manually and added that key in a script which further generates entries in the Nginx config for multiple domains and I can’t get certificates because this key seems to be different by the one used in the challange.

Nginx config:

server {

    listen 443 ssl;
    listen [::]:443 ssl;
    # SSL settings
    include /etc/nginx/ssl/ssl.conf;

    server_name www.testing-something.mycompany.com testing-something.mycompany.com;

    # LetsEncrypt Challenge
    location ~ "^/\.well-known/acme-challenge/([-_a-zA-Z0-9]+)$" {
            default_type text/plain;
            return 200 "$1.authorization_key";
    }

    # base
    location / {
            return 302 www.itworks.com;
    }

Any idea?

Thanks!

_az · July 6, 2018, 9:47am

Is this container persistent - i.e .is it saving the acme.sh settings between runs? The account thumbprint is based on a hash of the ACME account key.

The ACME account key, if missing, is generated and then saved by acme.sh to the filesystem. It is then re-used.

If you run acme.sh in a container that runs from a blank state every time, it's going to keep registering new accounts, with different keys, which will have different thumbprints.

lucianp · July 6, 2018, 10:44am

the registration was done on the VM, outside of the acme container.

so you’re saying that i need to do the registration inside the acme container and then export that key to the nginx container (shared volume) and use it as static content for the config of the virtual host?

_az · July 6, 2018, 11:23am

How does the acme.sh container get access to that registration?

The workflow should look like this.

1. Create persistent storage for acme.sh (it is required so you can re-use the same ACME registration every run)

mkdir acme.sh-data

2. Register an ACME account using the persistent storage

$ docker run --rm -v "$(pwd)/acme.sh-data":/acme.sh neilpang/acme.sh --register-account
[Fri Jul  6 11:18:32 UTC 2018] Registering account
[Fri Jul  6 11:18:35 UTC 2018] Registered
[Fri Jul  6 11:18:35 UTC 2018] ACCOUNT_THUMBPRINT='eKzCWnJVe60tdUezRLP9kuCcEf0IqAXKWsLRMSjxunw'

Resulting in:

$ ls -lR acme.sh-data
acme.sh-data:
total 12
drwxr-xr-x 3 root root 4096 Jul  6 21:18 ca
-rw-r--r-- 1 root root   17 Jul  6 21:20 account.conf
-rw-r--r-- 1 root root  544 Jul  6 21:20 http.header

acme.sh-data/ca:
total 4
drwxr-xr-x 2 root root 4096 Jul  6 21:18 acme-v01.api.letsencrypt.org

acme.sh-data/ca/acme-v01.api.letsencrypt.org:
total 12
-rw-r--r-- 1 root root  580 Jul  6 21:18 account.json
-rw------- 1 root root 1679 Jul  6 21:18 account.key
-rw-r--r-- 1 root root  128 Jul  6 21:20 ca.conf

3. Every time you run the acme.sh container, it will re-use the same account and always have the same thumbprint

$ docker run --rm -v "$(pwd)/acme.sh-data":/acme.sh neilpang/acme.sh --register-account
[Fri Jul  6 11:22:10 UTC 2018] Registering account
[Fri Jul  6 11:22:13 UTC 2018] Already registered
[Fri Jul  6 11:22:13 UTC 2018] ACCOUNT_THUMBPRINT='eKzCWnJVe60tdUezRLP9kuCcEf0IqAXKWsLRMSjxunw'

Once you reach this point, the stateless configuration should work fine because the thumbprint portion will be unchanging.

Neilpang · July 9, 2018, 1:39am

Thanks for your reply

lucianp · July 9, 2018, 7:19am

after i created the “acme.sh-data” folder on the host, i ran the docker run command to create the persisten volume, it worked, i got a new ACCOUNT_THUMBPRINT but no files were written inside my local host “acme.sh-data” folder. am i missing something?

_az · July 9, 2018, 8:47am

If you enter the commands verbatim as presented in my post, then the acme.sh-data directory should contain files after step 2.

If that’s not the case, then something is going on with Docker or permissions on your host.

lucianp · July 9, 2018, 8:59am

you are right, i changed the directory from inside the container, to another location to be used by my local script but i will adapt that to the “/acme.sh”

thanks!

system · August 8, 2018, 8:59am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.