Hitch proxy with wildcards


#1

I am currently migrating from specific subdomain certificates to wildcard certificates. I’m using hitch as a TLS reverse proxy on my server.
To create wildcard certs I have used the command:
sudo certbot certonly --agree-tos --manual --preferred-challenges dns --server https://acme-v02.api.letsencrypt.org/directory -d *.mydomain.com --renew-hook="/usr/local/bin/hitch-renew-hook" --post-hook="systemctl reload hitch"
It did create the certificate correctly, but the renew-hook script seems not to be doing what it should, that is, creating a certificate bundle for hitch as a PEM file.
I need help to figure out what is wrong.
The hitch-renew-hook script is as follows:

#!/bin/bash
# Full path to pre-generated Diffie Hellman Parameters file
dhparams=/etc/hitch/dhparams.pem

# certbot exports RENEWED_LINEAGE (the /etc/letsencrypt/live/<name> directory) to renew/deploy hooks
if [[ "${RENEWED_LINEAGE}" == "" ]]; then
    echo "Error: missing RENEWED_LINEAGE env variable." >&2
    exit 1
fi

# The bundle contains the private key, so create it readable by the owner only
umask 077
cat "${RENEWED_LINEAGE}/privkey.pem" \
"${RENEWED_LINEAGE}/fullchain.pem" \
"${dhparams}" > "${RENEWED_LINEAGE}/hitch-bundle.pem"

In the end I can’t find the hitch-bundle.pem file in /etc/letsencrypt/live/mydomain.com/ :frowning:

note: To configure hitch with letsencrypt I have followed this tutorial :wink:


#2

Hi @dannysantos1985,

Renew parameters like --renew-hook (that is the former name; now it is --deploy-hook) and --post-hook are only used on renewals, that is, when you run certbot renew.

So with this command:

sudo certbot certonly --agree-tos --manual --preferred-challenges dns --server https://acme-v02.api.letsencrypt.org/directory -d *.mydomain.com --renew-hook="/usr/local/bin/hitch-renew-hook" --post-hook="systemctl reload hitch"

You are issuing a wildcard certificate for *.mydomain.com and saying that, when it is renewed, certbot should execute the commands you have specified in --renew-hook and --post-hook. But that won’t happen, because you are issuing the cert using dns in manual mode: you are not using any script (--manual-auth-hook) to automate the creation of validation challenges on your DNS provider, so certbot renew will give you an error because the renewal must be interactive.

Hope this helps.

Cheers,
sahsanu


#3

Can you give me an example of what I should do then @sahsanu?
I have also tried sudo certbot renew --force-renewal and I get this error/output:

Processing /etc/letsencrypt/renewal/mydomain.com.conf
-------------------------------------------------------------------------------
Could not choose appropriate plugin: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.',)
Attempting to renew cert (mydomain.com) from /etc/letsencrypt/renewal/mydomain.com.conf produced an unexpected error: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.',). Skipping.

#4

@dannysantos1985, it will depend on the DNS provider for the domain you are issuing the certificate for. If the DNS provider allows creating/updating TXT records via an API, then you could find a script that works with the DNS provider’s API, or maybe you should create your own script.

What is the DNS provider for your domain?

As I said above, that is the problem with using manual mode without a hook script to automate the creation of challenges for your domain.

Cheers,
sahsanu


#5

I’m using dynu.com as my DDNS provider. I have put a TXT record successfully in it.

So the problem is in the command that I use to create the wildcard cert? If yes, what command do you suggest that I use?
I’m not very savvy in this stuff
Cheers


#6

@dannysantos1985

Good news is that dynu provides an API, but unfortunately certbot doesn’t have a script to work with dynu’s API. Another alternative could be to use lexicon (a tool to manipulate DNS records on various DNS providers in a standardized/agnostic way), but lexicon doesn’t support dynu’s API either.

The good news is that the acme.sh client supports dynu’s API, so you could use this client instead of certbot.

The other way is to create your own hook script and use it with certbot.

If you had a script to automate the creation of TXT records for your domain, the command would look like this:

sudo certbot certonly --agree-tos --manual --preferred-challenges dns --manual-auth-hook /path/to/your/manual-hook.script --manual-cleanup-hook /path/to/your/cleanup-hook.script --server https://acme-v02.api.letsencrypt.org/directory -d *.mydomain.com --renew-hook="/usr/local/bin/hitch-renew-hook" --post-hook="systemctl reload hitch"

So, it is your choice: create your own script to work with dynu’s API, or use the acme.sh client, which provides support for dynu’s API out of the box :wink:

Cheers,
sahsanu
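The following is an added example, not code from the thread or from certbot: a skeleton of the --manual-auth-hook that the post above describes. The environment variables CERTBOT_DOMAIN and CERTBOT_VALIDATION are the ones certbot really exports to the hook; everything about the DNS provider is an assumption. The dynu_add_txt function is a placeholder that only prints what it would do, because the thread says nothing about the shape of dynu’s API, and DNS_ZONE is an assumed override for when the validated name is not itself the zone apex. The propagation check uses dig, which must be installed.

```bash
#!/bin/bash
# Added example: certbot --manual-auth-hook skeleton for DNS-01 validation.
# Real certbot hook variables: CERTBOT_DOMAIN (name being validated) and
# CERTBOT_VALIDATION (token to publish). The provider call below is a
# placeholder, NOT dynu's real API.
set -eu

# TXT owner name for a domain. A wildcard "*.example.com" is validated at
# _acme-challenge.example.com, the same owner as the apex name, so a leading
# "*." is stripped defensively (certbot itself hands over the name without it).
challenge_fqdn() {
    d="${1#\*.}"
    echo "_acme-challenge.${d}"
}

# Owner name relative to the zone, for APIs that take "label" + "zone":
#   www.example.com in zone example.com -> _acme-challenge.www
#       example.com in zone example.com -> _acme-challenge
relative_label() {
    fqdn=$(challenge_fqdn "$1"); zone="$2"
    case "$fqdn" in
        "_acme-challenge.${zone}") echo "_acme-challenge" ;;
        *".${zone}") echo "${fqdn%.${zone}}" ;;
        *) echo "error: $1 is not inside zone $zone" >&2; return 1 ;;
    esac
}

# Block until every authoritative server for the zone returns the expected TXT
# value, so Let's Encrypt's lookup does not race the record update.
wait_for_txt() {
    fqdn="$1"; value="$2"; zone="$3"; tries="${4:-30}"
    for ns in $(dig +short NS "$zone"); do
        i=0
        until dig +short TXT "$fqdn" "@$ns" | grep -qF "\"$value\""; do
            i=$((i + 1))
            [ "$i" -lt "$tries" ] || { echo "timeout waiting for $fqdn on $ns" >&2; return 1; }
            sleep 5
        done
    done
}

# Placeholder (assumption): replace with the provider's real "create TXT" call.
dynu_add_txt() {
    echo "would create TXT ${1} = \"${2}\" (label ${3} in zone ${4})"
}

# Only act when certbot invoked us; when sourced without the variables the
# functions are merely defined.
if [ -n "${CERTBOT_DOMAIN:-}" ]; then
    zone="${DNS_ZONE:-$CERTBOT_DOMAIN}"     # assumption: zone == validated name unless overridden
    fqdn=$(challenge_fqdn "$CERTBOT_DOMAIN")
    label=$(relative_label "$CERTBOT_DOMAIN" "$zone")
    dynu_add_txt "$fqdn" "$CERTBOT_VALIDATION" "$label" "$zone"
    wait_for_txt "$fqdn" "$CERTBOT_VALIDATION" "$zone"
fi
```

A matching --manual-cleanup-hook receives the same variables and should delete the record, otherwise stale _acme-challenge TXT entries accumulate with every renewal (post #13 in this thread removes them by hand). Only once both hooks exist does certbot renew stop needing a human, which is the whole point of the advice above.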


#7

@sahsanu But why do I need to automate the creation of TXT records in my domain?
dynu already has wildcard domain support. In my understanding I just have to configure the wildcard domain and then I’m set. That is what I have done


#8

If you don’t automate it, the wildcard certificate for your domain won’t be renewed automatically so you will need to do the same manual steps you are doing right now… every 90 days.


#9

Alright, I understand. I have to put the new certbot TXT record value in the DNS for every renewal :wink:
I will try acme.sh


#10

@sahsanu I have done this command:
acme.sh --issue -d domain.com -d '*.mydomain.com' --dns dns_dynu but I get this error:

[Tue Apr 17 18:56:18 UTC 2018] Dynu client id and secret is not specified.
[Tue Apr 17 18:56:18 UTC 2018] Please create you API client id and secret and try again.
[Tue Apr 17 18:56:18 UTC 2018] Error add txt for domain:_acme-challenge.minho.win
[Tue Apr 17 18:56:18 UTC 2018] Please add '--debug' or '--log' to check more details.
[Tue Apr 17 18:56:18 UTC 2018] See: https://github.com/Neilpang/acme.sh/wiki/How-to-debug-acme.sh

I don’t know what to do now… :confused:


#11

Hi @dannysantos1985

Do you have the client ID, token and secret for dynu generated?

If you do, just go to dns_dynu.sh and fill in that information in the header of the file.

If not, You may obtain them from the ‘API Credentials’ section in the control panel.

Thank you


#12

@dannysantos1985, as @stevenzhu said, you need to get the Client ID and secret from dynu; take a look at this link: https://github.com/Neilpang/acme.sh/tree/master/dnsapi#24-use-dynu-api


#13

Thank you @stevenzhu and @sahsanu
I have removed the previous TXT records, modified dns_dynu.sh with my API credentials, and now everything seems to be working.
There are two issues now. hitch requires bundling the privkey.pem and the fullchain.pem in order to create a bundle file to use in the hitch config.

  1. I can’t find privkey.pem or fullchain.pem files (that are needed for the hitch bundle pem file) in the .acme.sh/ directory. I only find mydomain.cer, mydomain.key, ca.cer and fullchain.cer
  2. I need to run hitch-renew-hook script and also systemctl reload hitch on renewal. How can this be achieved with acme.sh?

#14

This is taken care of. I have found this: https://github.com/Neilpang/acme.sh/wiki/Using-’--pre-hook’,-’--post-hook’,-’--renew-hook’-and-’--reload-cmd’ .

Now I need to know how to modify my hitch-renew-hook to not use the privkey.pem and fullchain.pem files but use my files instead


#15

You can create a symbolic link from mydomain.key to privkey.pem and from fullchain.cer to fullchain.pem

The command is ln -s (your original file) (new file)

Thank you


#16
  1. Does ${RENEWED_LINEAGE} work with acme.sh?

Since mydomain.key varies according to the domain name that I choose, I need an approach where my cert key file has a static name, in order to make my script work with all domains that I may choose


#17

Hi @dannysantos1985,

As far as I know acme.sh doesn’t pass any variable to the hook script, but you can pass a parameter to your script (in this case $Le_Domain):

acme.sh --issue -d domain.com -d '*.mydomain.com' --dns dns_dynu --renew-hook '/usr/local/bin/hitch-renew-hook $Le_Domain' --post-hook 'systemctl reload hitch'

Note: It is important to use single quotes in the --renew-hook param.

And here is the script /usr/local/bin/hitch-renew-hook modified to work with acme.sh (the only thing you should change is the acmehome variable if you are using another path).

#!/bin/bash
# Full path to pre-generated Diffie Hellman Parameters file
dhparams=/etc/hitch/dhparams.pem
# acme.sh home directory (change this if you installed acme.sh elsewhere)
acmehome=/root/.acme.sh
# Domain passed by acme.sh as the first argument ($Le_Domain)
domain=$1
# Disable filename globbing ("set noglob" would only overwrite $1 with the word "noglob")
set -f

if [[ "${domain}" == "" ]]; then
    echo "Error: missing domain variable." >&2
    exit 1
fi

# The bundle contains the private key, so create it readable by the owner only
umask 077

cat "${acmehome}/${domain}/${domain}.key" \
"${acmehome}/${domain}/fullchain.cer" \
"${dhparams}" > "${acmehome}/${domain}/hitch-bundle.pem"

I’ve tested it and it works, I hope this helps.

Cheers,
sahsanu
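As an added example (not the script from the post above, and not part of hitch, certbot or acme.sh), here is a version of the hook that serves both clients and adds the two checks a practitioner wants before swapping a TLS bundle under a running proxy: it refuses to write a bundle whose private key does not belong to the leaf certificate (a mismatch makes hitch fail on reload), and it writes the bundle to a temporary file in the same directory and renames it over the old one, so a reload never sees a half-written file. It picks its inputs from RENEWED_LINEAGE when certbot calls it as a --deploy-hook, and from the domain argument when acme.sh calls it with '$Le_Domain'. The paths in DHPARAMS and ACMEHOME are assumptions taken from the thread; the environment-variable overrides are my own.

```bash
#!/bin/bash
# Added example: hitch bundle builder usable as a certbot --deploy-hook
# (reads RENEWED_LINEAGE) or an acme.sh --renew-hook (takes the domain as $1).
set -eu

DHPARAMS="${DHPARAMS:-/etc/hitch/dhparams.pem}"   # assumed path, as in the thread
ACMEHOME="${ACMEHOME:-/root/.acme.sh}"            # assumed acme.sh home, as in the thread

# Compare the SubjectPublicKeyInfo derived from the private key with the one in
# the first (leaf) certificate of the chain. Both openssl commands print SPKI
# PEM, so the text must be identical. Skipped with a warning if openssl is absent.
key_matches_cert() {
    local key="$1" chain="$2" kpub cpub
    if ! command -v openssl >/dev/null 2>&1; then
        echo "warning: openssl not found, skipping key/cert consistency check" >&2
        return 0
    fi
    kpub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
    cpub=$(openssl x509 -in "$chain" -pubkey -noout 2>/dev/null) || return 1
    [ -n "$kpub" ] && [ "$kpub" = "$cpub" ]
}

# Write <key><fullchain><dhparams> to $4 atomically with mode 0600.
build_bundle() {
    local key="$1" chain="$2" dh="$3" out="$4" f tmp
    for f in "$key" "$chain" "$dh"; do
        if [ ! -s "$f" ]; then
            echo "error: missing or empty input $f" >&2
            return 1
        fi
    done
    if ! key_matches_cert "$key" "$chain"; then
        echo "error: $key does not match the certificate in $chain" >&2
        return 1
    fi
    umask 077
    tmp=$(mktemp "$(dirname "$out")/.hitch-bundle.XXXXXX") || return 1
    cat "$key" "$chain" "$dh" > "$tmp" || { rm -f "$tmp"; return 1; }
    mv -f "$tmp" "$out"      # rename is atomic on the same filesystem
}

main() {
    local key chain out domain
    if [ -n "${RENEWED_LINEAGE:-}" ]; then
        # certbot --deploy-hook: lineage directory comes from the environment
        key="${RENEWED_LINEAGE}/privkey.pem"
        chain="${RENEWED_LINEAGE}/fullchain.pem"
        out="${RENEWED_LINEAGE}/hitch-bundle.pem"
    else
        # acme.sh --renew-hook '/usr/local/bin/hitch-renew-hook $Le_Domain'
        domain="$1"
        key="${ACMEHOME}/${domain}/${domain}.key"
        chain="${ACMEHOME}/${domain}/fullchain.cer"
        out="${ACMEHOME}/${domain}/hitch-bundle.pem"
    fi
    build_bundle "$key" "$chain" "$DHPARAMS" "$out"
    echo "wrote $out"
}

# Run only when invoked as a hook; when sourced without arguments the functions
# are merely defined.
if [ -n "${RENEWED_LINEAGE:-}" ] || [ -n "${1:-}" ]; then
    main "$@"
fi
```

Two caveats on the acme.sh side: when acme.sh issues an ECC certificate it stores the files under <domain>_ecc rather than <domain>, so the directory in main would need that suffix; and, as post #20 notes, acme.sh --install-cert with --key-file and --fullchain-file copies the files to fixed paths of your choosing and can run a --reloadcmd, which avoids the per-domain directory layout entirely. The reload itself stays in --post-hook / --reloadcmd as in the thread, so the proxy is only reloaded after the bundle has been written successfully.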


#18

I tweaked this thread’s title a little bit to help future readers who (like me) might not know “hitch” is software and not just another word for “problem”. :wink:


#19

Thank you for your great care @sahsanu. I needed that script correction :slight_smile:
One question about acme.sh:
After I have installed it and issued a certificate, in order to auto-renew do I need a cron job, or does it auto-renew automatically?
It seems that it auto-renews automatically, but I need a confirmation to be sure, since I can’t understand how the automatic renewal works


#20

Another way this could be handled is with the --key-file and --fullchain-file flags to acme.sh, which would (well, could) result in those having static filenames. That might make the script side easier.

To autorenew, there needs to be a cron job that calls acme.sh, but I believe acme.sh sets up such a cron job by default.