Programmatically create account on Boulder with Acme4j

ryanesch · February 14, 2020, 4:32pm

I hope this is a quick question. I am trying to programmatically create an account on Boulder (which is running in a TestContainer) using acme4j. I think I have an incorrect URL when I create the acme4j.Session but I can’t figure out what it is supposed to be. Here is my code:

Session session = new Session(url);
AccountBuilder().useKeyPair(accountKey).onlyExisting().create(session);

At this point, I’m trying any URL I see on the Boulder setup page, variations of:

url = "https://" + container_ip + ":4001/dir";
url = "acme://boulder/" + container_ip + ":14000"; //Modeled after the acme://pebble url that works for pebble

Here is the error I get on create(session) for any URL:

Caused by: org.shredzone.acme4j.exception.AcmeNetworkException: Network error
Caused by: java.net.SocketException: Unexpected end of file from server

I will debug the IP if that’s causing the problem, but what port/endpoint should I be accessing to create the account?

cpu · February 14, 2020, 8:03pm

@shred Can you take a peek at this forum thread? Thank you!

cpu · February 14, 2020, 8:06pm

If you’re using the configuration we ship in Boulder’s tree then you’ll find the ACME v2 interface listening w/ HTTP on port 4001 of the Boulder container and w/ HTTPS on port 4430.

I think this might be a problem given the above. You’d want to use port 4430 for https://.

The 14000 port here is Pebble specific and won’t match the Boulder dev config.

shred · February 20, 2020, 8:43pm

acme4j does not support an acme://boulder URL to a Boulder server, so you need to pass either the http or the https location of Boulder’s directory.

I haven’t used Boulder for a while, but according to its documentation, you should connect to http://localhost:4001/directory or https://localhost:4431/directory.

ryanesch · February 14, 2020, 10:08pm

Thank you for the response! For some reason I had “dir” in my URLs instead of “directory.” I am still having a couple issues here, but I need to investigate a bit before bothering you.

ryanesch · February 20, 2020, 8:43pm

It’s been too long for me to edit my response so I have to make a new response.

I solved another issue I was having. I wasn’t able to hit the correct URL because I was making the attempt before Boulder had completed startup. I need to wait for Boulder’s services to start before starting the test. Oops!

cpu · February 18, 2020, 8:42pm

Thanks for reporting back with your solution @ryanesch. Glad to hear you got things working!

ryanesch · February 20, 2020, 8:14pm

Hi @cpu, is there a built in logging service that could help me determine if the fake dns server is redirecting traffic? Otherwise I’m stuck with tcpdumps.

cpu · February 20, 2020, 8:39pm

Hi @ryanesch

If you’re using Boulder the VA process will log the IP addresses it resolves & uses for validation. E.g.:

I072009 boulder-remoteva 6-nJ7Qk [AUDIT] Validation result JSON={"ID":"186","Requester":99991352,"Hostname":"rand.300c7466.xyz","Challenge":{"type":"tls-alpn-01","status":"valid","token":"jcG840wazZ9PIV-74Zp1VKUlPDW9sIdseZ6vS4Js-Mc","keyAuthorization":"jcG840wazZ9PIV-74Zp1VKUlPDW9sIdseZ6vS4Js-Mc.LelkOAgY6ZHFjo0HDH7-OKNF1xFKI3VNNH1oXSqfPQQ","validationRecord":[{"hostname":"rand.300c7466.xyz","port":"5001","addressesResolved":["10.88.88.88"],"addressUsed":"10.88.88.88"}]},"ValidationLatency":0.036}

The "addressResolved" and "addressUsed" portions of the validation record are the lookup results from the fake DNS server.

The pebble-challtestsrv used by the Boulder docker environment also logs information at startup that includes what the default fake IP address used for A/AAAA queries will be:

pebble-challtestsrv - 2020/02/20 07:16:22 Creating HTTP-01 challenge server on 10.77.77.77:5002
pebble-challtestsrv - 2020/02/20 07:16:22 Creating HTTPS HTTP-01 challenge server on 10.77.77.77:5001
pebble-challtestsrv - 2020/02/20 07:16:22 Creating TCP and UDP DNS-01 challenge server on :8053
pebble-challtestsrv - 2020/02/20 07:16:22 Creating TCP and UDP DNS-01 challenge server on :8054
pebble-challtestsrv - 2020/02/20 07:16:22 Creating TLS-ALPN-01 challenge server on 10.88.88.88:5001
pebble-challtestsrv - 2020/02/20 07:16:22 Answering A queries with 10.77.77.77 by default
pebble-challtestsrv - 2020/02/20 07:16:22 Starting challenge servers
pebble-challtestsrv - 2020/02/20 07:16:22 Starting management server on :8055

The relevant part is " Answering A queries with 10.77.77.77 by default".

Any explicit mock A/AAAA records added above and beyond the default via the management server are also logged, e.g.:

pebble-challtestsrv - 2020/02/20 07:20:08 Added response for DNS A queries to "rand.300c7466.xyz" : 10.88.88.88

Hope that helps!

system · March 21, 2020, 8:42pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.