sorah/acmesmith

autorenew error using acmesmith-google-cloud-dns

proxium opened this issue · 3 comments

Thank you for developing this gem to handle v2. I'm using it to renew our wildcard certificates based on a cronjob and the third-party plugin acmesmith-google-cloud-dns.

#cronjob
#Ansible: *.muster-domain.de renew
25 1 * * * cd /etc/ssl/acme && /usr/local/rbenv/shims/acmesmith autorenew -d 10 *.muster-domain.de > /dev/null

I use the following post_issuing_hooks:

#acmesmith.yml
directory: https://acme-v02.api.letsencrypt.org/directory

storage:
  type: filesystem
  path: /etc/ssl/acme

challenge_responders:
  - google_cloud_dns:
      project_id: project_id
      private_key_json_file: /etc/ssl/acme/project_id.json
      ttl: 5

post_issuing_hooks:
  "*.muster-domain.de":
    - shell:
        command: /usr/bin/systemctl reload nginx
    - shell:
        command: mail -s "New cert for ${COMMON_NAME} has been issued" devops@muster-domain.de < /dev/null

The first time our certificate was due to expire soon (in 10 days), I encountered the following error:

/usr/local/rbenv/versions/2.4.2/lib/ruby/gems/2.4.0/gems/acme-client-2.0.1/lib/acme/client/jwk/rsa.rb:35:in `sign': Private key is needed. (ArgumentError)
        from /usr/local/rbenv/versions/2.4.2/lib/ruby/gems/2.4.0/gems/acme-client-2.0.1/lib/acme/client/jwk/rsa.rb:35:in `sign'
        from /usr/local/rbenv/versions/2.4.2/lib/ruby/gems/2.4.0/gems/acme-client-2.0.1/lib/acme/client/jwk/base.rb:23:in `jws'
        from /usr/local/rbenv/versions/2.4.2/lib/ruby/gems/2.4.0/gems/acme-client-2.0.1/lib/acme/client/faraday_middleware.rb:19:in `call'
        from /usr/local/rbenv/versions/2.4.2/lib/ruby/gems/2.4.0/gems/faraday-0.15.4/lib/faraday/rack_builder.rb:143:in `build_response'
        from /usr/local/rbenv/versions/2.4.2/lib/ruby/gems/2.4.0/gems/faraday-0.15.4/lib/faraday/connection.rb:387:in `run_request'
        from /usr/local/rbenv/versions/2.4.2/lib/ruby/gems/2.4.0/gems/faraday-0.15.4/lib/faraday/connection.rb:175:in `post'
        from /usr/local/rbenv/versions/2.4.2/lib/ruby/gems/2.4.0/gems/acme-client-2.0.1/lib/acme/client.rb:250:in `post'
        from /usr/local/rbenv/versions/2.4.2/lib/ruby/gems/2.4.0/gems/acme-client-2.0.1/lib/acme/client.rb:88:in `account'
        from /usr/local/rbenv/versions/2.4.2/lib/ruby/gems/2.4.0/gems/acme-client-2.0.1/lib/acme/client.rb:98:in `kid'
        from /usr/local/rbenv/versions/2.4.2/lib/ruby/gems/2.4.0/gems/acme-client-2.0.1/lib/acme/client/faraday_middleware.rb:42:in `jws_header'
        from /usr/local/rbenv/versions/2.4.2/lib/ruby/gems/2.4.0/gems/acme-client-2.0.1/lib/acme/client/faraday_middleware.rb:19:in `call'
        from /usr/local/rbenv/versions/2.4.2/lib/ruby/gems/2.4.0/gems/faraday-0.15.4/lib/faraday/rack_builder.rb:143:in `build_response'
        from /usr/local/rbenv/versions/2.4.2/lib/ruby/gems/2.4.0/gems/faraday-0.15.4/lib/faraday/connection.rb:387:in `run_request'
        from /usr/local/rbenv/versions/2.4.2/lib/ruby/gems/2.4.0/gems/faraday-0.15.4/lib/faraday/connection.rb:175:in `post'
        from /usr/local/rbenv/versions/2.4.2/lib/ruby/gems/2.4.0/gems/acme-client-2.0.1/lib/acme/client.rb:250:in `post'
        from /usr/local/rbenv/versions/2.4.2/lib/ruby/gems/2.4.0/gems/acme-client-2.0.1/lib/acme/client.rb:113:in `new_order'
        from /usr/local/rbenv/versions/2.4.2/lib/ruby/gems/2.4.0/gems/acmesmith-2.2.0/lib/acmesmith/client.rb:32:in `order'
        from /usr/local/rbenv/versions/2.4.2/lib/ruby/gems/2.4.0/gems/acmesmith-2.2.0/lib/acmesmith/client.rb:164:in `block in autorenew'
        from /usr/local/rbenv/versions/2.4.2/lib/ruby/gems/2.4.0/gems/acmesmith-2.2.0/lib/acmesmith/client.rb:156:in `each'
        from /usr/local/rbenv/versions/2.4.2/lib/ruby/gems/2.4.0/gems/acmesmith-2.2.0/lib/acmesmith/client.rb:156:in `autorenew'
        from /usr/local/rbenv/versions/2.4.2/lib/ruby/gems/2.4.0/gems/acmesmith-2.2.0/lib/acmesmith/command.rb:140:in `autorenew'
        from /usr/local/rbenv/versions/2.4.2/lib/ruby/gems/2.4.0/gems/thor-0.20.3/lib/thor/command.rb:27:in `run'
        from /usr/local/rbenv/versions/2.4.2/lib/ruby/gems/2.4.0/gems/thor-0.20.3/lib/thor/invocation.rb:126:in `invoke_command'
        from /usr/local/rbenv/versions/2.4.2/lib/ruby/gems/2.4.0/gems/thor-0.20.3/lib/thor.rb:387:in `dispatch'
        from /usr/local/rbenv/versions/2.4.2/lib/ruby/gems/2.4.0/gems/thor-0.20.3/lib/thor/base.rb:466:in `start'
        from /usr/local/rbenv/versions/2.4.2/lib/ruby/gems/2.4.0/gems/acmesmith-2.2.0/bin/acmesmith:4:in `<top (required)>'
        from /usr/local/rbenv/versions/2.4.2/bin/acmesmith:23:in `load'
        from /usr/local/rbenv/versions/2.4.2/bin/acmesmith:23:in `<main>'

As a last note, I was able to create the initial certificate using acmesmith order '*.muster-domain.de', so if anything is wrong with this configuration I hope that you can point it out 🙂

@sorah any idea?

The issue was solved by removing the account.pem file and re-executing
acmesmith new-account mailto:muster-user@muster-project-id.iam.gserviceaccount.com, which generated a working private key account.pem.
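
A pre-flight check for the failure above, as an added example that is not part of the original thread or of acmesmith: the `Private key is needed` ArgumentError in the trace is raised when Ruby's OpenSSL is asked to sign with a key object that has no private component, so this classifies an account key PEM before a renewal job relies on it. The function name `account_key_state` and the sample keys are constructed for illustration.

```ruby
require 'openssl'

# Classify an ACME account key PEM (hypothetical helper, not acmesmith API).
# Returns :private, :public_only, :encrypted or :unreadable.
def account_key_state(pem, passphrase = nil)
  # An encrypted PEM read without a passphrase makes OpenSSL prompt on the
  # terminal, which hangs or fails under cron; report it instead.
  return :encrypted if passphrase.nil? && pem.include?('ENCRYPTED')

  key = passphrase ? OpenSSL::PKey.read(pem, passphrase) : OpenSSL::PKey.read(pem)
  # Signing the JWS for an ACME request needs the private component.
  key.private? ? :private : :public_only
rescue OpenSSL::PKey::PKeyError
  # Truncated file, wrong passphrase, or not a key at all.
  :unreadable
end

# Constructed sample inputs, generated locally so the example runs offline.
SAMPLE_KEY = OpenSSL::PKey::RSA.new(2048)
SAMPLE_PASSPHRASE = 'constructed-passphrase'
ENCRYPTED_PEM = SAMPLE_KEY.to_pem(OpenSSL::Cipher.new('aes-256-cbc'), SAMPLE_PASSPHRASE)

SAMPLES = {
  'full private key'        => SAMPLE_KEY.to_pem,
  'public half only'        => SAMPLE_KEY.public_key.to_pem,
  'encrypted, no passphrase' => ENCRYPTED_PEM,
  'truncated file'          => SAMPLE_KEY.to_pem[0, 120]
}.freeze

SAMPLES.each do |label, pem|
  puts format('%-26s %s', label, account_key_state(pem))
end
```

Run against the real key file with `account_key_state(File.read(path))` and have the cron wrapper exit non-zero on anything other than `:private`, so the failure is reported before the certificate nears expiry.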

sorah commented

👍 Sorry for being late! I was busy at this short moment...