Way to manually update Let's Encrypt certificate?


William Matheson

Apr 19, 2021, 7:56:08 PM
to Islandora ISLE
Hello everyone,

This might have been a regression (likely my fault) introduced with an ISLE update, but I just got an e-mail from Let's Encrypt saying the prnewspaperarchives.ca cert expires in 20 days. They seem to be correct. Usually I don't get those e-mails, since the auto-renew had been working.

Is there a way to manually initiate the renewal, from within the Traefik container or something like that?

Thank you,
William Matheson
Library Assistant - Technical
Prince Rupert Library

William Matheson

Apr 20, 2021, 6:00:07 PM
to Islandora ISLE
Update: Inspired by https://islandora-collaboration-group.github.io/ISLE/appendices/configuring-lets-encrypt/ I backed up my existing acme.json and made a new acme.json with global rw permissions via `touch acme.json` then `chmod a+rw acme.json`. What happened when I re-upped was I got a security warning because the site was using a self-signed cert. Something seems broken somewhere, though I have no idea what.

William Matheson

Apr 20, 2021, 6:05:10 PM
to Islandora ISLE
Hahaha, oh no, now it's stuck on whatever self-signed cert it is, even though I put acme.json back and re-upped!

William Matheson

Apr 20, 2021, 6:12:05 PM
to Islandora ISLE
I changed onDemand to true but that didn't help either. Will revert and re-up.

William Matheson

Apr 20, 2021, 6:45:24 PM
to Islandora ISLE
Tried to check the Traefik logs to perhaps see what is going on. I couldn't bash into it like I do the other containers: e.g. `docker exec -it isle-apache-phx bash` works but `docker exec -it isle-proxy-phx bash` presents `OCI runtime exec failed: exec failed: container_linux.go:367: starting container process caused: exec: "bash": executable file not found in $PATH: unknown`

I could change the log settings in the toml and put them into some kind of shared space between the host and container, but is there any Traefik or Let's Encrypt logging available by default in ISLE 7.x?

Apparently there's a service that lets you see past certificates: https://crt.sh/?q=prnewspaperarchives.ca

I think for now all I can do is put up an advisory on the main library website that this is happening and suggest that users accept the risk, etc.

Danny Lamb

Apr 21, 2021, 9:36:03 AM
to William Matheson, Islandora ISLE
Not sure about 7, but in 8 you can `docker-compose logs -tf traefik` to see if it's complaining about something. Pretty sure the experience should be the same since we don't maintain that container in any way, so I don't see why it'd be too different. FWIW, the only times I've had to check traefik logs were for certs or if routing was borked in one of Traefik's labels, so hopefully there's something in there for ya.



--
- Daniel Lamb

Tech Lead
Islandora Foundation
http://islandora.ca

William Matheson

Apr 21, 2021, 12:26:46 PM
to Islandora ISLE
Hi Danny,

Thanks very much for the tip! The logs in that form were difficult to read but I got what I needed from using:

`docker-compose logs traefik > traefiklogs/2021-04-21.txt`

Right at the top it complained that permissions on acme.json were too open, please use 600. So I `chmod 600 acme.json`, down and re-up, and got the old certificate again. Much better than the self-signed cert but this is only going to work until June 3. ...

(looks at wall calendar, displaying APRIL 2021)

For crying out loud, nothing was broken at all! It's not renewing because it's more than 30 days away from expiring! Like I just mentally got ahead of myself, something inside of me thought that June 3 was just 20 days away, because I had gotten into that "expires in 20 days" mindset from the expiration notice e-mail. The certificate actually did renew without my intervention. It said it was issued March 5, though. So I got an e-mail on April 19 saying my Feb 8 - May 9 certificate was going to expire, even though my new one was in use. Could have just been a glitch with the Let's Encrypt Expiry Bot. Anyway, this will teach me to read the dates very carefully.

Cheers,

William Matheson
Library Assistant - Technical
Prince Rupert Library
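Two things in this thread are worth turning into a repeatable check before anyone touches acme.json again: the permission complaint Traefik logged (acme.json must be mode 600), and the date arithmetic in the last post (a certificate with more than about 30 days left is not renewed, and an expiry notice may refer to a certificate the proxy has already replaced). The script below is an added example, not code from ISLE, Traefik or anyone in this thread. It assumes a 30-day renewal window and a strict 0600 requirement, both taken from the thread rather than from Traefik's documentation; the certificate dates and the `prnewspaperarchives.ca` sample are constructed from the dates quoted above, in the dict shape Python's `ssl` module returns from `getpeercert()`.

```python
"""Sanity checks for a Traefik + Let's Encrypt setup like the one in this thread.

Added example; not code from ISLE, Traefik or the thread. Assumptions:
  * Traefik refuses an acme.json whose mode is anything other than 0600
    (the "too open, please use 600" complaint seen in the logs);
  * a certificate is only renewed once it is inside a 30-day window before
    expiry, so a cert with more time left is deliberately left alone.
Sample dates are constructed from the thread: old cert Feb 8 - May 9,
current cert Mar 5 - Jun 3, check run on Apr 21, 2021.
"""
import os
import ssl
import stat
import tempfile
from datetime import datetime, timezone

RENEWAL_WINDOW_DAYS = 30  # assumed renewal window (from the thread, not Traefik docs)

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns for the
# certificate the proxy is actually serving right now.
SERVED_CERT = {
    "subject": ((("commonName", "prnewspaperarchives.ca"),),),
    "notBefore": "Mar  5 14:00:00 2021 GMT",
    "notAfter": "Jun  3 14:00:00 2021 GMT",
}
# notAfter of the certificate named in the expiry-notice e-mail (constructed).
NOTICE_NOT_AFTER = "May  9 14:00:00 2021 GMT"
# The moment the check is run (constructed): Apr 21, 2021, noon UTC.
NOW = datetime(2021, 4, 21, 12, 0, tzinfo=timezone.utc)


def days_until(cert_time, now):
    """Whole days from `now` until an X.509 time string in getpeercert() format."""
    expiry = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert_time), timezone.utc)
    return (expiry - now).days


def diagnose(served_cert, notice_not_after, now, window_days=RENEWAL_WINDOW_DAYS):
    """Decide whether an expiry notice actually means renewal is broken."""
    served_days = days_until(served_cert["notAfter"], now)
    notice_days = days_until(notice_not_after, now)
    result = {
        "served_days_left": served_days,
        "notice_days_left": notice_days,
        "renewal_due": served_days <= window_days,
        "notice_is_served_cert": served_cert["notAfter"] == notice_not_after,
    }
    if result["notice_is_served_cert"]:
        result["verdict"] = "cert in use expires in %d days; renewal %s" % (
            served_days, "is due" if result["renewal_due"] else "not due yet")
    elif served_days > notice_days:
        # The notice is about an older cert; the one being served is newer.
        result["verdict"] = ("notice refers to a superseded cert; cert in use has %d days "
                             "left and will not be renewed until %d days remain"
                             % (served_days, window_days))
    else:
        result["verdict"] = "served cert is older than the one in the notice; check the proxy"
    return result


def acme_json_problems(path):
    """Complaints Traefik would raise about acme.json's mode (assumed: must be 0600)."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    problems = []
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append("permissions %o for %s are too open, please use 600" % (mode, path))
    elif mode != 0o600:
        problems.append("unexpected mode %o for %s, please use 600" % (mode, path))
    return problems


def demo_acme_permissions():
    """Create a throwaway acme.json with the thread's a+rw mode, then fix it to 600."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "acme.json")
        with open(path, "w") as fh:
            fh.write("{}")
        os.chmod(path, 0o666)  # the `chmod a+rw acme.json` from the thread
        before = acme_json_problems(path)
        os.chmod(path, 0o600)  # what the Traefik log asks for
        after = acme_json_problems(path)
    return before, after


if __name__ == "__main__":
    print(diagnose(SERVED_CERT, NOTICE_NOT_AFTER, NOW)["verdict"])
    before, after = demo_acme_permissions()
    print("acme.json a+rw:", before)
    print("acme.json 600:", after)
```

Run against the thread's dates it reports that the served certificate has 43 days left while the noticed one has 18, so the notice refers to a superseded certificate and no renewal is due yet; the permission check flags the `a+rw` file and accepts the `600` one. To use it on a live host, replace `SERVED_CERT` with the dict returned by `getpeercert()` from an `ssl` connection to the proxy and `NOW` with `datetime.now(timezone.utc)`.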
