Questions on the LetsEncrypt ControlScript

[mackov83]

I refer to the following: https://github.com/avinetworks/devops/blob/master/cert_mgmt/letsencrypt_mgmt_profile.py/

Is this supported to work with both VS and EVH setups? I am a novice in the coding space, however I do see references to parent / child within the script which suggests it does.

In my case I get the following error (assuming vs.domain.com is the child object):
Error` from certificate management service: STDOUT - "Running version 0.9.6 dry_run is: False disable_check is: False directory_url is https://acme-v02.api.letsencrypt.org/directory Account key not found. Generating account key... Parsing account key... Parsing CSR... Found domains: vs.domain.com Getting directory... Directory found! Registering account... Registered! Creating new order... Order created! Verifying vs.domain.com... Warning: Could not find a VSVIP with fqdn = vs.domain.com ". STDERR - "/usr/local/lib/python3.8/dist-packages/urllib3/connectionpool.py:853: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#ssl-warnings warnings.warn(( /usr/local/lib/python3.8/dist-packages/urllib3/connectionpool.py:853: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#ssl-warnings warnings.warn(( /usr/local/lib/python3.8/dist-packages/urllib3/connectionpool.py:853: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#ssl-warnings warnings.warn(( Traceback (most recent call last): File "/run/shm/cs/LetsEncrypt_EVH", line 550, in <module> cert = certificate_request(csr, common_name, kwargs) File "/run/shm/cs/LetsEncrypt_EVH", line 522, in certificate_request signed_crt = get_crt(user, password, tenant, api_version, csr_temp_file.name, File "/run/shm/cs/LetsEncrypt_EVH", line 264, in get_crt raise Exception("Could not find a VS with fqdn = {}".format(domain)) Exception: Could not find a VS with fqdn = vs.domain.com Error in sys.excepthook: Traceback (most recent call last): File "/usr/local/lib/python3.8/dist-packages/avi_traceback/avi_exception_hook.py", line 51, in avi_excepthook os.makedirs(output_dir) File "/usr/lib/python3.8/os.py", line 223, in makedirs mkdir(name, mode) OSError: [Errno 30] Read-only file system: '/var/lib/avi/python_crash' Original exception was: Traceback (most recent call last): File "/run/shm/cs/LetsEncrypt_EVH", line 550, in <module> cert = certificate_request(csr, common_name, kwargs) File "/run/shm/cs/LetsEncrypt_EVH", line 522, in certificate_request signed_crt = get_crt(user, password, tenant, api_version, csr_temp_file.name, File "/run/shm/cs/LetsEncrypt_EVH", line 264, in get_crt raise Exception("Could not find a VS with fqdn = {}".format(domain)) Exception: Could not find a VS with fqdn = vs.domain.com "..

[mackov83]

Update: I my previous attempt was with 0.9.6. I saw that you also have 0.9.7 so I tried that too. Below is the output from 0.9.7:

Error from certificate management service: STDOUT - "". STDERR - " File "/run/shm/cs/LetsEncrypt_EVH", line 37 @@ -129,16 +131,21 @@ def _poll_until_not(url, pending_statuses, err_msg): ^ IndentationError: unexpected indent Error in sys.excepthook: Traceback (most recent call last): File "/usr/local/lib/python3.8/dist-packages/avi_traceback/avi_exception_hook.py", line 51, in avi_excepthook os.makedirs(output_dir) File "/usr/lib/python3.8/os.py", line 223, in makedirs mkdir(name, mode) OSError: [Errno 30] Read-only file system: '/var/lib/avi/python_crash' Original exception was: File "/run/shm/cs/LetsEncrypt_EVH", line 37 @@ -129,16 +131,21 @@ def _poll_until_not(url, pending_statuses, err_msg): ^ IndentationError: unexpected indent "..

[mackov83]

Update: I my previous attempt was with 0.9.6. I saw that you also have 0.9.7 so I tried that too. Below is the output from 0.9.7:

Error from certificate management service: STDOUT - "". STDERR - " File "/run/shm/cs/LetsEncrypt_EVH", line 37 @@ -129,16 +131,21 @@ def _poll_until_not(url, pending_statuses, err_msg): ^ IndentationError: unexpected indent Error in sys.excepthook: Traceback (most recent call last): File "/usr/local/lib/python3.8/dist-packages/avi_traceback/avi_exception_hook.py", line 51, in avi_excepthook os.makedirs(output_dir) File "/usr/lib/python3.8/os.py", line 223, in makedirs mkdir(name, mode) OSError: [Errno 30] Read-only file system: '/var/lib/avi/python_crash' Original exception was: File "/run/shm/cs/LetsEncrypt_EVH", line 37 @@ -129,16 +131,21 @@ def _poll_until_not(url, pending_statuses, err_msg): ^ IndentationError: unexpected indent "..

Ignore this error. This came from copying the diff between 0.9.6 and 0.9.7 and missing that the copy brought lines in from 0.9.6.

The original error is the same with 0.9.7 file version.

[mackov83]

Update: by using the 'overwrite_vs' I was able to bypass the error about the VS not being found.

Error from certificate management service: STDOUT - "Running version 0.9.7 dry_run is: False disable_check is: False directory_url is https://acme-v02.api.letsencrypt.org/directory Account key not found. Generating account key... Parsing account key... Parsing CSR... Found domains: vs.domain.com Getting directory... Directory found! Registering account... Registered! Creating new order... Order created! Verifying vs.domain.com... Note: Overwriting VS UUID to virtualservice-5a29daa5-837d-4f28-b4d9-d6d940287c56 Found VS virtualservice-5a29daa5-837d-4f28-b4d9-d6d940287c56 with fqdn vs.domain.com ". STDERR - "/usr/local/lib/python3.8/dist-packages/urllib3/connectionpool.py:853: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#ssl-warnings warnings.warn(( /usr/local/lib/python3.8/dist-packages/urllib3/connectionpool.py:853: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#ssl-warnings warnings.warn(( Traceback (most recent call last): File "/run/shm/cs/LetsEncrypt_EVH", line 558, in <module> cert = certificate_request(csr, common_name, kwargs) File "/run/shm/cs/LetsEncrypt_EVH", line 530, in certificate_request signed_crt = get_crt(user, password, tenant, api_version, csr_temp_file.name, File "/run/shm/cs/LetsEncrypt_EVH", line 306, in get_crt for service in rsp["results"][0]["services"]: KeyError: 'services' Error in sys.excepthook: Traceback (most recent call last): File "/usr/local/lib/python3.8/dist-packages/avi_traceback/avi_exception_hook.py", line 51, in avi_excepthook os.makedirs(output_dir) File "/usr/lib/python3.8/os.py", line 223, in makedirs mkdir(name, mode) OSError: [Errno 30] Read-only file system: '/var/lib/avi/python_crash' Original exception was: Traceback (most recent call last): File "/run/shm/cs/LetsEncrypt_EVH", line 558, in <module> cert = certificate_request(csr, common_name, kwargs) File "/run/shm/cs/LetsEncrypt_EVH", line 530, in certificate_request signed_crt = get_crt(user, password, tenant, api_version, csr_temp_file.name, File "/run/shm/cs/LetsEncrypt_EVH", line 306, in get_crt for service in rsp["results"][0]["services"]: KeyError: 'services' "..

Any ideas where I could look next?

[patschi]

I believe it is related to EVH. I've never tested it with EVH, I'm only using the Virtual Hosting. Do you have the ability to test VH if it works there?

[mackov83]

I could have, but it would have involved a lot of reconfiguration work as I only have a single public IP. Sure, I could implement different levels of NAT, but then it starts becoming overly complicated for a home lab.

I ended up buying a wildcard cert as I had wasted too much time with the LE control scripts. It seemed as though each time a new version of ALB came along it broke, therefore the yearly cost of the cert was much cheaper than the hours spent continually lost trying to troubleshoot.