Error when acquire ssl cert in auto_ssl #287

Open
ryudoawaru opened this issue May 5, 2017 · 10 comments

Comments

@ryudoawaru

ryudoawaru commented May 5, 2017

I used the config from the example here but found the following error:

2017/05/05 16:30:26 [error] 14759#0: *29825 ngx_mruby : mrb_run failed: return 500 HTTP status code to client: error: INLINE CODE:8: backquotes not implemented (NotImplementedError) while SSL handshaking, client: 61.220.182.115, server: 0.0.0.0:443
2017/05/05 16:30:26 [crit] 14759#0: *29825 SSL_do_handshake() failed (SSL: error:1408A179:SSL routines:ssl3_get_client_hello:cert cb error) while SSL handshaking, client: 61.220.182.115, server: 0.0.0.0:443

the code in line 8 is:

acme.auto_cert_deploy
@yyamano
Collaborator

yyamano commented May 5, 2017

@ryudoawaru Which version of mruby-io do you use?
It must be fixed by iij/mruby-io@728d313

@ryudoawaru
Author

I re-checked everything and the error message changed:

2017/05/08 12:30:27 [error] 15751#0: *900 ngx_mruby : mrb_run failed: return 500 HTTP status code to client: error: INLINE CODE:10: expected String (TypeError) while SSL handshaking, client: 61.220.182.115, server: 0.0.0.0:443
2017/05/08 12:30:27 [crit] 15751#0: *900 SSL_do_handshake() failed (SSL: error:1408A179:SSL routines:ssl3_get_client_hello:cert cb error) while SSL handshaking, client: 61.220.182.115, server: 0.0.0.0:443
2017/05/08 12:30:27 [error] 15751#0: *901 ngx_mruby : mrb_run failed: return 500 HTTP status code to client: error: INLINE CODE:10: expected String (TypeError) while SSL handshaking, client: 61.220.182.115, server: 0.0.0.0:443
2017/05/08 12:30:27 [crit] 15751#0: *901 SSL_do_handshake() failed (SSL: error:1408A179:SSL routines:ssl3_get_client_hello:cert cb error) while SSL handshaking, client: 61.220.182.115, server: 0.0.0.0:443

in code:

      ssl = Nginx::SSL.new
      domain = ssl.servername
      acme = Nginx::SSL::ACME.new domain, Userdata.new.dehydrated_opts, Userdata.new.allow_domains
      raise "not allowed servername" unless acme.allow_domain?
      redis = Userdata.new.redis
      if redis["#{domain}.crt"].nil? or redis["#{domain}.key"].nil?
        acme.auto_cert_deploy
      end
      ssl.certificate_data = redis["#{domain}.crt"]
      ssl.certificate_key_data = redis["#{domain}.key"]

@ryudoawaru
Author

I changed the log level to debug and ran it again:

2017/05/08 12:40:55 [debug] 21047#0: *1379 ngx_mruby : mruby ssl handler: servername "x.wild.5xruby.com"
2017/05/08 12:40:55 [info] 21047#0: *1379 run acme command: /usr/local/nginx/conf/auto-ssl/dehydrated --cron --lock-suffix x.wild.5xruby.com --domain x.wild.5xruby.com --challenge http-01 --hook /usr/local/nginx/conf/auto-ssl/ngx_mruby-hook.sh --config /usr/local/nginx/conf/auto-ssl/dehydrated.conf while SSL handshaking, client: 61.220.182.115, server: 0.0.0.0:443
2017/05/08 12:40:56 [info] 21047#0: *1379 # INFO: Using main config file /usr/local/nginx/conf/auto-ssl/dehydrated.conf
 while SSL handshaking, client: 61.220.182.115, server: 0.0.0.0:443
2017/05/08 12:40:56 [error] 21047#0: *1379 ngx_mruby : mrb_run failed: return 500 HTTP status code to client: error: INLINE CODE:10: expected String (TypeError) while SSL handshaking, client: 61.220.182.115, server: 0.0.0.0:443
2017/05/08 12:40:56 [crit] 21047#0: *1379 SSL_do_handshake() failed (SSL: error:1408A179:SSL routines:ssl3_get_client_hello:cert cb error) while SSL handshaking, client: 61.220.182.115, server: 0.0.0.0:443
2017/05/08 12:40:56 [debug] 21047#0: *1380 ngx_mruby : mruby ssl handler: servername "x.wild.5xruby.com"
2017/05/08 12:40:56 [info] 21047#0: *1380 run acme command: /usr/local/nginx/conf/auto-ssl/dehydrated --cron --lock-suffix x.wild.5xruby.com --domain x.wild.5xruby.com --challenge http-01 --hook /usr/local/nginx/conf/auto-ssl/ngx_mruby-hook.sh --config /usr/local/nginx/conf/auto-ssl/dehydrated.conf while SSL handshaking, client: 61.220.182.115, server: 0.0.0.0:443
2017/05/08 12:40:56 [info] 21047#0: *1380 # INFO: Using main config file /usr/local/nginx/conf/auto-ssl/dehydrated.conf
 while SSL handshaking, client: 61.220.182.115, server: 0.0.0.0:443
2017/05/08 12:40:56 [error] 21047#0: *1380 ngx_mruby : mrb_run failed: return 500 HTTP status code to client: error: INLINE CODE:10: expected String (TypeError) while SSL handshaking, client: 61.220.182.115, server: 0.0.0.0:443
2017/05/08 12:40:56 [crit] 21047#0: *1380 SSL_do_handshake() failed (SSL: error:1408A179:SSL routines:ssl3_get_client_hello:cert cb error) while SSL handshaking, client: 61.220.182.115, server: 0.0.0.0:443

@ryudoawaru
Author

I tried the same command from the log file and found an error while executing ngx_mruby-hook.sh:

/usr/local/nginx/conf/auto-ssl/dehydrated --cron --lock-suffix x.wild.5xruby.com --domain x.wild.5xruby.com --challenge http-01 --hook /usr/local/nginx/conf/auto-ssl/ngx_mruby-hook.sh --config /usr/local/nginx/conf/auto-ssl/dehydrated.conf
# INFO: Using main config file /usr/local/nginx/conf/auto-ssl/dehydrated.conf
Processing x.wild.5xruby.com
 + Signing domains...
 + Generating private key...
 + Generating signing request...
 + Requesting challenge for x.wild.5xruby.com...
+ HOOK_SERVER_PORT=11111
+ HANDLER=deploy_challenge
+ shift
+ deploy_challenge x.wild.5xruby.com 4FxMNNIJoP7xTaxmAkyermRuihco-H54pDE3qgpEJ6s 4FxMNNIJoP7xTaxmAkyermRuihco-H54pDE3qgpEJ6s.ZreP6FiQxOPJdqUudU4PjCQQeEaJJFLNWD_yYktC2nM
+ local DOMAIN=x.wild.5xruby.com TOKEN_FILENAME=4FxMNNIJoP7xTaxmAkyermRuihco-H54pDE3qgpEJ6s TOKEN_VALUE=4FxMNNIJoP7xTaxmAkyermRuihco-H54pDE3qgpEJ6s.ZreP6FiQxOPJdqUudU4PjCQQeEaJJFLNWD_yYktC2nM
/usr/local/nginx/conf/auto-ssl/ngx_mruby-hook.sh: line 16: HOOK_SECRET: unbound variable

@matsumotory
Owner

Could you show me the nginx.conf with mruby?

@ryudoawaru
Author

http {
...
  mruby_init_worker_code '

      Userdata.new.redis = Redis.new "127.0.0.1", 8871
  ';

  mruby_init_code '

      secret_token = SecureRandom.uuid
      # Setup dehydrated example
      #
      # cp -pr ngx_mruby/test/conf/auto-ssl ${NGINX_INSTALL_DIR}/conf/.
      # sudo chown nginx -R ${NGINX_INSTALL_DIR}/conf/auto-ssl

      Userdata.new.dehydrated_opts = {
                          bin: "/usr/local/nginx/conf/auto-ssl/dehydrated",
                          conf: "/usr/local/nginx/conf/auto-ssl/dehydrated.conf",
                          hook: "/usr/local/nginx/conf/auto-ssl/ngx_mruby-hook.sh",
                          secret_token: secret_token,
                        }

      Userdata.new.allow_domains = %w(
                          x.wild.5xruby.com
                          wild.5xruby.com
                          wild.5xruby.jp
                          x.wild.5xruby.jp
                        )

      Userdata.new.auto_ssl_secret = secret_token
      Userdata.new.auto_ssl_port = 11111
  ';
...

server {
    listen 443 ssl;
    server_name *.wild.5xruby.com *.wild.5xruby.jp;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_certificate dummy_key/cert.pem;
    ssl_certificate_key dummy_key/privkey.pem;

    mruby_ssl_handshake_handler_code '
      ssl = Nginx::SSL.new
      domain = ssl.servername
      acme = Nginx::SSL::ACME.new domain, Userdata.new.dehydrated_opts, Userdata.new.allow_domains
      raise "not allowed servername" unless acme.allow_domain?
      redis = Userdata.new.redis
      if redis["#{domain}.crt"].nil? or redis["#{domain}.key"].nil?
        acme.auto_cert_deploy
      end
      Nginx::SSL.log Nginx::LOG_INFO, "FINISH auto_cert_deploy"
      ssl.certificate_data = redis["#{domain}.crt"]
      ssl.certificate_key_data = redis["#{domain}.key"]
    ';

    location / {
        mruby_content_handler_code 'Nginx.rputs "hello #{Nginx::Request.new.hostname} world!"';
    }
    access_log logs/wild443-access.log main;
    error_log logs/wild-error.log debug;
}

server {
    listen 80;
    server_name *.wild.5xruby.com *.wild.5xruby.jp;

    location ^~ /.well-known/acme-challenge/ {
        mruby_content_handler_code '

          Nginx.return -> do
            r = Nginx::Request.new
            redis = Userdata.new.redis
            access_token = Nginx::SSL::ACME.token_filename_from_url(r)
            stored_token = redis["#{r.hostname}_token_filename"]

            if access_token != stored_token
              Nginx.log Nginx::LOG_ERR, "ACME challenge token not found"
              Nginx.log Nginx::LOG_ERR, "access token: #{access_token}"
              Nginx.log Nginx::LOG_ERR, "stored token: #{stored_token}"
              return Nginx::HTTP_NOT_FOUND
            end

            Nginx.rputs redis["#{r.hostname}_token_value"]
          end.call
        ';
    }

    location = /.well-known/acme-challenge/ {
       return 404;
    }
    access_log logs/wild80-access.log main;
    error_log logs/wild-error.log debug;
}

server {
    listen 127.0.0.1:11111;
    server_name localhost;

    location /deploy-cert {
        mruby_enable_read_request_body on;
        mruby_content_handler_code '

          Nginx.return -> do
            r = Nginx::Request.new

            if Userdata.new.auto_ssl_secret == Nginx::SSL::ACME.secret_token(r)
              cert_info = Nginx::SSL::ACME.deploy_cert_information r
              redis = Userdata.new.redis
              redis.mset "#{cert_info[:domain]}.key", cert_info[:key], "#{cert_info[:domain]}.crt", cert_info[:crt]
              Nginx.rputs "deploy cert ok"
              return Nginx::HTTP_OK
            end

            return Nginx::HTTP_UNAUTHORIZED
          end.call
        ';
    }

    access_log logs/wild11111-access.log main;
    error_log logs/wild-error.log debug;

    location /deploy-challenge {
        mruby_enable_read_request_body on;
        mruby_content_handler_code '

          Nginx.return -> do
            r = Nginx::Request.new

            if Userdata.new.auto_ssl_secret == Nginx::SSL::ACME.secret_token(r)
              domain = Nginx::SSL::ACME.challenged_domain r
              redis = Userdata.new.redis
              redis["#{domain}_token_filename"] = Nginx::SSL::ACME.challenged_token_filename r
              redis["#{domain}_token_value"] = Nginx::SSL::ACME.challenged_token_value r
              Nginx.rputs "deploy challenge ok"
              return Nginx::HTTP_OK
            end

            return Nginx::HTTP_UNAUTHORIZED
          end.call
        ';
    }

    location / {
        mruby_content_handler_code "Nginx.rputs 'hello 11111 world'";
    }
}

}

@matsumotory
Owner

fmm, looks good to me. It seems that

res = `HOOK_SECRET=#{@dehydrated[:secret_token]} #{command}`

can't run. Could you retry the code after cleaning up redis and dehydrated_out?

@ryudoawaru
Author

@matsumotory

I tried running the dehydrated command manually with HOOK_SECRET set; there was no "unbound variable" error, but it still can't finish the whole process.

HOOK_SECRET=6584e8fa-f865-412b-9aa4-f11e4454c688  /usr/local/nginx/conf/auto-ssl/dehydrated --cron --lock-suffix x.wild.5xruby.com --domain x.wild.5xruby.com --challenge http-01 --hook /usr/local/nginx/conf/auto-ssl/ngx_mruby-hook.sh --config /usr/local/nginx/conf/auto-ssl/dehydrated.conf
# INFO: Using main config file /usr/local/nginx/conf/auto-ssl/dehydrated.conf
Processing x.wild.5xruby.com
 + Checking domain name(s) of existing cert... unchanged.
 + Checking expire date of existing cert...
 + Valid till Aug  6 09:24:00 2017 GMT (Longer than 30 days). Skipping renew!
+ HOOK_SERVER_PORT=11111
+ HANDLER=unchanged_cert
+ shift
+ unchanged_cert x.wild.5xruby.com /usr/local/nginx/conf/auto-ssl/certs/x.wild.5xruby.com/privkey.pem /usr/local/nginx/conf/auto-ssl/certs/x.wild.5xruby.com/cert.pem /usr/local/nginx/conf/auto-ssl/certs/x.wild.5xruby.com/fullchain.pem /usr/local/nginx/conf/auto-ssl/certs/x.wild.5xruby.com/chain.pem
+ local DOMAIN=x.wild.5xruby.com KEYFILE=/usr/local/nginx/conf/auto-ssl/certs/x.wild.5xruby.com/privkey.pem CERTFILE=/usr/local/nginx/conf/auto-ssl/certs/x.wild.5xruby.com/cert.pem FULLCHAINFILE=/usr/local/nginx/conf/auto-ssl/certs/x.wild.5xruby.com/fullchain.pem CHAINFILE=/usr/local/nginx/conf/auto-ssl/certs/x.wild.5xruby.com/chain.pem
+ curl --silent --show-error --fail -XPOST --header 'X-Hook-Secret: 6584e8fa-f865-412b-9aa4-f11e4454c688' --data domain=x.wild.5xruby.com --data privkey=/usr/local/nginx/conf/auto-ssl/certs/x.wild.5xruby.com/privkey.pem --data cert=/usr/local/nginx/conf/auto-ssl/certs/x.wild.5xruby.com/cert.pem --data fullchain=/usr/local/nginx/conf/auto-ssl/certs/x.wild.5xruby.com/fullchain.pem http://127.0.0.1:11111/deploy-cert
curl: (22) The requested URL returned error: 500 Internal Server Error
+ echo 'hook request failed'
hook request failed
+ exit 1

in Nginx error log:

2017/05/09 11:03:07 [info] 4722#0: *62253 hooked mruby inline content code:

          Nginx.return -> do
            r = Nginx::Request.new

            if Userdata.new.auto_ssl_secret == Nginx::SSL::ACME.secret_token(r)
              cert_info = Nginx::SSL::ACME.deploy_cert_information r
              redis = Userdata.new.redis
              redis.mset "#{cert_info[:domain]}.key", cert_info[:key], "#{cert_info[:domain]}.crt", cert_info[:crt]
              Nginx.rputs "deploy cert ok"
              return Nginx::HTTP_OK
            end

            return Nginx::HTTP_UNAUTHORIZED
          end.call
        , client: 127.0.0.1, server: localhost, request: "POST /deploy-cert HTTP/1.1", host: "127.0.0.1:11111"
2017/05/09 11:03:07 [error] 4722#0: *62253 mrb_run failed: return 500 HTTP status code to client: error: INLINE CODE:7: not found key file: /usr/local/nginx/conf/auto-ssl/certs/x.wild.5xruby.com/privkey.pem (RuntimeError), client: 127.0.0.1, server: localhost, request: "POST /deploy-cert HTTP/1.1", host: "127.0.0.1:11111"
2017/05/09 11:03:07 [info] 4722#0: *62253 ngx_mruby INFO ngx_mrb_run:864: mrb_run info: rputs_chain is null and return NGX_OK, client: 127.0.0.1, server: localhost, request: "POST /deploy-cert HTTP/1.1", host: "127.0.0.1:11111"

The first problem is on my server: I cannot see any log of the command result here in the auto_accept_terms method, but the method itself returned without an exception.
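As an added illustration (not code from this thread or from ngx_mruby), the following plain-Ruby model of the /deploy-cert handler above shows why a key path that the nginx worker cannot read becomes the "not found key file ... (RuntimeError)" 500 in the log, and checks the hook secret before touching any file. The request shape (a Hash with :headers and :params), the Hash standing in for Redis, and the helper names are assumptions.

```ruby
# Constructed stand-in for the /deploy-cert handler on the 127.0.0.1:11111
# server in the thread's nginx.conf. Plain Ruby, not ngx_mruby: `request` is
# { headers: {...}, params: {...} } and `store` is a Hash standing in for Redis.
def deploy_cert(request, store, expected_secret)
  # Verify the hook secret first, before any file is read.
  given = request[:headers]["X-Hook-Secret"].to_s
  return [401, "unauthorized"] unless secure_compare(given, expected_secret)

  params = request[:params]
  domain = params["domain"].to_s
  return [400, "missing domain"] if domain.empty?

  # dehydrated's hook passes file *paths*, so the worker process (the user
  # nginx runs as) must be able to read them. A missing or unreadable file
  # surfaces as the "not found key file: ..." RuntimeError and a 500.
  begin
    key = read_pem(params["privkey"], "key file")
    crt = read_pem(params["fullchain"], "fullchain file")
  rescue RuntimeError => e
    return [500, e.message]
  end

  # Only store both halves once both were read successfully.
  store["#{domain}.key"] = key
  store["#{domain}.crt"] = crt
  [200, "deploy cert ok"]
end

# Read a PEM file by path; raise with the same wording the log shows when it
# is absent or unreadable, and refuse content that is not PEM at all.
def read_pem(path, label)
  raise "not found #{label}: #{path}" if path.nil? || !File.readable?(path.to_s)
  data = File.read(path)
  raise "not PEM #{label}: #{path}" unless data.start_with?("-----BEGIN ")
  data
end

# Constant-time comparison so the hook secret cannot be probed byte by byte.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end
```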

@yyamano
Collaborator

yyamano commented May 13, 2017

@ryudoawaru What files do you have in /usr/local/nginx/conf/auto-ssl/certs/x.wild.5xruby.com?

@yyamano
Collaborator

yyamano commented May 13, 2017

If you try yyamano@6228e90, you will get better logs.
I haven't tested it myself; I don't have a domain for the test.
