ACME Cert approval.

Joined
Apr 3, 2015
Messages
8
I am currently trying to leverage the internal ACME plugin to secure the UI and REST endpoints with SSL. I am doing the following:

1. Create an ACME authenticator with my Route53 information
2. Creating a CSR
3. Try to approve CSR with ACME

When we get to step 3 I get an exception:
Code:
Error: Traceback (most recent call last):
  File "/usr/local/lib/python3.7/site-packages/middlewared/job.py", line 349, in run
    await self.future
  File "/usr/local/lib/python3.7/site-packages/middlewared/job.py", line 385, in __run_body
    rv = await self.method(*([self] + args))
  File "/usr/local/lib/python3.7/site-packages/middlewared/schema.py", line 961, in nf
    return await f(*args, **kwargs)
  File "/usr/local/lib/python3.7/site-packages/middlewared/plugins/crypto.py", line 1279, in do_create
    job, data
  File "/usr/local/lib/python3.7/site-packages/middlewared/utils/run_in_thread.py", line 10, in run_in_thread
    return await self.loop.run_in_executor(self.run_in_thread_executor, functools.partial(method, *args, **kwargs))
  File "/usr/local/lib/python3.7/site-packages/middlewared/utils/io_thread_pool_executor.py", line 25, in run
    result = self.fn(*self.args, **self.kwargs)
  File "/usr/local/lib/python3.7/site-packages/middlewared/schema.py", line 965, in nf
    return f(*args, **kwargs)
  File "/usr/local/lib/python3.7/site-packages/middlewared/plugins/crypto.py", line 1325, in __create_acme_certificate
    final_order = self.acme_issue_certificate(job, 25, data, csr_data)
  File "/usr/local/lib/python3.7/site-packages/middlewared/plugins/crypto.py", line 956, in acme_issue_certificate
    normalised_san = ':'.join(self.middleware.call_sync('cryptokey.normalize_san', [domain]))
TypeError: sequence item 0: expected str instance, list found


This seems like it would be easy to fix. Has anyone else encountered or fixed this?
 
Joined
Apr 3, 2015
Messages
8
So if I change line 956 of /usr/local/lib/python3.7/site-packages/middlewared/plugins/crypto.py:
from:
normalised_san = ':'.join(self.middleware.call_sync('cryptokey.normalize_san', [domain]))
to:
normalised_san = ':'.join(str(self.middleware.call_sync('cryptokey.normalize_san', [domain])))

then:
service middlewared restart

It works.
 

dparker

Cadet
Joined
Nov 28, 2018
Messages
1
I ran into this too. It is also broken when requesting wildcard certs. I changed line 976 from:
if '*' in domain and not domain.startswith('*.'):
to:
if '*' in domain and not domain.startswith('DNS:*.'):

And after service middlewared restart, it worked for me.
 

watmin

Cadet
Joined
Feb 23, 2021
Messages
3
So if I change line 956 of /usr/local/lib/python3.7/site-packages/middlewared/plugins/crypto.py:
from:
normalised_san = ':'.join(self.middleware.call_sync('cryptokey.normalize_san', [domain]))
to:
normalised_san = ':'.join(str(self.middleware.call_sync('cryptokey.normalize_san', [domain])))

then:
service middlewared restart

It works.

This worked for me, can we get this committed so it doesn't get lost on update?
 

watmin

Cadet
Joined
Feb 23, 2021
Messages
3
Taking that back for the moment, got the error to go away and the cert to go into pending. Not sure why it's stuck.
 

watmin

Cadet
Joined
Feb 23, 2021
Messages
3
Tried again with the str cast diff and correctly chose the prod flavor of Let's Encrypt. Thanks for the diff.
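
An added illustration, not part of the thread or of the middleware's own code: it reproduces the TypeError from the traceback and shows what the original join, the str() cast and a join over the first returned entry each evaluate to, next to the two wildcard checks quoted in the thread. normalize_san below is a constructed stand-in; its [type, value] return shape is an assumption inferred from the traceback, and first_entry_join is a hypothetical alternative.

```python
# Constructed stand-in for cryptokey.normalize_san. ASSUMPTION: it returns one
# [type, value] pair per name; the traceback only proves item 0 is a list.
def normalize_san(san_list):
    pairs = []
    for san in san_list:
        san_type, value = san.split(':', 1) if ':' in san else ('DNS', san)
        pairs.append([san_type, value])
    return pairs


def original_join(domain):
    # Line 956 as shipped: join() receives a list of lists -> TypeError.
    return ':'.join(normalize_san([domain]))


def str_cast_join(domain):
    # The str() edit from the thread: join() now iterates the characters of
    # the list's repr, so the exception goes away but the value is not a SAN.
    return ':'.join(str(normalize_san([domain])))


def first_entry_join(domain):
    # Hypothetical alternative: join the single [type, value] pair itself.
    return ':'.join(normalize_san([domain])[0])


def wildcard_rejected_original(name):
    # Line 976 as quoted in the thread.
    return '*' in name and not name.startswith('*.')


def wildcard_rejected_edited(name):
    # Line 976 after the edit quoted in the thread.
    return '*' in name and not name.startswith('DNS:*.')


if __name__ == '__main__':
    print(repr(str_cast_join('example.com')))
    print(first_entry_join('*.example.com'))
    for name in ('*.example.com', 'DNS:*.example.com', 'DNS:a*.example.com'):
        print(name, wildcard_rejected_original(name), wildcard_rejected_edited(name))
```

Printing the value that reaches the later checks shows whether an edit changed the SAN string or only silenced the exception.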
 