Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Problems running standalone script #27

Open
afterthought opened this issue Jun 15, 2017 · 10 comments
Open

Problems running standalone script #27

afterthought opened this issue Jun 15, 2017 · 10 comments

Comments

@afterthought
Copy link

Hi there. I've been trying to work through issues on my own, but figured I would check in to see if you're still active on this project. I have it forked and am trying to boot up in docker. It seems to hang on me when reading the keypair from vault (which doesn't exist on first startup). In my analysis so far, it seems like the node-vault library isn't quite used right here. However, iced coffee is new to me and it seems that several people have used this successfully. Before I started hacking around too much I thought I'd ask for help. I wonder if a library version changed and the interface changed.

@doublerebel
Copy link
Member

Hi @afterthought , I am still using this I just haven't bumped the dependencies in a while.

There should be a bunch of information printed to the logs as it starts, can you copy and paste that here?

Also, you forked+cloned this repo, and did not install from npm? The npm package ten-ply-crest is published with the compiled javascript, it may be easier to install and require it as a normal module if you would like to try that first.

@afterthought
Copy link
Author

Good idea! I just tried it out using "npm install" and integrating using middleware instead. Definitely got further. The reason I originally thought to fork it was because I knew I needed to tweak the consul config. I have port 8500 setup using ssl with client auth. I see that node-consul doesn't support client auth in it's config. I also have port 8501 setup without TLS bound to the loopback. My ideal setup would be to connect to 8500 using ssl because that lets me more easily docker ten-ply-crest using simple bridge networking. Right now my only option is to use host networking and modify ten-ply-crest to use port 8501.

I know I can only get so far testing out locally with docker... It looks like I can start trying to set this up in our dev environment for real testing.

https://gist.github.com/afterthought/4b34f6033a369cc523f6e819057a0241

That gist is the server.js file I made to test the middleware and the resulting logs. It did err out I think with the consul watch. Maybe on the error listener since I'm starting this against vanilla consul/vault running in -dev mode. When I get this running on our servers instead we already have consul, fabio, and nomad all setup.

I'd be happy to type up some "getting started" docs as I go along here. I've read through a bunch of the code already. The parts that are still a little bit fuzzy are what exactly I need to have setup so the LE challenges work in terms of DNS, SSL, etc. Also the fabio integration. I assume that is using the fabio http/s certificate store type and that ten-ply-crest's API works seamlessly there.

I can see the version changes in the package dependencies. So that I can move forward, I will try to get my fork setup to be identical with version numbers. This will let me expose the consul port as an option....

Thanks, Chuck

@afterthought
Copy link
Author

Do you use VAULT_SKIP_VERIFY or are you adding trusted certs somehow for use when connecting to vault? That flag isn't working for me. I'd rather not use that anyway. We have self signed certificates and with other vault clients we just specify the "ca_cert"...

@afterthought
Copy link
Author

I have TLS working on vault and consul now. And I am able to fetch a certificate back from LE on the staging service.

Do you integrate with Fabio? Based on how I understand the code, I assume you use the http certificate store in fabio which will force certificate renewals 15 days before expiration. I can't figure out the http endpoint to use. /certs hangs on me. Any advice for this? Thanks!

@doublerebel
Copy link
Member

Oh great, glad you were able to get vault working! I do all this in Joyent SmartOS instances and not Docker images so my networking setup is pretty different.

Back when I did this, Fabio didn't have the cert store or Vault integration yet, and didn't proxy TCP. These days I'd probably use the Vault integration. I actually patched Fabio to enable routing */.well-known to a single app and I do my SSL termination with indutny/bud because it's super fast and allows me to dynamically proxy to TCP endpoints.

It looks like I haven't published the renewal logic for ten-ply-crest either.

I'll take a look at how Fabio does it now and ping back here with a recommendation. Let me know if you work it out and feel free to post here any further questions.

@afterthought
Copy link
Author

I was just trying to figure out the renewal... and started to realize it wasn't quite there. I setup the vault cert store and it worked first try, so that's cool. I'm pretty close now. Thanks for the link to the patch. I realized earlier tonight that such a feature would be needed. Or I'll be hard coding all my domains against ten-ply.

@doublerebel
Copy link
Member

Since you also find it useful, I can submit the config change as a PR to Fabio in the long-term. Ping me if you have any trouble with the patch.

@afterthought
Copy link
Author

fabiolb/fabio@e007d1e

@doublerebel
Copy link
Member

Excellent! Are there any pieces left or does that complete the integration for you?

@afterthought
Copy link
Author

Just the renewal logic. If you are too busy to push that I'll have to code something in. If you want to give me some pointers/direction it might be more useful as a pull request. I was trying to work it out and I think persisting the expiration on the cert model so a check can trigger the renewal makes sense. I see the consul watch seem to trigger quite frequently. I'm not sure if we'd use that to trigger a renewal function after the check for new domains?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants