Update lets-proxy to lets-proxy2 with inplace change binary #132

Closed
realleoman opened this issue Jun 25, 2020 · 14 comments
Labels
enhancement New feature or request

Comments


realleoman commented Jun 25, 2020

@rekby

Since Let's Encrypt deprecated the V1 API this month, I'm having a hard time making my lets-proxy work (I'm using this version: v0.15.1.9 commit 5092600a725e48e16abae6e8cb7134e9244c1ce6 os=linux-amd64).

This is one of the entries in my log:

```
time="2020-06-25T22:09:17Z" level=error msg="Can't create new authorization for domain 'hvacservicehouston.com': HTTP error: 403 Forbidden\nmap[Date:[Thu, 25 Jun 2020 22:09:12 GMT] Content-Type:[application/problem+json] Content-Length:[230] Boulder-Requester:[54508640] Cache-Control:[public, max-age=0, no-cache] Replay-Nonce:[0002VNfonRNGw9QGfcKd-ZTo05afir-QEwOCdfFXGA-Ez8U] Server:[nginx]]\n{\n \"type\": \"urn:acme:error:unauthorized\",\n \"detail\": \"Error creating new authz :: Validations for new domains are disabled in the V1 API (https://community.letsencrypt.org/t/end-of-life-plan-for-acmev1/88430)\",\n \"status\": 403\n}"
```

and this is the script I used to run it as a service on my Ubuntu box:

```sh
./lets-proxy --service-name=lets-proxy --service-action=stop
./lets-proxy \
	-allowed-ips=1.1.1.1 \
	--service-name=lets-proxy \
	--service-action=reinstall \
	-in-memory-cnt=20000 \
	-real-ip-header=X-Forwarded-For \
	-loglevel=warning \
	-logout=log/lets-proxy.log \
	-logrotate-count=2
./lets-proxy --service-name=lets-proxy --service-action=start
```

Then I updated the script to use a new ACME server by adding the -acme-server parameter:

```sh
./lets-proxy --service-name=lets-proxy --service-action=stop
./lets-proxy \
	-allowed-ips=1.1.1.1 \
	--service-name=lets-proxy \
	--service-action=reinstall \
	-in-memory-cnt=20000 \
	-acme-server="https://acme-v02.api.letsencrypt.org/directory" \
	-real-ip-header=X-Forwarded-For \
	-loglevel=warning \
	-logout=log/lets-proxy.log \
	-logrotate-count=2
./lets-proxy --service-name=lets-proxy --service-action=start
```

but now I'm getting these errors:

```
time="2020-06-25T22:56:18Z" level=error msg="Can't get acme client for authorize domain 'hvacservicehouston.com': context deadline exceeded"
time="2020-06-25T22:56:18Z" level=error msg="Can't get acme client for authorize domain 'www.hvacservicehouston.com': context deadline exceeded"
time="2020-06-25T22:56:18Z" level=error msg="Retrieve certificate for domains '[hvacservicehouston.com www.hvacservicehouston.com]' has error 'Authorized domains doesn't contain main domain', create temporary self-signed certificate"
```

I installed lets-proxy2 (Version: 'v0.23.11+build-837, Build time 2020-03-07 22:24:36+00:00, commit 9307175, go version go1.10 linux/amd64', Os: 'linux', Arch: 'amd64') but I'm stuck on how to configure the config_default.toml file to use the same values as I am using with the current setup.

Please help, I'm stuck on that and ACME V1 will be disconnected in a few more days.

@rekby rekby added the enhancement New feature or request label Jun 26, 2020
rekby (Owner) commented Jun 26, 2020

Hello.

Yes, I understand your problem.
The first version of lets-proxy is very difficult to support, including adding the new ACME protocol, and it isn't supported yet.

I see how I can support the old command-line parameters, so that updating is a matter of changing the binary in place.

For config:
config_default.toml is only an example of the default values. It isn't parsed at runtime.
For configuration, create the file config.toml (or specify the config path with the --config flag). In config.toml you only need to set the values that differ from the defaults.

For example, your config would be the same as this config.toml:

```toml
[Log]
LogLevel = "warning"
File = "log/lets-proxy.log"
MaxCount = 2

[Proxy]
Headers = [ "X-Forwarded-For:{{SOURCE_IP}}" ]

[CheckDomains]
IPWhiteList = "1.1.1.1"
```

@rekby rekby changed the title Let's Encrypt ACME V02 support for let's proxy Update lets-proxy to lets-proxy2 with inplace change binary Jun 26, 2020
realleoman (Author) commented

@rekby Thank you for your answer. Also, one last thing:

How can I run lets-proxy2 as a service? I mean, using the commands below with the new version?

```
--service-name=lets-proxy --service-action=reinstall
```

realleoman (Author) commented Jun 26, 2020

Hi @rekby

I was able to run it using a custom config.toml file and I started lets-proxy2 using this command:

```sh
./lets-proxy -config config.toml
```

Here is the config file I used:
config.toml

The log file was showing a lot of errors like the ones below (some lines are cut off in my copy):

```
2020-06-26T16:37:58.410Z	error	domain_checker/ip_list_sources.go:131	Get ipv6	{"mac": "12:c8:18:aa:09:16", "ipv6": "", "error": "EC2MetadataError: failed to make EC2Metadata request\n\tstatus code: 404, request id: \ncaused by: <?xml version=\"1.0\" encoding=\"iso-8859-1\"?>\n<!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.0 Transitional//EN\"\n\t\t \"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd\">\n<html xmlns=\"http://www.w3.org/1999/xhtml\" xml:lang=\"en\" lang=\"en\">\n <head>\n  <title>404 - Not Found</title>\n </head>\n <body>\n  <h1>404 - Not Found</h1>\n </body>\n</html>\n"}

2020-06-26T17:30:59.757Z	error	cert_manager/manager.go:498	accept authorization	{"connection_id": "c204136c-097c-4074-bdde-f3bea5b916d5", "domain": "hawaiiangrillmo.com (punycode:hawaiiangrillmo.com)", "cert_name": "hawaiiangrillmo.com.ecdsa", "domain": "hawaiiangrillmo.com (punycode:hawaiiangrillmo.com)", "authorized_challenge": null, "error": "400 : <html>\r\n<head><title>400 Bad Request</title></head>\r\n<body>\r\n<center><h1>400 Bad Request</h1></center>\r\n<hr><center>nginx</center>\r\n</body>\r\n<

2020-06-26T16:38:54.277Z	error	cert_manager/manager.go:610	Got certificate key from cache and reuse old key	{"connection_id": "4ba9707e-c681-4023-99b9-df33067fb01c", "domain": "www.locksmithwestland.com (punycode:www.locksmithwestland.com)", "cert_name": "locksmithwestland.com.ecdsa", "error": "lets proxy: cache miss"}

2020-06-26T17:30:59.857Z	dpanic	cert_manager/cert-state.go:51	Must be cert exactly one: cert or last error. Cert set as nil.	{"connection_id": "31d1f03c-e30f-4e40-877c-dd46f43d6573", "domain": "www.pueblonuevomexicanrestaurant.com (punycode:www.pueblonuevomexicanrestaurant.com)", "cert_name": "

2020-06-26T17:30:59.857Z	dpanic	cert_manager/manager.go:924	Panic handled	{"connection_id": "31d1f03c-e30f-4e40-877c-dd46f43d6573", "domain": "www.pueblonuevomexicanrestaurant.com (punycode:www.pueblonuevomexicanrestaurant.com)", "panic": "runtime error: invalid memory address or nil pointer dereference"}
```

Then, the files that were generated in the certificates folder look like this:

```
autorestorationserviceorange.com.ecdsa.cer
autorestorationserviceorange.com.ecdsa.key
behealthystayfitbistro.com.ecdsa.cer
behealthystayfitbistro.com.ecdsa.key
championssportsbargrillny.com.ecdsa.cer
championssportsbargrillny.com.ecdsa.key
```

No .crt, no .key were generated for the domains.

Thank you very much for your help again!!

rekby (Owner) commented Jun 26, 2020

> How can I run lets-proxy2 as a service? I mean, using the commands below with the new version?

lets-proxy2 doesn't have a self-contained installer (and has no installer at all now).
If your Linux has systemd, you can get a .service file from https://github.com/rekby/lets-proxy2/wiki
If you don't have systemd, you have to create your own wrapper script to start lets-proxy2.

> No .crt, no .key were generated for the domains.

.cer is the same as .crt: it is the public certificate file.
.key is .key; lets-proxy2 supports two cert/key algorithms, RSA and ECDSA, and the suffixes are now .ecdsa.key/.rsa.key/.ecdsa.cer/.rsa.cer

And I created two issues from your log:
#133
#134

adviserportals commented

@rekby we've also been using 'lets-proxy', which uses ACMEv1. It looks like this has now been deprecated by Let's Encrypt, and since the 14th of July we've been unable to issue certificates, new and renewals.

Is there a suggested way to upgrade to 'lets-proxy2'? Or is it a case of removing 'lets-proxy' and then implementing 'lets-proxy2'?

Any tips on best practice here would be appreciated as I don't want to affect the certificates we've already issued on the server.

Thanks for your help.

adviserportals commented

@realleoman what process did you use to compile the lets-proxy executable? Normally I'd use go build but this setup seems a little different. I'm using it on Linux Ubuntu 16.04 and 18.04.

Cheers

adviserportals commented

> @realleoman what process did you use to compile the lets-proxy executable? Normally I'd use go build but this setup seems a little different. I'm using it on Linux Ubuntu 16.04 and 18.04.
>
> Cheers

I think I've found the releases here - https://github.com/rekby/lets-proxy2/releases

Cheers

realleoman (Author) commented

@adviserportals Yeah, I used the releases already compiled by @rekby. They worked great at my end.

adviserportals commented

> @adviserportals Yeah, I used the releases already compiled by @rekby. They worked great at my end.

I've just got this working on my test environment, it's great. Setting up as a service is definitely the way to go.

I just need to figure out whitelisting domains now...

rekby (Owner) commented Jul 17, 2020

@adviserportals there are no special instructions for it now, and you need to reconfigure lets-proxy2 from scratch.

I'm thinking about adding support for the lets-proxy flags for backward compatibility.
lets-proxy2 doesn't support all functions of lets-proxy:

1. It doesn't support daemon mode (not needed if you use systemd)
2. KeepAlive settings for the backend
3. Setting the accepted SSL/TLS versions
4. Disabling IDN decoding of domains in the log
5. Setting the key length
6. Proxying in TCP mode
7. Self-install
8. Removing the Expect header

If you don't use any of these, I can add support for the other flags (or flag stubs) so the binary can be changed in place. But I can't test it in my environment because I don't use lets-proxy now.
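As an added illustration of the flag-to-config mapping rekby gave earlier in this thread and of the unsupported-feature list in this comment (this is not code from the project or from anyone in the thread), here is a small Python helper that reads an old lets-proxy service command, emits only the config.toml entries rekby listed, and reports every other flag for manual review instead of guessing a key. The mapping table, the constructed sample command and the review messages are assumptions drawn solely from this thread; the lets-proxy2 wiki remains the reference for anything not covered here.

```python
import json
import shlex

# Constructed sample: the service-install command from the issue above, trimmed.
SAMPLE_CMD = """./lets-proxy \\
    -allowed-ips=1.1.1.1 --service-name=lets-proxy --service-action=reinstall \\
    -in-memory-cnt=20000 -real-ip-header=X-Forwarded-For -loglevel=warning \\
    -logout=log/lets-proxy.log -logrotate-count=2"""

# flag -> (section, key), taken from rekby's config.toml reply in this thread (assumption).
FLAG_MAP = {
    "loglevel": ("Log", "LogLevel"),
    "logout": ("Log", "File"),
    "logrotate-count": ("Log", "MaxCount"),
    "allowed-ips": ("CheckDomains", "IPWhiteList"),
}
UNSUPPORTED = {"service-name", "service-action"}  # lets-proxy2 has no self-installer

def parse_flags(cmdline):
    """Return {name: value} for every -flag=value / --flag=value token."""
    flags = {}
    for tok in shlex.split(cmdline.replace("\\\n", " "))[1:]:  # skip argv[0]
        if tok.startswith("-"):
            name, _, value = tok.lstrip("-").partition("=")
            flags[name] = value
    return flags

def convert(flags):
    """Map old flags to config.toml sections; anything unmapped is reported, not guessed."""
    sections, review = {}, []
    for name, value in flags.items():
        if name in UNSUPPORTED:
            review.append(f"{name}: not supported, use a systemd unit instead")
        elif name == "real-ip-header":
            # v2 expresses the real-IP header as a Proxy header template.
            sections.setdefault("Proxy", {})["Headers"] = [f"{value}:{{{{SOURCE_IP}}}}"]
        elif name in FLAG_MAP:
            sec, key = FLAG_MAP[name]
            sections.setdefault(sec, {})[key] = int(value) if value.isdigit() else value
        else:
            review.append(f"{name}: no mapping given in the thread, set manually")
    return sections, review

def render_toml(sections):
    """Emit only the changed values; JSON scalars and string arrays are valid TOML here."""
    out = []
    for sec, kv in sections.items():
        out.append(f"[{sec}]")
        out.extend(f"{k} = {json.dumps(v)}" for k, v in kv.items())
    return "\n".join(out)
```

Running `convert(parse_flags(SAMPLE_CMD))` reproduces rekby's three sections and flags `-in-memory-cnt` and the two service flags for manual handling.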

adviserportals commented

@rekby thanks for coming back, that's useful information.

Having backwards compatibility may not be necessary. Maybe more of a 'nice to have' than 'essential'.

I suppose just removing all the current lets-proxy files and then implementing the new lets-proxy2 files would be enough without causing issues?

It would then just be a case of re-issuing all the certificates with the new software, which should be fine?

adviserportals commented

I have my own custom config.toml file running with some updated values, which is great.

I cannot figure out how to whitelist domains though. Is there a specific format these should be in, or can it be in a separate file like in v1?

rekby (Owner) commented Dec 7, 2022

Sorry for being two years late :((

I didn't see the question.

Lets-proxy2 allows setting domain filters in the config, with the options BlackList and WhiteList in the "CheckDomains" section.

@rekby rekby closed this as completed Dec 7, 2022
adviserportals commented

That's great - Thanks for letting me know 👍
