
Author Topic: HAProxy + Acme Timeout Error  (Read 131 times)


HAProxy + Acme Timeout Error
« on: November 23, 2017, 09:23:10 pm »
I have been trying to get this working all day with no luck. Hoping that posting here someone will be able to help me figure this out.

Followed doktornotor's post https://forum.pfsense.org/index.php?topic=101186.msg690924#msg690924

When I click renew/issue there is a timeout error in the logs. I also see an error in haproxy referencing the lua script.

I tried to post as much information as possible, hoping someone has seen this before and can point me in the right direction. I'm sure there is just some setting that I have wrong and that it is something simple, but I am not seeing it.

Thanks for the help.

acme_issuecert.log

[Thu Nov 23 20:08:54 CST 2017] curl exists=0
[Thu Nov 23 20:08:54 CST 2017] wget exists=127
[Thu Nov 23 20:08:54 CST 2017] _CURL='curl -L --silent --dump-header /tmp/acme/pfsense.gateway//http.header '
[Thu Nov 23 20:08:54 CST 2017] _ret='0'
[Thu Nov 23 20:08:54 CST 2017] original='{
  "type": "urn:acme:error:malformed",
  "detail": "Unable to update challenge :: The challenge is not pending.",
  "status": 400
}'
[Thu Nov 23 20:08:54 CST 2017] responseHeaders='HTTP/1.1 100 Continue
Expires: Fri, 24 Nov 2017 02:08:54 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache

HTTP/1.1 400 Bad Request
Server: nginx
Content-Type: application/problem+json
Content-Length: 132
Boulder-Requester: 5123731
Replay-Nonce: lnZRLdr7724IkUOd53cly6xyTmn3z1-R2aoPk634CNM
Expires: Fri, 24 Nov 2017 02:08:54 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Fri, 24 Nov 2017 02:08:54 GMT
Connection: close
'
[Thu Nov 23 20:08:54 CST 2017] response='{"type":"urn:acme:error:malformed","detail":"Unable to update challenge :: The challenge is not pending.","status": 400}'
[Thu Nov 23 20:08:54 CST 2017] code='400'

haproxy.cfg

# Automaticaly generated, dont edit manually.
# Generated on: 2017-11-23 19:46
global
        maxconn                 1000
        # 'level admin' permits runtime changes over this socket; keep its filesystem permissions tight
        stats socket /tmp/haproxy.socket level admin
        uid                     80
        gid                     80
        nbproc                  1
        # NOTE(review): with chroot set, the Lua script's io.open is presumably resolved inside this
        # directory, so the ACME webroot must be reachable from /tmp/haproxy_chroot (the script's
        # non_chroot_webroot is only for the non-chroot case) -- confirm against the script comments
        chroot                  /tmp/haproxy_chroot
        daemon
        tune.ssl.default-dh-param       2048
        server-state-file /tmp/haproxy_server_state
        # the ACME http-01 plugin; it registers the 'acme-http01' service used by the frontend below
        lua-load                /var/etc/haproxy/luascript_acme-http01-webroot.lua

listen HAProxyLocalStats
        # loopback only; the port is redacted in the post
        bind 127.0.0.1:#### name localstats
        mode http
        stats enable
        stats refresh 20
        # admin actions on the stats page are allowed unconditionally; this is only acceptable
        # because the bind above is restricted to 127.0.0.1
        stats admin if TRUE
        stats uri /haproxy/haproxy_stats.php?haproxystats=1
        timeout client 5000
        timeout connect 5000
        timeout server 5000

frontend ACME-Challenege
        # address redacted by the poster; port 80 is where the http-01 validator connects, so the
        # firewall must also allow inbound traffic to it (that was the thread's eventual fix)
        bind                    ###.###.###.### name ###.###.###.###:80
        mode                    http
        log                     global
        option                  http-keep-alive
        timeout client          30000
        # only GET requests under the challenge prefix are handed to the Lua service; no
        # default_backend appears in this listing, so other requests get no backend here
        acl                     url_acme_http01 path_beg -i /.well-known/acme-challenge/
        http-request use-service lua.acme-http01  if  METH_GET url_acme_http01

acme-http01-webroot.lua

-- ACME http-01 domain validation plugin for Haproxy 1.6+
-- copyright (C) 2015 Jan Broer
--

-- Plugin namespace. Deliberately a global: HAProxy's lua-load runs this file
-- once and the registration calls at the bottom reference it.
acme = {
        version = "0.1.1",
}

--
-- Configuration
--
-- When HAProxy is *not* configured with the 'chroot' option you must set an absolute path here and pass
-- that as 'webroot-path' to the letsencrypt client.
-- getKeyAuth appends "/.well-known/acme-challenge/<token>" to this value, so the empty
-- default resolves to the filesystem root (the chroot root when HAProxy is chrooted).
acme.conf = {
        non_chroot_webroot = "",
}

--
-- Startup
--
--- Init hook: log the plugin version once when HAProxy starts.
function acme.startup()
        local banner = "[acme] http-01 plugin v" .. acme.version
        core.Info(banner)
end

--
-- ACME http-01 validation endpoint
--
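--
-- ACME http-01 validation endpoint
--
-- Serves /.well-known/acme-challenge/<token>:
--   400 when the path carries no usable token,
--   404 when no key-authorization file exists for it,
--   200 with the file contents (plus a trailing newline) otherwise.
-- Only the last path segment is used, and it goes through sanitizeToken
-- before it is ever joined into a filesystem path.
--
acme.http01 = function(applet)
        local response = ""
        local reqPath = applet.path
        local src = applet.sf:src()
        -- everything after the final '/'
        local token = reqPath:match( ".+/(.*)$" )

        if token then
                token = sanitizeToken(token)
        end

        if (token == nil or token == '') then
                response = "bad request\n"
                applet:set_status(400)
                core.Warning("[acme] malformed request (client-ip: " .. tostring(src) .. ")")
        else
                -- 'local': the original leaked 'auth' as a global shared across requests
                local auth = getKeyAuth(token)
                if (auth:len() >= 1) then
                        response = auth .. "\n"
                        applet:set_status(200)
                        core.Info("[acme] served http-01 token: " .. token .. " (client-ip: " .. tostring(src) .. ")")
                else
                        response = "resource not found\n"
                        applet:set_status(404)
                        core.Warning("[acme] http-01 token not found: " .. token .. " (client-ip: " .. tostring(src) .. ")")
                end
        end

        applet:add_header("Server", "haproxy/acme-http01-authenticator")
        applet:add_header("Content-Length", string.len(response))
        applet:add_header("Content-Type", "text/plain")
        applet:start_response()
        applet:send(response)
end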

--
-- strip chars that are not in the URL-safe Base64 alphabet
-- see https://github.com/letsencrypt/acme-spec/blob/master/draft-barnes-acme.md
--
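--
-- strip chars that are not in the URL-safe Base64 alphabet
-- see https://github.com/letsencrypt/acme-spec/blob/master/draft-barnes-acme.md
--
-- Because '/', '.' and every other path character is removed, the result cannot
-- escape the challenge directory when getKeyAuth appends it to the webroot path.
-- The class also keeps '+' and '=', which are not base64url characters; that is
-- harmless for path safety, such tokens simply will not match a file.
--
-- @tparam string token last path segment of the request
-- @treturn string the token with disallowed characters removed (may be "")
--
function sanitizeToken(token)
        -- 'local': the original leaked the pattern as a global named _strip
        local strip = "[^%a%d%+%-%_=]"
        -- parenthesised so gsub's substitution count is not returned as a second value
        return (token:gsub(strip, ''))
end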

--
-- get key auth from token file
--
--
-- get key auth from token file
--
-- Returns the whole contents of <webroot>/.well-known/acme-challenge/<token>,
-- or "" when that file cannot be opened (the caller turns "" into a 404).
-- The io.open error message is deliberately discarded.
--
-- @tparam string token already sanitised token (see sanitizeToken)
-- @treturn string key authorization, or ""
--
function getKeyAuth(token)
        local dir = acme.conf.non_chroot_webroot .. "/.well-known/acme-challenge/"
        local fh = io.open(dir .. token, "rb")
        if not fh then
                return ""
        end
        local keyAuth = fh:read("*all")
        fh:close()
        return keyAuth
end

-- Hook the plugin into HAProxy: the init callback and the HTTP service named
-- 'acme-http01', which haproxy.cfg references as 'lua.acme-http01'.
local register_init, register_service = core.register_init, core.register_service
register_init(acme.startup)
register_service("acme-http01", "http", acme.http01)

system.log

Nov 23 19:46:51 gateway php-fpm[92184]: haproxy: reload old pid:39670
Nov 23 19:46:51 gateway php-fpm[92184]: haproxy: started new pid:96805
Nov 23 19:46:51 gateway php-fpm[92184]: haproxy: startup error output!: [info] 326/194651 (96259) : [acme] http-01 plugin v0.1.1

Acme settings

« Last Edit: November 23, 2017, 09:26:37 pm by cplmayo »

Re: HAProxy + Acme Timeout Error
« Reply #1 on: November 25, 2017, 04:49:45 pm »
Got it working today, firewall rule was blocking the traffic. Knew it would be something stupid that I missed.