Problems running standalone script #27
Comments
|
Hi @afterthought , I am still using this I just haven't bumped the dependencies in a while. There should be a bunch of information printed to the logs as it starts, can you copy and paste that here? Also, you forked+cloned this repo, and did not install from |
|
Good idea! I just tried it out using "npm install" and integrating using middleware instead. Definitely got further. The reason I originally thought to fork it was because I knew I needed to tweak the consul config. I have port 8500 setup using ssl with client auth. I see that node-consul doesn't support client auth in it's config. I also have port 8501 setup without TLS bound to the loopback. My ideal setup would be to connect to 8500 using ssl because that lets me more easily docker ten-ply-crest using simple bridge networking. Right now my only option is to use host networking and modify ten-ply-crest to use port 8501. I know I can only get so far testing out locally with docker... It looks like I can start trying to set this up in our dev environment for real testing. https://gist.github.com/afterthought/4b34f6033a369cc523f6e819057a0241 That gist is the server.js file I made to test the middleware and the resulting logs. It did err out I think with the consul watch. Maybe on the error listener since I'm starting this against vanilla consul/vault running in -dev mode. When I get this running on our servers instead we already have consul, fabio, and nomad all setup. I'd be happy to type up some "getting started" docs as I go along here. I've read through a bunch of the code already. The parts that are still a little bit fuzzy are what exactly I need to have setup so the LE challenges work in terms of DNS, SSL, etc. Also the fabio integration. I assume that is using the fabio http/s certificate store type and that ten-ply-crest's API works seamlessly there. I can see the version changes in the package dependencies. So that I can move forward, I will try to get my fork setup to be identical with version numbers. This will let me expose the consul port as an option.... Thanks, Chuck |
|
Do you use VAULT_SKIP_VERIFY or are you adding trusted certs somehow for use when connecting to vault? That flag isn't working for me. I'd rather not use that anyway. We have self signed certificates and with other vault clients we just specify the "ca_cert"... |
|
I have TLS working on vault and consul now. And I am able to fetch a certificate back from LE on the staging service. Do you integrate with Fabio? Based on how I understand the code, I assume you use the http certificate store in fabio which will force certificate renewals 15 days before expiration. I can't figure out the http endpoint to use. /certs hangs on me. Any advice for this? Thanks! |
|
Oh great, glad you were able to get vault working! I do all this in Joyent SmartOS instances and not Docker images so my networking setup is pretty different. Back when I did this, Fabio didn't have the cert store or Vault integration yet, and didn't proxy TCP. These days I'd probably use the Vault integration. I actually patched Fabio to enable routing It looks like I haven't published the renewal logic for ten-ply-crest either. I'll take a look at how Fabio does it now and ping back here with a recommendation. Let me know if you work it out and feel free to post here any further questions. |
|
I was just trying to figure out the renewal... and started to realize it wasn't quite there. I setup the vault cert store and it worked first try, so that's cool. I'm pretty close now. Thanks for the link to the patch. I realized earlier tonight that such a feature would be needed. Or I'll be hard coding all my domains against ten-ply. |
|
Since you also find it useful, I can submit the config change as a PR to Fabio in the long-term. Ping me if you have any trouble with the patch. |
|
Excellent! Are there any pieces left or does that complete the integration for you? |
|
Just the renewal logic. If you are too busy to push that I'll have to code something in. If you want to give me some pointers/direction it might be more useful as a pull request. I was trying to work it out and I think persisting the expiration on the cert model so a check can trigger the renewal makes sense. I see the consul watch seem to trigger quite frequently. I'm not sure if we'd use that to trigger a renewal function after the check for new domains? |
Hi there. I've been trying to work through issues on my own, but figured I would check in to see if you're still active on this project. I have it forked and am trying to boot up in docker. It seems to hang on me when reading the keypair from vault (which doesn't exist on first startup). In my analysis so far, it seems like the node-vault library isn't quite used right here. However, iced coffee is new to me and it seems that several people have used this successfully. Before I started hacking around too much I thought I'd ask for help. I wonder if a library version changed and the interface changed.
The text was updated successfully, but these errors were encountered: