
[BUG] ACME tool not able to get new certificates #307

Closed
pkirsche opened this issue Sep 16, 2024 · 7 comments
Labels: bug (Something isn't working), docker (This issue related to docker version of zoraxy)

Comments

@pkirsche (Author) opened this issue Sep 16, 2024

Describe the bug
Trying to create a wildcard certificate within zoraxy for my domain using the DNS challenge with Cloudflare fails with the latest version. In the past, I was able to perform this task without problems.

During the attempt, I receive the following log entries from zoraxy:

zoraxy  | [2024-09-16 10:38:44.399504] [ACME] [system:info] Obtaining certificate for: *.********.de
zoraxy  | [2024-09-16 10:38:44.399714] [ACME] [system:info] Using https://acme-v02.api.letsencrypt.org/directory for CA Directory URL
zoraxy  | [2024-09-16 10:38:44.878095] [ACME] [system:error] Failed to spawn new ACME client from current config: get directory at 'https://acme-v02.api.letsencrypt.org/directory': Get "https://acme-v02.api.letsencrypt.org/directory": tls: failed to verify certificate: x509: certificate signed by unknown authority

As far as I can say, it looks like the local request from zoraxy doesn't trust the delivered (CA) certificate of https://acme-v02.api.letsencrypt.org/directory anymore. So I checked the certificate served by this page and indeed, it has been reissued on the 4th of September this year.
After some research, I found this article:
https://developers.cloudflare.com/ssl/reference/migration-guides/lets-encrypt-chain/#lets-encrypt-chain-update

I'm not really sure if this is related to my actual issue, but the following block got my attention:
"The expiration of the cross-signed chain will primarily affect older devices, for example Android 7.0 and earlier. Systems that solely rely on the cross-signed chain, lacking the ISRG Root X1 chain in their trust store, will also be affected."

Might it be possible that we don't have this latest root certificate within the certificate store of the current docker image, and that's causing the call to the ACME directory to fail because of an untrusted TLS connection due to a (new) root CA that is not trusted?

To Reproduce
Steps to reproduce the behavior:
Use the ACME tool within zoraxy and try to create a (wildcard) certificate from Let's Encrypt using the DNS challenge.

Expected behavior
Certificates are generated and deployed inside zoraxy successfully and automatically.

@pkirsche pkirsche added the bug Something isn't working label Sep 16, 2024
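The hypothesis in the report above (the Go TLS client in the image has no root that anchors the chain served by the ACME endpoint) can be reproduced in isolation. The following is an added example written for this page, not code from the issue or from the Zoraxy project: it builds a throwaway self-signed root and a leaf signed by it (constructed names, "Example Root CA" and "acme.example.test", with no relation to the real Let's Encrypt chain), verifies the leaf against an empty trust store to trigger Go's `x509: certificate signed by unknown authority` (the inner error of the `tls: failed to verify certificate:` log line), verifies again with the root present, and scans a PEM bundle for a root by subject common name, which is the check you would run against `/etc/ssl/certs/ca-certificates.crt` inside the container for "ISRG Root X1".

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// template returns a minimal certificate template valid for one day.
func template(serial int64, cn string) *x509.Certificate {
	now := time.Now()
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
	}
}

// buildTestPKI generates a throwaway self-signed root CA and a server leaf for
// host signed by it, both PEM encoded. Names are constructed for this example.
func buildTestPKI(rootCN, host string) (rootPEM, leafPEM []byte, err error) {
	rootKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	root := template(1, rootCN)
	root.IsCA, root.BasicConstraintsValid, root.KeyUsage = true, true, x509.KeyUsageCertSign
	rootDER, err := x509.CreateCertificate(rand.Reader, root, root, &rootKey.PublicKey, rootKey)
	if err != nil {
		return nil, nil, err
	}
	rootCert, err := x509.ParseCertificate(rootDER)
	if err != nil {
		return nil, nil, err
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	leaf := template(2, host)
	leaf.DNSNames = []string{host}
	leaf.KeyUsage = x509.KeyUsageDigitalSignature
	leaf.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	leafDER, err := x509.CreateCertificate(rand.Reader, leaf, rootCert, &leafKey.PublicKey, rootKey)
	if err != nil {
		return nil, nil, err
	}
	enc := func(der []byte) []byte { return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}) }
	return enc(rootDER), enc(leafDER), nil
}

// verifyServerCert mirrors what crypto/tls does for a server certificate: chain
// leafPEM to a root in bundlePEM and check the hostname. Roots is an explicit
// pool, so an empty bundle means "no trusted roots", not the system store.
func verifyServerCert(leafPEM, bundlePEM []byte, host string) error {
	block, _ := pem.Decode(leafPEM)
	if block == nil {
		return errors.New("leaf: no PEM certificate found")
	}
	leaf, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return err
	}
	roots := x509.NewCertPool()
	roots.AppendCertsFromPEM(bundlePEM)
	_, err = leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

// isUnknownAuthority reports whether err is x509's "certificate signed by
// unknown authority", i.e. no root in the pool anchors the chain.
func isUnknownAuthority(err error) bool {
	var uae x509.UnknownAuthorityError
	return errors.As(err, &uae)
}

// bundleHasSubjectCN scans a PEM bundle (e.g. /etc/ssl/certs/ca-certificates.crt)
// and reports whether any certificate in it has the given subject common name.
func bundleHasSubjectCN(bundlePEM []byte, cn string) bool {
	for {
		var block *pem.Block
		if block, bundlePEM = pem.Decode(bundlePEM); block == nil {
			return false
		}
		if c, err := x509.ParseCertificate(block.Bytes); block.Type == "CERTIFICATE" && err == nil && c.Subject.CommonName == cn {
			return true
		}
	}
}

func main() {
	rootPEM, leafPEM, err := buildTestPKI("Example Root CA", "acme.example.test")
	if err != nil {
		panic(err)
	}
	err = verifyServerCert(leafPEM, nil, "acme.example.test")
	fmt.Printf("empty trust store: %v (unknown authority: %v)\n", err, isUnknownAuthority(err))
	fmt.Printf("root in trust store: err=%v\n", verifyServerCert(leafPEM, rootPEM, "acme.example.test"))
	fmt.Printf("bundle has Example Root CA: %v\n", bundleHasSubjectCN(rootPEM, "Example Root CA"))
}
```

To check a real container, read the bundle file with `os.ReadFile` and pass it to `bundleHasSubjectCN(bundle, "ISRG Root X1")`; a `false` there, while the ACME directory verifies fine on a host whose bundle contains that root, is the "missing root" condition the report suspects. A hostname mismatch produces a different error type, so `isUnknownAuthority` distinguishes the trust-store problem from other TLS failures.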
@pkirsche (Author) commented Sep 16, 2024

It seems to really be an issue with the CA certificates bundled within the docker image being outdated (or something else related to them).
After installing the ca-certificates bundle directly from inside the container, I was able to generate the certificates without any problems using zoraxy and the ACME tool.

I also see the same error ("certificate signed by unknown authority") when testing my email settings. My mail server also uses TLS.
So it seems that the whole CA certificate handling is currently broken within the docker image?

@silycr commented Sep 16, 2024

I also faced the same issue.
Docker with latest tag.
I've updated ca-certificates in the container and issued a domain certificate, also using Cloudflare with the DNS challenge:
$ apt install ca-certificates && update-ca-certificates

Docker logs:
[2024-09-16 22:01:24.163143] [ACME] [system:info] Obtaining certificate for: *dom*.*ain*
[2024-09-16 22:01:24.163527] [ACME] [system:info] Using https://acme-v02.api.letsencrypt.org/directory for CA Directory URL
[2024-09-16 22:01:28.666026] [ACME] [system:error] Failed to spawn new ACME client from current config: get directory at 'https://acme-v02.api.letsencrypt.org/directory': Get "https://acme-v02.api.letsencrypt.org/directory": tls: failed to verify certificate: x509: certificate signed by unknown authority

Can the certificates be updated on start of the container, and/or periodically?

@tobychui tobychui added the docker This issue related to docker version of zoraxy label Sep 16, 2024
@tobychui (Owner) commented

@PassiveLemon would you mind taking a look at this at your convenience? Thanks!

@PassiveLemon (Collaborator) commented

Hmm, this is interesting. Did this work on the previous Alpine based images?

@pkirsche (Author) commented

@PassiveLemon The issue didn't exist in 3.1.0 but exists within 3.1.1r2 (maybe other versions between 3.1.0 and 3.1.1r2, but there are no other versions on Docker Hub).

Due to the fact that the same error message (unknown authority) also causes an error when trying to send a test email via my mail server using TLS, I could verify this.

So it must be some change in the latest image 3.1.1r2, or at least later than 3.1.0.
In 3.1.0 TLS and CA certs are OK.

@PassiveLemon (Collaborator) commented

I can recreate this issue, I will look into it.

@RTechSn commented Nov 2, 2024

I've just fresh-installed Zoraxy with docker-compose, and I get this error.


5 participants