
Deploy Hook Strongswan.sh doesn't account for _ecc directory names - fails to place certs #4480

Open
rotor-head opened this issue Jan 30, 2023 · 4 comments

Comments

@rotor-head

rotor-head commented Jan 30, 2023

Steps to reproduce

Issue cert on Ubiquiti EdgeRouter then deploy to strongswan.

Domain string is appended with _ecc. The strongswan.sh deploy script uses basename to build the file path; however, the resulting .key and .cer file names exclude the _ecc in the actual filename. This causes the cat command to fail with "file not found".

See snippet of log below for details in this case.

Debug log

acme.sh  --deploy .....  --deploy-hook strongswan --debug 2

Running cmd: deploy
https://github.com/acmesh-official/acme.sh
v3.0.6
[Sun Jan 29 21:06:59 CST 2023] Running cmd: deploy
[Sun Jan 29 21:06:59 CST 2023] Using config home:/config/.acme.sh
[Sun Jan 29 21:06:59 CST 2023] default_acme_server
[Sun Jan 29 21:06:59 CST 2023] ACME_DIRECTORY='https://acme.zerossl.com/v2/DV90'
[Sun Jan 29 21:06:59 CST 2023] _ACME_SERVER_HOST='acme.zerossl.com'
[Sun Jan 29 21:06:59 CST 2023] _ACME_SERVER_PATH='v2/DV90'
[Sun Jan 29 21:06:59 CST 2023] DOMAIN_PATH='/config/.acme.sh/rt-1.clientfqdn-redacted.com_ecc'
[Sun Jan 29 21:06:59 CST 2023] _deployApi='/config/.acme.sh/deploy/strongswan.sh'
[Sun Jan 29 21:06:59 CST 2023] Using strongswan
[Sun Jan 29 21:06:59 CST 2023] _ipsec='/usr/sbin/ipsec'
[Sun Jan 29 21:06:59 CST 2023] _confdir='/etc'
[Sun Jan 29 21:06:59 CST 2023] _cdomain='rt-1.clientfqdn-redacted.com_ecc'
[Sun Jan 29 21:06:59 CST 2023] _ckey='/config/.acme.sh/rt-1.clientfqdn-redacted.com_ecc/rt-1.clientfqdn-redacted.com_ecc.key'
[Sun Jan 29 21:06:59 CST 2023] _ccert='/config/.acme.sh/rt-1.clientfqdn-redacted.com_ecc/rt-1.clientfqdn-redacted.com_ecc.cer'
[Sun Jan 29 21:06:59 CST 2023] _cca='/config/.acme.sh/rt-1.clientfqdn-redacted.com_ecc/ca.cer'
[Sun Jan 29 21:06:59 CST 2023] _cfullchain='/config/.acme.sh/rt-1.clientfqdn-redacted.com_ecc/fullchain.cer'
cat: can't open '/config/.acme.sh/rt-1.clientfqdn-redacted.com_ecc/rt-1.clientfqdn-redacted.com_ecc.key': No such file or directory
cat: can't open '/config/.acme.sh/rt-1.clientfqdn-redacted.com_ecc/rt-1.clientfqdn-redacted.com_ecc.cer': No such file or directory

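As an added illustration (not acme.sh's own deploy hook and not code from this issue), the shell below derives the key and certificate paths the way the debug log lays them out: the directory name carries the _ecc suffix while the .key and .cer files inside it do not, so the suffix is stripped from the basename before the file names are built, and every file is checked for readability before a hook would touch the live IPsec configuration. The domain example.invalid and the temporary directory fixture are constructed placeholders.

```shell
#!/bin/sh
# Added example, not acme.sh's deploy/strongswan.sh.
# Assumption (from the reporter's log): inside an "<domain>_ecc" directory the
# files are "<domain>.key", "<domain>.cer", "ca.cer" and "fullchain.cer".

# resolve_domain DOMAIN_PATH -> basename with a trailing "_ecc" removed
resolve_domain() {
  _base=$(basename "$1")
  case "$_base" in
    *_ecc) printf '%s\n' "${_base%_ecc}" ;;
    *)     printf '%s\n' "$_base" ;;
  esac
}

# resolve_cert_paths DOMAIN_PATH
# Prints key, cert, CA and fullchain paths, one per line.
# Returns 1 (and prints the offender to stderr) if any file is missing or
# unreadable, so a caller can abort before modifying /etc/ipsec.* files.
resolve_cert_paths() {
  _dir=$1
  _domain=$(resolve_domain "$_dir")
  _key="$_dir/$_domain.key"
  _cert="$_dir/$_domain.cer"
  _ca="$_dir/ca.cer"
  _full="$_dir/fullchain.cer"
  for _f in "$_key" "$_cert" "$_ca" "$_full"; do
    if [ ! -r "$_f" ]; then
      printf 'missing or unreadable: %s\n' "$_f" >&2
      return 1
    fi
  done
  printf '%s\n%s\n%s\n%s\n' "$_key" "$_cert" "$_ca" "$_full"
}

# Constructed fixture mirroring the log's layout with a placeholder domain:
# an "_ecc" directory whose files lack the suffix (contents left empty).
make_fixture() {
  _root=$(mktemp -d)
  _d="$_root/example.invalid_ecc"
  mkdir -p "$_d"
  : > "$_d/example.invalid.key"
  : > "$_d/example.invalid.cer"
  : > "$_d/ca.cer"
  : > "$_d/fullchain.cer"
  printf '%s\n' "$_d"
}
```

Run `resolve_cert_paths "$(make_fixture)"` to see the four resolved paths; the naive basename-derived name `example.invalid_ecc.key` from the issue would fail the readability check.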
@Neilpang
Member

full log please

@rotor-head
Author

Log uploaded:
acme.sh.log

@leonade

leonade commented Jan 31, 2023

Similar issue here.

It seems like the default setting is now to use ECC for key generation instead of RSA-2048, which triggered compatibility issues. You may manually overwrite this with the --keylength argument like

bash acme.sh --issue --domain your_domain ... --keylength 2048

@rotor-head
Author

@leonade Thanks for pointing out that ECC is the default cert gen. I wrongly presumed it was related to Ubiquiti's build of Vyatta OS. The RSA flag is an acceptable workaround in my case.

I suspect the _ecc will affect a good many other deploy hooks than just strongswan.
