
PKI: Unable to switch from custom cert to ACME when haproxy service is running
Status: In progress | Priority: Normal | Visibility: Public | Type: BUG

Description

Running Configuration

set pki ca AAACertificateServices certificate 'MIIEMj...'
set pki ca CAcert_Signing_Authority certificate 'MIIEMj...'
set pki ca Sectigo_RSA certificate 'MIIEMj...'
set pki ca USERTrust certificate 'MIIEMj...'
set pki ca USERTrust_RSA certificate 'MIIEMj...'
set pki certificate cloud.XXX.net certificate 'MIIEMj...'
set pki certificate cloud.XXX.net private key 'MIIEMj...'

set load-balancing reverse-proxy backend cloud server lnx03 address '172.16.36.40'
set load-balancing reverse-proxy backend cloud server lnx03 port '443'
set load-balancing reverse-proxy backend cloud ssl ca-certificate 'CAcert_Class_3_Root'
set load-balancing reverse-proxy global-parameters tls-version-min '1.2'
set load-balancing reverse-proxy service cloud backend 'cloud'
set load-balancing reverse-proxy service cloud port '443'
set load-balancing reverse-proxy service cloud redirect-http-to-https
set load-balancing reverse-proxy service cloud rule 10 set redirect-location '/remote.php/dav/'
set load-balancing reverse-proxy service cloud rule 10 url-path exact '/.well-known/caldav'
set load-balancing reverse-proxy service cloud ssl certificate 'cloud.XXX.net'

Enable ACME

set pki certificate LE_cloud acme domain-name cloud.XXX.net
set pki certificate LE_cloud acme email [email protected]
set pki certificate LE_cloud acme rsa-key-size 4096
ACME certbot request failed for "LE_cloud"! failed to run command:
certbot certonly --non-interactive --config-dir /config/auth/letsencrypt
--cert-name LE_cloud --standalone --agree-tos --no-eff-email --expand
--server https://acme-v02.api.letsencrypt.org/directory --email
[email protected] --key-type rsa --rsa-key-size 4096 --domains
cloud.XXX.net --dry-run returned:  exit code: 1

The reason is that certbot cannot bind to port 443, which is already in use by haproxy.

In addition, the dry run complains about:

[email protected]# sudo certbot certonly --non-interactive --config-dir /config/auth/letsencrypt --cert-name LE_cloud --standalone --agree-tos --no-eff-email --expand --server https://acme-v02.api.letsencrypt.org/directory --email [email protected] --key-type rsa --rsa-key-size 4096 --domains cloud.XXX.net --dry-run
Traceback (most recent call last):
  File "/usr/bin/certbot", line 33, in <module>
    sys.exit(load_entry_point('certbot==2.1.0', 'console_scripts', 'certbot')())
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/bin/certbot", line 25, in importlib_load_entry_point
    return next(matches).load()
           ^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.11/importlib/metadata/__init__.py", line 202, in load
    module = import_module(match.group('module'))
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.11/importlib/__init__.py", line 126, in import_module
    return _bootstrap._gcd_import(name[level:], package, level)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "<frozen importlib._bootstrap>", line 1206, in _gcd_import
  File "<frozen importlib._bootstrap>", line 1178, in _find_and_load
  File "<frozen importlib._bootstrap>", line 1149, in _find_and_load_unlocked
  File "<frozen importlib._bootstrap>", line 690, in _load_unlocked
  File "<frozen importlib._bootstrap_external>", line 940, in exec_module
  File "<frozen importlib._bootstrap>", line 241, in _call_with_frames_removed
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 6, in <module>
    from certbot._internal import main as internal_main
  File "/usr/lib/python3/dist-packages/certbot/_internal/main.py", line 21, in <module>
    from acme import client as acme_client
  File "/usr/lib/python3/dist-packages/acme/client.py", line 29, in <module>
    from acme import messages
  File "/usr/lib/python3/dist-packages/acme/messages.py", line 20, in <module>
    from acme import fields
  File "/usr/lib/python3/dist-packages/acme/fields.py", line 8, in <module>
    import pyrfc3339
  File "/usr/lib/python3/dist-packages/pyrfc3339/__init__.py", line 17, in <module>
    from pyrfc3339.generator import generate
  File "/usr/lib/python3/dist-packages/pyrfc3339/generator.py", line 1, in <module>
    import pytz
  File "/usr/lib/python3/dist-packages/pytz/__init__.py", line 38, in <module>
    OLSON_VERSION = _read_olson_version()
                    ^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/pytz/__init__.py", line 29, in _read_olson_version
    with tzdata_zi.open(encoding="utf-8") as tzdata_zi_file:
         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.11/pathlib.py", line 1045, in open
    return io.open(self, mode, buffering, encoding, errors, newline)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
FileNotFoundError: [Errno 2] No such file or directory: '/usr/share/zoneinfo/tzdata.zi'
[edit]

Note: File is missing in 1.4.1 but present in 1.4-stable-202501230755
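A pre-flight check covering both failure modes in this report (the port held by haproxy, and the missing tzdata.zi that breaks certbot's pytz import), written as an added example and not VyOS or certbot code: it parses `ss -H -ltnp` style output to find which process already holds the ports certbot's standalone authenticator may bind (80 for http-01, 443 for tls-alpn-01) and checks that the file pytz opens exists. The ss lines, PIDs and process names are constructed to mirror the report.

```python
import os
import re

# Constructed sample shaped like `ss -H -ltnp` output on the affected router:
# haproxy holds 80 (redirect-http-to-https) and 443 (service cloud).
SAMPLE_SS_OUTPUT = """\
LISTEN 0 4096 0.0.0.0:80 0.0.0.0:* users:(("haproxy",pid=1234,fd=7))
LISTEN 0 4096 0.0.0.0:443 0.0.0.0:* users:(("haproxy",pid=1234,fd=8))
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=900,fd=3))
"""

TZDATA_ZI = "/usr/share/zoneinfo/tzdata.zi"  # path from the traceback above
_PROC_RE = re.compile(r'users:\(\("([^"]+)",pid=(\d+)')


def listeners(ss_output):
    """Map listening TCP port -> owning process name from `ss -H -ltnp` lines."""
    ports = {}
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        port = int(fields[3].rsplit(":", 1)[1])  # handles [::]:443 as well
        m = _PROC_RE.search(line)
        ports[port] = m.group(1) if m else "unknown"
    return ports


def port_conflicts(ss_output, needed_ports=(80, 443)):
    """Ports certbot --standalone would need that something else already holds."""
    held = listeners(ss_output)
    return {p: held[p] for p in needed_ports if p in held}


def preflight(ss_output, needed_ports=(80, 443), tzdata_path=TZDATA_ZI):
    """Every reason the standalone certbot run would fail, found before running it."""
    problems = [f"port {p} already bound by {proc}"
                for p, proc in port_conflicts(ss_output, needed_ports).items()]
    if not os.path.exists(tzdata_path):
        problems.append(f"missing {tzdata_path}: pytz import in certbot would fail")
    return problems


if __name__ == "__main__":
    for problem in preflight(SAMPLE_SS_OUTPUT):
        print("certbot standalone would fail:", problem)
```

On a live router, feed it the real output (`subprocess.run(["ss", "-H", "-ltnp"], ...)`) instead of the constructed sample; an empty result means the standalone run has a chance of succeeding.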

Details

Version
1.4.1
Is it a breaking change?
Perfectly compatible
Issue type
Bug (incorrect behavior)

Event Timeline

c-po changed the task status from Open to In progress.
c-po claimed this task.
c-po triaged this task as Normal priority.
c-po edited projects, added VyOS 1.4 Sagitta (1.4.3); removed VyOS 1.4 Sagitta.