How to manage OpenBalena Certificate expiration

MaxFerretti78 · November 15, 2021, 5:27pm

I’m making some integration on the previous request.
We tried to set the Production certificate using letsencrypt using the quickstart -c option.
At first we got some errors, but we managed to overcome them thanks to this post:

Commenting the lines 182:183 on cert-provider.sh AND update the Dockerfile to use version 3.0.1 of ACME script “seems” to have solved the installation.
Now the log actually say it has installed a PRODUCTION certificate.

But actually when we test the api.mydomain.com we still don’t have a trusted certificate.
The issuer appear to be (STAGING) Artificial Apricot R3

Why it isn’t a PRODUCTION certificate?
Could we use a self-signed certificate that expires in 100 years?
It’s important to us not to interrupt workload and communications for a certificate expiration, and we will have a lot of devices.

Here is the log from the cert-providers container:

[Info] VALIDATION not set. Using default: http-01
[Info] Waiting for api.eci2.cloud to be available via HTTP...
[Info] (1/3) Connecting...
[Info] (1/3) Failed. Retrying in 5 seconds...
[Info] (2/3) Connecting...
[Info] (2/3) Failed. Retrying in 5 seconds...
[Info] (3/3) Connecting...
[Info] (3/3) Failed!
[Info] Unable to access api.eci2.cloud on port 80. This is needed for certificate validation. Retrying in 30 seconds...
[Info] Waiting for api.eci2.cloud to be available via HTTP...
[Info] (1/3) Connecting...
[Info] (1/3) Success!
cat: can't open '/usr/src/app/certs/last_run_mode': No such file or directory
[Info] Last acquired certificate for 
[Info] Using STAGING mode
[Info] Waiting for api.eci2.cloud to be available via HTTP...
[Info] (1/3) Connecting...
[Info] (1/3) Success!
[Info] Issuing certificates...
[Mon Nov 15 16:29:10 UTC 2021] Using ACME_DIRECTORY: https://acme-staging-v02.api.letsencrypt.org/directory
[Mon Nov 15 16:29:10 UTC 2021] Using CA: https://acme-staging-v02.api.letsencrypt.org/directory
[Mon Nov 15 16:29:10 UTC 2021] Standalone mode.
[Mon Nov 15 16:29:10 UTC 2021] Standalone mode.
[Mon Nov 15 16:29:10 UTC 2021] Standalone mode.
[Mon Nov 15 16:29:11 UTC 2021] Standalone mode.
[Mon Nov 15 16:29:11 UTC 2021] Standalone mode.
[Mon Nov 15 16:29:11 UTC 2021] Create account key ok.
[Mon Nov 15 16:29:11 UTC 2021] Registering account: https://acme-staging-v02.api.letsencrypt.org/directory
[Mon Nov 15 16:29:12 UTC 2021] Registered
[Mon Nov 15 16:29:12 UTC 2021] ACCOUNT_THUMBPRINT='vWqfkRV8I-oTrgg6PCEPIiphzi8RZF17KtjS3iLAiBo'
[Mon Nov 15 16:29:12 UTC 2021] Creating domain key
[Mon Nov 15 16:29:12 UTC 2021] The domain key is here: /usr/src/app/certs/api.eci2.cloud/api.eci2.cloud.key
[Mon Nov 15 16:29:12 UTC 2021] Multi domain='DNS:api.eci2.cloud,DNS:registry.eci2.cloud,DNS:s3.eci2.cloud,DNS:vpn.eci2.cloud,DNS:tunnel.eci2.cloud'
[Mon Nov 15 16:29:12 UTC 2021] Getting domain auth token for each domain
[Mon Nov 15 16:29:18 UTC 2021] Getting webroot for domain='api.eci2.cloud'
[Mon Nov 15 16:29:18 UTC 2021] Getting webroot for domain='registry.eci2.cloud'
[Mon Nov 15 16:29:18 UTC 2021] Getting webroot for domain='s3.eci2.cloud'
[Mon Nov 15 16:29:18 UTC 2021] Getting webroot for domain='vpn.eci2.cloud'
[Mon Nov 15 16:29:18 UTC 2021] Getting webroot for domain='tunnel.eci2.cloud'
[Mon Nov 15 16:29:18 UTC 2021] Verifying: api.eci2.cloud
[Mon Nov 15 16:29:18 UTC 2021] Standalone mode server
[Mon Nov 15 16:29:19 UTC 2021] Pending, The CA is processing your order, please just wait. (1/30)
[Mon Nov 15 16:29:22 UTC 2021] Success
[Mon Nov 15 16:29:22 UTC 2021] Verifying: registry.eci2.cloud
[Mon Nov 15 16:29:22 UTC 2021] Standalone mode server
[Mon Nov 15 16:29:23 UTC 2021] Pending, The CA is processing your order, please just wait. (1/30)
[Mon Nov 15 16:29:26 UTC 2021] Success
[Mon Nov 15 16:29:26 UTC 2021] Verifying: s3.eci2.cloud
[Mon Nov 15 16:29:26 UTC 2021] Standalone mode server
[Mon Nov 15 16:29:28 UTC 2021] Pending, The CA is processing your order, please just wait. (1/30)
[Mon Nov 15 16:29:30 UTC 2021] Success
[Mon Nov 15 16:29:30 UTC 2021] Verifying: vpn.eci2.cloud
[Mon Nov 15 16:29:30 UTC 2021] Standalone mode server
[Mon Nov 15 16:29:32 UTC 2021] Pending, The CA is processing your order, please just wait. (1/30)
[Mon Nov 15 16:29:34 UTC 2021] Success
[Mon Nov 15 16:29:34 UTC 2021] Verifying: tunnel.eci2.cloud
[Mon Nov 15 16:29:34 UTC 2021] Standalone mode server
[Mon Nov 15 16:29:36 UTC 2021] Pending, The CA is processing your order, please just wait. (1/30)
[Mon Nov 15 16:29:38 UTC 2021] Success
[Mon Nov 15 16:29:38 UTC 2021] Verify finished, start to sign.
[Mon Nov 15 16:29:38 UTC 2021] Lets finalize the order.
[Mon Nov 15 16:29:38 UTC 2021] Le_OrderFinalize='https://acme-staging-v02.api.letsencrypt.org/acme/finalize/33811898/1024739498'
[Mon Nov 15 16:29:42 UTC 2021] Downloading cert.
[Mon Nov 15 16:29:42 UTC 2021] Le_LinkCert='https://acme-staging-v02.api.letsencrypt.org/acme/cert/faafb47d6f8f567c71b75813a432e106291d'
[Mon Nov 15 16:29:42 UTC 2021] Cert success.
-----BEGIN CERTIFICATE-----
[Edited: Obfuscated certificate]
-----END CERTIFICATE-----
[Mon Nov 15 16:29:42 UTC 2021] Your cert is in: /usr/src/app/certs/api.eci2.cloud/api.eci2.cloud.cer
[Mon Nov 15 16:29:42 UTC 2021] Your cert key is in: /usr/src/app/certs/api.eci2.cloud/api.eci2.cloud.key
[Mon Nov 15 16:29:42 UTC 2021] The intermediate CA cert is in: /usr/src/app/certs/api.eci2.cloud/ca.cer
[Mon Nov 15 16:29:42 UTC 2021] And the full chain certs is there: /usr/src/app/certs/api.eci2.cloud/fullchain.cer
[Info] Installing certificates...
[Mon Nov 15 16:29:42 UTC 2021] Installing cert to: /tmp/cert.pem
[Mon Nov 15 16:29:42 UTC 2021] Installing key to: /tmp/key.pem
[Mon Nov 15 16:29:42 UTC 2021] Installing full chain to: /tmp/fullchain.pem
[Mon Nov 15 16:29:42 UTC 2021] Run reload cmd: cat /tmp/fullchain.pem /tmp/key.pem > /certs/open-balena.pem
[Mon Nov 15 16:29:42 UTC 2021] Reload success
[Info] Using PRODUCTION mode
[Info] Waiting for api.eci2.cloud to be available via HTTP...
[Info] (1/3) Connecting...
[Info] (1/3) Success!
[Info] Issuing certificates...
[Mon Nov 15 16:29:43 UTC 2021] Using CA: https://acme.zerossl.com/v2/DV90
[Mon Nov 15 16:29:43 UTC 2021] Standalone mode.
[Mon Nov 15 16:29:43 UTC 2021] Standalone mode.
[Mon Nov 15 16:29:43 UTC 2021] Standalone mode.
[Mon Nov 15 16:29:43 UTC 2021] Standalone mode.
[Mon Nov 15 16:29:43 UTC 2021] Standalone mode.
[Mon Nov 15 16:29:44 UTC 2021] Create account key ok.
[Mon Nov 15 16:29:44 UTC 2021] No EAB credentials found for ZeroSSL, let's get one
[Mon Nov 15 16:29:44 UTC 2021] acme.sh is using ZeroSSL as default CA now.
[Mon Nov 15 16:29:44 UTC 2021] Please update your account with an email address first.
[Mon Nov 15 16:29:44 UTC 2021] acme.sh --register-account -m my@example.com
[Mon Nov 15 16:29:44 UTC 2021] See: https://github.com/acmesh-official/acme.sh/wiki/ZeroSSL.com-CA
[Mon Nov 15 16:29:44 UTC 2021] Please add '--debug' or '--log' to check more details.
[Mon Nov 15 16:29:44 UTC 2021] See: https://github.com/acmesh-official/acme.sh/wiki/How-to-debug-acme.sh
[Info] Installing certificates...
[Mon Nov 15 16:29:44 UTC 2021] Installing cert to: /tmp/cert.pem
[Mon Nov 15 16:29:44 UTC 2021] Installing key to: /tmp/key.pem
[Mon Nov 15 16:29:44 UTC 2021] Installing full chain to: /tmp/fullchain.pem
[Mon Nov 15 16:29:44 UTC 2021] Run reload cmd: cat /tmp/fullchain.pem /tmp/key.pem > /certs/open-balena.pem
[Mon Nov 15 16:29:44 UTC 2021] Reload success
[Success] Done!
[Info] Running cron...
crond: crond (busybox 1.33.1) started, log level 7
crond: USER root pid 3617 cmd run-parts /etc/periodic/15min
[Info] VALIDATION not set. Using default: http-01
[Info] Waiting for api.eci2.cloud to be available via HTTP...
[Info] (1/3) Connecting...
[Info] (1/3) Failed. Retrying in 5 seconds...
[Info] (2/3) Connecting...
[Info] (2/3) Failed. Retrying in 5 seconds...
[Info] (3/3) Connecting...
[Info] (3/3) Failed!
[Info] Unable to access api.eci2.cloud on port 80. This is needed for certificate validation. Retrying in 30 seconds...
[Info] Waiting for api.eci2.cloud to be available via HTTP...
[Info] (1/3) Connecting...
[Info] (1/3) Success!
[Info] Last acquired certificate for PRODUCTION
[Success] Done!
[Info] Running cron...
crond: crond (busybox 1.33.1) started, log level 7
crond: USER root pid  26 cmd run-parts /etc/periodic/15min
crond: USER root pid  27 cmd run-parts /etc/periodic/15min
crond: USER root pid  28 cmd run-parts /etc/periodic/hourly
[Info] VALIDATION not set. Using default: http-01
[Info] Waiting for api.eci2.cloud to be available via HTTP...
[Info] (1/3) Connecting...
[Info] (1/3) Failed. Retrying in 5 seconds...
[Info] (2/3) Connecting...
[Info] (2/3) Failed. Retrying in 5 seconds...
[Info] (3/3) Connecting...
[Info] (3/3) Failed!
[Info] Unable to access api.eci2.cloud on port 80. This is needed for certificate validation. Retrying in 30 seconds...
[Info] Waiting for api.eci2.cloud to be available via HTTP...
[Info] (1/3) Connecting...
[Info] (1/3) Success!
[Info] Last acquired certificate for PRODUCTION
[Success] Done!
[Info] Running cron...
crond: crond (busybox 1.33.1) started, log level 7
crond: USER root pid  26 cmd run-parts /etc/periodic/15min

UPDATE:
I still cannot find a solution.
I’ve done

docker system prune -a
docker volume prune
quickstart -U {email} -P {password} -c -d {domain}

But no luck so far…

I’ve connected to cert-provider container and made some tests with the file cert-provider.sh
STAGING certificate does install, but doesn’t verify, so the operation is aborted.
Commenting lines 182:183 as suggested in the other topic skips to the PRODUCTION certificate, but it gives this error:
cat: can't open '/usr/src/app/certs/{domain}/{domain}.cer': No such file or directory

That’s the reason we cannot get a PRODUCTION certificate I guess…
Can someone point me to the right direction?