Docker only installation #138

Open
rmsferreira opened this issue Sep 6, 2024 · 9 comments
@rmsferreira

Hi, can you help please.

I followed the process for the Docker Only installation:

git clone https://github.com/hakwerk/labca.git
cd labca/build
export LABCA_FQDN=labca.example.com

However, when I run "docker compose up bsetup" I get the following error:

"Error response from daemon: failed to create task for container: failed to create shim task: OCI runtime create failed: runc create failed: unable to start container process: exec: "labca/certs/generate.sh": stat labca/certs/generate.sh: no such file or directory: unknown"

Can you help.

Thanks.

@hakwerk (Owner) commented Sep 7, 2024

I'm sorry, but you can actually skip that step now and just do docker compose up -d.
I have updated the README to remove that step.

@GuyGuy-59

Hi,
I have an installation problem with the latest version.
At the end of the installation I get this error in docker compose logs control:
Traceback (most recent call last):
control-1 | File "/opt/labca/acme_tiny.py", line 199, in
control-1 | main(sys.argv[1:])
control-1 | File "/opt/labca/acme_tiny.py", line 195, in main
control-1 | signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, log=LOGGER, CA=args.ca, disable_check=args.disable_check, directory_url=args.directory_url, contact=args.contact, check_port=args.check_port)
control-1 | File "/opt/labca/acme_tiny.py", line 160, in get_crt
control-1 | _send_signed_request(order['finalize'], {"csr": _b64(csr_der)}, "Error finalizing order")
control-1 | File "/opt/labca/acme_tiny.py", line 60, in _send_signed_request
control-1 | return _do_request(url, data=data.encode('utf8'), err_msg=err_msg, depth=depth)
control-1 | File "/opt/labca/acme_tiny.py", line 46, in _do_request
control-1 | raise ValueError("{0}:\nUrl: {1}\nData: {2}\nResponse Code: {3}\nResponse: {4}".format(err_msg, url, data, code, resp_data))
control-1 | ValueError: Error finalizing order:
control-1 | Url: http://boulder:4001/acme/finalize/1/2
control-1 | Data: b'{"protected": "confidential", "payload": "confidential"}'
control-1 | Response Code: 500
control-1 | Response: {'type': 'urn:ietf:params:acme:error:serverInternal', 'detail': 'Error finalizing order', 'status': 500}

and in docker compose logs labca:
gui-1 | created by net/http.(*Server).Serve in goroutine 1
gui-1 | /usr/local/go/src/net/http/server.go:3290 +0x4b4
gui-1 | 2024/09/08 05:53:41 GET /accounts
gui-1 | 2024/09/08 05:53:41 GET /setup
gui-1 | 2024/09/08 05:53:55 GET /setup
gui-1 | 2024/09/08 05:54:13 GET /final
gui-1 | 2024/09/08 05:54:18 GET /final
gui-1 | 2024/09/08 05:54:23 ERROR: Message from server: 'ERROR! On line 69 in commander script
gui-1 | '
gui-1 | 2024/09/08 05:54:23 errorHandler: err=ERROR! On line 69 in commander script

Can you help.

Thanks.

@thenetworkdoctor

I had more or less the same issue (the webserver couldn't download its certificate from the HTTP ACME page).
I managed to solve it by adding this (line 150) to the compose file (I don't know if this is related):

144   nginx:
145     image: nginx:1.26.0
146     restart: always
147     networks:
148       bouldernet:
149         aliases:
150           - ${LABCA_FQDN:-notset}

@hakwerk (Owner) commented Sep 9, 2024

control-1 | Response: {'type': 'urn:ietf:params:acme:error:serverInternal', 'detail': 'Error finalizing order', 'status': 500}

This is only the client-side error; it does not contain any information on why the server returns the status 500. Please have a look at the boulder log files; also see https://github.com/hakwerk/labca/tree/master?tab=readme-ov-file#troubleshooting

@GuyGuy-59

Here is the error:
boulder-1 | 2024-09-10T11:43:41.702991+00:00Z boulder-ra[341]: 6 boulder-ra ruXosQY [AUDIT] Certificate request - error JSON={"ID":"TbvMKe2eOu3mMCUbHvyRHNEBqHax-3B8DHqYgkMPMTo","Requester":1,"OrderID":1,"VerifiedFields":["subject.commonName","subjectAltName"],"NotBefore":"0001-01-01T00:00:00Z","NotAfter":"0001-01-01T00:00:00Z","RequestTime":"2024-09-10T11:43:41.688579815Z","ResponseTime":"2024-09-10T11:43:41.702868114Z","Error":"issuing precertificate: no issuers found for public key algorithm RSA","Authorizations":{"pki.domain.tld":{"ID":"1","ChallengeType":"http-01"}}}
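The boulder-ra audit line above is where the real cause shows up; the ACME client only sees the generic 500. Below is an added example, not part of this thread and not LabCA's or Boulder's code, that pulls the JSON payload out of such "[AUDIT] Certificate request" lines so that the output of docker compose logs boulder can be scanned for failed orders in one pass. The struct, the summary wording and the stdin usage are the example's own; the only fields modelled are the ones visible in the line posted above, which is reused here as the sample input.

```go
package main

import (
	"bufio"
	"encoding/json"
	"errors"
	"fmt"
	"os"
	"sort"
	"strings"
)

// sampleLine is the boulder-ra audit line posted in this thread (with the
// "boulder-1 | " prefix that docker compose logs adds), kept for offline runs.
const sampleLine = `boulder-1 | 2024-09-10T11:43:41.702991+00:00Z boulder-ra[341]: 6 boulder-ra ruXosQY [AUDIT] Certificate request - error JSON={"ID":"TbvMKe2eOu3mMCUbHvyRHNEBqHax-3B8DHqYgkMPMTo","Requester":1,"OrderID":1,"VerifiedFields":["subject.commonName","subjectAltName"],"NotBefore":"0001-01-01T00:00:00Z","NotAfter":"0001-01-01T00:00:00Z","RequestTime":"2024-09-10T11:43:41.688579815Z","ResponseTime":"2024-09-10T11:43:41.702868114Z","Error":"issuing precertificate: no issuers found for public key algorithm RSA","Authorizations":{"pki.domain.tld":{"ID":"1","ChallengeType":"http-01"}}}`

// AuditRecord models only the fields of the audit payload that matter for
// troubleshooting; everything else in the JSON is ignored by the decoder.
type AuditRecord struct {
	ID             string   `json:"ID"`
	Requester      int64    `json:"Requester"`
	OrderID        int64    `json:"OrderID"`
	VerifiedFields []string `json:"VerifiedFields"`
	Error          string   `json:"Error"`
	Authorizations map[string]struct {
		ID            string `json:"ID"`
		ChallengeType string `json:"ChallengeType"`
	} `json:"Authorizations"`
}

// errNotAudit marks lines that carry no audit payload so a caller streaming a
// whole log can skip them without treating them as decode failures.
var errNotAudit = errors.New("not an [AUDIT] certificate request line")

// parseAuditLine locates the "JSON=" marker on an [AUDIT] line and decodes
// the payload that follows it. Any prefix (timestamps, compose service name)
// is irrelevant because the search starts at the marker.
func parseAuditLine(line string) (*AuditRecord, error) {
	if !strings.Contains(line, "[AUDIT]") {
		return nil, errNotAudit
	}
	i := strings.Index(line, "JSON=")
	if i < 0 {
		return nil, errNotAudit
	}
	var rec AuditRecord
	if err := json.Unmarshal([]byte(line[i+len("JSON="):]), &rec); err != nil {
		return nil, fmt.Errorf("decode audit JSON: %w", err)
	}
	return &rec, nil
}

// summarize renders the one-line diagnosis a practitioner wants: order and
// account, the server-side error, and which names and challenge types were
// involved. Names are sorted so the output is stable.
func summarize(rec *AuditRecord) string {
	names := make([]string, 0, len(rec.Authorizations))
	for name, a := range rec.Authorizations {
		names = append(names, name+"("+a.ChallengeType+")")
	}
	sort.Strings(names)
	if rec.Error == "" {
		return fmt.Sprintf("order %d by account %d: issued for %s", rec.OrderID, rec.Requester, strings.Join(names, ","))
	}
	return fmt.Sprintf("order %d by account %d FAILED: %s [%s]", rec.OrderID, rec.Requester, rec.Error, strings.Join(names, ","))
}

// Usage: docker compose logs boulder | go run audit.go
// With no stdin attached it prints the summary of the embedded sample line.
func main() {
	fmt.Println(sampleLine[:60] + "...")
	sc := bufio.NewScanner(os.Stdin)
	sc.Buffer(make([]byte, 1<<20), 1<<20) // audit payloads can be long
	seen := false
	for sc.Scan() {
		seen = true
		rec, err := parseAuditLine(sc.Text())
		if errors.Is(err, errNotAudit) {
			continue
		}
		if err != nil {
			fmt.Fprintln(os.Stderr, err)
			continue
		}
		fmt.Println(summarize(rec))
	}
	if !seen {
		rec, _ := parseAuditLine(sampleLine)
		fmt.Println(summarize(rec))
	}
}
```

The summary for the posted line reads "order 1 by account 1 FAILED: issuing precertificate: no issuers found for public key algorithm RSA [pki.domain.tld(http-01)]", which is the information the generic serverInternal response to the client does not carry.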

@hakwerk (Owner) commented Sep 10, 2024

Thanks, that will help me in analysing this issue and hopefully solving it.

hakwerk self-assigned this Sep 10, 2024

@alebo-iX

alebo-iX commented Oct 9, 2024

issuing precertificate: no issuers found for public key algorithm ECDSA

Issue at least on LabCA 24.08.

When running certbot with the additional "--key-type rsa" from the client it works. LabCA v24.09.

  • Could it mean the CA cert or LabCA doesn't support ECDSA?
  • Or should the CA and sub-CA cert be regenerated?

@GuyGuy-59

Hi,
I still have the same problem with version 24.09.
Did you find the problem?

@GuyGuy-59

I'm back to give you a little more information. The installation works fine using RSA 4094 but not ECDSA 384.
However, with the CA in RSA, I can't create an ECDSA certificate.
I think that if you use an ECDSA CA with an ECDSA intermediate, it can't generate the server cert for the LabCA GUI using RSA. Would it be possible to generate an ECDSA server certificate for the GUI?

hakwerk added a commit that referenced this issue Dec 21, 2024
When creating the domain key for the GUI certificate, use the same key
type (RSA or ECDSA) as the Issuing CA.
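To illustrate the commit message above, here is an added example in Go, not LabCA's or Boulder's code, that reproduces the mismatch from this thread in memory: a self-signed test issuer is created with either key type, then a leaf key is generated the old way (always RSA) and the fixed way (same algorithm family as the issuer), and a simplified issuer-selection check, a stand-in for Boulder's and not its implementation, returns the same "no issuers found for public key algorithm" wording whenever the CSR's key family has no matching issuer. The issuer name, the hostname and the key sizes are assumptions chosen for the example.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newKey returns an ECDSA P-384 or RSA-2048 key (sizes chosen for the example).
func newKey(alg x509.PublicKeyAlgorithm) (crypto.Signer, error) {
	switch alg {
	case x509.ECDSA:
		return ecdsa.GenerateKey(elliptic.P384(), rand.Reader)
	case x509.RSA:
		return rsa.GenerateKey(rand.Reader, 2048)
	}
	return nil, fmt.Errorf("unsupported key algorithm %s", alg)
}

// newCA builds a self-signed test issuer in memory so the example runs offline.
func newCA(alg x509.PublicKeyAlgorithm) (*x509.Certificate, error) {
	key, err := newKey(alg)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "LabCA Example Issuer"}, // constructed name
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, key.Public(), key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// selectIssuer is a simplified stand-in (not Boulder's code) for choosing an
// issuer by the CSR's public key algorithm; with no match it returns the
// wording Boulder logged in this thread.
func selectIssuer(issuers []*x509.Certificate, csr *x509.CertificateRequest) (*x509.Certificate, error) {
	for _, iss := range issuers {
		if iss.PublicKeyAlgorithm == csr.PublicKeyAlgorithm {
			return iss, nil
		}
	}
	return nil, fmt.Errorf("no issuers found for public key algorithm %s", csr.PublicKeyAlgorithm)
}

// requestWithAlg generates a leaf key of the given algorithm, builds a CSR for
// name and asks selectIssuer for a match; the returned error is what ends up
// in the audit log's Error field.
func requestWithAlg(issuers []*x509.Certificate, alg x509.PublicKeyAlgorithm, name string) error {
	key, err := newKey(alg)
	if err != nil {
		return err
	}
	der, err := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{
		Subject: pkix.Name{CommonName: name}, DNSNames: []string{name}}, key)
	if err != nil {
		return err
	}
	csr, err := x509.ParseCertificateRequest(der)
	if err != nil {
		return err
	}
	_, err = selectIssuer(issuers, csr)
	return err
}

// scenario runs both cases against an issuer of the given algorithm: the old
// GUI behaviour (leaf key always RSA) and the fix (leaf key follows the issuer).
func scenario(caAlg x509.PublicKeyAlgorithm) (rsaLeafErr, matchedLeafErr error) {
	ca, err := newCA(caAlg)
	if err != nil {
		return err, err
	}
	issuers := []*x509.Certificate{ca}
	return requestWithAlg(issuers, x509.RSA, "labca.example.com"), // hostname from the thread
		requestWithAlg(issuers, ca.PublicKeyAlgorithm, "labca.example.com")
}

func main() {
	for _, alg := range []x509.PublicKeyAlgorithm{x509.ECDSA, x509.RSA} {
		rsaErr, matchedErr := scenario(alg)
		fmt.Printf("%s issuer: hard-coded RSA leaf -> %v; issuer-matched leaf -> %v\n", alg, rsaErr, matchedErr)
	}
}
```

With an ECDSA issuer the hard-coded RSA leaf fails with "no issuers found for public key algorithm RSA" while the issuer-matched leaf succeeds; with an RSA issuer both succeed, which is the asymmetry the thread reports (RSA CA works, ECDSA 384 CA breaks the GUI certificate until the GUI key follows the issuer). The same check applies to certbot clients: a CA set with only one key family will reject CSRs of the other, which is why "--key-type rsa" was needed against an RSA-only setup.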
5 participants