
Pingap in docker does not create certificate correctly by acme #85

Closed
podpress opened this issue Jan 24, 2025 · 21 comments
Labels: bug (Something isn't working), stale

Comments

@podpress

[image]
-> http://staging.swiftpress.io/

[image]

@podpress (Author)

[image]

@vicanso (Owner)

vicanso commented Jan 24, 2025

Would you mind providing the complete configuration?

[image]

@adammakowskidev

Hi @vicanso
We are working together with @podpress .
What can this error mean for https?

Error message:

```
write EPROTO 0078E828A77F0000:error:0A00010B:SSL routines:ssl3_get_record:wrong version number:../deps/openssl/openssl/ssl/record/ssl3_record.c:354:
```

@podpress (Author)

I'd like to add onto this again, still seeing:

```
HTTPStatus context: Io error No such file or directory (os error 2), /opt/pingap/conf/pingap-acme-tokens/TLO1MdHO4ZZJOswJ85p8cFSB4ZsrDkeA1GMtNRZgkBg cause: InternalError
```

Regardless of Docker environment, I've tried EFS, NFS, S3, bare-metal docker, nothing is fixing this error.

@podpress (Author)

```toml
cache_directory = "/var/cache"
cache_max_size = "100.0 MB"
log_level = "INFO"
user = "root"

[certificates."proxy.swiftpress.io"]
acme = "lets_encrypt"
domains = "proxy.swiftpress.io"

[certificates."www.hosting-benchmark.myft.cloud"]
acme = "lets_encrypt"
domains = "www.hosting-benchmark.myft.cloud"
tls_cert = """
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
"""
tls_key = """
-----BEGIN PRIVATE KEY-----
MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgS5hq357RI9nT2Foh
Z7GODDRSQl3Y+RJFZ2h/nvK9TVmhRANCAAQmX0VQsD4Nqh96hwMBYb91DbvjOFuM
9vY6hCdjQXRXct2vqQiYCSgsFFE0KthHYOXUndET2F7vUXXKQp9BvbGh
-----END PRIVATE KEY-----
"""

[locations."proxy.swiftpress.io"]
host = "proxy.swiftpress.io"
plugins = [
    "Cache",
    "Compression",
    "pingap:stats",
    "pingap:requestId",
    "Encoding",
    "Response",
]
proxy_add_headers = ["cache-control:max-age=3600"]
proxy_set_headers = ["cache-control:max-age=3600"]
upstream = "77.68.81.111"

[locations."www.hosting-benchmark.myft.cloud"]
enable_reverse_proxy_headers = true
host = "www.hosting-benchmark.myft.cloud"
plugins = [
    "pingap:requestId",
    "pingap:acceptEncodingAdjustment",
]
proxy_set_headers = [
    "Host:www.hosting-benchmark.myft.cloud",
    "Access-Control-Allow-Origin:*",
]
upstream = "hosting-benchmark.myft.cloud"

[plugins.Cache]
category = "cache"
check_cache_control = false
eviction = false
headers = ["x-swiftpress"]
max_file_size = "1gb"
max_ttl = "1h"

[plugins.Compression]
br_level = 11
category = "compression"
decompression = true
gzip_level = 9
zstd_level = 22

[plugins.Encoding]
category = "accept_encoding"
encodings = "zstd,br,gzip"
only_one_encoding = true

[plugins.Response]
add_headers = []
category = "response_headers"
remove_headers = ["server"]
set_headers = []
set_headers_not_exists = ["cache-control:max-age=3600"]

[servers.HTTP]
addr = "0.0.0.0:80"
enabled_h2 = true
global_certificates = false
locations = [
    "www.hosting-benchmark.myft.cloud",
    "proxy.swiftpress.io",
]

[servers.HTTPS]
addr = "0.0.0.0:443"
enabled_h2 = true
global_certificates = true
locations = ["www.hosting-benchmark.myft.cloud"]
threads = 1
tls_max_version = "tlsv1.3"
tls_min_version = "tlsv1.2"

[upstreams."77.68.81.111"]
addrs = ["77.68.81.111"]
alpn = "H2H1"
discovery = "common"
enable_tracer = true
tcp_fast_open = true
update_frequency = "30s"

[upstreams."hosting-benchmark.myft.cloud"]
addrs = ["hosting-benchmark.myft.cloud"]
alpn = "H2"
discovery = "common"
enable_tracer = true
ipv4_only = false
sni = "hosting-benchmark.myft.cloud"
tcp_fast_open = true
update_frequency = "30s"
verify_cert = true
```

@vicanso (Owner)

vicanso commented Jan 25, 2025

> Hi @vicanso We are working together with @podpress . What can this error mean for https?
>
> Error message:
> `write EPROTO 0078E828A77F0000:error:0A00010B:SSL routines:ssl3_get_record:wrong version number:../deps/openssl/openssl/ssl/record/ssl3_record.c:354:`

Can you confirm which TLS version the client supports?

@vicanso (Owner)

vicanso commented Jan 25, 2025

> I'd like to add onto this again, still seeing:
>
> `HTTPStatus context: Io error No such file or directory (os error 2), /opt/pingap/conf/pingap-acme-tokens/TLO1MdHO4ZZJOswJ85p8cFSB4ZsrDkeA1GMtNRZgkBg cause: InternalError`
>
> Regardless of Docker environment, I've tried EFS, NFS, S3, bare-metal docker, nothing is fixing this error.

Are there multiple pingap instances?

@vicanso (Owner)

vicanso commented Jan 25, 2025

```toml
[servers.HTTP]
addr = "0.0.0.0:80"
enabled_h2 = true
global_certificates = false
locations = [
    "www.hosting-benchmark.myft.cloud",
    "proxy.swiftpress.io",
]


[locations."proxy.swiftpress.io"]
host = "proxy.swiftpress.io"
```

The host is proxy.swiftpress.io, so you should visit http://proxy.swiftpress.io/.

@podpress (Author)

podpress commented Jan 25, 2025

> I'd like to add onto this again, still seeing:
> `HTTPStatus context: Io error No such file or directory (os error 2), /opt/pingap/conf/pingap-acme-tokens/TLO1MdHO4ZZJOswJ85p8cFSB4ZsrDkeA1GMtNRZgkBg cause: InternalError`
> Regardless of Docker environment, I've tried EFS, NFS, S3, bare-metal docker, nothing is fixing this error.

> Are there multiple pingap instances?

Just one. I cannot get it to generate at all. I think the Docker version is borked as fuck.

@vicanso (Owner)

vicanso commented Jan 25, 2025

Does pingap have write permission to this directory?

@podpress (Author)

> Does pingap have write permission to this directory?

Yes, it does, or it wouldn't be able to write the conf directory, or any of the conf toml.

@vicanso (Owner)

vicanso commented Jan 25, 2025

Can you get all logs of acme? You can use `grep 'category="acme"'`.

And please confirm whether the folder /opt/pingap/conf/pingap-acme-tokens exists or not.

```
2025-01-25T11:17:56.206563+08:00  INFO pingap::acme::lets_encrypt: acme from let's encrypt category="acme" domains="pingap.io"
2025-01-25T11:18:01.145406+08:00  INFO pingap::acme::lets_encrypt: acme from let's encrypt category="acme" status="Pending"
2025-01-25T11:18:01.147462+08:00  INFO pingap::acme::lets_encrypt: let's encrypt well known path category="acme" token="n72C4sQcGNER7BPL3LpsVZVC4sQLE8EaB8VPlZSt4AE"
2025-01-25T11:18:01.929701+08:00  INFO pingap::acme::lets_encrypt: order is not ready, waiting category="acme" delay="500ms"
```

@vicanso vicanso self-assigned this Jan 25, 2025
@vicanso vicanso added the question Further information is requested label Jan 25, 2025
@podpress (Author)

No, this is what I have been saying: /opt/pingap/conf/pingap-acme-tokens doesn't exist and isn't created.

@adammakowskidev

In short:
Everything works fine in the docker build except creating certificates.
The http server works, as do plugins, upstreams, locations etc.
Pingap in the docker version cannot create the acme token folder and the files in it itself. Configurations with toml files all work and are created correctly.

@vicanso (Owner)

vicanso commented Jan 26, 2025

OK, I'll test the docker image.

@vicanso (Owner)

vicanso commented Jan 26, 2025

@adammakowskidev @podpress

Please try to add `-v /etc/ssl:/etc/ssl:ro \` to the docker run command.
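The two failure modes discussed in this thread (the ACME client finding no trust store inside the container, and the `pingap-acme-tokens` directory not being creatable under the conf directory) can both be checked before starting the proxy. The script below is an added example for this thread, not part of pingap; the CA bundle file names, the `/etc/ssl` mount and the `/opt/pingap/conf` location are assumptions taken from the paths mentioned above, and the image name in the comment is a placeholder.

```shell
#!/bin/sh
# Pre-flight checks for a pingap container that is expected to obtain ACME
# certificates. Added example for this thread; not part of pingap itself.
# Assumed paths: the CA bundle lives under /etc/ssl (mounted read-only into
# the container as suggested above) and the conf dir is /opt/pingap/conf.
#
# Assumed docker invocation (image name is a placeholder):
#   docker run -d --name pingap \
#     -v /opt/pingap/conf:/opt/pingap/conf \
#     -v /etc/ssl:/etc/ssl:ro \
#     <pingap-image>

# Return 0 and print the bundle path if a non-empty CA bundle exists under $1.
# The file names are the usual Debian/Alpine/RHEL locations (assumption).
check_ca_bundle() {
  ssl_dir="${1:-/etc/ssl}"
  for bundle in "$ssl_dir/certs/ca-certificates.crt" \
                "$ssl_dir/cert.pem" \
                "$ssl_dir/ca-bundle.pem"; do
    if [ -s "$bundle" ]; then
      echo "ca bundle found: $bundle"
      return 0
    fi
  done
  echo "no CA bundle under $ssl_dir (mount the host's /etc/ssl read-only)" >&2
  return 1
}

# Return 0 if the ACME token directory below the conf dir $1 can be created
# and a file written in it; this is the directory named in the thread's error.
check_token_dir() {
  conf_dir="${1:-/opt/pingap/conf}"
  token_dir="$conf_dir/pingap-acme-tokens"
  if ! mkdir -p "$token_dir" 2>/dev/null; then
    echo "cannot create $token_dir (check volume mount and permissions)" >&2
    return 1
  fi
  probe="$token_dir/.write-probe.$$"
  if : > "$probe" 2>/dev/null; then
    rm -f "$probe"
    echo "token dir writable: $token_dir"
    return 0
  fi
  echo "cannot write inside $token_dir (check ownership and mount options)" >&2
  return 1
}

# Run both checks; exit status is 0 only if both pass.
preflight() {
  status=0
  check_ca_bundle "${1:-/etc/ssl}" || status=1
  check_token_dir "${2:-/opt/pingap/conf}" || status=1
  return $status
}

# Usage inside the container: sh preflight.sh --run [ssl_dir] [conf_dir]
if [ "${1:-}" = "--run" ]; then
  preflight "${2:-/etc/ssl}" "${3:-/opt/pingap/conf}"
fi
```

Run it with `docker exec pingap sh preflight.sh --run` after copying the script into the container; a non-zero exit with the stderr message tells you which of the two prerequisites the volume mounts do not satisfy.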

@vicanso (Owner)

vicanso commented Jan 28, 2025

@adammakowskidev @podpress

Does it work?

@vicanso vicanso added bug Something isn't working and removed question Further information is requested labels Jan 28, 2025
@vicanso vicanso changed the title Pingap on latest Docker doesn't seem to pickup locations at all. Pingap in docker does not create certificate correctly by acme Jan 28, 2025
@podpress (Author)

No sorry, it does not.

@vicanso (Owner)

vicanso commented Jan 28, 2025

Can you grep the logs using `grep 'acme'`? It's like this:

```
2025-01-28T13:00:38.125152944Z ERROR failed to get certificate category="acme" error=Let's Encrypt operation failed: X509 error, category: parse_x509_pem, Parsing Error: MissingHeader, category: new_certificate name="pingap"
2025-01-28T13:00:38.125159113Z  INFO acme from let's encrypt category="acme" domains="pingap.io"
2025-01-28T13:00:38.125229746Z ERROR certificate renewal failed, will retry later category="acme" error=ACME instant error: no native root CA certificates found (errors: []), category: create_account domains="pingap.io" name="pingap"
```
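The log excerpt above contains two distinct ACME failures with different fixes (a certificate that does not parse as PEM, and a missing root CA store). The script below is an added example for this thread, not pingap tooling: it applies the same `category="acme"` filter suggested earlier, classifies ERROR lines by the message signatures quoted in this issue, and prints a remediation hint per cause. The sample log is constructed from the lines above plus one non-ACME line to show the filter; the line shape (timestamp, level, message, `key="value"` fields) is an assumption based on those quotes.

```shell
#!/bin/sh
# Triage of pingap ACME log lines. Added example for this thread; not pingap's
# own tooling. It assumes the line shape quoted above: a timestamp, a level
# (INFO/ERROR), a message and key="value" fields such as category="acme".

# Constructed sample, shaped like the lines quoted in this issue; the last
# line is from another category to show that the filter drops it.
sample_log() {
  cat <<'EOF'
2025-01-28T13:00:38.125152944Z ERROR failed to get certificate category="acme" error=Let's Encrypt operation failed: X509 error, category: parse_x509_pem, Parsing Error: MissingHeader, category: new_certificate name="pingap"
2025-01-28T13:00:38.125159113Z  INFO acme from let's encrypt category="acme" domains="pingap.io"
2025-01-28T13:00:38.125229746Z ERROR certificate renewal failed, will retry later category="acme" error=ACME instant error: no native root CA certificates found (errors: []), category: create_account domains="pingap.io" name="pingap"
2025-01-28T13:00:39.000000000Z ERROR upstream unhealthy category="upstream" name="example"
EOF
}

# Keep only ACME-category lines from stdin (same filter as grep 'category="acme"').
acme_lines() {
  grep 'category="acme"' || true
}

# Count ACME lines logged at ERROR level (prints 0 when there are none).
acme_error_count() {
  acme_lines | grep -c ' ERROR ' || true
}

# Map known error signatures (taken from messages quoted in this thread) to a
# short cause code, one per line, de-duplicated and sorted.
acme_causes() {
  acme_lines | grep ' ERROR ' | awk '
    /no native root CA certificates found/          { print "missing_root_ca"; next }
    /Parsing Error: MissingHeader/                  { print "bad_pem"; next }
    /No such file or directory.*pingap-acme-tokens/ { print "token_dir_missing"; next }
    { print "other" }
  ' | sort -u
}

# Remediation hint for a cause code.
cause_hint() {
  case "$1" in
    missing_root_ca)
      echo "the ACME client found no trust store; mount the host bundle read-only (-v /etc/ssl:/etc/ssl:ro) or install ca-certificates in the image" ;;
    bad_pem)
      echo "a configured tls_cert value is not a complete PEM block; check the BEGIN/END CERTIFICATE headers" ;;
    token_dir_missing)
      echo "the conf volume must be writable so pingap can create pingap-acme-tokens for HTTP-01 challenge tokens" ;;
    *)
      echo "unrecognised ACME error; read the full error= field" ;;
  esac
}

# Read a log on stdin and print the error count plus one hint per cause.
triage() {
  log="$(cat)"
  echo "acme errors: $(printf '%s\n' "$log" | acme_error_count)"
  for cause in $(printf '%s\n' "$log" | acme_causes); do
    echo "$cause: $(cause_hint "$cause")"
  done
}

# Usage: sh acme_triage.sh --demo                      (constructed sample)
#        docker logs pingap 2>&1 | sh acme_triage.sh --stdin   (real logs)
if [ "${1:-}" = "--demo" ]; then
  sample_log | triage
elif [ "${1:-}" = "--stdin" ]; then
  triage
fi
```

On the sample, `--demo` reports two ACME errors and two causes, `bad_pem` and `missing_root_ca`; the second one is exactly the condition that the `-v /etc/ssl:/etc/ssl:ro` mount suggested earlier in the thread addresses.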

@vicanso (Owner)

vicanso commented Feb 4, 2025

@podpress

Is the problem solved?

@vicanso vicanso added the stale label Feb 18, 2025
@vicanso (Owner)

vicanso commented Feb 18, 2025

This issue has been closed because it has been stalled with no activity.

@vicanso vicanso closed this as completed Feb 21, 2025