Third party SSL not working: No sets found

techwilk · 2 May 2024 20:09

Problem Description

I’ve been trying to get third party SSL certificates to work, but sympl-ssl doesn’t seem to be able to see them. I’ve written up my steps in here, but in short I’m using Dehydrated to generate DNS-verified SSL certificates (which generate fine) then trying to load them on a sympl site.

I’ve copied the certificates as an SSL set directory, but when I use sympl-ssl to select them (as per the wiki), it just errors out with the message No sets found and I haven’t been able to get any further.

cat > /etc/dehydrated/hooks/deploy-cert/sympl <<EOF
#!/bin/sh
echo 'false' > /srv/\$DOMAIN/config/ssl-provider
mkdir -p /srv/\$DOMAIN/config/ssl/sets/dehydrated
cat "\${CERTFILE}" > /srv/\$DOMAIN/config/ssl/sets/dehydrated/ssl.crt
cat "\${CHAINFILE}" > /srv/\$DOMAIN/config/ssl/sets/dehydrated/ssl.bundle
cat "\${KEYFILE}" > /srv/\$DOMAIN/config/ssl/sets/dehydrated/ssl.key
cat "\${FULLCHAINFILE}" "\${KEYFILE}" > /srv/\$DOMAIN/config/ssl/sets/dehydrated/ssl.combined
sympl-ssl \$DOMAIN --verbose --select dehydrated
EOF

Full reproduction steps

Any Error Messages

sympl@[hostname]:/srv/[subdomain.example.com]/config$ ls -la ssl/sets/dehydrated/
total 24
drwxr-sr-x 2 root sympl 4096 May  1 19:41 .
drwxr-sr-x 3 root sympl 4096 May  1 19:36 ..
-rw-r--r-- 1 root sympl 1827 May  1 19:41 ssl.bundle
-rw-r--r-- 1 root sympl 3748 May  1 19:41 ssl.combined
-rw-r--r-- 1 root sympl 1562 May  1 19:41 ssl.crt
-rw-r--r-- 1 root sympl  359 May  1 19:41 ssl.key

sympl@[hostname]:/srv/[subdomain.example.com]/config$ sudo sympl-ssl [subdomain.example.com] --verbose --select dehydrated
[sudo] password for sympl: 
Certificate sets for [subdomain.example.com]:
	** No sets found

Environment

Sympl Version 12:
Sympl Testing Version? No
Debian Version: Bookworm
Hardware Type? Virtual
Hosted On? DNS on Mythic, VPS on Proxmox locally

techwilk · 4 May 2024 20:28

Ok, so it looks like the first of the issues is that Dehydrated generated an ECC private key, which sympl-ssl doesn’t support (though the error messages don’t make this clear at all). Changing KEY_ALGO from secp384r1 to rsa in the Dehydrated config gets things one step closer.

However, I now hit an actual bug in sympl-ssl. While I’m no Ruby developer, it looks to me like it could be a alphabetical sorting algorithm not handling a single item list properly.

sympl@[hostname]:$ sudo sympl-ssl [subdomain.example.com] --verbose --select dehydrated
Certificate sets for [subdomain.example.com]:
	SSL set dehydrated: signed by /C=US/O=Let's Encrypt/CN=R3, expires 2024-08-02 19:10:52 UTC
/usr/lib/ruby/vendor_ruby/symbiosis/ssl/certificate_set.rb:82:in `<=>': undefined method `name' for nil:NilClass (NoMethodError)

        self.name <=> other.name
                           ^^^^^
	from /usr/sbin/sympl-ssl.rb:225:in `=='
	from /usr/sbin/sympl-ssl.rb:225:in `block in <main>'
	from /usr/sbin/sympl-ssl.rb:196:in `each'
	from /usr/sbin/sympl-ssl.rb:196:in `<main>'

Kelduum · 13 May 2024 11:03

@techwilk Awesome work on this, and your merge request has been accepted, and the changes are now in Sympl!

techwilk · 13 May 2024 19:36

Great, thank you!
Glad to see it fixed

system · 23 May 2024 19:37

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.