Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

drop --user on pip install dns plugin #2971

Merged

Conversation

wolviex
Copy link
Contributor

@wolviex wolviex commented Jun 1, 2023

Do not install dns_plugin (via pip) into the user site because it will lack sys.path precedence to urllib3 in /opt/certbot/lib/python3.7/site-packages.
resolves #2921 and #2844
solution recommended by certbot engineer: https://community.letsencrypt.org/t/nginx-proxy-manager-and-cert/198147
Tested with docker image 'jc21/nginx-proxy-manager:latest', Godaddy DNS API credentials and wildcard certificate.

Do not install dns_plugin into the user site because it will lack sys.path precedence to urllib3 in /opt/certbot/lib/python3.7/site-packages
@wolviex wolviex changed the title drop --user on pip install dns plugin godaddy drop --user on pip install dns plugin Jun 1, 2023
@nginxproxymanagerci
Copy link

Docker Image for build 1 is available on DockerHub as jc21/nginx-proxy-manager:github-pr-2971

Note: ensure you backup your NPM instance before testing this PR image! Especially if this PR contains database changes.

@wolviex
Copy link
Contributor Author

wolviex commented Jun 6, 2023

Docker Image for build 1 is available on DockerHub as jc21/nginx-proxy-manager:github-pr-2971

Note: ensure you backup your NPM instance before testing this PR image! Especially if this PR contains database changes.

PR image is functioning as expected and stable.

@biggen1684
Copy link

biggen1684 commented Jun 8, 2023

Can confirm this patch fixes issues with DNS validation of SSLs through Godaddy. Should definitely be merged with the main branch. Good job @wolviex!

@martindur
Copy link

Worked smoothly with Route53 as well. Thanks for the effort @wolviex 🙏

@jeffshead
Copy link

jeffshead commented Jun 12, 2023

Doesn't fix issue with ClouDNS: #2844

@wolviex
Copy link
Contributor Author

wolviex commented Jun 12, 2023

Doesn't fix issue with ClouDNS: #2844

Sounds like you're facing a different issue. Note that the error changed when you tried this PR, it did indeed resolve the issue #2921. I'll make some comments on that issue.

@justSem
Copy link

justSem commented Jun 14, 2023

Your proposed fix does seem to throw some issues with the TransIP API
This error also occurs on a clean install.

Error: Command failed: certbot certonly --config "/etc/letsencrypt.ini" --work-dir "/tmp/letsencrypt-lib" --logs-dir "/tmp/letsencrypt-log" --cert-name "npm-5" --agree-tos --email "redacted@domain.tls" --domains "*.domain.tls" --authenticator dns-transip --dns-transip-credentials "/etc/letsencrypt/credentials/credentials-5"
Traceback (most recent call last):
  File "/usr/bin/certbot", line 5, in 
    from certbot.main import main
  File "/opt/certbot/lib/python3.7/site-packages/certbot/main.py", line 6, in 
    from certbot._internal import main as internal_main
  File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/main.py", line 21, in 
    import josepy as jose
  File "/opt/certbot/lib/python3.7/site-packages/josepy/__init__.py", line 40, in 
    from josepy.json_util import (
  File "/opt/certbot/lib/python3.7/site-packages/josepy/json_util.py", line 14, in 
    from OpenSSL import crypto
  File "/opt/certbot/lib/python3.7/site-packages/OpenSSL/__init__.py", line 8, in 
    from OpenSSL import crypto, SSL
  File "/opt/certbot/lib/python3.7/site-packages/OpenSSL/crypto.py", line 1517, in 
    class X509StoreFlags(object):
  File "/opt/certbot/lib/python3.7/site-packages/OpenSSL/crypto.py", line 1537, in X509StoreFlags
    CB_ISSUER_CHECK = _lib.X509_V_FLAG_CB_ISSUER_CHECK
AttributeError: module 'lib' has no attribute 'X509_V_FLAG_CB_ISSUER_CHECK'

    at ChildProcess.exithandler (node:child_process:402:12)
    at ChildProcess.emit (node:events:513:28)
    at maybeClose (node:internal/child_process:1100:16)
    at Process.ChildProcess._handle.onexit (node:internal/child_process:304:5)

This error can be fixed by exec-ing to the container and executing:
. /opt/certbot/bin/activate && pip install --upgrade pyopenssl

@wolviex
Copy link
Contributor Author

wolviex commented Jun 14, 2023

Your proposed fix does seem to throw some issues with the TransIP API This error also occurs on a clean install.

Are you saying you get this same error on an fresh container pulled with the 'jc21/nginx-proxy-manager:latest' image tag?
OR are you saying this PR introduces the error not found on the latest?

@justSem
Copy link

justSem commented Jun 14, 2023

Your proposed fix does seem to throw some issues with the TransIP API This error also occurs on a clean install.

Are you saying you get this same error on an fresh container pulled with the 'jc21/nginx-proxy-manager:latest' image tag? OR are you saying this PR introduces the error not found on the latest?

Good point. I may have spoken a bit to soon.
But no, this error is not introduced by your PR, it just came apparent when testing your proposed solution.

When manualy applying the PR to the :latest container this error is present as well.

@unixorn
Copy link

unixorn commented Jun 15, 2023

I was having the sys.path precedence to urllib3 problem with Route 53 and this fixes it.

@wolviex
Copy link
Contributor Author

wolviex commented Jun 16, 2023

Appears to resolve #2844 as well

Copy link

@justSem justSem left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Since I can't push to your PR branch; I'd propose the line

const prepareCmd = '. /opt/certbot/bin/activate && pip install --no-cache-dir ' + dns_plugin.package_name + (dns_plugin.version_requirement || '') + ' ' + dns_plugin.dependencies + ' && deactivate';

to be changed to

const prepareCmd = '. /opt/certbot/bin/activate && pip install --upgrade pyopenssl  && pip install --no-cache-dir ' + dns_plugin.package_name + (dns_plugin.version_requirement || '') + ' ' + dns_plugin.dependencies + ' && deactivate';

@wolviex wolviex mentioned this pull request Jun 20, 2023
Copy link
Contributor Author

@wolviex wolviex left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This PR directly addresses the error Will not install to user site and nothing else.
This is as recommended by a certbot engineer.

Please explain why the pyopenssl upgrade is to be considered a part of this PR.

@justSem
Copy link

justSem commented Jun 23, 2023

This PR directly addresses the error Will not install to user site and nothing else. This is as recommended by a certbot engineer.

Please explain why the pyopenssl upgrade is to be considered a part of this PR.

I figured, since it fixes a subsequent issue, it might as well be integrated into the same PR. But if you wish, I'll create a separate PR for it.

@wolviex
Copy link
Contributor Author

wolviex commented Jun 23, 2023

I figured, since it fixes a subsequent issue, it might as well be integrated into the same PR. But if you wish, I'll create a separate PR for it.

I thought you clarified that your issue is also present on the :latest ?
It seems like a dependancy issue, due to deprecated functionality in pyopenssl
pyca/pyopenssl#1142

It may be something that should be addressed in another module

@biggen1684
Copy link

Crazy that this PR hasn't been merged yet with the official since it clearly fixes an issue. @jc21 still around?

@wolviex
Copy link
Contributor Author

wolviex commented Jun 27, 2023

Crazy that this PR hasn't been merged yet with the official since it clearly fixes an issue. @jc21 still around?

My Guess is this is backburner since it looks like a v3 based in golang is in the works.
BTW, this is the same fix process as already merged in commit 05307aa

@a1ad
Copy link

a1ad commented Jul 11, 2023

@wolviex I still need your version, so I guess it is still not fixed in latest with 05307aa

@wolviex
Copy link
Contributor Author

wolviex commented Jul 11, 2023

@wolviex I still need your version, so I guess it is still not fixed in latest with 05307aa

Sorry for the confusion - no, the issue is not fixed in 05307aa. I only meant it is the same fix method used in that commit, just for reference. 05307aa is also not latest (2a06384 is and my PR is on top of that).

@a1ad
Copy link

a1ad commented Jul 11, 2023

Ok, no problem. I hope the PR is merging soon!

@jc21
Copy link
Member

jc21 commented Jul 20, 2023

I'm almost happy to merge the PR, however I'd ask that someone (or more than one) test this image with PUID/PGID set and also test without it being set.

The certbot install stuff may behave differently when the process is run as a non-root user vs a root user.

@jc21 jc21 added the requires-verification Waiting for one or more people to confirm the fix label Jul 20, 2023
@Nightreaver
Copy link

I can confirm its working on AWS R53.
Have it running with

version: '3.8'
services:
  app:
    image: 'jc21/nginx-proxy-manager:github-pr-2971'
    restart: unless-stopped
    environment:
      PUID: 1000
      PGID: 1000
    ports:
      - '80:80'
      - '81:81'
      - '443:443'

and got my cert without issues

@mashb1t
Copy link

mashb1t commented Jul 25, 2023

tested and works for me too using Route53

@jc21
Copy link
Member

jc21 commented Jul 26, 2023

I also only have Route53 in use for my hosts, but yeah I'd like to see other certbot plugins tested too.

@wolviex
Copy link
Contributor Author

wolviex commented Jul 26, 2023

I use GoDaddy, and have PUID/PGID set to 1000. This is what worked for me in the first place.
created new container without PUID/PGID and was still functional.
Note that I did have to workaround certbot-dns-godaddy issue with certbot/acme version mismatching by manually downgrading acme. I beleive this is unrelated.
miigotu/certbot-dns-godaddy#27

@jc21
Copy link
Member

jc21 commented Jul 30, 2023

Ok sounds good I'll merge it.

@jc21 jc21 merged commit 3333a32 into NginxProxyManager:develop Jul 30, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
requires-verification Waiting for one or more people to confirm the fix
Projects
None yet
Development

Successfully merging this pull request may close these issues.

SSL DNS Challenge Issue
10 participants