This repository has been archived by the owner on Dec 21, 2019. It is now read-only.

DnsException: Login Required #77

Closed
chrisabrams opened this issue Sep 28, 2017 · 6 comments

Comments

@chrisabrams

Got this error after deploying a controller to Google Cloud. Is this a Google Cloud error or a Let's Encrypt error?

Exception in thread "Thread-2" com.google.cloud.dns.DnsException: Login Required
	at com.google.cloud.dns.spi.DefaultDnsRpc.translate(DefaultDnsRpc.java:183)
	at com.google.cloud.dns.spi.DefaultDnsRpc.listZones(DefaultDnsRpc.java:244)
	at com.google.cloud.dns.DnsImpl$2.call(DnsImpl.java:154)
	at com.google.cloud.dns.DnsImpl$2.call(DnsImpl.java:151)
	at com.google.cloud.RetryHelper.doRetry(RetryHelper.java:179)
	at com.google.cloud.RetryHelper.runWithRetries(RetryHelper.java:244)
	at com.google.cloud.dns.DnsImpl.listZones(DnsImpl.java:150)
	at com.google.cloud.dns.DnsImpl.listZones(DnsImpl.java:142)
	at in.tazj.k8s.letsencrypt.acme.CloudDnsResponder.fetchMatchingZones(CloudDnsResponder.kt:112)
	at in.tazj.k8s.letsencrypt.acme.CloudDnsResponder.findMatchingZone(CloudDnsResponder.kt:95)
	at in.tazj.k8s.letsencrypt.acme.CloudDnsResponder.updateCloudDnsRecord(CloudDnsResponder.kt:55)
	at in.tazj.k8s.letsencrypt.acme.CloudDnsResponder.addChallengeRecord(CloudDnsResponder.kt:26)
	at in.tazj.k8s.letsencrypt.acme.CertificateRequestHandler.prepareDnsChallenge(CertificateRequestHandler.kt:176)
	at in.tazj.k8s.letsencrypt.acme.CertificateRequestHandler.authorizeDomain(CertificateRequestHandler.kt:77)
	at in.tazj.k8s.letsencrypt.acme.CertificateRequestHandler.access$authorizeDomain(CertificateRequestHandler.kt:27)
	at in.tazj.k8s.letsencrypt.acme.CertificateRequestHandler$requestCertificate$1.accept(CertificateRequestHandler.kt:41)
	at in.tazj.k8s.letsencrypt.acme.CertificateRequestHandler$requestCertificate$1.accept(CertificateRequestHandler.kt:27)
	at java.util.stream.ForEachOps$ForEachOp$OfRef.accept(ForEachOps.java:184)
	at java.util.Collections$2.tryAdvance(Collections.java:4717)
	at java.util.Collections$2.forEachRemaining(Collections.java:4725)
	at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:481)
	at java.util.stream.ForEachOps$ForEachTask.compute(ForEachOps.java:291)
	at java.util.concurrent.CountedCompleter.exec(CountedCompleter.java:731)
	at java.util.concurrent.ForkJoinTask.doExec(ForkJoinTask.java:289)
	at java.util.concurrent.ForkJoinTask.doInvoke(ForkJoinTask.java:401)
	at java.util.concurrent.ForkJoinTask.invoke(ForkJoinTask.java:734)
	at java.util.stream.ForEachOps$ForEachOp.evaluateParallel(ForEachOps.java:160)
	at java.util.stream.ForEachOps$ForEachOp$OfRef.evaluateParallel(ForEachOps.java:174)
	at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:233)
	at java.util.stream.ReferencePipeline.forEach(ReferencePipeline.java:418)
	at java.util.stream.ReferencePipeline$Head.forEach(ReferencePipeline.java:583)
	at in.tazj.k8s.letsencrypt.acme.CertificateRequestHandler.requestCertificate(CertificateRequestHandler.kt:41)
	at in.tazj.k8s.letsencrypt.kubernetes.ServiceManager.handleCertificateRequest(ServiceManager.kt:64)
	at in.tazj.k8s.letsencrypt.kubernetes.ServiceManager.access$handleCertificateRequest(ServiceManager.kt:20)
	at in.tazj.k8s.letsencrypt.kubernetes.ServiceManager$reconcileService$1.run(ServiceManager.kt:45)
	at java.lang.Thread.run(Thread.java:745)
Caused by: com.google.api.client.googleapis.json.GoogleJsonResponseException: 401 Unauthorized
{
  "code" : 401,
  "errors" : [ {
    "domain" : "global",
    "location" : "Authorization",
    "locationType" : "header",
    "message" : "Login Required",
    "reason" : "required"
  } ],
  "message" : "Login Required"
}
	at com.google.api.client.googleapis.json.GoogleJsonResponseException.from(GoogleJsonResponseException.java:145)
	at com.google.api.client.googleapis.services.json.AbstractGoogleJsonClientRequest.newExceptionOnError(AbstractGoogleJsonClientRequest.java:113)
	at com.google.api.client.googleapis.services.json.AbstractGoogleJsonClientRequest.newExceptionOnError(AbstractGoogleJsonClientRequest.java:40)
	at com.google.api.client.googleapis.services.AbstractGoogleClientRequest$1.interceptResponse(AbstractGoogleClientRequest.java:321)
	at com.google.api.client.http.HttpRequest.execute(HttpRequest.java:1056)
	at com.google.api.client.googleapis.services.AbstractGoogleClientRequest.executeUnparsed(AbstractGoogleClientRequest.java:419)
	at com.google.api.client.googleapis.services.AbstractGoogleClientRequest.executeUnparsed(AbstractGoogleClientRequest.java:352)
	at com.google.api.client.googleapis.services.AbstractGoogleClientRequest.execute(AbstractGoogleClientRequest.java:469)
	at com.google.cloud.dns.spi.DefaultDnsRpc.listZones(DefaultDnsRpc.java:241)
@tazjin
Owner

tazjin commented Sep 28, 2017

That's a Google Cloud error, and it seems a bit odd if you've deployed it to a GCP environment.

GCP usually provides the metadata service which lets you fetch the service account token for the instance.

If your instance does not have DNS management permissions I'd expect it to error with "Permission denied [for the service account of your instance]" rather than "Login required" which implies that you're not logged in at all.

Regardless, if your instance does not have the required permissions for Cloud DNS you can create a service account and make a private key for it. Setting the environment variable GOOGLE_APPLICATION_CREDENTIALS to the location of the key JSON file will cause the Google Cloud SDK to pick them up.

@chrisabrams
Author

chrisabrams commented Sep 28, 2017

I did create a service account for this, and gave it the correct permissions. Since this is a test project/cluster I actually gave it Editor permissions for the whole project.

@tazjin
Owner

tazjin commented Sep 28, 2017

Hmm, and you mounted the key JSON into the container and set the environment variable correctly?

@chrisabrams
Author

Yes. Here's that piece of the config:

spec:
  containers:
    - image: tazjin/letsencrypt-controller:1.8-SNAPSHOT
      imagePullPolicy: Always
      name: letsencrypt-controller
      env:
      - name: GOOGLE_APPLICATION_CREDENTIALS
        value: "/etc/ce"
      volumeMounts:
      - name: ce
        mountPath: "/etc/ce"
        readOnly: true
  volumes:
  - name: ce
    secret:
      secretName: ce

I created the secret like so:

kubectl create secret generic ce --from-file=./credentials.json -n kube-system

Where credentials.json is the private key file from the service account created.

I also explicitly added DNS Administrator to the service account, but no go.

@tazjin
Owner

tazjin commented Sep 28, 2017

Oh, the path has to point at the file itself, i.e. /etc/ce/credentials.json (see docs)

@chrisabrams
Author

Ah, I see. Thanks, that fixed it!
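The root cause in this thread is that GOOGLE_APPLICATION_CREDENTIALS pointed at the secret volume's mountPath (a directory) instead of the key file inside it, and the Google client surfaced that as a bare 401 "Login Required" rather than a file error. The following is an added example, not code from the letsencrypt-controller project or either participant: a POSIX shell preflight check that distinguishes the three failure modes (directory, missing/unreadable file, file that is not a service account key) before a controller is deployed, plus a helper that derives the in-container key path from the mountPath and the `--from-file` argument used with `kubectl create secret generic`. The sample key content in the comments is constructed.

```shell
#!/bin/sh
# Added example (not part of the letsencrypt-controller project).
# Preflight check for the path handed to GOOGLE_APPLICATION_CREDENTIALS.
# Exit codes: 0 = usable service account key file
#             1 = path is a directory (the mistake in this thread: mountPath, not the file)
#             2 = empty, missing, unreadable, or not a service account key
check_gac_path() {
  path="$1"
  if [ -z "$path" ]; then
    echo "GOOGLE_APPLICATION_CREDENTIALS is empty" >&2
    return 2
  fi
  if [ -d "$path" ]; then
    # A secret volume's mountPath is a directory; every key of the secret
    # becomes a file inside it, so the env var must name one of those files.
    echo "$path is a directory, not a key file; use $path/<secret-key-name>" >&2
    return 1
  fi
  if [ ! -f "$path" ] || [ ! -r "$path" ]; then
    echo "$path is not a readable regular file" >&2
    return 2
  fi
  # Cheap structural check without jq: a service account key is JSON containing
  # "type": "service_account" (a gcloud user credential carries "authorized_user").
  if ! grep -q '"type"[[:space:]]*:[[:space:]]*"service_account"' "$path"; then
    echo "$path does not look like a service account key (no \"type\": \"service_account\")" >&2
    return 2
  fi
  return 0
}

# Derives the in-container path of a key created with
#   kubectl create secret generic <name> --from-file=<local-file>
# The secret key is the local file's basename, mounted as a file under mountPath.
# Example: expected_key_path /etc/ce ./credentials.json  -> /etc/ce/credentials.json
expected_key_path() {
  mount_path="$1"
  local_file="$2"
  printf '%s/%s\n' "${mount_path%/}" "$(basename "$local_file")"
}

# Stand-alone usage: validate whatever the current environment provides.
if [ -n "$GOOGLE_APPLICATION_CREDENTIALS" ]; then
  check_gac_path "$GOOGLE_APPLICATION_CREDENTIALS" && echo "credentials path OK"
fi
```

Run it inside the container image (or in an initContainer that shares the secret volume) with the same env var the controller receives; an exit code of 1 is exactly the misconfiguration from this issue, and the fix is to set the variable to the value `expected_key_path` prints for your mountPath and key file.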
