Description
Do you want to request a feature or report a bug?
I believe this is both.
What did you do?
I was having serious issues getting traefik to register an ACME account and generate certificates, so I tried to use the xenolf/lego command-line utility to generate them and then, following the template here, tried to get traefik to pick them up.
What did you expect to see?
I expected traefik to read the acme.json file I created and use it as basis for the certificates.
What did you see instead?
This is the first error I encountered:

```
traefik | time="2018-03-14T22:15:22Z" level=info msg="Loading ACME Account..."
traefik | time="2018-03-14T22:15:22Z" level=info msg="Loaded ACME config from store /etc/traefik/acme.json"
traefik | time="2018-03-14T22:15:22Z" level=error msg="Cannot unmarshall private key [<privatekeydata>]"
traefik | time="2018-03-14T22:15:22Z" level=error msg="Failed to build ACME client: private key was nil
Let's Encrypt functionality will be limited until traefik is restarted."
...
traefik | time="2018-03-14T22:15:54Z" level=error msg="Error getting ACME client: ACME client still not built"
```

So I went to look at the code and found that this function https://github.com/containous/traefik/blob/8d468925d37f05dd529a3c02f0638be88eac961e/acme/account.go#L99 can only accept an RSA private key:
```go
func ParsePKCS1PrivateKey(der []byte) (*rsa.PrivateKey, error)
```

Looking back at what lego did, I found that the certificates generated were EC and not RSA.
```sh
$ CLOUDFLARE_EMAIL=<email> CLOUDFLARE_API_KEY=<api> lego --email <email> --dns cloudflare --accept-tos --domains <domain> --path . run
```

The above is the command I used, and below is the account.json file that lego generated:
```json
{
  "email": "<email>",
  "registration": {
    "body": {
      "resource": "reg",
      "id": 3,
      "key": {
        "kty": "EC",
        "crv": "P-384",
        "x": "<X>",
        "y": "<Y>"
      },
      "contact": [
        "mailto:<email>"
      ],
      "agreement": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf"
    },
    "uri": "https://acme-v01.api.letsencrypt.org/acme/reg/<ID>",
    "new_authzr_uri": "https://acme-v01.api.letsencrypt.org/acme/new-authz",
    "terms_of_service": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf"
  }
}
```

EC keys can't be unmarshalled by that function, and this is an issue.
Output of traefik version: (What version of Traefik are you using?)
```
Version:      v1.5.3
Codename:     cancoillotte
Go version:   go1.9.4
Built:        2018-02-27_02:47:04PM
OS/Arch:      linux/arm
```
What is your environment & configuration (arguments, toml, provider, platform, ...)?
```yaml
service:
  traefik:
    command:
      - --loglevel=INFO
      - --defaultentrypoints=http,https
      - --entryPoints=Name:http Address::80 Redirect.EntryPoint:https
      - --entryPoints=Name:https Address::443 Compress:true TLS TLS.MinVersion:VersionTLS12
      - --entryPoints=Name:api Address::8080
      - --api.entrypoint=api
      - --acme=true
      - --acme.acmelogging=true
      - --acme.email=${EMAIL}
      - --acme.domains=${DOMAIN}
      - --acme.storage=/etc/traefik/acme.json
      - --acme.entrypoint=https
      - --acme.onhostrule=true
      - --acme.dnschallenge=true
      - --acme.dnschallenge.provider=cloudflare
      - --acme.tlsconfig=true
      - --docker=true
      - --docker.debugloggeneratedtemplate=true
      - --docker.domain='${DOMAIN}'
      - --docker.exposedbydefault=false
      - --docker.usebindportip=true
      - --docker.watch=true
      - --file=true
      - --file.filename=/etc/traefik/external.toml
      - --file.watch=true
```

From the docker container using docker-compose.
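As an added example (not traefik's or lego's code), the following Go program shows why the RSA-only `x509.ParsePKCS1PrivateKey` rejects a P-384 account key like the one in the report above, and how an account loader can accept RSA (PKCS#1), EC (SEC 1) and PKCS#8 DER encodings by trying each parser in turn. The function names are hypothetical, and the keys are generated in-process as constructed sample input; no ACME account file is read.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"errors"
	"fmt"
)

// parseAnyPrivateKey is a hypothetical replacement for a loader that only
// calls x509.ParsePKCS1PrivateKey. It tries the three DER encodings an ACME
// account key is commonly stored in: PKCS#1 (RSA only), SEC 1 (EC only) and
// PKCS#8 (either). The first parser that succeeds wins; if none does, the
// caller gets a descriptive error instead of a nil key.
func parseAnyPrivateKey(der []byte) (crypto.Signer, error) {
	if k, err := x509.ParsePKCS1PrivateKey(der); err == nil {
		return k, nil
	}
	if k, err := x509.ParseECPrivateKey(der); err == nil {
		return k, nil
	}
	k, err := x509.ParsePKCS8PrivateKey(der)
	if err != nil {
		return nil, errors.New("private key is not PKCS#1 RSA, SEC 1 EC or PKCS#8 DER")
	}
	s, ok := k.(crypto.Signer)
	if !ok {
		return nil, fmt.Errorf("PKCS#8 key of type %T cannot sign", k)
	}
	return s, nil
}

// keyKind names the parsed key type, e.g. for a log line.
func keyKind(k crypto.Signer) string {
	switch k.(type) {
	case *rsa.PrivateKey:
		return "RSA"
	case *ecdsa.PrivateKey:
		return "EC"
	default:
		return "unknown"
	}
}

// parsesAsPKCS1 reports whether the RSA-only parser accepts the DER bytes.
func parsesAsPKCS1(der []byte) bool {
	_, err := x509.ParsePKCS1PrivateKey(der)
	return err == nil
}

// newECP384DER generates a P-384 key (the curve lego used in the report
// above) and returns its SEC 1 DER encoding. Constructed sample input.
func newECP384DER() ([]byte, error) {
	k, err := ecdsa.GenerateKey(elliptic.P384(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return x509.MarshalECPrivateKey(k)
}

// newRSADER generates a 2048-bit RSA key and returns its PKCS#1 DER
// encoding. Constructed sample input.
func newRSADER() ([]byte, error) {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return x509.MarshalPKCS1PrivateKey(k), nil
}

func main() {
	for _, gen := range []struct {
		name string
		fn   func() ([]byte, error)
	}{{"EC P-384", newECP384DER}, {"RSA 2048", newRSADER}} {
		der, err := gen.fn()
		if err != nil {
			fmt.Println(gen.name, "generate:", err)
			continue
		}
		k, err := parseAnyPrivateKey(der)
		if err != nil {
			fmt.Println(gen.name, "parse:", err)
			continue
		}
		fmt.Printf("%s: PKCS#1 parser accepts=%v, generic parser kind=%s\n",
			gen.name, parsesAsPKCS1(der), keyKind(k))
	}
}
```

Running it prints that the PKCS#1 parser rejects the EC key and accepts the RSA key, while the generic loader handles both; a loader built this way would have reported a parse failure with the actual encoding instead of "private key was nil".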