
Docker only instalation #138

Open
rmsferreira opened this issue Sep 6, 2024 · 17 comments
Comments

@rmsferreira

Hi, can you help please?

I followed the process for the Docker Only installation:

git clone https://github.com/hakwerk/labca.git
cd labca/build
export LABCA_FQDN=labca.example.com

However, when I run "docker compose up bsetup" I get the following error:

"Error response from daemon: failed to create task for container: failed to create shim task: OCI runtime create failed: runc create failed: unable to start container process: exec: "labca/certs/generate.sh": stat labca/certs/generate.sh: no such file or directory: unknown"

Can you help?

Thanks.

@hakwerk
Owner

hakwerk commented Sep 7, 2024

I'm sorry, but you can actually skip that step now and just do docker compose up -d.
I have updated the README to remove that step.

@GuyGuy-59

Hi,
I have an installation problem with the latest version.
At the end of the installation I get this error in docker compose logs control:
Traceback (most recent call last):
control-1 | File "/opt/labca/acme_tiny.py", line 199, in <module>
control-1 | main(sys.argv[1:])
control-1 | File "/opt/labca/acme_tiny.py", line 195, in main
control-1 | signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, log=LOGGER, CA=args.ca, disable_check=args.disable_check, directory_url=args.directory_url, contact=args.contact, check_port=args.check_port)
control-1 | File "/opt/labca/acme_tiny.py", line 160, in get_crt
control-1 | _send_signed_request(order['finalize'], {"csr": _b64(csr_der)}, "Error finalizing order")
control-1 | File "/opt/labca/acme_tiny.py", line 60, in _send_signed_request
control-1 | return _do_request(url, data=data.encode('utf8'), err_msg=err_msg, depth=depth)
control-1 | File "/opt/labca/acme_tiny.py", line 46, in _do_request
control-1 | raise ValueError("{0}:\nUrl: {1}\nData: {2}\nResponse Code: {3}\nResponse: {4}".format(err_msg, url, data, code, resp_data))
control-1 | ValueError: Error finalizing order:
control-1 | Url: http://boulder:4001/acme/finalize/1/2
control-1 | Data: b'{"protected": "confidential", "payload": "confidential"}'
control-1 | Response Code: 500
control-1 | Response: {'type': 'urn:ietf:params:acme:error:serverInternal', 'detail': 'Error finalizing order', 'status': 500}

and this in docker compose logs labca:
gui-1 | created by net/http.(*Server).Serve in goroutine 1
gui-1 | /usr/local/go/src/net/http/server.go:3290 +0x4b4
gui-1 | 2024/09/08 05:53:41 GET /accounts
gui-1 | 2024/09/08 05:53:41 GET /setup
gui-1 | 2024/09/08 05:53:55 GET /setup
gui-1 | 2024/09/08 05:54:13 GET /final
gui-1 | 2024/09/08 05:54:18 GET /final
gui-1 | 2024/09/08 05:54:23 ERROR: Message from server: 'ERROR! On line 69 in commander script
gui-1 | '
gui-1 | 2024/09/08 05:54:23 errorHandler: err=ERROR! On line 69 in commander script

Can you help?

Thanks.

@thenetworkdoctor

I had more or less the same issue (the webserver couldn't download its certificate from the http acme page).
I managed to solve it by adding this (line 150) to the compose file (I don't know if this is related):

144   nginx:
145     image: nginx:1.26.0
146     restart: always
147     networks:
148       bouldernet:
149         aliases:
150           - ${LABCA_FQDN:-notset}

@hakwerk
Owner

hakwerk commented Sep 9, 2024

control-1 | Response: {'type': 'urn:ietf:params:acme:error:serverInternal', 'detail': 'Error finalizing order', 'status': 500}

This is only the client side error, it does not contain any information on why the server returns the status 500. Please have a look at the boulder log files, also see https://github.com/hakwerk/labca/tree/master?tab=readme-ov-file#troubleshooting

@GuyGuy-59

Here is the error:
boulder-1 | 2024-09-10T11:43:41.702991+00:00Z boulder-ra[341]: 6 boulder-ra ruXosQY [AUDIT] Certificate request - error JSON={"ID":"TbvMKe2eOu3mMCUbHvyRHNEBqHax-3B8DHqYgkMPMTo","Requester":1,"OrderID":1,"VerifiedFields":["subject.commonName","subjectAltName"],"NotBefore":"0001-01-01T00:00:00Z","NotAfter":"0001-01-01T00:00:00Z","RequestTime":"2024-09-10T11:43:41.688579815Z","ResponseTime":"2024-09-10T11:43:41.702868114Z","Error":"issuing precertificate: no issuers found for public key algorithm RSA","Authorizations":{"pki.domain.tld":{"ID":"1","ChallengeType":"http-01"}}}
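As an added example (not code from LabCA or boulder) of the "look at the boulder logs" advice above: the server-side reason for an ACME 500 lives in the boulder-ra `[AUDIT] Certificate request - error JSON=...` lines, and the JSON can be parsed directly from `docker compose logs boulder` output. The sample log text is constructed here, modelled on the line quoted in this issue; the "successful" event name is assumed from boulder's audit vocabulary.

```python
import json
import re

# Constructed sample of `docker compose logs boulder` output, modelled on the
# boulder-ra [AUDIT] line quoted in this issue (second line and its IDs made up).
SAMPLE_LOGS = """\
boulder-1 | 2024-09-10T11:43:41.702991+00:00Z boulder-ra[341]: 6 boulder-ra ruXosQY [AUDIT] Certificate request - error JSON={"ID":"TbvMKe2eOu3mMCUbHvyRHNEBqHax-3B8DHqYgkMPMTo","Requester":1,"OrderID":1,"VerifiedFields":["subject.commonName","subjectAltName"],"Error":"issuing precertificate: no issuers found for public key algorithm RSA","Authorizations":{"pki.domain.tld":{"ID":"1","ChallengeType":"http-01"}}}
boulder-1 | 2024-09-10T11:43:42.000000+00:00Z boulder-ra[341]: 6 boulder-ra ruXosQY [AUDIT] Certificate request - successful JSON={"ID":"constructed-ok","Requester":1,"OrderID":2,"VerifiedFields":["subjectAltName"],"Error":"","Authorizations":{"ok.domain.tld":{"ID":"2","ChallengeType":"http-01"}}}
boulder-1 | 2024-09-10T11:43:43.000000+00:00Z boulder-ra[341]: 6 boulder-ra ruXosQY not an audit line
"""

# Audit lines carry a free-text event name followed by a single JSON object.
AUDIT_RE = re.compile(r"\[AUDIT\]\s+(?P<event>.+?)\s+JSON=(?P<body>\{.*\})\s*$")
# The RSA-vs-ECDSA issuer mismatch discussed in this issue (fixed in v25.01).
KEYALG_RE = re.compile(r"no issuers found for public key algorithm (\w+)")


def parse_audit_events(log_text):
    """Extract every boulder-ra certificate-request audit event from log text."""
    events = []
    for line in log_text.splitlines():
        m = AUDIT_RE.search(line)
        if not m:
            continue
        body = json.loads(m.group("body"))
        events.append({
            "event": m.group("event"),
            "order": body.get("OrderID"),
            "names": sorted(body.get("Authorizations", {})),
            "error": body.get("Error", ""),
        })
    return events


def explain(event):
    """Turn the audit record into the message the ACME client never sees."""
    err = event["error"]
    if not err:
        return "ok"
    km = KEYALG_RE.search(err)
    if km:
        return (f"key-type mismatch: order {event['order']} for {event['names']} "
                f"requested a {km.group(1)} key but no issuer CA has that key type")
    return "issuance error: " + err


if __name__ == "__main__":
    for ev in parse_audit_events(SAMPLE_LOGS):
        print(ev["event"], "->", explain(ev))
```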

@hakwerk
Owner

hakwerk commented Sep 10, 2024

Thanks, that will help me in analysing this issue and hopefully solving it.

@hakwerk hakwerk self-assigned this Sep 10, 2024
@alebo-iX

alebo-iX commented Oct 9, 2024

issuing precertificate: no issuers found for public key algorithm ECDSA

Issue min. on LabCA 24.08

When running certbot with the additional "--key-type rsa" from the client, it works. LabCA v24.09

  • Could it mean the CA cert or labca doesn't support ECDSA?
  • Or should we regenerate the CA and sub-CA cert?

@GuyGuy-59

Hi,
I still have the same problem with version 24.09.
Did you find the problem?

@GuyGuy-59

I'll be back to give you a little more information. The installation works fine using rsa 4094 but not ecdsa 384.
However, with the CA in RSA, I can't create an ECDSA certificate.
I think if you use an ecdsa CA with an ecdsa intermediary, it can't generate the server cert for the labca gui using RSA. Would it be possible to generate an ecdsa server certificate for the gui?

hakwerk added a commit that referenced this issue Dec 21, 2024
When creating the domain key for the GUI certificate, use the same key
type (RSA or ECDSA) as the Issuing CA.
@wbedard

wbedard commented Jan 2, 2025

@hakwerk Hi there. While following along in the Docker-only wiki page, I came across the same issue as this ticket. I noted your patch of Dec 21 and confirmed that was included in my git clone of your project. I reviewed the Docker logs and confirmed I am getting the same message/error as @GuyGuy-59 posted above. I realize this ticket is still open but wanted to provide some feedback after noting your patch. Thanks in advance for your time and effort on this (fantastic!) project.

hakwerk added a commit that referenced this issue Jan 12, 2025
The official Let's Encrypt boulder code only issues RSA certificates
from RSA issuer certificates and only ECDSA certificates from an ECDSA
issuer CA. Many people are having issues with this in LabCA.

Until we have the option for multiple issuers per root CA and/or
multiple CA chains in the GUI of LabCA, use the single issuer CA for
both key types.
@hakwerk
Owner

hakwerk commented Jan 12, 2025

This should now be fixed in the latest release (v25.01); ECDSA and RSA can now be mixed.

@wbedard

wbedard commented Jan 15, 2025

@hakwerk Made some time to test out the 25.01 release and ran into a likely minor issue. During final setup of the CA, when the cert for the webpage is being created, the process appears to not complete and I note the following error in the Docker logs:
...
boulder-1 | incidents_sa_integration
boulder-1 | Already exists - skipping create
boulder-1 | Applied 0 migrations
boulder-1 | Added users from ../db-users/incidents_sa.sql
boulder-1 |
boulder-1 | database setup complete
boulder-1 | Generating webpki/...
boulder-1 | ./labca/certs/generate.sh: line 66: make: command not found
boulder-1 exited with code 127

I noticed in your latest code commit, you do modify "patches/test_certs_generate.patch" to include the call to "make" but it's unclear to me whether the build env needs to be created by you in the Docker images or me in the VM. For my part, make is installed in my VM when running this. Thanks in advance for your time and attention to this issue.

@iarspider

I also have the same issue. It is preventing the boulder container from starting (thus, I guess, making everything broken?). I think the mysql container is also not configured properly; this is reported in the logs:

bmysql-1    | 2025-01-15 16:07:09 112 [Warning] Aborted connection 112 to db: 'unconnected' user: 'unauthenticated' host: '10.77.77.77' (This connection closed normally without authentication)

@wbedard

wbedard commented Jan 20, 2025

@hakwerk Just a quick update after noting your recent code update (8852d49). I tested out the updated Docker images (export LABCA_IMAGE_VERSION=edge) and wanted to confirm that they proceed successfully through the setup process and I was able to issue an ECC-384 cert from the new CA. Thanks again for all your work!

@hakwerk
Owner

hakwerk commented Jan 20, 2025

Thanks for confirming! I have created a new release v25.01.1 now.

@hakwerk
Owner

hakwerk commented Jan 20, 2025

@iarspider that message is nothing to worry about. The boulder container contains many running processes that try to connect to the database and sometimes this happens, but the code is made robust against that and it will just retry.

I see it occasionally as well on systems that are otherwise running fine.

@iarspider

Using edge version, I've managed to progress further.

First, it took me a while to figure out that web-gui is only accessible on localhost (the server on which I run labca is headless, only accessible with SSH).

Second, generating the certificate for labca itself failed:

ValueError: Challenge did not pass for labca.home: {'identifier': {'type': 'dns', 'value': 'labca.home'}, 'status': 'invalid', 'expires': '2025-01-29T22:02:11Z', 'challenges': [{'type': 'http-01', 'url': 'http://boulder:4001/acme/chall/1/1/o040hg', 'status': 'invalid', 'validated': '2025-01-22T22:02:11Z', 'error': {'type': 'urn:ietf:params:acme:error:dns', 'detail': 'DNS problem: NXDOMAIN looking up CAA for home - check that a DNS record exists for this domain', 'status': 400}, 'token': '0NSocQcrJgKx0FZA0Ld5spwv5Rptw5PhVDyBZtg79Z8', 'validationRecord': [{'url': 'http://labca.home/.well-known/acme-challenge/0NSocQcrJgKx0FZA0Ld5spwv5Rptw5PhVDyBZtg79Z8', 'hostname': 'labca.home', 'port': '80', 'addressesResolved': ['192.168.1.3'], 'addressUsed': '192.168.1.3'}]}]}

For context, I'm using my router (Mikrotik) as DNS server, and it doesn't support CAA records. So, I wonder if it's possible to configure boulder to not do CAA check? Or I need to add proper DNS server to run labca?
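An added illustration (not LabCA or boulder code) of why the error above names `home` rather than `labca.home`: boulder, following RFC 8659, looks up CAA at the name and at every ancestor up to the TLD, and an NXDOMAIN or SERVFAIL at any level is treated as a DNS validation failure. The two resolver models, the private `home` zone contents and the CA identifier `labca` are assumptions constructed to mirror the reporter's setup.

```python
# CAA "relevant record set" climb (RFC 8659 section 3) with a pluggable resolver.
NOERROR, NXDOMAIN = "NOERROR", "NXDOMAIN"


def caa_lookup_chain(fqdn):
    """labca.home -> ['labca.home', 'home']: every ancestor up to the TLD is queried."""
    labels = fqdn.rstrip(".").split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]


def check_caa(fqdn, resolver, ca_identifier="labca"):
    """Return (permitted, detail). resolver(name) -> (rcode, [(flags, tag, value), ...])."""
    for name in caa_lookup_chain(fqdn):
        rcode, records = resolver(name)
        if rcode != NOERROR:
            # Any non-NOERROR answer on the climb aborts validation; this is the
            # message boulder reported in this issue when "home" did not resolve.
            return False, f"DNS problem: {rcode} looking up CAA for {name}"
        if not records:
            continue  # no CAA set here: keep climbing
        # First ancestor with a CAA set is the relevant set; stop climbing.
        known = {"issue", "issuewild", "iodef"}
        if any(flags & 128 and tag not in known for flags, tag, _v in records):
            return False, f"critical unknown CAA tag at {name}; issuance refused"
        issuers = {v.strip() for _f, tag, v in records if tag == "issue"}
        if not issuers:
            return True, f"CAA set at {name} has no issue records; issuance permitted"
        if ca_identifier in issuers:
            return True, f"CAA at {name} authorises {ca_identifier}"
        return False, f"CAA at {name} only authorises {sorted(issuers)}"
    return True, "no CAA records at any level; issuance permitted"


# Constructed model of the reporter's setup: the router answers for labca.home
# but forwards the made-up TLD "home" upstream, which returns NXDOMAIN.
def router_forwarding_resolver(name):
    zone = {"labca.home": (NOERROR, [])}
    return zone.get(name, (NXDOMAIN, []))


# Constructed model of a resolver that is authoritative for the private "home"
# zone: the apex exists (NOERROR) and optionally carries a CAA issue record.
def local_authoritative_resolver(name):
    zone = {"labca.home": (NOERROR, []), "home": (NOERROR, [(0, "issue", "labca")])}
    return zone.get(name, (NXDOMAIN, []))


if __name__ == "__main__":
    print(check_caa("labca.home", router_forwarding_resolver))
    print(check_caa("labca.home", local_authoritative_resolver))
```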
