XOA letsencrpyt module not setting acmeDomain
-
@peb2 Oh, last night I forget to mention you also need to set the https hostname, as well as redirect to https and then after making the alterations. The file must be saved, the editor exited and then the xo-server service (daemon) restarted. When the xo-server service (daemon) is restarted you will lose connection to XOA, but briefly not as long as it would be if the appliance itself was restarted.
-
@john-c Thanks for your help sofar! The FQDN and email fields were changed for the post online, they're corrected in the actual config.toml.
I tried adding the hostname line with the FQDN to both the #basic HTTP and #basic HTTPS sections but it still doesn't seem to be grabbing the acmeDomain correctly.
This is what the Certificate says when I view it:
Common Name (CN) <Not Part Of Certificate>
Organization (O) Internet Widgits Pty Ltd
Organizational Unit (OU) <Not Part Of Certificate>There doesn't seem to be a manpage for xo-server, is there somewhere I can see the full set of configuration options?
edit: nevermind I found the journal entries and it looks like the problem is:
Jul 29 15:33:40 xoa xo-server[3893]: strict mode: required property "discoveryURL" is not defined at "#/anyOf/0" (strictRequired)
-
@peb2 said in XOA letsencrpyt module not setting acmeDomain:
@john-c Thanks for your help sofar! The FQDN and email fields were changed for the post online, they're corrected in the actual config.toml.
I tried adding the hostname line with the FQDN to both the #basic HTTP and #basic HTTPS sections but it still doesn't seem to be grabbing the acmeDomain correctly.
This is what the Certificate says when I view it:
Common Name (CN) <Not Part Of Certificate>
Organization (O) Internet Widgits Pty Ltd
Organizational Unit (OU) <Not Part Of Certificate>There doesn't seem to be a manpage for xo-server, is there somewhere I can see the full set of configuration options?
edit: nevermind I found the journal entries and it looks like the problem is:
Jul 29 15:33:40 xoa xo-server[3893]: strict mode: required property "discoveryURL" is not defined at "#/anyOf/0" (strictRequired)
- Did you install XO as an appliance or from the sources?
- If from the sources what commit are you using?
- If as an appliance what version of XOA are you using?
- Also if as an appliance what update channel are you on?
@olivierlambert Could the journal entry above be evidence of a bug in the Xen Orchestra source code?
-
I'm running the appliance, XOA version 5.95.1, stable release channel.
I'm also seeing this error in the journal:
Jul 29 15:33:59 xoa xo-server[3893]: 2024-07-29T19:33:59.287Z xo:mixins:sslCertificate WARN couldn't renew ssl certificate { Jul 29 15:33:59 xoa xo-server[3893]: acmeDomain: 'www.mydomain.com', Jul 29 15:33:59 xoa xo-server[3893]: error: Error: The request must include a value for the "externalAccountBinding" field
So it looks like there may be some letsencrypt account setup I need to do before this will work.
-
@peb2 said in XOA letsencrpyt module not setting acmeDomain:
I'm running the appliance, XOA version 5.95.1, stable release channel.
I'm also seeing this error in the journal:
Jul 29 15:33:59 xoa xo-server[3893]: 2024-07-29T19:33:59.287Z xo:mixins:sslCertificate WARN couldn't renew ssl certificate { Jul 29 15:33:59 xoa xo-server[3893]: acmeDomain: 'www.mydomain.com', Jul 29 15:33:59 xoa xo-server[3893]: error: Error: The request must include a value for the "externalAccountBinding" field
So it looks like there may be some letsencrypt account setup I need to do before this will work.
The config file isn't for Let's Encrypt but for the ZeroSSL provider. However ZeroSSL has been recently requiring EAB for users of the ACME protocol. The Let's Encrypt provider doesn't require this currently, but only issues certificates for 90 days.
Till the EAB issue is fixed with the XOA module it may be best to use the Let's Encrypt provider as this will work.
@olivierlambert Can the acme-client nodejs package please be updated in Xen Orchestra and add extra config parameters in the Xen Orchestra integration plugin for ACME to support EAB? The most recent versions of acme-client nodejs npm software will support External Account Binding (EAB) this is required for ZeroSSL and/or other CA services which have separate systems for customer management.
-
That's a question for @julien-f when he's back. Please create a GH issue
-
Thank you!
I switched the provider over to 'letsencrypt/production' and now everything is working. The 90 day renewal isn't an issue for me since the server renews automatically.
-
@olivierlambert said in XOA letsencrpyt module not setting acmeDomain:
That's a question for @julien-f when he's back. Please create a GH issue
Would you classify it as a bug and/or feature request for the GitHub issue?
-
Doesn't really matter, what matters is to explain in details the "why"
-
This post is deleted! -
@olivierlambert I created the issue on GithHub. https://github.com/vatesfr/xen-orchestra/issues/7884