-
Notifications
You must be signed in to change notification settings - Fork 445
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Bug]: Change of dns name #1814
Comments
Hey @jojof2024, did you send the |
Hey, yes we did restart the CA. And the old DNS name is no where to be found in the ca.json or the default.json. Do we have to remove the old DNS name somewhere else to. How can this happen? |
It also says that it runs with the latest dns name. certbot certonly --standalone -d example --server https://latest.lhgroup.de/acme/acme1day/directory -m email -vvv Please read the Terms of Service at None. You must agree in order to register (Y)es/(N)o: y |
Have you tried executing It looks like there's a proxy in between: |
step ca Health is ok. and |
The CA will reply with |
We tried it also with different clients (certbot (redhat client) and win-acme) all with the same responce. The win-acme client was just recently set up and did not send any request before this test. |
What's shown when you go to https://latest.lhgroup.de/acme/acme1day/directory in a browser? |
I get the exact same responce: |
What response headers does the browser console show? |
Cache-Control: |
I still suspect the proxy may have something to do with it. Can you try it without going through the proxy in your browser? |
I just tested this locally and I get the correct urls being served from the
I agree with @hslatman that there may be an issue with cacheing in your proxy layer? |
We run our tests now without the proxy in the middle but unfortunately the ca did respond with the wrong url. Is there a way we can assure that the ca responds with the primary url? Because it says that it runs primarly with our latest url but in the responce message is the wrong url. |
@jojof2024 the CA will always return the URL in the directory with the one it is requested with, as long as it can determine the right value from the HTTP request, in which case it will fallback to the one that's configured on the CA side. If you're still seeing the old URL, there must be something else interfering with the request. |
Steps to Reproduce
init the step ca with the following dns name xxxlhgroup.de.
I changed the dns name in ca.json and default.json to latest.lhgroup.de.
And now I send a certificate request over certbot.
Your Environment
step-ca
Version - 0.25.2Expected Behavior
The ca uses the dns name latest.lhgroup.de for the certificate request.
Actual Behavior
I make a certificate request over certbot (certbot certonly --standalone -d example --server https://latest.lhgroup.de/acme/acme1day/directory) and it changes the dns name from latest.lhgroup.de to xxxlhgroup.de in the ca response.
INFO[0021] duration="131.201µs" duration-ns=131201 fields.time="2024-04-29T16:21:36+02:00" method=GET name=ca path=/acme/acme1day/directory protocol=HTTP/1.1 referer= remote-address=xxxx request-id=conqps7a49jreql0aaeg response="{"newNonce":"
https://xxxlhgroup.de/acme/acme1day/new-nonce","newAccount":"https://xxxx.lhgroup.de/acme/acme1day/new-account","newOrder":"https://xxxx.lhgroup.de/acme/acme1day/new-order","revokeCert":"https://xxxlhgroup.de/acme/acme1day/revoke-cert","keyChange":"https://xxxlhgroup.de/acme/acme1day/key-change"}"
size=382 status=200 user-agent="CertbotACMEClient/1.22.0 (certbot; Red Hat Enterprise Linux 8.9 (Ootpa)) Authenticator/standalone Installer/None (certonly; flags: ) Py/3.6.8" user-id=
Additional Context
No response
Contributing
Vote on this issue by adding a 👍 reaction.
To contribute a fix for this issue, leave a comment (and link to your pull request, if you've opened one already).
The text was updated successfully, but these errors were encountered: