configuration of CertWarden Client

peanutlasko

Yes I've regenerated it several times without any success. It doesnt accept any key I use

gregtwallace

My best guess is that the environment variable isn't setting or accesible for some reason.

peanutlasko

gregtwallace hmm well that really stinks, I've spent a good amount of time getting the server setup and im 90% of the way finished with the client, but I cannot get this key to work. Can you give me any other ideas what I might be doing incorrect?

peanutlasko

example docker compose:

certwardenclient:
image: ghcr.io/gregtwallace/certwarden-client:latest
container_name: certwardenclient
networks:
- docker_network
ports:
- "5055:5055"
volumes:
#- /var/run/docker.sock:/var/run/docker.sock
- $CERTPATH:/opt/certwarden/certs
environment:
- TZ=$TZ
- PUID=$PUID
- PGID=$PGID
- CW_CLIENT_FILE_UPDATE_TIME_START='04:30'
- CW_CLIENT_FILE_UPDATE_TIME_END='05:45'
- CW_CLIENT_FILE_UPDATE_DAYS_OF_WEEK='Mon Wed Thu'
#- CW_CLIENT_RESTART_DOCKER_CONTAINER0='cert_using_app'
- CW_CLIENT_AES_KEY_BASE64='QJJBfCeyQ6JnlbZQS8Us0GFQN06nUGfHfMjNZnZXYfc'
- CW_CLIENT_SERVER_ADDRESS=$CERTWARDENADDRESS
- CW_CLIENT_KEY_NAME=$DOMAINNAME2
- CW_CLIENT_KEY_APIKEY='<key here>'
- CW_CLIENT_CERT_NAME=$DOMAINNAME2
- CW_CLIENT_CERT_APIKEY='<key here>'

gregtwallace

I'll update the error message to log the invalid key and we'll see what that yields. I'll try to work on it tomorrow or Thursday night.

peanutlasko

So I've made a bit of progress on this. I've fixed the issue by adding this line:

env_file: certwarden.env

Inside my file, I have listed:

CW_CLIENT_AES_KEY_BASE64='QJJBfCeyQ6JnlbZQS8Us0GFQN06nUGfHfMjNZnZXYfc'

This allows the cert to run and properly pull a cert. However, I'm now facing a seperate problem. I cannot figure out how to properly configure the client and server to pull down a new certificate once it's updated.

The client pulls the cert on a "fresh" start. But when the server updates, it complains that it cannot connect to the client:

11/20/2024, 3:17:30 PM, error, orders/post_process_do_client.go:104, orders: post processing worker 2: order 3: notify client failed: failed to post to client (Post "https://domain.com:5055/certwardenclient/api/v1/install": context deadline exceeded (Client.Timeout exceeded while awaiting headers)) (cert: 1, cn: domain.com)

I dont understand why the server is trying to connect to the client on https://domain.com ?

The guide says the client needs to be configured on CW_CLIENT_SERVER_ADDRESS (CLIENT ---> SERVER) but where is the connection in the opposite direction specified? I see there is an optional ENV variable called "CW_CLIENT_BIND_ADDRESS", but I cannot get the client to start up using anything for this value.

Error:
2024-11-20T15:30:20.973-0600 info main/config.go:148 starting Cert Warden Client v0.3.1
2024-11-20T15:30:20.974-0600 info main/config.go:258 new key/cert files will be permitted to write on Sunday Monday Tuesday Wednesday Thursday Friday Saturday between 03:00 and 05:00
2024-11-20T15:30:21.056-0600 info main/update_common.go:198 running key/cert update of client's cert
2024-11-20T15:30:21.057-0600 info main/update_common.go:208 new tls key/cert installed in https server
2024-11-20T15:30:21.057-0600 info main/update_common.go:185 key/cert file(s) write: not performed, but a write is needed
2024-11-20T15:30:21.058-0600 info main/https_server.go:33 starting https server bound to 192.168.1.109:5055
2024-11-20T15:30:21.058-0600 info main/update_schedule.go:117 scheduling write certs job for 2024-11-21 03:00:37 -0600 CST
2024-11-20T15:30:21.058-0600 fatal main/main.go:53 could not start https server (%s)

peanutlasko

peanutlasko and for clarity, its not actually "domain.com", its MY personal domain, ive just hid this for obvious security reasons

gregtwallace

Solved, but also: https://github.com/gregtwallace/certwarden/issues/67

fissilemind

Very nice app! I am running the direct install version of certwarden and so far it has worked very well. The problem I am having is with the certwarden client. I cannot get it a single certificate no matter how I configure it so I use curl to retrieve my certificates from certwarden. It seems like I'm doing this the hard way but when I pull a certificate using curl it works every time. It is a bit of a slog to write a reliable crontab scripts and I have not been successful pulling certificates on time but it works. This is just a home network/lab and nothing critical. I use your documented docker run command and the only changes I make are to the certificate and key names and tokens. Again, no problems using curl. I just wish I could change the result in some small way but I cannot find any environment variable that seems to matter other than complete failure of the client. I am wondering if perhaps you could suggest something that I might change other than the certificate names and api keys (which I've regenerated several times) that might make a difference. If not, I will stick with the curl command and a crontab script. As I mentioned, my docker command is exactly as your documentation shows in the example. While I know from experience this is not the most reliable way to get a working baseline configuration but there does not seem to be a single parameter in the github certwarden client pages that seems to matter. I've even converted your docker run command to a docker compose yaml and I get the exact same result so it must be something I'm doing but I'm at a loss to figure what that 'something' might be. The configuration shown earlier in this particular thread is very similar to what i'm using so I think I'm in the right discussion. Thanks for any assistance.

fissilemind

Nevermind! I found the problem; it is in the cockpit. Sorry about bring this to the forum. The client is working just fine now that Captain Obvious noticed a glaring typo.

gregtwallace

fissilemind Great 🙂