configuration of CertWarden Client

peanutlasko

Hello,

I've got CertWarden setup and working properly. However, I'm going through the documentation for setting up the client and hitting a stumbling block.

I've generated a Client AES Key by going to Post-processing under my cert and enabling it.

Then using Docker Compose, I've taken that key and passed it into the CW_CLIENT_AES_KEY_BASE64 environment variable. However, when running compose up I'm getting an error "CW_CLIENT_AES_KEY_BASE64 is not a valid base64 raw url encoded string"

Any ideas why?

gregtwallace

Have you tried other keys? E.g. regenerating the key and trying again?

If not, please save the non-working key before doing so. If it is a “sometime” bug I’ll need an example that triggers the bug.

peanutlasko

Yes I've regenerated it several times without any success. It doesnt accept any key I use

gregtwallace

My best guess is that the environment variable isn't setting or accesible for some reason.

peanutlasko

gregtwallace hmm well that really stinks, I've spent a good amount of time getting the server setup and im 90% of the way finished with the client, but I cannot get this key to work. Can you give me any other ideas what I might be doing incorrect?

peanutlasko

example docker compose:

certwardenclient:
image: ghcr.io/gregtwallace/certwarden-client:latest
container_name: certwardenclient
networks:
- docker_network
ports:
- "5055:5055"
volumes:
#- /var/run/docker.sock:/var/run/docker.sock
- $CERTPATH:/opt/certwarden/certs
environment:
- TZ=$TZ
- PUID=$PUID
- PGID=$PGID
- CW_CLIENT_FILE_UPDATE_TIME_START='04:30'
- CW_CLIENT_FILE_UPDATE_TIME_END='05:45'
- CW_CLIENT_FILE_UPDATE_DAYS_OF_WEEK='Mon Wed Thu'
#- CW_CLIENT_RESTART_DOCKER_CONTAINER0='cert_using_app'
- CW_CLIENT_AES_KEY_BASE64='QJJBfCeyQ6JnlbZQS8Us0GFQN06nUGfHfMjNZnZXYfc'
- CW_CLIENT_SERVER_ADDRESS=$CERTWARDENADDRESS
- CW_CLIENT_KEY_NAME=$DOMAINNAME2
- CW_CLIENT_KEY_APIKEY='<key here>'
- CW_CLIENT_CERT_NAME=$DOMAINNAME2
- CW_CLIENT_CERT_APIKEY='<key here>'

gregtwallace

I'll update the error message to log the invalid key and we'll see what that yields. I'll try to work on it tomorrow or Thursday night.

peanutlasko

So I've made a bit of progress on this. I've fixed the issue by adding this line:

env_file: certwarden.env

Inside my file, I have listed:

CW_CLIENT_AES_KEY_BASE64='QJJBfCeyQ6JnlbZQS8Us0GFQN06nUGfHfMjNZnZXYfc'

This allows the cert to run and properly pull a cert. However, I'm now facing a seperate problem. I cannot figure out how to properly configure the client and server to pull down a new certificate once it's updated.

The client pulls the cert on a "fresh" start. But when the server updates, it complains that it cannot connect to the client:

11/20/2024, 3:17:30 PM, error, orders/post_process_do_client.go:104, orders: post processing worker 2: order 3: notify client failed: failed to post to client (Post "https://domain.com:5055/certwardenclient/api/v1/install": context deadline exceeded (Client.Timeout exceeded while awaiting headers)) (cert: 1, cn: domain.com)

I dont understand why the server is trying to connect to the client on https://domain.com ?

The guide says the client needs to be configured on CW_CLIENT_SERVER_ADDRESS (CLIENT ---> SERVER) but where is the connection in the opposite direction specified? I see there is an optional ENV variable called "CW_CLIENT_BIND_ADDRESS", but I cannot get the client to start up using anything for this value.

Error:
2024-11-20T15:30:20.973-0600 info main/config.go:148 starting Cert Warden Client v0.3.1
2024-11-20T15:30:20.974-0600 info main/config.go:258 new key/cert files will be permitted to write on Sunday Monday Tuesday Wednesday Thursday Friday Saturday between 03:00 and 05:00
2024-11-20T15:30:21.056-0600 info main/update_common.go:198 running key/cert update of client's cert
2024-11-20T15:30:21.057-0600 info main/update_common.go:208 new tls key/cert installed in https server
2024-11-20T15:30:21.057-0600 info main/update_common.go:185 key/cert file(s) write: not performed, but a write is needed
2024-11-20T15:30:21.058-0600 info main/https_server.go:33 starting https server bound to 192.168.1.109:5055
2024-11-20T15:30:21.058-0600 info main/update_schedule.go:117 scheduling write certs job for 2024-11-21 03:00:37 -0600 CST
2024-11-20T15:30:21.058-0600 fatal main/main.go:53 could not start https server (%s)

peanutlasko

peanutlasko and for clarity, its not actually "domain.com", its MY personal domain, ive just hid this for obvious security reasons