[Bug]: Most of the time certificates can't be issued: failure saving error to acme challenge: error saving acme challenge; changed since last read #2121
Comments
Hey @LokiMidgard, what does your Docker storage setup look like? It sounds like BadgerDB can't commit file operation transactions. You could try the FileIO mode: https://smallstep.com/docs/step-ca/configuration/#badger
Thanks for the fast response :) I changed the config to FileIO:

    "db": {
        "type": "badgerv2",
        "dataSource": "/home/step/db",
        "badgerFileLoadingMode": "FileIO"
    },

The db is created (the home directory is a mounted volume next to the docker compose):

    ~/step-ca $ ls data/db/
    000000.vlog  000008.sst  KEYREGISTRY  LOCK  MANIFEST

Memory could be a problem since I'm running it for tests on a pi, and I just checked: it seems to be one with only 1 GB RAM. I could search if I get another device with more RAM, but that may take some time.
@LokiMidgard with the change to In the logs I also saw some time indications with
Yes, it persisted after I set FileIO. I did restart the container after that to reload. The characters are from the combination of
Or I'm too dumb to look through the logs ¬_¬
I tried to enable debug logging by setting the environment variable STEPDEBUG=1, but it does not seem to yield more output. On the ACME client I noticed the following error:
when posting to I'll assume that is when the transaction error occurs. Logs for later reference: step-ca, .well-known, acme-client
I'm not sure why there's an error related to the badger transaction yet, but I do see that the process fails to validate the challenge for the The badger transaction error looks like a red herring for this specific issue (but, it does look like something is off, so we may need to look into that separately).
On second thought, maybe it's not an issue with the DNS, and still something related with the badger transaction. But it's an unusual case that I haven't observed before.
I got it working. I changed two things:
After moving the DNS I got several clients working on the same docker with step-ca (with the exception of step-ca itself, since it would resolve to itself instead of nginx where the files are hosted). After I set the correct IPs for the domain in the DNS and no longer relied on CNAME records, everything worked as expected. It would be nice if I could use CNAME, since then I would only have one place to change when changing the IP of a machine, but it should not happen that often. I'm not sure if I made a mistake creating the CNAME records; while nslookup worked, curl could not resolve the host. But now it's working. Thank you for the help :)
Steps to Reproduce
I was able to issue a valid certificate once, but normally it fails.
It happens on a brand new docker setup. For reproduction I pushed my reproduction in this repo
deleting all containers and volumes does not fix it…
this is the complete log:
Your Environment
step-ca
Version - smallstep/step-ca:latest (0.28.1 if I see that correctly)
Expected Behavior
issue certificate
Actual Behavior
no certificate issued
Additional Context
the nginx (acme-companion) outputs
I set
STEPDEBUG=1
in the docker compose file, but it seems not to print more info.
The pi.hole is actually my DNS server, but since it exposes port 53 directly I have no problems resolving DNS names in the host machine. However, nslookup can't resolve inside the step-ca container even when providing the IP of the resolver (host). Is this expected? ping works, so the IP is reachable.