Unable to connect because your certificate is not yet valid. Check that your system time is correct [closed] - ssh

I don't know what I did wrong. My time is correct; I even updated it from Microsoft.
client config:
tls-client
client
dev tun
proto udp
remote xx.xxx.xxx.xxx 80
resolv-retry infinite
nobind
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
persist-key
persist-tun
comp-lzo
verb 3
reneg-sec 0
route-method exe
route-delay 2
ca ca.crt
auth-user-pass
Server config:
local xx.xxx.xxx.xxx
port 80
proto udp
dev tun
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
cert /etc/openvpn/easy-rsa/2.0/keys/server.crt
key /etc/openvpn/easy-rsa/2.0/keys/server.key
dh /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem
plugin /usr/share/openvpn/plugin/lib/openvpn-auth-pam.so /etc/pam.d/login
client-cert-not-required
username-as-common-name
server 10.8.0.0 255.255.0.0
push "redirect-gateway def1"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
comp-lzo
persist-key
persist-tun
#status /etc/openvpn/logs/serverstatus-tcp.log
#log /etc/openvpn/logs/serverlog-tcp.log
verb 3
float
duplicate-cn
#Limit server to a maximum of n concurrent clients.
max-clients 15
keepalive 20 300

I had this problem too... Check and update (if necessary) the date/time on both client and server. In my case the server clock was NOT correct when the certificate was created. Just correct the clock (date and time) on server, then DELETE old certificates and RE-ISSUE all certificates.
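The check behind that answer, as an added example that is not part of the original thread: it reproduces the decision OpenSSL makes for a certificate's validity window so you can compare each OpenVPN peer's clock with the certificate's notBefore/notAfter. It reads the output of `openssl x509 -in ca.crt -noout -dates` (run it against the CA and the server cert, on both peers). The 5-minute skew threshold and the `utc()` helper are this example's own assumptions; OpenSSL itself tolerates no skew at all.

```python
"""Added example, not from the original post: classify an X.509 validity window
against a clock the way OpenSSL does when it reports "certificate is not yet
valid", and say whether clock drift or a badly-issued certificate is the cause."""
import sys
from datetime import datetime, timedelta, timezone

# Timestamp format printed by `openssl x509 -noout -dates`, e.g. "Jan  5 10:20:30 2024 GMT"
_OPENSSL_FMT = "%b %d %H:%M:%S %Y GMT"


def utc(year, month, day, hour=0, minute=0, second=0):
    """Convenience constructor for a UTC-aware datetime (helper of this example)."""
    return datetime(year, month, day, hour, minute, second, tzinfo=timezone.utc)


def parse_openssl_dates(text):
    """Parse the notBefore=/notAfter= lines of `openssl x509 -noout -dates`.
    Returns (not_before, not_after) as UTC-aware datetimes."""
    found = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key in ("notBefore", "notAfter"):
            # OpenSSL pads single-digit days with two spaces; collapse them before strptime
            stamp = " ".join(value.split())
            found[key] = datetime.strptime(stamp, _OPENSSL_FMT).replace(tzinfo=timezone.utc)
    if set(found) != {"notBefore", "notAfter"}:
        raise ValueError("expected both notBefore= and notAfter= lines")
    return found["notBefore"], found["notAfter"]


def diagnose(dates_text, now=None, tolerated_skew=timedelta(minutes=5)):
    """Return (status, hint) with status "ok", "not_yet_valid" or "expired".
    A gap within `tolerated_skew` points at clock drift on this host; a larger gap
    means the certificate was minted by a wrong clock and must be reissued."""
    not_before, not_after = parse_openssl_dates(dates_text)
    now = now or datetime.now(timezone.utc)
    if now < not_before:
        gap = not_before - now
        if gap <= tolerated_skew:
            return "not_yet_valid", "clock drift of %s: sync this host with NTP and retry" % gap
        return "not_yet_valid", ("notBefore is %s in the future: the issuing clock was wrong or this "
                                 "clock is far behind; fix both clocks, then reissue the certificate" % gap)
    if now > not_after:
        return "expired", "expired %s ago" % (now - not_after)
    return "ok", "valid for another %s" % (not_after - now)


if __name__ == "__main__":
    # usage: openssl x509 -in ca.crt -noout -dates | python3 certclock.py
    status, hint = diagnose(sys.stdin.read())
    print(status, "-", hint)
    sys.exit(0 if status == "ok" else 1)
```

Run it on both the client and the server with the same certificate file: if the two hosts disagree on the status, a clock is wrong; if both report "not_yet_valid" with a large gap, the certificate itself carries a future notBefore and reissuing is the only fix.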


dns entries for wilcard certificate with traefik [closed]

I'm trying to set up traefik to generate wildcard certificates for my domain, such that containers that I create can automatically use a subdomain. For that I've installed traefik on docker (compose) with the following settings:
version: "3.3"
services:
  traefik:
    image: "traefik:v2.9"
    container_name: "traefik"
    command:
      # Tell Traefik to discover containers using the Docker API
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      # Enable the Traefik dashboard
      - "--api.dashboard=true"
      - "--api.insecure=true"
      # Set up LetsEncrypt
      - "--certificatesresolvers.myresolver.acme.dnschallenge=true"
      - "--certificatesresolvers.myresolver.acme.dnschallenge.provider=hetzner"
      #- "--certificatesresolvers.myresolver.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory"
      - "--certificatesresolvers.myresolver.acme.email=my@email.com"
      - "--certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json"
      # Set up an insecure listener that redirects all traffic to TLS
      - "--entrypoints.web.address=:80"
      - "--entrypoints.web.http.redirections.entrypoint.to=websecure"
      - "--entrypoints.web.http.redirections.entrypoint.scheme=https"
      # Set up the TLS configuration for our websecure listener
      - "--entrypoints.websecure.address=:443"
      - "--entrypoints.websecure.http.tls=true"
      - "--entrypoints.websecure.http.tls.certResolver=myresolver"
      - "--entrypoints.websecure.http.tls.domains[0].main=domain.tld"
      - "--entrypoints.websecure.http.tls.domains[0].sans=*.domain.tld"
... (some other things like ports and volumes)
As you can see I'm using the Hetzner DNS to manage the DNS records. This also works fine (I can see the _acme-challenge entries being created).
But how exactly do I need to set up the DNS records for this? I'm confused by the trailing "dots".
Here is what the zone currently looks like:
$ORIGIN domain.tld.
$TTL 7200
; SOA Records
@ IN SOA ns1.your-server.de. postmaster.your-server.de. 123455678 86400 10800 3600000 3600
; NS Records
@ IN NS helium.ns.hetzner.de
@ IN NS hydrogen.ns.hetzner.com
@ IN NS oxygen.ns.hetzner.com.
; A Records
*.domain.tld. 60 IN A 123.123.123.123
domain.tld. 60 IN A 123.123.123.123
The error I get from traefik is:
level=error msg="Unable to obtain ACME certificate for domains \"domain.tld,*.domain.tld\"" ACME CA="https://acme-v02.api.letsencrypt.org/directory" providerName=myresolver.acme routerName=MY_SERVICE#docker rule="Host(`MY_SERVICE.domain.tld`)" error="unable to generate a certificate for the domains [domain.tld *.domain.tld]: error: one or more domains had a problem:\n[*.domain.tld] time limit exceeded: last error: dial udp: lookup helium.ns.hetzner.de.domain.tld.: i/o timeout\n[domain.tld] time limit exceeded: last error: read udp 172.19.0.2:34189->123.123.123.123:53: i/o timeout\n"
For everybody coming to this thread with the same issue: I solved my problem by appending the dot to the name servers (NS entries). Thanks @PatrickMevzek, I saw that the NS entries are not a sub-domain. With this zone file everything is working now:
$ORIGIN domain.tld.
$TTL 7200
; SOA Records
@ IN SOA ns1.your-server.de. postmaster.your-server.de. 123 86400 10800 3600000 3600
; NS Records
@ 60 IN NS helium.ns.hetzner.de.
@ 60 IN NS hydrogen.ns.hetzner.com.
@ 60 IN NS oxygen.ns.hetzner.com.
; A Records
* 60 IN A 123.123.123.123
@ 60 IN A 123.123.123.123
domain.tld. 60 IN A 123.123.123.123
Note the trailing dots after the NS entries.
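Why the missing dot produced exactly that Traefik error, as an added example that is not part of the original thread: a small BIND-style zone parser that qualifies names the way a real one does. Without the trailing dot, `helium.ns.hetzner.de` is relative to `$ORIGIN` and becomes `helium.ns.hetzner.de.domain.tld.`, which the wildcard `*.domain.tld.` A record then resolves to the web host; the resolver sends its DNS query to 123.123.123.123:53, and that is the `i/o timeout` in the log. The sample zone is a constructed copy of the first zone above with its placeholder values kept; the parser handles only the single-line record forms used there.

```python
"""Added example, not from the original post: qualify zone-file names against
$ORIGIN and show how an in-zone NS target is actually resolved."""

# Record types whose RDATA ends in a domain name that is also relative to $ORIGIN
_NAME_IN_LAST_FIELD = {"NS", "CNAME", "PTR", "MX", "SRV"}

# Constructed sample: the zone as first posted (two NS targets missing the trailing dot)
BROKEN_ZONE = """\
$ORIGIN domain.tld.
$TTL 7200
; SOA Records
@ IN SOA ns1.your-server.de. postmaster.your-server.de. 123455678 86400 10800 3600000 3600
; NS Records
@ IN NS helium.ns.hetzner.de
@ IN NS hydrogen.ns.hetzner.com
@ IN NS oxygen.ns.hetzner.com.
; A Records
*.domain.tld. 60 IN A 123.123.123.123
domain.tld 60 IN A 123.123.123.123
"""


def qualify(name, origin):
    """Absolute form of a zone-file name: '@' is the origin, a name ending in '.'
    is already absolute, anything else is relative to the origin."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name
    return name + "." + origin


def parse_zone(text):
    """Parse $ORIGIN/$TTL and single-line records '[owner] [ttl] [IN] type rdata...'.
    Returns (owner, ttl, type, rdata) tuples with every owner and every
    name-valued RDATA field made absolute, exactly as a name server loads them."""
    origin = default_ttl = last_owner = None
    records = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()          # strip comments
        if not line.strip():
            continue
        tokens = line.split()
        if tokens[0] == "$ORIGIN":
            origin = tokens[1] if tokens[1].endswith(".") else tokens[1] + "."
            continue
        if tokens[0] == "$TTL":
            default_ttl = int(tokens[1])
            continue
        if origin is None:
            raise ValueError("record before $ORIGIN")
        if line[0].isspace():                         # blank owner repeats the previous one
            owner = last_owner
        else:
            owner = qualify(tokens.pop(0), origin)
        last_owner = owner
        ttl = default_ttl
        if tokens and tokens[0].isdigit():
            ttl = int(tokens.pop(0))
        if tokens and tokens[0].upper() == "IN":
            tokens.pop(0)
        rtype = tokens.pop(0).upper()
        rdata = tokens
        if rtype == "SOA":                            # MNAME and RNAME are names too
            rdata[0], rdata[1] = qualify(rdata[0], origin), qualify(rdata[1], origin)
        elif rtype in _NAME_IN_LAST_FIELD:
            rdata[-1] = qualify(rdata[-1], origin)
        records.append((owner, ttl, rtype, " ".join(rdata)))
    return records


def check_in_zone_ns(records, origin):
    """For each NS target that falls inside this zone, say how a resolver sees it:
    'glue' (explicit A/AAAA), 'wildcard:<ip>' (only a *.origin record matches, so the
    name resolves to the web host) or 'nxdomain'. Out-of-zone targets are skipped.
    Wildcard matching is simplified: no check for closer existing names."""
    addresses = {}
    for owner, _ttl, rtype, rdata in records:
        if rtype in ("A", "AAAA"):
            addresses.setdefault(owner, rdata)
    report = {}
    for _owner, _ttl, rtype, target in records:
        if rtype != "NS" or not target.endswith("." + origin):
            continue
        if target in addresses:
            report[target] = "glue"
        elif "*." + origin in addresses:
            report[target] = "wildcard:" + addresses["*." + origin]
        else:
            report[target] = "nxdomain"
    return report
```

Running `check_in_zone_ns(parse_zone(BROKEN_ZONE), "domain.tld.")` flags both dotless NS targets as resolving through the wildcard to 123.123.123.123; with the dots added (the second zone above) the NS targets are out of zone and the report is empty. The same trap applies to any name-valued field, so `domain.tld` without a dot as an owner becomes `domain.tld.domain.tld.`.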

Error: com.sun.mail.smtp.SMTPAddressFailedException: 554 5.7.1 : Recipient address rejected: SASLUsername Domain and Sender Domain Are Differnet [closed]

I am trying to send email using JavaMailSender. I am able to send email to my gmail account using this configuration.
mail:
  host: smtp.gmail.com
  port: 587
  username: xyz*****@gmail.com
  password: ***************
  protocol: smtp
  properties.mail.smtp:
    auth: true
    starttls.enable: true
    ssl.trust: smtp.gmail.com
But when I use another server with the following config I get this error: "com.sun.mail.smtp.SMTPAddressFailedException: 554 5.7.1 **********@gmail.com: Recipient address rejected: SASLUsername Domain and Sender Domain Are Differnet - Sender Blocked"
mail:
  host: mail.xyz***xyz.com
  port: 25   # or 587
  username: noreply@xyz***xyz.com
  password: **************
  protocol: smtp
  properties.mail.smtp:
    auth: true
    starttls.enable: false
    ssl.trust: mail.xyz***xyz.com
    socketFactory.class: javax.net.ssl.SSLSocketFactory
    ssl.protocols: TLSv1
When I change starttls.enable: true I get error: javax.mail.MessagingException: Could not convert socket to TLS; nested exception is: javax.net.ssl.SSLHandshakeException: Certificates do not conform to algorithm constraints
After I remove socketFactory.class: javax.net.ssl.SSLSocketFactory and ssl.protocols: TLSv1 I get the error: the-server-selected-protocol-version-tls10-is-not-accepted-by-client-preferences
Can anyone help me resolve these configuration issues?
This is happening because Zimbra has a setting which ensures that the credentials used for sending and authentication need to be the same. Please check your code to ensure that your JavaMail From and auth are using the same email address. This should solve the error.
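The rule in that answer as a client-side pre-flight, added here as an example that is not part of the original thread and not the poster's Java code: the SASL login, the envelope sender (MAIL FROM) and the header From are checked against each other before anything is sent, so the 554 is caught locally. Whether the server compares whole mailboxes or only their domains is a server-side setting, so both modes are offered. The addresses and `example.com` are constructed; the `send()` helper insists on STARTTLS rather than reproducing the TLSv1 variants from the question.

```python
"""Added example, not from the original post: make sure the SASL user, the
envelope sender and the header From agree before talking to an MTA that
rejects mismatched senders."""
import smtplib
from email.message import EmailMessage
from email.utils import parseaddr


def _mailbox(addr):
    """'No Reply <noreply@example.com>' -> 'noreply@example.com' (lower-cased)."""
    return parseaddr(addr)[1].strip().lower()


def _domain(addr):
    return _mailbox(addr).rpartition("@")[2]


def sender_policy_check(sasl_user, envelope_from, header_from, whole_mailbox=False):
    """Return the list of violations (empty means the server's check will pass).
    whole_mailbox=False mirrors the wording of the 554 (domains must match);
    whole_mailbox=True is the stricter reading in the answer (same address)."""
    violations = []
    for label, addr in (("MAIL FROM", envelope_from), ("From:", header_from)):
        box = _mailbox(addr)
        if not box or "@" not in box:
            violations.append("%s %r is not a usable address" % (label, addr))
        elif whole_mailbox and box != _mailbox(sasl_user):
            violations.append("%s %s != SASL user %s" % (label, box, _mailbox(sasl_user)))
        elif _domain(addr) != _domain(sasl_user):
            violations.append("%s domain %s != SASL domain %s" % (label, _domain(addr), _domain(sasl_user)))
    return violations


def build_message(sasl_user, to_addr, subject, body):
    """Bind the header From to the authenticated account so login and header never drift apart."""
    msg = EmailMessage()
    msg["From"] = sasl_user
    msg["To"] = to_addr
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def send(host, port, sasl_user, password, msg, envelope_from=None):
    """Deliver `msg` over STARTTLS; the envelope sender defaults to the SASL user.
    Raises ValueError before connecting if the three identities disagree."""
    envelope_from = envelope_from or sasl_user
    problems = sender_policy_check(sasl_user, envelope_from, msg["From"])
    if problems:
        raise ValueError("; ".join(problems))
    with smtplib.SMTP(host, port, timeout=30) as smtp:
        smtp.starttls()                      # upgrade before the credentials cross the wire
        smtp.login(sasl_user, password)
        smtp.send_message(msg, from_addr=envelope_from)
```

In the Spring setup above the same rule means `spring.mail.username` and the `From` you set on the `MimeMessage` must be the same account, and a display name (`No Reply <noreply@...>`) is fine because only the address part is compared.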

Timeout during allocate while making RFC call

I am trying to create a SAP RFC connection to a new system.
AFAIK the firewall (in this case to port 3321) is open.
I get this message at the client:
RFC_COMMUNICATION_FAILURE (rc=1): key=RFC_COMMUNICATION_FAILURE, message=
LOCATION SAP-Gateway on host ax-swb-q06.prod.lokal / sapgw21
ERROR timeout during allocate
TIME Thu Jul 26 16:45:48 2018
RELEASE 753
COMPONENT SAP-Gateway
VERSION 2
RC 242
MODULE /bas/753_REL/src/krn/si/gw/gwr3cpic.c
LINE 2210
DETAIL no connect of TP sapdp21 from host 10.190.10.32 after 20 sec
COUNTER 3
[MSG: class=, type=, number=, v1-4:=;;;]
And this message on the SAP server
Any clue what needs to be done, to get RFC working?
With this little information no one can know what the issue is here.
But it is something related to your network and SAP system configuration.
I guess your firewall does some network address translation (NAT) and the new IP behind the firewall does not match the known one anymore. SAP does its own IP / host name security checks.
If not already done, check by opening the ports 3221, 3321 and 4821 in the firewall. Also check the SAP gateway configuration for which IP addresses and host names are configured to be valid ones for it (look at what is traced at the beginning of the gateway trace file dev_rd on the ABAP side).
Also consider whether the usage of a SAProuter would be the better option for your needs.
It works in my case if ashost is the host name, and not an IP address!
Do not ask me why, but this fails:
Connection(user='x', passwd='...', ashost='10.190.10.32', sysnr='21', client='494')
But this works:
Connection(user='x', passwd='...', ashost='ax-swb-q06.prod.lokal', sysnr='21', client='494')
This is strange, since DNS resolution happens before TCP communication.
It seems that the ashost value gets used inside the connection. Strange. For most normal protocols (http, ftp, pop3, ...) this does not matter. Or you get at least a better error message.
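The two checks the answers above point at, as an added example that is not part of the original thread and not pyrfc code: the standard SAP port scheme for an instance number (the 3221/3321/4821 in the first answer are instance 21), a TCP probe of those ports, and a forward/reverse DNS consistency check. That last check is this example's concrete reading of "SAP does its own IP / host name checks" and of ashost working by name but not by IP; it is an assumption about what the gateway compares, not SAP documentation. The network calls are injectable so the logic runs offline; the host and address used in the checks are the ones from the question.

```python
"""Added example, not from the original post: instance port arithmetic, a TCP
probe, and a forward/reverse name check for an SAP RFC target."""
import ipaddress
import socket


def sap_ports(sysnr):
    """Well-known ports of SAP instance `sysnr` ("21" -> dispatcher 3221, gateway 3321, ...)."""
    nn = int(sysnr)
    if not 0 <= nn <= 99:
        raise ValueError("instance number must be 00..99")
    return {
        "dispatcher": 3200 + nn,       # sapdp<nn>: DIAG and RFC through the dispatcher
        "gateway": 3300 + nn,          # sapgw<nn>: RFC/CPIC, the port in the question
        "gateway_snc": 4800 + nn,      # sapgw<nn>s: gateway with SNC
        "message_server": 3600 + nn,   # sapms<SID>: only on the instance running the MS
    }


def _is_ip(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def name_consistency(ashost, resolve=socket.gethostbyname, reverse=socket.gethostbyaddr):
    """Forward-resolve ashost (unless it already is an IP), reverse-resolve the address,
    and report whether the names agree. Returns dict(ip, ptr, consistent, note).
    Assumption of this example: the gateway compares the peer's name with what it
    knows, so a PTR that disagrees with ashost is treated as a finding."""
    ip = ashost if _is_ip(ashost) else resolve(ashost)
    try:
        ptr = reverse(ip)[0]
    except OSError:                     # socket.herror is an OSError
        ptr = None
    if ptr is None:
        consistent = False
        note = "no PTR for %s: the gateway cannot map the peer address to a name" % ip
    elif _is_ip(ashost):
        consistent = False
        note = "ashost given as IP; the name behind it is %s, try that as ashost" % ptr
    else:
        consistent = ptr.lower().rstrip(".") == ashost.lower().rstrip(".")
        note = "forward and reverse agree" if consistent else "PTR %s != ashost %s" % (ptr, ashost)
    return {"ip": ip, "ptr": ptr, "consistent": consistent, "note": note}


def probe(host, ports, timeout=3.0, connect=socket.create_connection):
    """TCP-connect each named port; a firewall or NAT problem shows up here before RFC is involved."""
    result = {}
    for name, port in ports.items():
        try:
            connect((host, port), timeout=timeout).close()
            result[name] = "open"
        except OSError as exc:
            result[name] = "blocked: %s" % exc
    return result


if __name__ == "__main__":
    target = "ax-swb-q06.prod.lokal"
    print(name_consistency(target))
    print(probe(target, sap_ports("21")))
```

If `probe` reports the gateway port blocked, the firewall is the problem, whatever the gateway trace says; if the ports are open but `name_consistency` disagrees with ashost, compare the PTR with the host names listed at the top of `dev_rd` on the ABAP side.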

Error installing Crashlytics - SSL peer handshake failed [closed]

While trying to install Crashlytics I have received this error:
Installing Crashlytics (3.7.2)
[!] /usr/bin/curl -f -L -o /var/folders/7x/kpl0j8gs4bj_7d9mtcw0_13r0000gp/T/d20160804-54108-w1kqku/file.zip https://kit-downloads.fabric.io/cocoapods/crashlytics/3.7.2/crashlytics.zip --create-dirs --netrc-optional
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
curl: (35) SSL peer handshake failed, the server most likely requires a client certificate to connect
Anyone knows how to fix it?
This error disappeared under another OS X user account

Puppet agent fail to connect to master [closed]

I've been struggling for 2 days with the signing of Puppet agents now. The problem is as follows:
On the master I delete all existing signatures with
puppet cert clean esx-poc-1.xxx.de
On the agent I delete the whole ssl directory with
rm -rf /var/lib/puppet/ssl/
After running one of the following commands on the agent...
puppet certificate generate esx-poc-1.xxx.de --ca-location remote
puppet agent --server puppetmaster.int.xxx.com --waitforcert 60 --test
...I can list the certificates on the master with:
puppet cert list --all
The output is:
"esx-poc-1.xxx.de" (SHA256)
71:72:D8:3E:09:9E:B1:5C:DA:78:A8:B8:A1:2B:E4:09:B8:00:8A:AF:49:02:CC:B2:B5:C3:25:79:59:0D:A8:F5
+ "puppetmaster.int.xxx.com" (SHA256) 7B:00:8C:4F:CE:B2:0D:2F:A1:BB:A7:C4:25:B0:11:01:2B:EC:90:46:D1:CB:BE:AA:AD:3F:B4:70:0C:83:3F:78
(alt names: "DNS:puppet", "DNS:puppet.xxx.de",
"DNS:puppetmaster.int.xxx.com")
After signing the agent with:
puppet cert sign esx-poc-1.xxx.de
The fingerprint differs from the one above:
"esx-poc-1.xxx.de" (SHA256) 49:F6:59:FD:3C:28:C6:54:7F:6E:A7:56:56:DB:64:9A:E2:08:10:90:11:83:7A:A6:0E:E1:CD:39:F0:E0:1C:25
Is that correct?
Performing an agent run afterwards results in the following error:
Warning: Unable to fetch my node definition, but the agent run will continue:
Warning: Error 400 on SERVER: Could not retrieve facts for esx-poc-1.xxx.de: Failed to submit 'replace facts' command for esx-poc-1.xxx.de to PuppetDB at puppetmaster.int.xxx.com:8081: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [certificate signature failure for /CN=puppetmaster.int.xxx.com]
Info: Retrieving plugin
Info: Loading facts in /var/lib/puppet/lib/facter/last_run.rb
Info: Loading facts in /var/lib/puppet/lib/facter/pe_version.rb
Info: Loading facts in /var/lib/puppet/lib/facter/puppi_projects.rb
Info: Loading facts in /var/lib/puppet/lib/facter/root_home.rb
Info: Loading facts in /var/lib/puppet/lib/facter/facter_dot_d.rb
Info: Loading facts in /var/lib/puppet/lib/facter/iptables.rb
Info: Loading facts in /var/lib/puppet/lib/facter/puppet_vardir.rb
Error: Could not retrieve catalog from remote server: Error 400 on SERVER: Failed to submit 'replace facts' command for esx-poc-1.xxx.de to PuppetDB at puppetmaster.int.xxx.com:8081: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [certificate signature failure for /CN=puppetmaster.int.xxx.com]
Warning: Not using cache on failed catalog
Error: Could not retrieve catalog; skipping run
Thanks for any help!
Ran into this exact same issue myself. The problem ended up being that the puppetdb-terminus package was at version 1.1.0 while puppetdb itself was still at 1.0.5.
After downgrading puppetdb-terminus down to 1.0.5 everything operated normally.
In puppet 3.4 I noticed that if the hostnames are not set this error could be thrown.
For example, I had two Debian boxes; one was named debian1 and the other debian2 in the hosts file. But both of their /etc/hostname settings were debian; after I changed their names with hostname and set their names in /etc/hostname they worked just fine.
This might be a dumb question, but, do you have a node definition for this machine? I.e.,
node 'esx-poc-1.xxx.de' {
.....
}
I had this error after changing permission of files in /etc/puppet.
Changing them back to 'pe-puppet' (for an enterprise version) solved it for me
After completely reinstalling puppetdb it's finally working...