Swag setup fails with certbot error: argument --eab-kid: expected one argument

Hello! I’m going through the guide to setting up swag that I found at
https://docs.linuxserver.io/general/swag
and am attempting to create a container with http validation but it fails with the following error:

certbot: error: argument --eab-kid: expected one argument

full logs are below:

[s6-init] making user provided files available at /var/run/s6/etc...exited 0.
[s6-init] ensuring user provided files have correct perms...exited 0.
[fix-attrs.d] applying ownership & permissions fixes...
[fix-attrs.d] done.
[cont-init.d] executing container initialization scripts...
[cont-init.d] 01-envfile: executing... 
[cont-init.d] 01-envfile: exited 0.
[cont-init.d] 10-adduser: executing... 

URL=REDACTED.com
SUBDOMAINS=FOO,BAR
EXTRA_DOMAINS=
ONLY_SUBDOMAINS=false
VALIDATION=http
CERTPROVIDER=zerossl
:Traceback (most recent call last):
  File "<string>", line 1, in <module>
  File "/usr/lib/python3.8/json/__init__.py", line 293, in load
    return loads(fp.read(),
  File "/usr/lib/python3.8/json/__init__.py", line 357, in loads
    return _default_decoder.decode(s)
  File "/usr/lib/python3.8/json/decoder.py", line 337, in decode
    obj, end = self.raw_decode(s, idx=_w(s, 0).end())
  File "/usr/lib/python3.8/json/decoder.py", line 355, in raw_decode
    raise JSONDecodeError("Expecting value", s, err.value) from None
json.decoder.JSONDecodeError: Expecting value: line 2 column 1 (char 1)
Traceback (most recent call last):
  File "<string>", line 1, in <module>
  File "/usr/lib/python3.8/json/__init__.py", line 293, in load
    return loads(fp.read(),
  File "/usr/lib/python3.8/json/__init__.py", line 357, in loads
    return _default_decoder.decode(s)
  File "/usr/lib/python3.8/json/decoder.py", line 337, in decode
    obj, end = self.raw_decode(s, idx=_w(s, 0).end())
  File "/usr/lib/python3.8/json/decoder.py", line 355, in raw_decode
    raise JSONDecodeError("Expecting value", s, err.value) from None
json.decoder.JSONDecodeError: Expecting value: line 2 column 1 (char 1)
usage: 
  certbot [SUBCOMMAND] [options] [-d DOMAIN] [-d DOMAIN] ...

Certbot can obtain and install HTTPS/TLS/SSL certificates.  By default,
it will attempt to use a webserver both for obtaining and installing the
certificate. 
certbot: error: argument --eab-kid: expected one argument
DNSPLUGIN=
EMAIL=REDACTED@REDACTED.net
STAGING=false

Created .donoteditthisfile.conf
ZeroSSL is selected as the cert provider, registering cert with richardjrl@posteo.net
SUBDOMAINS entered, processing
SUBDOMAINS entered, processing
Sub-domains processed are:  -d FOO.REDACTED.com -d BAR.REDACTED.com
E-mail address entered: REDACTED@REDACTED.net
http validation is selected
Retrieving EAB from ZeroSSL
Generating new certificate
ERROR: Cert does not exist! Please see the validation error above. The issue may be due to incorrect dns or port forwarding settings. Please fix your settings and recreate the container

Any ideas what the problem might be?

It looks like it failed to get the eab from zerossl using your e-mail address. Do you have connection issues to https://api.zerossl.com/acme/eab-credentials-email ?
If you have pihole or something like that, disable and retry.

Thanks for the suggestion: I’m trying to set the swag container up on a brand new Linode. I have no pihole anywhere near it. (Although FYI on my home network where there is a pihole I can connect to the zerossl API without any problems.)

I walked away from the problem for a couple of hours to clear my head, but have now come back to it. Here’s what I have discovered now:

I can create a linuxserver/nginx container on the same Linode and immediately access the default homepage on both http and https, so hopefully that proves I’ve set up the DNS correctly and not done anything stupid with the firewall. I can also do this inside the nginx container:

docker exec -it nginx bash
curl -s REDACTEDapi.zerossl.com/acme/eab-credentials-email --data "email=REDACTED"
{"success":true,"eab_kid":"REDACTED","eab_hmac_key":"REDACTED"}

But when I start a new linuxserver/swag container, follow the logs until I get the aforementioned error and then try the same, I get:

docker exec -it swag bash
curl -s REDACTEDapi.zerossl.com/acme/eab-credentials-email --data "email=REDACTED"

i.e. no output from curl at all. Nothing, not even an error if I deliberately leave out the email. This seems to tally with the python json decoding error that the logs show too. It falls over because its expected input does not exist.

One more thing… removing -s from the curl command in the swag container gives

curl: (6) Could not resolve host: api.zerossl.com

Anything else I can do to further troubleshoot this?

(additional redactions in the curl commands due to new user limits on links!)

Ok, I’ve been further investigating the DNS resolution differences between the linuxserver/nginx and linuxserver/swag containers and compared the contents of their

/etc/resolv.conf

files:

On nginx:

nameserver 178.79.182.5
nameserver 109.74.193.20
nameserver 151.236.220.5
search members.linode.com

I did a reverse DNS lookup and the nameservers listed are unsurprisingly all Linode nameservers.

On swag:

search members.linode.com
nameserver 127.0.0.11
options ndots:0

Which is quite a considerable difference. I think I see why swag isn’t resolving any domains but I’m unsure how to fix it. Mapping a handmade resolv.conf to the container with a docker bind mount might well solve the problem but seems like a kludge?

What docker arguments did you use to create the two containers? It’s weird that they have different dns settings as the images are extremely similar and are built on the same nginx baseimage

Ok, I’ve solved the problem but it’s one of those things that makes no sense. I rm’ed the docker image, pulled it again, executed my docker run command and everything works as expected. No idea why that worked, but it did and thank you for your help @aptalca

Further to my hasty reply where I said I’d solved the error but had no idea why, I have identified a particular docker run option that broke swag!

--net=swag-net

having earlier created swag-net with

docker network create swag-net

I guess I need to brush up on docker networks again. It’s been a while since I set up a reverse proxy with nginx and docker (manually, without any swag/letsencrypt) but I was sure I remembered putting the reverse proxy container and those associated with it on the same named docker bridge network so that containers could address each other by hostname.

EDIT: No, I’d remembered correctly. I’ve now removed the swag-net bridge network I’d created earlier and re-created it and now the swag container still works when I specify --net=swag-net with the newly created swag-net. Oh what a frustrating day!

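The failure chain in this thread (no DNS inside the container, empty curl output, JSONDecodeError, then an empty `--eab-kid`) can be caught before certbot runs. The following is an added example, not part of the thread and not SWAG's own init script: the function names are hypothetical, the sample EAB response is constructed, and the sed-based parser assumes the flat JSON shape quoted above.

```shell
#!/bin/sh
# Added example, not SWAG's init script. Function names are hypothetical.

# Constructed sample shaped like the response quoted in the thread.
SAMPLE_OK='{"success":true,"eab_kid":"kid-EXAMPLE","eab_hmac_key":"hmac-EXAMPLE"}'
# resolv.conf contents as posted in the thread.
SWAG_RESOLV='search members.linode.com
nameserver 127.0.0.11
options ndots:0'
NGINX_RESOLV='nameserver 178.79.182.5
nameserver 109.74.193.20
nameserver 151.236.220.5
search members.linode.com'

# Pull one string field out of the flat JSON object ($1 = JSON, $2 = key).
json_field() {
    printf '%s' "$1" | sed -n "s/.*\"$2\":\"\([^\"]*\)\".*/\1/p"
}

# Print "KID HMAC"; return 1 on an empty response, 2 on missing fields,
# so an empty value never reaches certbot's --eab-kid.
parse_eab() {
    if [ -z "$1" ]; then
        echo "EAB lookup returned nothing: check DNS/connectivity" >&2
        return 1
    fi
    kid=$(json_field "$1" eab_kid)
    hmac=$(json_field "$1" eab_hmac_key)
    if [ -z "$kid" ] || [ -z "$hmac" ]; then
        echo "EAB response has no eab_kid/eab_hmac_key" >&2
        return 2
    fi
    printf '%s %s\n' "$kid" "$hmac"
}

# Name the first resolver in resolv.conf text ($1). 127.0.0.11 is Docker's
# embedded DNS, used on user-defined networks such as swag-net.
resolver_kind() {
    ns=$(printf '%s\n' "$1" | awk '$1 == "nameserver" { print $2; exit }')
    case "$ns" in
        "")         echo none ;;
        127.0.0.11) echo docker-embedded ;;
        *)          echo direct ;;
    esac
}

# Demo: the empty curl output seen inside the swag container.
parse_eab "" || echo "stopping before certbot; swag resolver: $(resolver_kind "$SWAG_RESOLV")"
```

A `docker-embedded` result means lookups pass through the Docker network's own resolver before reaching the host's nameservers, so a resolution failure there points at the network or daemon rather than the image.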