Troubleshooting and Managing Keyfactor ACME

The following are some troubleshooting tips and guidance on specific issues you may encounter.

Logs

When troubleshooting, multiple logs can be helpful resources:

ACME Logs

Keyfactor ACME logs contain log entries generated by the Keyfactor ACME server and the Keyfactor ACME API An API is a set of functions to allow creation of applications. Keyfactor offers the Keyfactor API, which allows third-party software to integrate with the advanced certificate enrollment and management features of Keyfactor Command..
Keyfactor Command Logs

The log entries from Keyfactor Command can be useful to track any errors or to troubleshoot activity generated by Keyfactor Command. For information on Keyfactor Command logging, see Editing NLog in the Keyfactor Command Reference Guide.

The Command_API_Log.txt may be helpful for troubleshooting enrollment Certificate enrollment refers to the process by which a user requests a digital certificate. The user must submit the request to a certificate authority (CA). requests from Keyfactor ACME through Keyfactor Command.
Let's Encrypt Logs

Access Let's Encrypt logs from the Linux server where Certbot is installed. The latest log file will be found at /var/log/letsencrypt/letsencrypt.log. Previous logs will be numbered letsencrypt.log.xx where is xx is a number value with most recent at the lowest value (1) and earlier logs at higher values.

Keyfactor ACME Installations on Windows

By default for Windows installations, Keyfactor ACME logs are found at C:\Keyfactor\logs\ACME_log.txt on the Keyfactor ACME server. There are two configuration files that funnel log information to the same output file. These are in the following paths by default:

C:\Program Files\Keyfactor\ACME\Configuration\Configuration\NLog.config

C:\Program Files\Keyfactor\ACME\API\Configuration\NLog.config

The first controls log output for configuration of the Keyfactor ACME server (running the configure tool). The second controls log output for API requests.

If you wish to change these defaults:

On the Keyfactor ACME server where you wish to adjust logging, open a text editor (e.g. Notepad) using the Run as administrator option.
In the text editor, browse to open the NLog.config file(s) in the configuration directory for the component you wish to update under the directory in which you installed the Keyfactor ACME server. By default, these are the following directories:

C:\Program Files\Keyfactor\ACME\Configuration\Configuration\NLog.config

C:\Program Files\Keyfactor\ACME\API\Configuration\NLog.config
Your NLog.config files may have a slightly different layout than shown here, but will contain the fields highlighted in the below figure. The fields you may wish to edit are:
- The path and file name of the active Keyfactor ACME log file:
  fileName="C:\Keyfactor\logs\ACME_Log.txt"
- The path and file name of previous days' Keyfactor ACME log files:
  archiveFileName="C:\Keyfactor\logs\ACME_Log_Archive_{#}.txt"
  The Keyfactor ACME server rotates log files daily and names the previous files using this naming convention.
- The number of archive files to retain before deletion:
  maxArchiveFiles="2"
- The level of log detail that should be generated:
  name="*" minlevel="Info"
  The default Info level logs error and some informational data but at a minimal level to avoid generating large log files. For troubleshooting, it may be desirable to set the logging level to Debug or Trace. Available log levels (in order of increasing verbosity) are:
  - OFF – No logging
  - FATAL – Log severe errors that cause early termination
  - ERROR – Log severe errors and other runtime errors or unexpected conditions that may not cause early termination
  - WARN – Log errors and use of deprecated APIs, poor use of APIs, almost errors, and other runtime situations that are undesirable or unexpected but not necessarily wrong
  - INFO – Log all of the above plus runtime events (startup/shutdown)
  - DEBUG – Log all of the above plus detailed information on the flow through the system
  - TRACE – Maximum log information—this option can generate VERY large log files

Figure 13: NLog.config File for the Keyfactor ACME

Keyfactor ACME Installations in Containers (Kubernetes)

By default, the Keyfactor ACME installed in containers under Kubernetes outputs logging information to the standard Kubernetes logging system and generates file system logs at the Info logging level. The logging level can be configured in the custom values file with the workloadDefaults > logLevel parameter A parameter or argument is a value that is passed into a function in an application.. For a complete list of the parameters, see Values File Settings for Containers Under Kubernetes. The supported log levels are:

OFF

No logging
FATAL

Log severe errors that cause early termination
ERROR

Log severe errors and other runtime errors or unexpected conditions that may not cause early termination
WARN

Log errors and use of deprecated APIs, poor use of APIs, almost errors, and other runtime situations that are undesirable or unexpected but not necessarily wrong
INFO

Log all of the above plus runtime events (startup/shutdown)
DEBUG

Log all of the above plus detailed information on the flow through the system
TRACE

Maximum log information—this option can generate VERY large log files

The maximum size and number of logs to retain are controlled with the following Kubernetes configuration settings:

containerLogMaxWorkers
containerLogMonitorInterval

For more information, see:

https://kubernetes.io/docs/concepts/cluster-administration/logging/#log-rotation

In addition, log customizations can be added using a custom nlog.config file to add, for example, log filters or reference third-party libraries or other files that support log aggregation.

For container installations under Kubernetes, custom NLog configuration can be added with either a ConfigMap or a PersistentVolume. If you’re just adding filters, a ConfigMap is the simpler route. If you need to include libraries or other files for log aggregation, you’ll need a PersistentVolume.

NLog Customization with a Config Map

To add NLog customization with a config map:

Create an nlogconfig.yaml file with contents similar with the following:

Important: When editing the file, be sure to preserve the indenting exactly as shown. YAML requires a very specific file layout to function. If the indenting (multiples of two spaces) or layout is incorrect, you will receive an error when trying to apply the file.

apiVersion: v1
data:
  nlog.config: |
    <?xml version="1.0" encoding="utf-8" ?>
    <nlog xmlns="http://www.nlog-project.org/schemas/NLog.xsd"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        autoReload="true">
      <extensions>
        <add assembly="NLog.Extensions.Logging" />
      </extensions>
      <targets>
        <target xsi:type="AsyncWrapper" name ="ConsoleAsync">
          <target xsi:type="Console" name="console" layout="${longdate} ${uppercase:${activityId}} ${logger} [${level}] - ${message}"/>
        </target>
      </targets>
      <rules>
        <logger name="*" minlevel="Debug" writeTo="ConsoleAsync">
          <filters defaultAction="Log">
            <when condition="starts-with('${logger}', 'Microsoft.') and level &lt; LogLevel.Warn" action="Ignore" />
            <when condition="ends-with('${logger}', 'DeferedAuthenticationHandler') and level &lt; LogLevel.Warn" action="Ignore" /><when condition="ends-with('${logger}', 'StatusService') and level &lt; LogLevel.Warn" action="Ignore" /><when condition="ends-with('${logger}', 'NonceService') and level &lt; LogLevel.Warn" action="Ignore" />
          </filters>
        </logger>
      </rules>
    </nlog>
kind: ConfigMap
metadata:
  name: nlog.config

Customize the filters and logging level to meet your needs. The example filters shown above will hide messages that tend to be very verbose and not generally needed in the course of regular troubleshooting.

Create a ConfigMap containing the NLog configuration based on the yaml file you created. For example:

sudo kubectl apply --filename /opt/kyf_acme/nlogconfig.yaml --namespace keyfactor-acme

Edit your values file to add a volume and volumeMount for the ConfigMap of the NLog.config. For example, the following values file section shows the example root trusts volume (see Installing Keyfactor ACME in Containers Under Kubernetes) and the NLog.confg.

Note: The Keyfactor ACME server installed in container under Kubernetes does not have a separate log file for API and Configuration logging; the NLog.config file under Configuration manages all logging.


volumes:
  - name: root-cas
    configMap:
      name: ca-roots
      items:
        - key: ca-certificates.crt
          path: ca-certificates.crt
  - name: nlog
    configMap:
      name: nlog.config
      items:
        - key: nlog.config
          path: NLog.config
volumeMounts:
  - name: root-cas
    mountPath: /etc/ssl/certs/ca-certificates.crt
    subPath: ca-certificates.crt
  - name: nlog
    mountPath: /app/Configuration/NLog.config
    subPath: NLog.config
    readOnly: false

Load the new values, referencing the deployment name, namespace, your customized values file, the helm chart, and version. For example:

sudo helm upgrade Helm_Deployment_Name --namespace keyfactor-acme --values values.yaml oci://repo.keyfactor.com/charts/command/acme --version 1.0.0

NLog Customization with a PersistentVolume

To add NLog customization with a PersistentVolume:

On your Kubernetes server, create an NLog.config file containing any customized filter rules you wish to apply and the configuration for any log aggregation solution you wish to use. For example, the following filters will hide messages that tend to be very verbose and not generally needed in the course of regular troubleshooting and configure the log aggregation solution to do a push to Loki by Grafana:

<?xml version="1.0" encoding="utf-8" ?>
<nlog xmlns="http://www.nlog-project.org/schemas/NLog.xsd"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        autoReload="true">
  <extensions>
    <add assembly="NLog.Extensions.Logging" />
    <add assemblyFile="/app/Configuration/Loki/NLog.Loki.dll" />
  </extensions>
  <targets>
    <target xsi:type="AsyncWrapper" name ="ConsoleAsync">
      <target xsi:type="Console" name="console" layout="${longdate} ${uppercase:${activityId}} ${logger} [${level}] - ${message}"/>
    </target>
    <target xsi:type="loki"
        name="loki"
        endpoint="${environment:LOKI_ENDPOINT_URL}"
        tenant="nlog-forwarding">
      <layout xsi:type="JsonLayout" includeEventProperties="true">
        <attribute name="level" layout="${level} "/>
        <attribute name="source" layout="${logger}" />
        <attribute name="message" layout="${message}" />
        <attribute name="exception" encode="false">
          <layout xsi:type="JsonLayout">
            <attribute name="type" layout="${exception:format=type}" />
            <attribute name="message" layout="${exception:format=message}" />
            <attribute name="stacktrace" layout="${exception:format=tostring}" />
          </layout>
        </attribute>
      </layout>
      <label name="level" layout="${level:lowercase=true}" />
      <label name="server" layout="${hostname:lowercase=true}" />
      <label name="app" layout="acme" />
      <label name="helm" layout="${environment:HELM_NAME}" />
    </target>
  </targets>
  <rules>
    <logger name="*" minlevel="Trace" writeTo="loki">
      <filters defaultAction="Log">
        <when condition="starts-with('${logger}', 'Microsoft.') and level &lt; LogLevel.Warn" action="Ignore" />
        <when condition="ends-with('${logger}', 'DeferedAuthenticationHandler') and level &lt; LogLevel.Warn" action="Ignore" />
        <when condition="ends-with('${logger}', 'StatusService') and level &lt; LogLevel.Warn" action="Ignore" />
        <when condition="ends-with('${logger}', 'NonceService') and level &lt; LogLevel.Warn" action="Ignore" />
      </filters>
    </logger>
    <logger name="*" minlevel="Info" writeTo="ConsoleAsync">
      <filters defaultAction="Log">
        <when condition="starts-with('${logger}', 'Microsoft.') and level &lt; LogLevel.Warn" action="Ignore" />
        <when condition="ends-with('${logger}', 'DeferedAuthenticationHandler') and level &lt; LogLevel.Warn" action="Ignore" />
        <when condition="ends-with('${logger}', 'StatusService') and level &lt; LogLevel.Warn" action="Ignore" />
        <when condition="ends-with('${logger}', 'NonceService') and level &lt; LogLevel.Warn" action="Ignore" />
      </filters>
    </logger>
  </rules>
</nlog>

You don’t necessarily need to set any filters at the NLog.config level if you’re using a log aggregation solution, but the option is available. Notice that this NLog.config file contains two logger name sections—one directing log messages to Loki and the other continuing to write log messages to the default Kubernetes standard out. The filters can be configured separately for these. The HELM_NAME and LOKI_ENDPOINT An endpoint is a URL that enables the API to gain access to resources on a server._URL are environment variables referenced from your Helm values.yaml file.

Note: If you load a custom NLog.config file, the logging level set with the workloadDefaults > logLevel parameter will be ignored in favor of the logging level(s) set in the NLog.config file.

Create a PersistentVolume in Kubernetes to contain your NLog.config file, the libraries it references, and any supporting files. The steps for this will vary depending on your Kubernetes implementation and the intended storage location used by your PersistentVolume.
Tip: You can create a PersistentVolume in the local file system for testing purposes as follows:
1. Create a directory that your PersistentVolume will reference and which will contain the files to be mounted via the persistent volume. For example:
  mkdir /opt/files/nlog
2. Create a YAML file to define the PersistentVolume similar to the following:
```
apiVersion: v1
kind: PersistentVolume
metadata:
  name: nlog-pv
spec:
  storageClassName: manual
  capacity:
    storage: 10Gi
accessModes:
  - ReadWriteOnce
hostPath:
  path: "/opt/files/nlog"
```
3. Create the PersistentVolume based on the yaml file you created. For example:
  sudo kubectl apply --filename=/opt/kyf_acme/nlog-pv.yaml
  PersistentVolumes are cluster-scoped resources, meaning they are not associated with a specific namespace.
4. Create a YAML file to define a PersistentVolumeClaim associated with the PersistentVolume similar to the following:
```
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: nlog-pvc
spec:
  storageClassName: manual
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 10Gi
```
5. Create the PersistentVolumeClaim based on the yaml file you created. For example:
  sudo kubectl apply --filename=/opt/kyf_acme/nlog-pvc.yaml --namespace keyfactor-acme
  Unlike PersistentVolumes, PersistentVolumeClaims are associated with a specific namespace.
6. Place the files that should be mounted in the container into the directory you specified in the file system. For example:
  /opt/files/nlog/NLog.config
  /opt/files/nlog/NLog.Loki.dll
Important: This method should not be used for a production PersistentVolume.
Edit your values file to add an additionalEnvironmentVariables section, if one does not already exist, with a reference to your HELM_NAME and LOKI_ENDPOINT_URL values. Add a volume and volumeMount for the PersistentVolume containing the NLog.config file, any required libraries, and any supporting files.

For example, the following values file section shows the example root trusts volume (see Installing Keyfactor ACME in Containers Under Kubernetes) and the NLog.config.
- Your PersistentVolume claim name should match the claimName referenced here.
- The HELM_NAME value is a reference name you can use from within Grafana to query logs.
- The LOKI_ENDPOINT_URL should be set to the HTTP push endpoint for Loki without any path (server name or IP and port only).
```
additionalEnvironmentVariables:

  - name: HELM_NAME
    value: ACME
  - name: LOKI_ENDPOINT_URL
    value: http://appsrvr185-loki.keyexample.com:32000

volumes:
  - name: root-cas
    configMap:
      name: ca-roots
      items:
        - key: ca-certificates.crt
          path: ca-certificates.crt
  - name: nlog-custom-volume
    persistentVolumeClaim:
      claimName: nlog-pvc
volumeMounts:
  - name: root-cas
    mountPath: /etc/ssl/certs/ca-certificates.crt
    subPath: ca-certificates.crt
  - name: nlog-custom-volume
    mountPath: /app/Configuration/NLog.config
    subPath: NLog.config
  - name: nlog-custom-volume
    mountPath: /app/Configuration/Loki/NLog.Loki.dll
    subPath: NLog.Loki.dll
```
Load the new values, referencing the deployment name, namespace, your customized values file, the helm chart, and version. For example:

sudo helm upgrade Helm_Deployment_Name --namespace keyfactor-acme --values values.yaml oci://repo.keyfactor.com/charts/command/acme --version 1.0.0

Tip: To view the logs in Grafana, you can use a query similar to this:

{app="acme"} | json | line_format "{{.source}} {{.level_extracted}} {{.message}}" != "-EVENT" | server=~"acme-server.*"

The app label is defined in the NLog.config file. The server name is made up of the Helm deployment name, the application, and some additional IDs. The above query requests the app where the value is acme, formats the returned results in a manner similar to expected NLog output, excludes messages tagged -EVENT, and includes only messages for the server application for the Helm deployment acme. Given a Helm deployment name of acme, possible server tags would start with:

acme-server
acme-config (this container is short-lived)

Keyfactor ACME Server Management Tools

The Keyfactor ACME server can be managed with the following tools:

Installations on Windows (IIS): The command-line tool has several useful commands for querying and managing a Keyfactor ACME implementations on Windows (see Keyfactor ACME Command Line Tool).
Installations in Container (Kubernetes): The Keyfactor ACME API has several endpoints for managing Keyfactor ACME implementations in container (see Keyfactor ACME API).

Keyfactor ACME Metadata Custom Extension to Run PowerShell Scripts

Log messages from the PowerShell script will be recorded in the server logs with a level of Error, Warn, or Info, depending on the message type.

Error-level messages indicate issues that typically result in enrollment failure. Any errors printed or thrown by the PowerShell script will be logged as Error and cause the enrollment to fail.
Warning messages from the PowerShell script will be logged as Warn but may not cause enrollment failure.
Information messages from the PowerShell script will be logged as Info for general logging purposes.

Error Messages: "All authorizations were not finalized by the CA"

If you encounter this error, one possible solution is to deactivate the validator on the Keyfactor ACME server that does a domain check between the name of the machine running the CertBot tool and the domain the certificate is requested for. See Validators and the Identifiers Command for more information.

Was this page helpful? Provide Feedback

Version v25.2

On this page: