python-certbot-nginx: certbot does not add "proxy_protocol" in "listen" line #8057
Comments
It looks like
I'm wondering if issue #6118 was actually an issue? If I understand it correctly, the virtualhost is only copied to make a HTTPS server block, correct? So that would mean a *different* "address:port pair" for the new server block. And those "blacklisted" listen options were blacklisted only for identical address:port pairs, right? So it wasn't necessary to blacklist it in the first place. Or am I missing something?
That makes sense to me, but (speculation alert) I believe the scenario in #6118 is slightly more complicated. If you don't have an existing virtualhost for
Certbot then finds the existing default port 80 virtualhost and duplicates it (including the
If there are any unique parameters in that
This is still an issue in 1.11. I don't see it on the list of fixes for 1.12. My configuration starts with two entries:
Certbot adds the SSL entries to the first section (which I want) but doesn't add proxy_protocol. It then creates a new, third section with port 80 listening, but that's ignored because of the existing section with port 80 (which is untouched). I'm open to suggestions to improve the configuration, but it seems like Certbot needs to check for (and update) proxy_protocol correctly.
We've made a lot of changes to Certbot since this issue was opened. If you still have this issue with an up-to-date version of Certbot, can you please add a comment letting us know? This helps us to better see what issues are still affecting our users. If there is no activity in the next 30 days, this issue will be automatically closed.
I just (today) verified that the issue is not resolved. The test case still applies. I used Ubuntu 22.04 LTS and the snap package of certbot (version 2.6.0). In short, if the original nginx configuration file has the following configuration
then certbot does not include the
Certbot produces
while the correct one should be
My operating system is (include version):
Ubuntu 20.04 LTS
I installed Certbot with (certbot-auto, OS package manager, pip, etc):
"certbot 0.40.0-1", as provided from the focal/universe repository.
How to replicate
You are using nginx as a reverse proxy. You have configured a few "http" websites. You are using the "proxy_protocol" directive in the "listen 80 proxy_protocol" line. You now run "sudo certbot --nginx" to convert them to "http/https". "certbot" does not parse the "listen 80 ..." line to detect any directives like "proxy_protocol" in this case. Therefore, the new configuration line for "listen 443 ..." does not have the "proxy_protocol" directive, and it has to be added manually.
Configuration before running "certbot"
Configuration after running "certbot"
Note the missing "proxy_protocol" in the two "listen" lines. "certbot" should copy any directives from the "listen 80" lines to the "listen 443" lines.
Corrected configuration file
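As an added check written for this thread (not certbot's own code and not from the report), the Python below reads a single nginx server block, flags every port 443 listen line whose same-address port 80 line carries proxy_protocol, and appends the missing parameter, which is the copy step the report says certbot skips. The sample server block is constructed to match the outcome described above; a 443 listener left without proxy_protocol behind a PROXY-protocol load balancer cannot parse the PROXY header, so requests fail and $proxy_protocol_addr is not available for logging or access control.

```python
import re
from collections import defaultdict

# Constructed sample: one server block as certbot leaves it according to the
# report above, with proxy_protocol on the port 80 lines only.
CONSTRUCTED_CONF = """\
server {
    listen 80 proxy_protocol;
    listen [::]:80 proxy_protocol;
    server_name example.test;
    listen 443 ssl; # managed by Certbot
    listen [::]:443 ssl ipv6only=on; # managed by Certbot
}
"""

LISTEN_RE = re.compile(r"^(\s*listen\s+)([^;#]+?)\s*;", re.MULTILINE)
ADDR_PORT_RE = re.compile(r"(?:(\[[^\]]*\]|[^:]+):)?(\d+)")  # "80", "*:80", "[::]:80"

def parse_listen(args):
    """Split listen arguments into (address, port, params); None if no port given."""
    first, *params = args.split()
    m = ADDR_PORT_RE.fullmatch(first)
    if not m:                      # address-only forms such as "listen 127.0.0.1" are skipped
        return None
    return (m.group(1) or "*"), int(m.group(2)), params   # bare "80" means "*:80"

def missing_proxy_protocol(conf):
    """Addresses whose port 80 listen has proxy_protocol but whose port 443 listen lacks it."""
    by_addr = defaultdict(dict)    # address -> {port: params}; assumes one server block
    for m in LISTEN_RE.finditer(conf):
        parsed = parse_listen(m.group(2))
        if parsed:
            addr, port, params = parsed
            by_addr[addr][port] = params
    return [addr for addr, ports in by_addr.items()
            if "proxy_protocol" in ports.get(80, [])
            and 443 in ports and "proxy_protocol" not in ports[443]]

def carry_proxy_protocol(conf):
    """Append proxy_protocol to each port 443 listen line flagged by missing_proxy_protocol()."""
    wanted = set(missing_proxy_protocol(conf))
    def patch(m):
        parsed = parse_listen(m.group(2))
        if parsed and parsed[0] in wanted and parsed[1] == 443:
            return f"{m.group(1)}{m.group(2)} proxy_protocol;"   # trailing comment is kept
        return m.group(0)
    return LISTEN_RE.sub(patch, conf)

if __name__ == "__main__":
    print("proxy_protocol missing on:", missing_proxy_protocol(CONSTRUCTED_CONF))
    print(carry_proxy_protocol(CONSTRUCTED_CONF))
```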