Implement an auth_hint for the standalone plugin #8887

Closed
alexzorin opened this issue Jun 6, 2021 · 1 comment · Fixed by #8919
Labels: area: standalone; area: ui / ux; priority: significant (issues with higher than average priority that do not need to be in the current milestone)

alexzorin (Collaborator) commented Jun 6, 2021

It looks like we forgot to do that, like we did for all the other built-in plugins. Right now it shows the default auth_hint, but we can do better.

I did a quick survey of standalone-related threads on the community forums and these are the problems that are cropping up:

| Forum Thread | What's the problem? |
|---|---|
| Thread | Choice of plugin: Running inside a k8s pod, certbot --standalone probably not suitable. |
| Thread | Choice of plugin: The server was an Alibaba Object Bucket, certbot --standalone was not suitable. |
| Thread | DNS issue: Domain was pointing to a domain masking service, breaking HTTP DCV. |
| Thread | DNS issue: Wrong DNS records. |
| Thread | DNS issue: Wrong IPv6 address. |
| Thread | DNS issue: Wrong IPv6 addresses. |
| Thread | Port forwarding: traffic going to wrong server. |
| Thread | Port forwarding: traffic going to wrong server. |
| Thread | Proxy issue: haproxy was doing health checks and it wasn't seeing the Certbot standalone server come up quickly enough. |
| Thread | Proxy issue: web host intercepting /.well-known/acme-challenge requests. |
| Thread | Unclear. Either nginx is already running, or Certbot is running on the wrong machine. |
| Thread | Unclear. Either wrong IP address or some exotic port forwarding. |
| Thread | Unclear. Either wrong IP address or some exotic port forwarding. |
| Thread | Unclear. Either wrong IP address or some exotic port forwarding. |
| Thread | Unclear. Possibly proxy problem with AWS ELB, or locally running nginx server. |
| Thread | Unclear. Tomcat was probably still running. |

The main things seem to be:

  1. Form a useful mental model. Convey that Certbot is starting up a temporary web server, and that the Certificate Authority is trying to download some challenge files from it via the user's domain name.
  2. Get the user to confirm that the domain name is pointing to the machine where Certbot is actually running. That covers perhaps up to 75% of the issues listed above. I don't know how many of the others we should mention.
  3. Potentially, change the language of StandaloneBindError to be like, "yo, something is definitely already running on http01_port. You need to make sure it's stopped, see [...]".
alexzorin added the area: ui / ux, area: standalone and priority: significant labels Jun 6, 2021
alexzorin (Collaborator, Author) commented:

> Potentially, change the language of StandaloneBindError to be like, "yo, something is definitely already running on http01_port. You need to make sure it's stopped, see [...]".

Turns out the standalone plugin is literally meant to do this, but the functionality was lost during a refactor of acme.standalone.
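
The two checks the issue singles out (does the domain point at this machine, and is something already bound to the HTTP-01 port) can be run by an operator before invoking `certbot --standalone`. The sketch below is an added example, not part of the issue and not Certbot code; the function names `port_status`, `resolve` and `preflight` are hypothetical, and it assumes the operator supplies the machine's public addresses.

```python
import errno
import socket

def port_status(port, host=""):
    """Try to bind the port as a temporary web server would (IPv4 only).

    Returns "free", "in_use" (another server holds the port) or
    "no_permission" (for example port 80 without root).
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        try:
            sock.bind((host, port))
        except PermissionError:
            return "no_permission"
        except OSError as exc:
            if exc.errno == errno.EADDRINUSE:
                return "in_use"
            raise
    return "free"

def resolve(domain, getaddrinfo=socket.getaddrinfo):
    """Return every A and AAAA address the domain resolves to."""
    infos = getaddrinfo(domain, 80, proto=socket.IPPROTO_TCP)
    return {info[4][0] for info in infos}

def preflight(domain, expected_addrs, port=80, getaddrinfo=socket.getaddrinfo):
    """Return a list of problems; an empty list means both checks passed.

    expected_addrs: this machine's public IPv4/IPv6 addresses. Assumption:
    the operator passes them in, since a host behind NAT cannot see them.
    """
    problems = []
    try:
        stray = resolve(domain, getaddrinfo) - set(expected_addrs)
    except socket.gaierror as exc:
        stray = set()
        problems.append(f"{domain} does not resolve: {exc}")
    # One stale A or AAAA record is enough to send the CA elsewhere.
    for addr in sorted(stray):
        problems.append(f"{domain} resolves to {addr}, which is not this machine")
    status = port_status(port)
    if status == "in_use":
        problems.append(f"another program is already listening on port {port}")
    elif status == "no_permission":
        problems.append(f"not permitted to bind port {port}")
    return problems

if __name__ == "__main__":
    # Constructed sample values: a reserved name and a documentation address.
    print(preflight("example.invalid", {"192.0.2.10"}, port=8080))
```

A clean result does not rule out the proxy and port-forwarding cases in the table, which only show up when the request arrives from outside.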
