dvsni support for nginx #387
Conversation
@diracdeltas, try applying my patch from #388 for debugging.
```python
config = []
for idx, addrs in enumerate(ll_addrs):
    config.append(self._make_server_block(self.achalls[idx], addrs))
```
```python
configs = [self._make_server_block(*pair) for pair in itertools.izip(achalls, ll_addrs)]
```
would be much more pythonic / readable.
FYI: #388 has been merged into master.
We are assuming that if a server_name isn't specified, it matches the empty string. Prior to 0.8.48, it would match the machine's hostname.
a9a1132 to cf48791
Thanks for the comments and more useful error logging; looks like this is failing due to a 502 at
FWIW, I am seeing the exact same error on my server when I run the Apache configurator on master @ a0b410f. So maybe the issue is that my domain name is not recognized as valid by Boulder, cf. letsencrypt/boulder#115.
Never mind, the 502 was due to a temporary Boulder error.
Now this seems to be working up to the point where DVSNI challenges fail ("Waiting for verification...")
At this point, the nginx conf files are set up correctly for SSL (yay) and visiting https://foo.icann.wtf works with an invalid cert. However, cleanup never happens when the AuthorizationError is raised, so the DVSNI challenge virtual host is still around.
https://foo.icann.wtf/ -> "Apache2 Ubuntu Default Page"... Maybe your plugin doesn't really activate nginx?
@kuba, you're seeing that because my default folder is the Apache one. Check the Server HTTP header - it should say "nginx/1.8" or something.
I fixed the error above and DVSNI seems to be basically working now. The challenge hosts are set up correctly and the challenges pass. However, boulder is currently out-of-sync with the client (both Apache and Nginx) due to confusion about whether a cert chain is served; @schoen is working on this right now. In the ncurses console, I see:
"Could not parse mime.types" is a spurious error - it's not an nginx config file, so it shouldn't be parsed anyway. I should probably not log it as an error.
@kuba Good catch. From http://nginx.org/en/docs/http/server_names.html#miscellaneous_names, it says
I wasn't sure what should happen in this case - should nginx just pick any block? Maybe something like:
First of all, I would expect that it's possible to choose either a domain already found in configs or supply something completely new and proceed with the plugin. Is that what the current plugin architecture allows? @jdkasten? It seems to me that any block with
That seems preferable.
According to http://nginx.org/en/docs/http/request_processing.html, if there are no matches then the request is handled by the default block, which is either the first server block in the config or the first server block marked
Disabling non-secured vhosts seems like a potential enhancement function.
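For the block-selection question discussed in the comments above (how nginx matches `server_name`, what an absent `server_name` matches, and which block is the default): the following is an added example, not part of this PR or the letsencrypt client. It models, in Python 3, the selection order documented at the two nginx.org pages linked above. `ServerBlock`, `EXAMPLE_BLOCKS` and every hostname in them are constructed for illustration.

```python
"""Which server block nginx picks for a given Host / SNI name.

Added example, not code from the letsencrypt nginx plugin.  It models the
selection order documented at
http://nginx.org/en/docs/http/server_names.html and
http://nginx.org/en/docs/http/request_processing.html for blocks sharing
one listen socket:

  1. exact name (".example.org" is shorthand for "example.org" plus
     "*.example.org")
  2. longest wildcard name starting with "*", e.g. "*.example.org"
  3. longest wildcard name ending with "*", e.g. "mail.*"
  4. first regular-expression name ("~...") that matches, in file order
  5. otherwise the default server: the first block whose listen directive
     carries default_server, or the first block in the file if none does

A block without a server_name directive matches only the empty name
(nginx >= 0.8.48).  Names are compared case-insensitively.
"""
import re
from collections import namedtuple

# Constructed model of a parsed server block: the names from server_name
# (empty tuple when the directive is absent) and the default_server flag.
ServerBlock = namedtuple("ServerBlock", ["label", "names", "is_default"])


def _plain_names(block):
    """Lower-cased non-regex names, with the ".example.org" shorthand expanded."""
    if not block.names:
        return [""]          # no server_name directive -> empty name only
    names = []
    for name in block.names:
        if name.startswith("~"):
            continue         # regex names are handled separately
        name = name.lower()
        if name.startswith("."):
            names.extend([name[1:], "*" + name])
        else:
            names.append(name)
    return names


def _longest_wildcard(blocks, host, leading):
    """Best block for leading ("*.x") or trailing ("x.*") wildcard names."""
    best_block, best_len = None, -1
    for block in blocks:
        for name in _plain_names(block):
            if leading:
                hit = name.startswith("*.") and host.endswith(name[1:])
            else:
                hit = name.endswith(".*") and host.startswith(name[:-1])
            if hit and len(name) > best_len:
                best_block, best_len = block, len(name)
    return best_block


def select_server_block(blocks, host):
    """Return the ServerBlock nginx would route the request for `host` to."""
    host = host.lower()
    for block in blocks:                       # 1. exact
        if host in _plain_names(block):
            return block
    for leading in (True, False):              # 2. then 3. wildcards
        block = _longest_wildcard(blocks, host, leading)
        if block is not None:
            return block
    for block in blocks:                       # 4. regexes in file order
        for name in block.names:
            if name.startswith("~") and re.search(name.lstrip("~*"), host):
                return block
    for block in blocks:                       # 5. explicit default_server
        if block.is_default:
            return block
    return blocks[0]                           # ...else first block in file


# Constructed config: the first block is the catch-all "_" (which never
# equals a real hostname), the last one is flagged default_server.
EXAMPLE_BLOCKS = [
    ServerBlock("catch-all", ("_",), False),
    ServerBlock("www", ("example.test", "www.example.test"), False),
    ServerBlock("wild", ("*.example.test",), False),
    ServerBlock("regex", (r"~^api\d+\.other\.test$",), False),
    ServerBlock("noname", (), False),
    ServerBlock("default", ("other.test",), True),
]


def resolve(host, blocks=EXAMPLE_BLOCKS):
    """Label of the block chosen for `host` in the constructed config."""
    return select_server_block(blocks, host).label


if __name__ == "__main__":
    for h in ("WWW.example.test", "a.b.example.test", "api3.other.test",
              "", "nomatch.test"):
        print("%-20r -> %s" % (h, resolve(h)))
```

The security-relevant consequence for DVSNI is step 5: a challenge name that matches no block is answered by the default block and its certificate, so a challenge `server_name` has to be an exact match, and a block with no `server_name` only ever catches an empty SNI name.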
I got it working with #397 patch applied! :)
Is it possible to put new server blocks in separate files in
Is the following error recoverable? Can we handle it somehow?
I also experience some other spurious heisenbugs, so I'd recommend more testing.
Is that a sporadic or consistent error? Does the file actually exist?
As you can see I did
Oh, I see. Nginx hard-fails on start if the SSL cert files are missing, which seems correct on its part. I'll remove directives referencing missing files in /etc/letsencrypt in a prepare_to_restart method.
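One way to do the cleanup described in the comment above, as an added example (not the plugin's own `prepare_to_restart`, and written in Python 3): scan the config text for `ssl_certificate` / `ssl_certificate_key` directives whose file does not exist and drop them, optionally only when the path lies under `/etc/letsencrypt`. The config text, the paths and the `example_exists` stand-in are all constructed for illustration.

```python
"""Drop ssl_certificate / ssl_certificate_key directives whose file is missing.

Added example, not the letsencrypt nginx plugin's own prepare_to_restart.
It works on the raw config text (the plugin has its own parser) and only
handles one directive per line; `exists` is injectable so the behaviour can
be checked without touching the filesystem.
"""
import os
import re

# `ssl_certificate <path>;` or `ssl_certificate_key "<path>";`, optionally
# indented, with anything (e.g. a trailing comment) after the semicolon.
_SSL_FILE_DIRECTIVE = re.compile(
    r'^\s*(?P<directive>ssl_certificate(?:_key)?)\s+'
    r'(?P<quote>["\']?)(?P<path>[^"\';\s]+)(?P=quote)\s*;'
)


def _match(line):
    if line.lstrip().startswith("#"):      # commented-out directives are inert
        return None
    return _SSL_FILE_DIRECTIVE.match(line)


def missing_cert_directives(config_text, exists=os.path.isfile):
    """List (line_number, directive, path) for directives whose file is absent.

    Relative paths are left alone: nginx resolves them against its prefix
    directory, which this helper does not know.
    """
    found = []
    for lineno, line in enumerate(config_text.splitlines(), start=1):
        m = _match(line)
        if m and os.path.isabs(m.group("path")) and not exists(m.group("path")):
            found.append((lineno, m.group("directive"), m.group("path")))
    return found


def drop_missing_cert_directives(config_text, exists=os.path.isfile,
                                 only_under=None):
    """Return (rewritten_text, dropped).

    only_under: when given (e.g. "/etc/letsencrypt"), only directives whose
    path lies under that directory are removed, so an unrelated broken
    directive still surfaces in `nginx -t` instead of being silently hidden.
    """
    to_drop = {}
    for lineno, directive, path in missing_cert_directives(config_text, exists):
        if only_under is None or path.startswith(only_under.rstrip("/") + "/"):
            to_drop[lineno] = (lineno, directive, path)
    kept = [line for lineno, line in enumerate(config_text.splitlines(), start=1)
            if lineno not in to_drop]
    text = "\n".join(kept) + ("\n" if config_text.endswith("\n") else "")
    return text, [to_drop[k] for k in sorted(to_drop)]


# Constructed server block: two letsencrypt paths that do not exist yet, one
# commented-out directive, and one unrelated path that is also missing.
EXAMPLE_CONF = """server {
    listen 443 ssl;
    server_name example.test;
    ssl_certificate /etc/letsencrypt/live/example.test/fullchain.pem;
    ssl_certificate_key "/etc/letsencrypt/live/example.test/privkey.pem";
    # ssl_certificate /etc/letsencrypt/live/example.test/old.pem;
    ssl_certificate /etc/ssl/certs/other.pem;
}
"""


def example_exists(path):
    """Stand-in for os.path.isfile: nothing in the constructed config exists."""
    return False


if __name__ == "__main__":
    text, dropped = drop_missing_cert_directives(
        EXAMPLE_CONF, exists=example_exists, only_under="/etc/letsencrypt")
    for item in dropped:
        print("dropped line %d: %s %s" % item)
    print(text)
```

Dropping the directives is not by itself a guarantee that nginx will start: in the nginx versions current for this thread, a block that still has `listen 443 ssl` (or `ssl on`) and no certificate is itself rejected, so run `nginx -t` on the rewritten config before restarting rather than after.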
Probably better to do so in a separate pull request. I can add a TODO note in this one if you'd prefer. |
Awesome work, @diracdeltas! Sorry I have been so slow to get around to this... @kuba Block selection (or VirtualHost selection) / domains is a major section I have been trying to tackle in my local Apache branch. It should probably be possible in the end to use names found within the server blocks or present a menu of choices if none match. (Optionally add names that were not found, etc.) This still isn't implemented completely in Apache and I believe the current master branch relies extremely heavily on names present in the configs. (It is the only option.)
I think a separate pull request would be fine. I think this is fine to merge in now and hopefully get some more exposure.
Also thanks @kuba for reviewing and for helping to test it out!
This adds DVSNI support for Nginx.
This doesn't seem to quite work yet - when I run this on an ubuntu server at letsencrypt.icann.wtf, I get the following mysterious error: