fix(router): include deis.conf if no match with an SSL cert #3519
filed kelseyhightower/confd#270 for this request
3b7d112 to 7d93d37
We should manually test that the catchall router-level certificate takes precedence and is applied for all domains unless a domain has an SSL certificate attached, in which case that certificate is served only for that domain.
46dacb5 to 9bc0919
The idea behind not including deis.conf was so that custom domains which are different from the platform domain would not attach the platform SSL certificate when it was enabled. However, this has the side effect of not attaching domains which are subdomains of the platform domain, which is intentional.
9bc0919 to 6aaa411
fixed:
Output of nginx.conf in the routers (only showing the relevant parts): https://gist.github.com/bacongobbler/28f61e38e16474ab9127 Note that every domain except for
Code LGTM.
$ openssl s_client -connect foo.fishworks.io:443
CONNECTED(00000003)
depth=0 /C=CA/ST=British-Columbia/L=Vancouver/O=Fishworks Development and Consulting/CN=*.bacongobbler.com/emailAddress=matthewf@fishworks.io
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=CA/ST=British-Columbia/L=Vancouver/O=Fishworks Development and Consulting/CN=*.bacongobbler.com/emailAddress=matthewf@fishworks.io
verify return:1
---
Certificate chain
0 s:/C=CA/ST=British-Columbia/L=Vancouver/O=Fishworks Development and Consulting/CN=*.bacongobbler.com/emailAddress=matthewf@fishworks.io
i:/C=CA/ST=British-Columbia/L=Vancouver/O=Fishworks Development and Consulting/CN=*.bacongobbler.com/emailAddress=matthewf@fishworks.io
---
Looks to me like
I see that too when using the openssl client...
but when I use Chrome: Same for Safari, which I never use: Is there something I'm doing wrong here?
I dunno... are you running multiple routers, some of which may not have the fix? Maybe it's the luck of the draw for a request.
Just did a fresh deploy. All three have the same config :S
Now that I think about it, maybe
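One thing worth checking in the exchange above is SNI. Chrome and Safari send the requested hostname in the TLS ClientHello, so nginx can pick the server block for that name; `openssl s_client -connect host:443` from OpenSSL releases before 1.1.1 sends no SNI unless `-servername host` is given, so nginx answers with the certificate of its default server, which for a wildcard platform certificate looks exactly like the output quoted above. The program below is an added illustration written for this page, not code from the deis router, confd or this PR. It starts a loopback TLS server that chooses a certificate by SNI the way nginx chooses a server block (a name with its own certificate gets it, everything else and a client sending no SNI gets the router-level one), then connects with and without SNI and reports which certificate came back. The hostnames, common names and certificates are constructed test data; `selfSignedCert`, `newServerConfig`, `startServer` and `servedCN` are names invented for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"log"
	"math/big"
	"net"
	"strings"
	"time"
)

// selfSignedCert builds a throwaway self-signed certificate for cn. It stands in
// for the router-level and per-domain certificates (constructed test data).
func selfSignedCert(cn string) (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn},
		DNSNames:     []string{cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

// newServerConfig mimics nginx's SNI dispatch: a server_name with its own
// certificate gets that certificate; any other name, and a client that sends no
// SNI at all, gets the router-level (platform) certificate.
func newServerConfig(platform tls.Certificate, perDomain map[string]tls.Certificate) *tls.Config {
	return &tls.Config{
		GetCertificate: func(hello *tls.ClientHelloInfo) (*tls.Certificate, error) {
			if c, ok := perDomain[strings.ToLower(hello.ServerName)]; ok {
				return &c, nil
			}
			return &platform, nil
		},
	}
}

// startServer listens on a random loopback port and completes handshakes only;
// the caller closes the listener when done.
func startServer(cfg *tls.Config) (net.Listener, error) {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", cfg)
	if err != nil {
		return nil, err
	}
	go func() {
		for {
			conn, err := ln.Accept()
			if err != nil {
				return
			}
			go func(c net.Conn) {
				defer c.Close()
				if tc, ok := c.(*tls.Conn); ok {
					_ = tc.Handshake()
				}
			}(conn)
		}
	}()
	return ln, nil
}

// servedCN connects with the given SNI value ("" sends no SNI, which is what an
// old openssl s_client run without -servername does) and reports the CN of the
// leaf certificate the server chose. Verification is skipped on purpose: the
// certificates are self-signed and only their identity matters here.
func servedCN(addr, serverName string) (string, error) {
	raw, err := net.Dial("tcp", addr)
	if err != nil {
		return "", err
	}
	defer raw.Close()
	conn := tls.Client(raw, &tls.Config{ServerName: serverName, InsecureSkipVerify: true})
	if err := conn.Handshake(); err != nil {
		return "", err
	}
	return conn.ConnectionState().PeerCertificates[0].Subject.CommonName, nil
}

func main() {
	platform, err := selfSignedCert("*.example.test") // router-level wildcard
	if err != nil {
		log.Fatal(err)
	}
	app, err := selfSignedCert("app.custom.test") // per-domain certificate
	if err != nil {
		log.Fatal(err)
	}
	ln, err := startServer(newServerConfig(platform, map[string]tls.Certificate{"app.custom.test": app}))
	if err != nil {
		log.Fatal(err)
	}
	defer ln.Close()
	for _, sni := range []string{"app.custom.test", "foo.example.test", ""} {
		cn, err := servedCN(ln.Addr().String(), sni)
		fmt.Printf("SNI %q -> served CN %q (err=%v)\n", sni, cn, err)
	}
}
```

The practical check for a real router is to repeat the quoted command as `openssl s_client -connect foo.fishworks.io:443 -servername foo.fishworks.io` and compare the subject with the one returned when `-servername` is omitted; if they differ, the router is fine and the test client was the problem.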
This has failed twice in a row in the same place:
@bacongobbler I suspect something is wrong with this PR. Can you try running the integration tests locally and see if you see the same issue?
The common problem on Jenkins passes for me locally on both Rackspace and EC2:
confd turns hyphens to dashes, so we need to account for that in domains. Since confd does not have native support for strings.Replace, I've had to fork our current branch and backport strings.Replace as a template function.
f933ba8 to 1619fb3
Gotta love heisenbugs 🐛
Reviewed this again, plus deis/confd@4c50136. Code LGTM.
🚢
fix(router): include deis.conf if no match with an SSL cert
The idea behind not including deis.conf was so that custom domains which
are different from the platform domain would not attach the platform SSL
certificate when it was enabled. However, this has the side effect of
not attaching domains which are subdomains of the platform domain, which
is intentional.
A better fix would be to check if the domain is a subdomain of the platform domain but text/template or confd doesn't have strings.Contains included as a function.

closes #3470
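The commit message above says the subdomain check could not be done because text/template lacks strings.Contains, and the review thread notes that a string-replace function had to be backported into confd for the hyphen problem. Both can be handed to text/template through a FuncMap. The program below is an added example written for this page, not the deis router's template, the deis confd fork or this PR's code: it renders a cut-down nginx-style config that attaches a domain's own certificate when one exists, falls back to `include deis.conf` only for subdomains of the platform domain (the better fix the commit message describes), and restores hyphens in domain keys before emitting `server_name`. It assumes domain keys reach the template with hyphens rewritten as underscores, which is an assumption for the example and not a statement about confd; the template, certificate paths, domain names and the helper names `renderRouterConf` and `blockFor` are all invented here.

```go
package main

import (
	"fmt"
	"log"
	"strings"
	"text/template"
)

// domainEntry is one routable domain as the template sees it. Key is the name
// as it arrives from the key-value store; this example assumes hyphens reach
// the template rewritten as underscores (an assumption for the example, not
// confd's documented behaviour), so the template restores them.
type domainEntry struct {
	Key  string
	Cert bool // a certificate has been attached to this domain
}

type routerData struct {
	PlatformDomain string
	Domains        []domainEntry
}

// routerTmpl is an illustrative, cut-down nginx-style template, not the deis
// router's real one. Certificate paths are invented for the example.
const routerTmpl = `{{ $platform := .PlatformDomain -}}
{{ range .Domains -}}
{{ $host := replace .Key "_" "-" -}}
server {
    server_name {{ $host }};
{{- if .Cert }}
    listen 443 ssl;
    ssl_certificate     /etc/ssl/deis/{{ $host }}.crt;
    ssl_certificate_key /etc/ssl/deis/{{ $host }}.key;
{{- else if hasSuffix $host (printf ".%s" $platform) }}
    listen 443 ssl;
    include deis.conf;
{{- else }}
    listen 80;
{{- end }}
}
{{ end -}}
`

// renderRouterConf registers the two strings helpers text/template lacks by
// default and renders the config. A domain's own certificate always wins; the
// router-level certificate (deis.conf) is attached only to subdomains of the
// platform domain; any other custom domain without a certificate gets no TLS
// listener rather than a certificate that does not name it.
func renderRouterConf(platformDomain string, entries []domainEntry) (string, error) {
	funcs := template.FuncMap{
		"replace":   strings.ReplaceAll,
		"hasSuffix": strings.HasSuffix,
	}
	t, err := template.New("router").Funcs(funcs).Parse(routerTmpl)
	if err != nil {
		return "", err
	}
	var out strings.Builder
	if err := t.Execute(&out, routerData{PlatformDomain: platformDomain, Domains: entries}); err != nil {
		return "", err
	}
	return out.String(), nil
}

// blockFor returns the rendered server block whose server_name is host, or ""
// if no block names that host.
func blockFor(conf, host string) string {
	for _, blk := range strings.Split(conf, "server {") {
		if strings.Contains(blk, "server_name "+host+";") {
			return blk
		}
	}
	return ""
}

func main() {
	// Constructed sample data: a platform subdomain with a hyphen, a custom
	// domain with its own certificate, and a custom domain without one.
	conf, err := renderRouterConf("deis.test", []domainEntry{
		{Key: "foo_bar.deis.test"},
		{Key: "shop.custom.test", Cert: true},
		{Key: "blog.custom.test"},
	})
	if err != nil {
		log.Fatal(err)
	}
	fmt.Print(conf)
}
```

The suffix test is deliberately `.`+platform domain rather than a bare substring match, so a lookalike such as `evildeis.test` does not pick up the router-level certificate; that is the trap a plain strings.Contains check would fall into.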