fix(router): include deis.conf if no match with an SSL cert #3519
Conversation
|
filed kelseyhightower/confd#270 for this request |
bacongobbler
force-pushed
the
3470-use-conf-when-no-match
branch
from
3b7d112
to
7d93d37
Compare
|
We should manually test that the catchall router-level certificate takes precedence and is applied for all domains unless a domain has an SSL certificate attached, in which case that certificate is served only for that domain. |
bacongobbler
force-pushed
the
3470-use-conf-when-no-match
branch
3 times, most recently
from
46dacb5
to
9bc0919
Compare
The idea behind not including deis.conf was so that custom domains which are different from the platform domain would not attach the platform SSL certificate when it was enabled. However, this has the side effect of not attaching domains which are subdomains of the platform domain, which is intentional.
bacongobbler
force-pushed
the
3470-use-conf-when-no-match
branch
from
9bc0919
to
6aaa411
Compare
|
fixed: Output of nginx.conf in the routers (only showing the relevant parts): https://gist.github.com/bacongobbler/28f61e38e16474ab9127 Note that every domain except for |
|
Code LGTM. |
$ openssl s_client -connect foo.fishworks.io:443
CONNECTED(00000003)
depth=0 /C=CA/ST=British-Columbia/L=Vancouver/O=Fishworks Development and Consulting/CN=*.bacongobbler.com/emailAddress=matthewf@fishworks.io
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=CA/ST=British-Columbia/L=Vancouver/O=Fishworks Development and Consulting/CN=*.bacongobbler.com/emailAddress=matthewf@fishworks.io
verify return:1
---
Certificate chain
0 s:/C=CA/ST=British-Columbia/L=Vancouver/O=Fishworks Development and Consulting/CN=*.bacongobbler.com/emailAddress=matthewf@fishworks.io
i:/C=CA/ST=British-Columbia/L=Vancouver/O=Fishworks Development and Consulting/CN=*.bacongobbler.com/emailAddress=matthewf@fishworks.io
---Looks to me like |
|
I see that too when using the openssl client... but when I use Chrome:
Same for Safari, which I never use:
Is there something I'm doing wrong here? |
|
I dunno... are you running multiple routers, some of which may not have the fix? Maybe it's the luck of the draw for a request. |
|
Just did a fresh deploy. All three have the same config :S |
|
Now that I think about it, maybe |
|
This has failed twice in a row in the same place: @bacongobbler I suspect something is wrong with this PR. Can you try running the integration tests locally and see if you see the same issue? |
|
The common problem on Jenkins passes for me locally on both Rackspace and EC2: |
confd turns hyphens to dashes, so we need to account for that in domains. Since confd does not have native support for strings.Replace, I've had to fork our current branch and backport strings.Replace as a template function.
bacongobbler
force-pushed
the
3470-use-conf-when-no-match
branch
from
f933ba8
to
1619fb3
Compare
|
Gotta love heisenbugs 🐛 |
|
Reviewed this again, plus deis/confd@4c50136. Code LGTM. |
|
🚢 |
fix(router): include deis.conf if no match with an SSL cert
…match fix(router): include deis.conf if no match with an SSL cert
The idea behind not including deis.conf was so that custom domains which
are different from the platform domain would not attach the platform SSL
certificate when it was enabled. However, this has the side effect of
not attaching domains which are subdomains of the platform domain, which
is intentional.
A better fix would be to check if the domain is a subdomain of the platform domain but text/template or confd doesn't have
strings.Containsincluded as a function.closes #3470