Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Incorrect IPv4 address in error message when IPv6 is not working #7347

Closed
osirisinferi opened this issue Mar 2, 2024 · 1 comment · Fixed by #7468
Closed

Incorrect IPv4 address in error message when IPv6 is not working #7347

osirisinferi opened this issue Mar 2, 2024 · 1 comment · Fixed by #7468
Assignees
@aarongable
Milestone
Sprint 2024-04-30

Comments

@osirisinferi
Copy link

osirisinferi commented Mar 2, 2024
edited

Summary:

On the Community, we've seen a few instances where users were showing a time out error with an IPv4 IP address in the returned error, even though the IPv4 address was working properly. (E.g. https://community.letsencrypt.org/t/letsencrypt-reissue-certificate/214220.) In reality, it was the IPv6 address timing out. This problem only occurs if there's a HTTP to HTTPS redirect in place.
For some reason Boulder only retries using IPv4 when there's an issue with IPv6 for the HTTP connection, but not for the HTTPS connection. (Not the scope of this issue.) But when the HTTPS over IPv6 attempt fails, Boulder uses the IPv4 address from the HTTP connection in the error message. Which is not correct.

Steps to reproduce:

  • Have a site with HTTP to HTTPS redirect enabled;
  • Have a functional IPv4 address;
  • Have a non-functional IPv6 address;
  • Attempt to get a certificate.

Expected result:

  • Time out error with the IPv6 address shown in the error message.

Actual result:

  • Time out error with the IPv4 address shown in the error message.

Additional details:

It's really confusing to see a perfectly functional IPv4 address in a time out error message when actually the IPv6 address is the problem.
@osirisinferi osirisinferi changed the title Incorrect IP address in error message when IPv6 is not working Incorrect IPv4 address in error message when IPv6 is not working Mar 2, 2024
@aarongable
Copy link
Contributor

aarongable commented Mar 5, 2024
edited

I believe the issue is this:

If HTTP-01 validation gets an unrecoverable error, it returns an error decorated with the IP address:

boulder/va/http.go

Lines 631 to 634 in 7ddb2be

} else if err != nil {
// if the error was not a fallbackErr then return immediately.
return nil, records, newIPError(target, err)
}

That decorator function always uses target.cur as the IP address to put in the error message:

boulder/va/http.go

Lines 438 to 440 in 7ddb2be

newIPError := func(target *httpValidationTarget, err error) error {
return ipError{ip: target.cur, err: err}
}

This means that, if we've been falling back between various IP addresses to try, we'll be including the right IP address. But, if connecting to that IP address resulted in an HTTP 3XX redirect, we will not be including the redirected-to IP address in the error message.

I think the correct fix here is for newIPError to extract the IP Address from the last item in records instead of from target. This way it will reflect any redirects that were followed.

This is probably a low-priority fix for us at the moment, so I'm putting my notes here for the future.

@aarongable aarongable mentioned this issue May 1, 2024
Merged
@aarongable aarongable self-assigned this May 1, 2024
@aarongable aarongable added this to the Sprint 2024-04-30 milestone May 1, 2024
aarongable added a commit that referenced this issue May 3, 2024
@aarongable
VA: put most recent, not original, IP in error messages (#7468)
f24a979 
When we present error messages containing IP addresses to end users,
sometimes we're presenting the IP at which we began a chain of
redirects, but not presenting the IP at which the final redirect was
located. This can make it difficult for client operators to identify
exactly which server in their infrastructure is misbehaving.

Change our IP error messages to reference the most-recently-tried
address from the set of all validation records, rather than the address
which started the current (potential) redirect chain.

Fixes #7347
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@aarongable aarongable

Labels
None yet
Projects
None yet
Milestone
Sprint 2024-04-30
Development

Successfully merging a pull request may close this issue.

VA: put most recent, not original, IP in error messages letsencrypt/boulder
2 participants
@aarongable @osirisinferi