Undefined routes leaking random certs.

[vicary]

Current behavior

When visiting the proxy with an undefined domain, in my case the domain is directed with a wildcard A record, while having at least one valid upstream container with LETSENCRYPT_HOST defined, the current nginx conf generated will serve the first cert available in the conf file.

This is essentially leaking one of the upstream domains in an unpredictable way.

Expected behavior

It should fallback to http and shows 503, the same behavior as if nginx-proxy working without letsencrypt-nginx-proxy-companion.

[buchdag]

Please see #373

[buchdag]

I feel that the issue is more on the nginx-proxy side if the config generated by docker-gen requires a default.cert and default.key files and does not work as expected when they are not present.

Let me know your advice on this.

[Michiel-2]

Is letsencrypt-nginx-proxy-companion able to generate a self singed default certificate if it can't find one?

[buchdag]

Not at the moment but I'm considering it.

[vicary]

I'm not super fluent in nginx.conf syntax, can we make it fall back to return 404, return 503 or something similar when we don't have a valid certificate?

[buchdag]

Ok, judging by the number of people that reported this as an issue the past few weeks, I think automatic creation of this default certificate should be added to the container. I'm already working on it.

[buchdag]

Update : I'm still working on this, just not very fast 'cause summer holidays. I intend this to be fixed by the end of august at the very latest.

Meanwhile, you can manually create a default cert and key with this command, just replace your-companion-container with the actual name or id of your letsencrypt-nginx-proxy-companion container:

docker exec your-companion-container openssl req -x509 \
    -newkey rsa:4096 -sha256 -nodes -days 365 \
    -subj "/CN=default" \
    -keyout /etc/nginx/certs/default.key \
    -out /etc/nginx/certs/default.crt