
[BUG] Let's Encrypt certs are Staging ones, so they're untrusted on browsers #61

Closed
Xpl0itU opened this issue Sep 3, 2023 · 33 comments · Fixed by #66
Assignees
Labels
bug Something isn't working

Comments

Xpl0itU commented Sep 3, 2023

Describe the bug
When generating a Let's Encrypt certificate, it is generated on the staging server.

To Reproduce
Steps to reproduce the behavior:
Generate a Let's Encrypt cert using Zoraxy

Expected behavior
A clear and concise description of what you expected to happen.

Screenshots
(screenshot attached to the original issue; not reproduced here)

Host Environment (please complete the following information):

  • Arch: x86_64
  • Device: Dell Workstation
  • OS: Debian
  • Version: 12 Bookworm (on a proxmox container)
@Xpl0itU Xpl0itU added the bug Something isn't working label Sep 3, 2023
tobychui (Owner) commented Sep 3, 2023

@yeungalan Can you take a look at this real quick?

tobychui (Owner) commented Sep 3, 2023

Hi @Xpl0itU
Although I am not in charge of the acme module, from what I see in the source code it is not possible to use the staging directory unless it is generated via the test case.

As you can see here, the links are hardcoded and embedded into the binary:

```go
val, ok := caDef.Production[caName]
```

Which is referring to this link:

```go
"Let's Encrypt": "https://acme-v02.api.letsencrypt.org/directory",
```

Might I know how you built this binary and what version of Zoraxy you are using?

Xpl0itU (Author) commented Sep 3, 2023

I used the Zoraxy script from here to set up my container

Xpl0itU (Author) commented Sep 3, 2023

Here's the output of zoraxy -info:

```
root@ct-zoraxy:/opt/zoraxy/src# ./zoraxy -info
{
 "Name": "Zoraxy",
 "Desc": "Dynamic Reverse Proxy Server",
 "Group": "Network",
 "IconPath": "zoraxy/img/small_icon.png",
 "Version": "2.6.6",
 "StartDir": "zoraxy/index.html",
 "SupportFW": true,
 "LaunchFWDir": "zoraxy/index.html",
 "SupportEmb": false,
 "LaunchEmb": "",
 "InitFWSize": [
  1080,
  580
 ],
 "InitEmbSize": null,
 "SupportedExt": null
}
```

tobychui (Owner) commented Sep 3, 2023

@Xpl0itU Can I see the public key of your cert? I am guessing you didn't set up your root domain TLS certificate correctly and zoraxy is loading its internal dummy cert.

Xpl0itU (Author) commented Sep 3, 2023

Here's some interesting output from the logs:

```
root@ct-zoraxy:/opt/zoraxy# journalctl -xau zoraxy.service | grep encrypt
Sep 03 11:39:11 ct-zoraxy zoraxy[159]: 2023/09/03 11:39:11 [INFO] Using https://acme-v02.api.letsencrypt.org/directory for CA Directory URL
Sep 03 11:39:12 ct-zoraxy zoraxy[159]: 2023/09/03 11:39:12 [INFO] [*.REDACTED] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/260957064906
Sep 03 11:39:13 ct-zoraxy zoraxy[159]: 2023/09/03 11:39:13 [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/260957064906
Sep 03 11:40:37 ct-zoraxy zoraxy[159]: 2023/09/03 11:40:37 [INFO] Using Default ACME https://acme-staging-v02.api.letsencrypt.org/directory for CA Directory URL
Sep 03 11:40:38 ct-zoraxy zoraxy[159]: 2023/09/03 11:40:38 [INFO] [*.REDACTED] AuthURL: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/8078103754
Sep 03 11:40:39 ct-zoraxy zoraxy[159]: 2023/09/03 11:40:39 [INFO] Deactivating auth: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/8078103754
Sep 03 11:54:37 ct-zoraxy zoraxy[159]: 2023/09/03 11:54:37 [INFO] Using Default ACME https://acme-staging-v02.api.letsencrypt.org/directory for CA Directory URL
Sep 03 11:54:38 ct-zoraxy zoraxy[159]: 2023/09/03 11:54:38 [INFO] [REDACTED] AuthURL: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/8078278344
Sep 03 11:55:54 ct-zoraxy zoraxy[159]: 2023/09/03 11:55:54 [INFO] Using Default ACME https://acme-staging-v02.api.letsencrypt.org/directory for CA Directory URL
Sep 03 11:55:55 ct-zoraxy zoraxy[159]: 2023/09/03 11:55:55 [INFO] [dashboard.REDACTED] AuthURL: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/8078292654
Sep 03 12:00:55 ct-zoraxy zoraxy[159]: 2023/09/03 12:00:55 [INFO] Using Default ACME https://acme-staging-v02.api.letsencrypt.org/directory for CA Directory URL
Sep 03 12:00:56 ct-zoraxy zoraxy[159]: 2023/09/03 12:00:56 [INFO] [REDACTED] AuthURL: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/8078352314
```

And here's the public key:

```
Modulus (2048 bits):
DC B2 A4 19 58 AE E0 AF 62 7C B7 E3 A8 61 71 0C
22 F8 0A F2 25 4B E6 D1 19 68 6F 0F 94 4F A0 D7
7F 88 E2 B6 47 5E E7 7F DD 56 7E F3 A9 31 A6 8A
84 A7 F2 4F 35 66 6E 44 48 85 A9 CC 7A CC CD EE
EA D2 9F 97 52 26 C3 61 3C 2C 1D 61 44 10 AE 0C
3C D4 89 CF D9 2C 79 AC 97 0C 9F 26 2B C8 F4 9D
87 4D 64 62 8A 37 86 80 6B 76 18 A1 9E 61 D1 3F
0C 21 D0 08 7A 32 87 1C C2 FD 46 0D 7C F2 FA 77
91 D8 E5 44 27 D5 B8 60 06 28 B7 3B 38 1E 4B 98
99 AF 4E CF 6C F0 A5 6B FA 43 EB AA 55 A1 4A 03
4E 9E 21 82 EF 12 AF 21 AD 23 0D 39 FC 1F 95 DB
70 BF B3 DB 3B 14 36 AD 86 CF 5A 94 46 9D FA 29
7B 98 5E EC 7B 32 E6 CF 1D 41 A3 DB 68 02 23 FD
E9 5F 34 C1 2B A5 F9 62 FC F0 7E 29 E1 58 5E FB
9C 37 55 85 9B E6 CA C3 21 60 58 01 A5 4F 6A 87
39 07 55 9A DB F1 AD F0 46 8B 63 69 22 23 4D 9F

Public Exponent (17 bits):
01 00 01
```

tobychui (Owner) commented Sep 3, 2023

@Xpl0itU Thanks for the input. I think this is a much deeper bug in the acme module. I will let @yeungalan take over from here.

dexer12 commented Sep 7, 2023

Any update here? I'm completely new to this. I got everything up and running, but can't use it, because the certificates are not trusted.

tobychui (Owner) commented Sep 7, 2023

@dexer12 Sadly no. None of our collaborators can reproduce this issue without further info. Can you give me the link to your website so I can take a look at it real quick?

dexer12 commented Sep 7, 2023

Sure, you can use mydomain for example right now.
Firefox shows that it's not trusting that page because the certificate is not from a trusted vendor.

let me know if you need any further information

tobychui (Owner) commented Sep 7, 2023

@daluntw @yeungalan Can you guys help take a look at this? I think this might be an issue caused by the acme section related to recent PRs.

yeungalan (Collaborator) commented:

Wilco, looks like it is a JSON problem

tobychui (Owner) commented Sep 7, 2023

> Wilco, looks like it is a JSON problem

I have taken a look at the JSON files. They didn't have any recent change that might cause this issue.
The only way a production build can create a staging cert is if it got a critical error and fell back to the default ACME link (which is the staging directory for Let's Encrypt).
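The fallback described in the comment above (a CA name that does not resolve dropping silently to a default directory that happens to be the staging one) and the check a user can run on the resulting certificate, as an added Go example that is not Zoraxy's own code. The two directory URLs and the `"Let's Encrypt"` map key come from the thread; the function names, the strict resolver, the `"Let's Encrypt (staging)"` opt-in name and the locally signed test certificate are assumptions made for the example. The `(STAGING)` issuer-name heuristic relies on Let's Encrypt's staging intermediates carrying that prefix in their common name (for example "(STAGING) Artificial Apricot R3").

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Directory URLs as they appear in the thread: the production one is the value
// hardcoded under "Let's Encrypt", the staging one is what the logs printed as
// the "Default ACME" directory.
const (
	LetsEncryptProduction = "https://acme-v02.api.letsencrypt.org/directory"
	LetsEncryptStaging    = "https://acme-staging-v02.api.letsencrypt.org/directory"
)

// productionDirectories stands in for the CA name -> directory lookup.
var productionDirectories = map[string]string{
	"Let's Encrypt": LetsEncryptProduction,
}

// resolveDirectoryURLLenient reproduces the failure mode: any name that is not
// in the map (including an empty string) silently becomes the default, and the
// default is the staging directory. No error is returned, so the caller goes on
// and ends up with a certificate browsers will not trust.
func resolveDirectoryURLLenient(caName, defaultDirectory string) string {
	if url, ok := productionDirectories[caName]; ok {
		return url
	}
	return defaultDirectory
}

// resolveDirectoryURLStrict fails closed instead: a missing or unknown CA name
// is an error the caller has to surface, and staging is only reachable when it
// is asked for by name. (Assumed design for this example, not Zoraxy's API.)
func resolveDirectoryURLStrict(caName string) (string, error) {
	switch {
	case caName == "":
		return "", errors.New("no CA selected: refusing to guess a directory URL")
	case caName == "Let's Encrypt (staging)":
		return LetsEncryptStaging, nil
	}
	if url, ok := productionDirectories[caName]; ok {
		return url, nil
	}
	return "", fmt.Errorf("unknown CA %q", caName)
}

// IssuedByLetsEncryptStaging reports whether a PEM certificate was issued by a
// Let's Encrypt staging intermediate. Staging intermediates carry "(STAGING)"
// in their common name, so the leaf's issuer name is enough to flag it without
// fetching the rest of the chain.
func IssuedByLetsEncryptStaging(pemBytes []byte) (bool, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != "CERTIFICATE" {
		return false, errors.New("input does not contain a PEM CERTIFICATE block")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return false, err
	}
	return strings.Contains(cert.Issuer.CommonName, "(STAGING)"), nil
}

// makeTestCert builds a leaf certificate signed by a throwaway key whose issuer
// name is issuerCN. Constructed test data so the example runs offline; a real
// staging leaf is signed by the staging CA, not by a local key.
func makeTestCert(issuerCN string) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	issuer := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: issuerCN},
	}
	leaf := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "example.test"},
		DNSNames:     []string{"example.test"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, leaf, issuer, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

func main() {
	fmt.Println("lenient, empty CA name:", resolveDirectoryURLLenient("", LetsEncryptStaging))
	if _, err := resolveDirectoryURLStrict(""); err != nil {
		fmt.Println("strict, empty CA name:", err)
	}
	for _, cn := range []string{"(STAGING) Artificial Apricot R3", "R3"} {
		certPEM, err := makeTestCert(cn)
		if err != nil {
			panic(err)
		}
		staging, err := IssuedByLetsEncryptStaging(certPEM)
		if err != nil {
			panic(err)
		}
		fmt.Printf("issuer %q -> staging: %v\n", cn, staging)
	}
}
```

Feeding the PEM that the proxy actually serves into `IssuedByLetsEncryptStaging` answers in one line what the browser warning in the report only hints at; the strict resolver shows the design choice that avoids the problem at the source, which is to make "no CA name" an error rather than a quiet default.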

tobychui (Owner) commented Sep 7, 2023

@Xpl0itU @dexer12 I have updated the release for v2.6.6.
Can you try downloading the new release, overwrite the one you have and see if the problem is fixed?

dexer12 commented Sep 7, 2023

I redeployed the docker container, let it pull the latest image and renewed the certificate for this domain. But it seems to still be the same problem. Or should I do it in some other way?

tobychui (Owner) commented Sep 7, 2023

@dexer12 Can you try running it natively in your host OS? I guess the docker routine is not updated as it is not a new release.
Alternatively, as I found this is a UI bug, in the CA section you can pick "Custom ACME server"; after the dropdown retracts, open it again and select "Let's Encrypt". It should do the job as well.

(image: screenshot of the CA dropdown, not reproduced here)

dexer12 commented Sep 7, 2023

Wow that solved it! I used your second advice, changing to "Custom ACME Server" and then selecting Lets Encrypt again, solved it.

tobychui (Owner) commented Sep 7, 2023

> Wow that solved it! I used your second advice, changing to "Custom ACME Server" and then selecting Lets Encrypt again, solved it.

Cool! This is probably one of the most interesting bug fix method I ever discovered XD

dexer12 commented Sep 7, 2023

Thank you a lot for the fast help! I sent you some coffees :)
I'm really happy to finally use your proxy, coming from NPM.

Xpl0itU (Author) commented Sep 7, 2023

Can confirm that the latest 2.6.6 fixes this issue, but now wildcard certificates aren't generated at all, just for the base domain

tobychui (Owner) commented Sep 7, 2023

> Can confirm that the latest 2.6.6 fixes this issue, but now wildcard certificates aren't generated at all, just for the base domain

I think this is normal as DNS challenge is still in @yeungalan's to-do list. In my personal setup, I apply a cert that contains all of the sub-domains instead of using a wildcard one.

Xpl0itU (Author) commented Sep 7, 2023

That's what I'm currently trying, but it seems to get stuck? No indication of any progress in the logs either

tobychui (Owner) commented Sep 7, 2023

> That's what I'm currently trying, but it seems to get stuck? No indication of any progress in the logs either

Is there anything in the browser's JavaScript console? If not, then it is probably due to networking problems and it is really hard for me to debug it remotely for you.

Xpl0itU (Author) commented Sep 7, 2023

No indications in the JS console, and I'm next to the router on a gigabit connection, so it's probably not a connection issue

tobychui (Owner) commented Sep 7, 2023

> No indications in the JS console, and I'm next to the router on a gigabit connection, so it's probably not a connection issue

Maybe it is an outbound connection issue or some other complex networking issue. If there are no error logs from either the frontend or backend terminal, I guess you really need to figure it out yourself...

Xpl0itU (Author) commented Sep 7, 2023

Funny thing is, I can generate a single certificate just fine, I just can't do multiple. Is the multi-certificate generation done in parallel or sequentially?

tobychui (Owner) commented Sep 7, 2023

It generates one certificate that contains all of the subdomains instead of running the single generation in a loop. Can you show me your settings for multi-domain cert generation?

Xpl0itU (Author) commented Sep 7, 2023

Domains (I also tried with no spaces after the commas):
REDACTED.duckdns.org, jellyfin.REDACTED.duckdns.org, guacamole.REDACTED.duckdns.org, synology.REDACTED.duckdns.org, dashboard.REDACTED.duckdns.org
Matching rule:
REDACTED.duckdns.org

tobychui (Owner) commented Sep 7, 2023

I guess you're gonna need to wait for @yeungalan, the original author of the ACME module, to figure it out.

Xpl0itU (Author) commented Sep 7, 2023

Had to generate a certificate for each domain separately as a workaround

daluntw (Contributor) commented Sep 8, 2023

For the Let's Encrypt issue, it is because the UI will not send the CA name when using the placeholder default, and I also thought the default ACME server in the backend would be production LE (but it actually is staging LE):

```go
DefaultAcmeServer: acmeServer,
```

We can fix it by changing the frontend CA name to LE when it does not exist, and/or changing the backend default ACME server (it is also related to #47). I can submit a PR for the frontend patch, and it should be able to be merged into 2.6.7.

Before then, the workaround in #61 (comment) can be used temporarily (another workaround is to use a custom ACME server with the LE production URL).

For the multi-domain issue, it is also a UI issue: the logic does not seem to handle the case when the input is multi-domain, and it also does not reset the button state on error.

```javascript
if (filename.trim() == "" && !domains.includes(",")){
    //Zoraxy filename are the matching name for domains.
    //Use the same as domains
    filename = domains;
}else if (filename != "" && !domains.includes(",")){
    //Invalid settings. Force the filename to be same as domain
    //if there are only 1 domain
    filename = domains;
}else{
    //Reached for every input containing a comma, even when a filename was given
    parent.msgbox("Filename cannot be empty for certs containing multiple domains.")
    return;
}
```

The backend seems OK for multi-domain.
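The filename rule the frontend snippet above is trying to enforce, written as a server-side check, as an added Go example rather than Zoraxy's own code: the snippet rejects every multi-domain request, including the ones that do carry a filename, and the backend should not rely on the UI for this validation in the first place. The domain list is parsed the way Xpl0itU entered it (comma separated, with or without spaces). The `CertRequest` type, the error values and the path-separator check are assumptions for the example; the last one is a general hardening step for a user-supplied string that becomes a file name on disk, not a claim about Zoraxy.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// CertRequest is the normalized form input: the domains that go into one
// certificate and the filename (Zoraxy calls it the matching rule) it is
// stored under.
type CertRequest struct {
	Domains  []string
	Filename string
}

var (
	ErrNoDomains        = errors.New("no domains given")
	ErrFilenameRequired = errors.New("filename cannot be empty for certs containing multiple domains")
	ErrBadFilename      = errors.New("filename must not contain path separators or '..'")
)

// ParseCertRequest implements the rule the frontend snippet intends:
//   - one domain: the filename is forced to that domain, whatever was typed;
//   - several domains: the supplied filename is used and must be non-empty.
// Unlike the snippet, a non-empty filename with several domains is accepted
// rather than rejected, and whitespace around commas is tolerated.
func ParseCertRequest(filename, domains string) (CertRequest, error) {
	var list []string
	seen := map[string]bool{}
	for _, d := range strings.Split(domains, ",") {
		d = strings.ToLower(strings.TrimSpace(d))
		if d == "" || seen[d] {
			continue // skip empty entries from stray commas, and duplicates
		}
		seen[d] = true
		list = append(list, d)
	}
	if len(list) == 0 {
		return CertRequest{}, ErrNoDomains
	}

	name := strings.TrimSpace(filename)
	if len(list) == 1 {
		name = list[0]
	} else if name == "" {
		return CertRequest{}, ErrFilenameRequired
	}
	// Hardening assumption for this example: the name ends up as a path
	// component on disk, so reject anything that could leave the cert directory.
	if strings.ContainsAny(name, `/\`) || strings.Contains(name, "..") {
		return CertRequest{}, ErrBadFilename
	}
	return CertRequest{Domains: list, Filename: name}, nil
}

func main() {
	// Constructed inputs mirroring the shapes discussed in the thread.
	inputs := [][2]string{
		{"", "jellyfin.example.org"},
		{"whatever", "jellyfin.example.org"},
		{"", "example.org, jellyfin.example.org"},
		{"example.org", "example.org, jellyfin.example.org,guacamole.example.org"},
		{"../etc", "example.org,jellyfin.example.org"},
	}
	for _, in := range inputs {
		req, err := ParseCertRequest(in[0], in[1])
		fmt.Printf("filename=%q domains=%q -> %+v err=%v\n", in[0], in[1], req, err)
	}
}
```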

daluntw (Contributor) commented Sep 13, 2023

Since the PR is merged, we should be OK to close this one up?

tobychui (Owner) commented:

> Since the PR is merged, we should be OK to close this one up?

Will close this after the next release 👍🏻

@tobychui tobychui mentioned this issue Sep 25, 2023
@tobychui tobychui linked a pull request Sep 25, 2023 that will close this issue