Certificates for domains are not automatically issued. #63

Closed
saaremaa opened this issue May 4, 2021 · 3 comments

Comments

@saaremaa

saaremaa commented May 4, 2021

I have 3 domains that I use in reproxy:

  • a.domain.im
  • b.domain.im
  • c.domain.im

These domains are configured in reproxy.yml:

a.domain.im:
  - {route: "^/(.*)", dest: "http://127.0.0.1:3000/$1"}
b.domain.im:
  - {route: "^/(.*)", dest: "http://127.0.0.1:2079/$1"}
c.domain.im:
  - {route: "^/(.*)", dest: "http://127.0.0.1:2081/admin/$1"}
  1. Certificates won't be issued automatically for all discovered server names if I use the following arguments:
    -l 0.0.0.0:443 --file.enabled --logger.enabled --logger.file=/var/log/reproxy.log --file.name=/etc/reproxy.yml --ssl.type=auto --ssl.cert=/var/lib/reproxy --ssl.key=/var/lib/reproxy --ssl.acme-location=/var/lib/reproxy/acme --ssl.acme-email=email@domain.im --ssl.http-port=80

  2. Certificates won't be issued automatically if I describe the domains with the --ssl.fqdn directive:
    -l 0.0.0.0:443 --file.enabled --logger.enabled --logger.file=/var/log/reproxy.log --file.name=/etc/reproxy.yml --ssl.type=auto --ssl.cert=/var/lib/reproxy --ssl.key=/var/lib/reproxy --ssl.acme-location=/var/lib/reproxy/acme --ssl.acme-email=email@domain.im --ssl.http-port=80 --ssl.fqdn=a.domain.im,b.domain.im,c.domain.im

  3. But if I describe one domain with the --ssl.fqdn directive, everything works correctly:

-l 0.0.0.0:443 --file.enabled --logger.enabled --logger.file=/var/log/reproxy.log --file.name=/etc/reproxy.yml --ssl.type=auto --ssl.cert=/var/lib/reproxy --ssl.key=/var/lib/reproxy --ssl.acme-location=/var/lib/reproxy/acme --ssl.acme-email=email@domain.im --ssl.http-port=80 --ssl.fqdn=a.domain

-l 0.0.0.0:443 --file.enabled --logger.enabled --logger.file=/var/log/reproxy.log --file.name=/etc/reproxy.yml --ssl.type=auto --ssl.cert=/var/lib/reproxy --ssl.key=/var/lib/reproxy --ssl.acme-location=/var/lib/reproxy/acme --ssl.acme-email=email@domain.im --ssl.http-port=80 --ssl.fqdn=b.domain

-l 0.0.0.0:443 --file.enabled --logger.enabled --logger.file=/var/log/reproxy.log --file.name=/etc/reproxy.yml --ssl.type=auto --ssl.cert=/var/lib/reproxy --ssl.key=/var/lib/reproxy --ssl.acme-location=/var/lib/reproxy/acme --ssl.acme-email=email@domain.im --ssl.http-port=80 --ssl.fqdn=c.domain.im

P.S. Sorry for my English.

@umputun
Owner

umputun commented May 4, 2021

Certificate won't be issued automatically if describe domains with --ssl.fqdn directive

This parameter is a list, i.e. a repeated sequence of the param, not a single comma-separated param. In other words, instead of --ssl.fqdn=a.domain.im,b.domain.im,c.domain.im it should be --ssl.fqdn=a.domain.im --ssl.fqdn=b.domain.im --ssl.fqdn=c.domain.im. I will add an explanation with examples to the readme.

Certificates won't be issued automatically for all discovered server names if I use the following arguments

This is odd. If you run with the --dbg flag it should print all FQDNs, i.e. something like [DEBUG] FQDNs ..... Please let me know what you see here.

umputun added a commit that referenced this issue May 4, 2021
@saaremaa
Author

saaremaa commented May 5, 2021

Q1: Thank you, I understood the mistake. I mistakenly interpreted how the env-delim:"," works.
Q2: --dbg output:

krb@krb-1:/etc/systemd# /usr/bin/reproxy -l 0.0.0.0:443 \
 --file.enabled --logger.enabled \
 --logger.file=/var/log/reproxy.log \
 --file.name=/etc/reproxy.yml \
 --ssl.type=auto \
 --ssl.cert=/var/lib/reproxy \
 --ssl.key=/var/lib/reproxy \
 --ssl.acme-location=/var/lib/reproxy/acme \
 --ssl.acme-email=email@domain.im \
 --ssl.http-port=80 \
 --dbg
reproxy v0.4.0-21-g497dfdb-master-20210505-08:06:07
2021/05/05 08:07:13.706 [DEBUG] {app/main.go:119 main.main} options: {Listen:0.0.0.0:443 MaxSize:64000 GzipEnabled:false ProxyHeaders:[] SSL:{Type:auto Cert:/var/lib/reproxy Key:/var/lib/reproxy ACMELocation:/var/lib/reproxy/acme ACMEEmail:email@domain.im RedirHTTPPort:80 FQDNs:[]} Assets:{Location: WebRoot:/ CacheControl:[]} Logger:{StdOut:false Enabled:true FileName:/var/log/reproxy.log MaxSize:100 MaxBackups:10} Docker:{Enabled:false Host:unix:///var/run/docker.sock Network: Excluded:[] AutoAPI:false APIPrefix:} File:{Enabled:true Name:/etc/reproxy.yml CheckInterval:3s Delay:500ms} Static:{Enabled:false Rules:[]} Timeouts:{ReadHeader:5s Write:30s Idle:30s Dial:30s KeepAlive:30s ResponseHeader:5s IdleConn:1m30s TLSHandshake:10s ExpectContinue:1s} Management:{Enabled:false Listen:0.0.0.0:8081} ErrorReport:{Enabled:false Template:} Signature:false Dbg:true}
2021/05/05 08:07:13.707 [INFO]  {app/main.go:321 main.makeAccessLogWriter} logger enabled for /var/log/reproxy.log
2021/05/05 08:07:13.709 [DEBUG] {app/main.go:198 main.run} listen address 0.0.0.0:443
2021/05/05 08:07:13.709 [INFO]  {proxy/proxy.go:139 proxy.(*Http).Run} activate https server in 'auto' mode on 0.0.0.0:443
2021/05/05 08:07:13.710 [DEBUG] {proxy/proxy.go:140 proxy.(*Http).Run} FQDNs []
2021/05/05 08:07:13.710 [DEBUG] {proxy/ssl.go:68 proxy.(*Http).makeAutocertManager} autocert manager for domains: [], location: /var/lib/reproxy/acme, email: "email@domain.im"
2021/05/05 08:07:13.711 [DEBUG] {proxy/ssl.go:52 proxy.(*Http).httpChallengeRouter} create http-challenge routes
2021/05/05 08:07:13.712 [INFO]  {proxy/proxy.go:150 proxy.(*Http).Run.func3} activate http challenge server on port 0.0.0.0:80
2021/05/05 08:07:16.708 [DEBUG] {provider/file.go:53 provider.(*File).Events.func2} file /etc/reproxy.yml changed, 0001-01-01T00:00:00Z -> 2021-04-30T10:51:52.144553775+02:00
2021/05/05 08:07:16.709 [DEBUG] {discovery/discovery.go:97 discovery.(*Service).Run} new update event received, file
2021/05/05 08:07:17.710 [DEBUG] {provider/file.go:87 provider.(*File).List} file provider []
2021/05/05 08:07:17.710 [INFO]  {discovery/discovery.go:107 discovery.(*Service).Run} proxy  file: a.domain.im ^/(.*) -> http://127.0.0.1:2081/admin/$1
2021/05/05 08:07:17.710 [INFO]  {discovery/discovery.go:107 discovery.(*Service).Run} proxy  file: b.domain.im ^/(.*) -> http://127.0.0.1:2079/$1
2021/05/05 08:07:17.710 [INFO]  {discovery/discovery.go:107 discovery.(*Service).Run} proxy  file: c.domain.im ^/(.*) -> http://127.0.0.1:3000/$1

umputun added a commit that referenced this issue May 5, 2021
@umputun
Owner

umputun commented May 5, 2021

Thanks for the log. I have committed a fix and master should handle auto-discovered names properly. If you are comfortable with building from master, please give it a try.

BTW, to build from master you may run "make dist" and it will generate a bunch of executables in the dist/artifacts directory. The only dependency is a running docker, as the build happens in a container.
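An added example covering both points raised in this thread; it is not reproxy's own code (reproxy parses its options with go-flags, while this stand-in uses the standard library flag package). It shows why --ssl.fqdn=a.domain.im,b.domain.im,c.domain.im ends up as a single name while the repeated form yields three, how a comma-delimited environment value (the env-delim:"," tag mentioned above) differs, and how the server names discovered from reproxy.yml should be merged into the allowlist handed to the autocert manager. The route map, parseSSLFlags, envFQDNs and buildHostPolicy are all constructed here as assumptions. The debug log above shows "autocert manager for domains: []"; with golang.org/x/crypto/acme/autocert a nil HostPolicy allows every host, so a client connecting by IP with an arbitrary SNI name can make the manager order certificates it should never order and exhaust the CA's rate limits. For that reason the example refuses to produce an empty allowlist instead of silently passing one on.

```go
package main

import (
	"errors"
	"flag"
	"fmt"
	"sort"
	"strings"
)

// route mirrors one entry under a server name in reproxy.yml (constructed here).
type route struct{ Route, Dest string }

// sampleConfig is a constructed stand-in for the file provider's parsed
// reproxy.yml from the issue; the map keys are the discovered server names.
var sampleConfig = map[string][]route{
	"a.domain.im": {{Route: "^/(.*)", Dest: "http://127.0.0.1:3000/$1"}},
	"b.domain.im": {{Route: "^/(.*)", Dest: "http://127.0.0.1:2079/$1"}},
	"c.domain.im": {{Route: "^/(.*)", Dest: "http://127.0.0.1:2081/admin/$1"}},
}

// fqdnList implements flag.Value so --ssl.fqdn can be given several times.
// Each occurrence is appended verbatim, with no comma splitting, which is
// why "--ssl.fqdn=a,b,c" becomes one (invalid) host name.
type fqdnList []string

func (f *fqdnList) String() string { return strings.Join(*f, ",") }

func (f *fqdnList) Set(v string) error {
	if v = strings.TrimSpace(v); v == "" {
		return errors.New("empty --ssl.fqdn value")
	}
	*f = append(*f, v)
	return nil
}

// parseSSLFlags parses a command line (without the program name) and returns
// the FQDNs exactly as the flag parser sees them.
func parseSSLFlags(args []string) ([]string, error) {
	fs := flag.NewFlagSet("reproxy-example", flag.ContinueOnError)
	var fqdns fqdnList
	fs.Var(&fqdns, "ssl.fqdn", "FQDN for auto-cert; repeat the flag for several names")
	if err := fs.Parse(args); err != nil {
		return nil, err
	}
	return []string(fqdns), nil
}

// envFQDNs is the environment path: a comma-delimited value is split on commas.
func envFQDNs(value string) []string {
	var out []string
	for _, h := range strings.Split(value, ",") {
		if h = strings.TrimSpace(h); h != "" {
			out = append(out, h)
		}
	}
	return out
}

// buildHostPolicy merges explicit --ssl.fqdn names with the server names
// discovered from the config and returns an exact-match, case-insensitive
// allowlist function of the same shape as autocert's HostPolicy. It refuses
// to return an empty allowlist: without a policy the autocert manager would
// order a certificate for whatever SNI name a client presents.
func buildHostPolicy(explicit []string, discovered map[string][]route) (func(host string) error, []string, error) {
	allowed := map[string]struct{}{}
	for _, h := range explicit {
		allowed[strings.ToLower(strings.TrimSpace(h))] = struct{}{}
	}
	for h := range discovered {
		if strings.ContainsAny(h, "*^$") { // patterns are not certificate subjects
			continue
		}
		allowed[strings.ToLower(h)] = struct{}{}
	}
	delete(allowed, "")
	if len(allowed) == 0 {
		return nil, nil, errors.New("no FQDNs configured or discovered; refusing an unrestricted host policy")
	}
	names := make([]string, 0, len(allowed))
	for h := range allowed {
		names = append(names, h)
	}
	sort.Strings(names)
	policy := func(host string) error {
		if _, ok := allowed[strings.ToLower(host)]; ok {
			return nil
		}
		return fmt.Errorf("host %q not configured for auto-cert", host)
	}
	return policy, names, nil
}

func main() {
	one, _ := parseSSLFlags([]string{"--ssl.fqdn=a.domain.im,b.domain.im,c.domain.im"})
	three, _ := parseSSLFlags([]string{"--ssl.fqdn=a.domain.im", "--ssl.fqdn=b.domain.im", "--ssl.fqdn=c.domain.im"})
	fmt.Printf("comma form    -> %d entry:   %q\n", len(one), one)
	fmt.Printf("repeated form -> %d entries: %q\n", len(three), three)
	fmt.Printf("env form      -> %q\n", envFQDNs("a.domain.im,b.domain.im,c.domain.im"))
	policy, names, err := buildHostPolicy(nil, sampleConfig)
	if err != nil {
		panic(err)
	}
	fmt.Println("allowlist from discovery:", names)
	for _, h := range []string{"A.domain.im", "evil.example"} {
		fmt.Printf("%s -> %v\n", h, policy(h))
	}
}
```

The policy function is what you would hand to autocert.Manager's HostPolicy field; autocert.HostWhitelist gives the same exact-match behaviour once the name list is non-empty, so the only thing this stand-in adds is the refusal to run with an empty list, which is the situation the debug log above shows.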
