Acme server clashes with redirect server on port 80 #284

Closed
komuw opened this issue Jun 21, 2023 · 2 comments · Fixed by #287

Comments


komuw commented Jun 21, 2023

I think it is because letsencrypt does not issue wildcards using the http-01 challenge

ong/server/tls_conf.go

Lines 185 to 187 in a8fba42

```go
// However, the certificate issued will NOT be wildcard certs; since letsencrypt only issues wildcard certs via DNS-01 challenge
// Instead, we'll get a certificate per subdomain.
// see; https://letsencrypt.org/docs/faq/#does-let-s-encrypt-issue-wildcard-certificates
```


komuw commented Jun 21, 2023

Actually, this seems to work on acme staging, but for some reason fails on acme prod.

komuw commented Jun 21, 2023

Actually, I think the issue is that we are starting two servers at port 80

  • ong/server/tls_conf.go

    Lines 94 to 107 in a8fba42

    ```go
    autocertServer := &http.Server{
        // serve HTTP, which will redirect automatically to HTTPS
        Addr:              ":80",
        Handler:           autocertHandler,
        ReadHeaderTimeout: 20 * time.Second,
        ReadTimeout:       40 * time.Second,
        WriteTimeout:      40 * time.Second,
        IdleTimeout:       120 * time.Second,
        ErrorLog:          slog.NewLogLogger(l.Handler(), slog.LevelDebug),
        BaseContext:       func(net.Listener) context.Context { return ctx },
    }
    cfg := listenerConfig()
    lstr, err := cfg.Listen(ctx, "tcp", autocertServer.Addr)
    ```

  • ong/server/server.go

    Lines 362 to 377 in a8fba42

    ```go
    // HTTP(non-tls) LISTENER:
    redirectSrv := &http.Server{
        Addr:              fmt.Sprintf("%s%s", o.host, o.httpPort),
        Handler:           srv.Handler,
        ReadHeaderTimeout: o.readHeaderTimeout,
        ReadTimeout:       o.readTimeout,
        WriteTimeout:      o.writeTimeout,
        IdleTimeout:       o.idleTimeout,
        ErrorLog:          slog.NewLogLogger(logger.Handler(), slog.LevelDebug),
        BaseContext:       func(net.Listener) context.Context { return ctx },
    }
    go func() {
        redirectSrvCfg := listenerConfig()
        redirectSrvListener, errL := redirectSrvCfg.Listen(ctx, "tcp", redirectSrv.Addr)
        if errL != nil {
            logger.Error("redirect server, unable to create listener", "error", errL)
    ```

So, the acme CA is only able to access the acme server once in a while. And the other time it gets access to the redirect server.

@komuw komuw changed the title tls certs do not work for both example.com & www.example.com Acme server crashes with redirect server on port 80 Jun 21, 2023
@komuw komuw changed the title Acme server crashes with redirect server on port 80 Acme server clashes with redirect server on port 80 Jun 22, 2023
komuw added a commit that referenced this issue Jun 22, 2023
- Use one server to handle ACME challenge requests and normal application requests.
  Prior to this, we had an app server and an ACME server that were both listening on the same port.
  This used to cause the two to clash since requests for one might end up being handled by http handlers for the other.

- Fixes: #284
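As an added illustration of the approach the fix describes (example code, not ong's own): a single handler that answers http-01 challenge requests under `/.well-known/acme-challenge/` and redirects everything else to HTTPS, so only one listener needs port 80 and the CA can never land on a handler that knows nothing about the challenge. The `keyAuths` map and the `serve` helper are constructed stand-ins for the ACME client's state and for a real listener.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

const acmeChallengePrefix = "/.well-known/acme-challenge/"

// combinedHandler lets ONE server on :80 do both jobs: answer http-01 challenge
// requests and redirect all other plain-HTTP traffic to HTTPS. keyAuths is a
// constructed stand-in for the ACME client's state (token -> key authorization);
// it is filled before the server starts and only read here, so no lock is needed.
func combinedHandler(keyAuths map[string]string) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if strings.HasPrefix(r.URL.Path, acmeChallengePrefix) {
			token := strings.TrimPrefix(r.URL.Path, acmeChallengePrefix)
			keyAuth, ok := keyAuths[token]
			if r.Method != http.MethodGet || !ok {
				// Unknown token or wrong method: 404, never fall through to the
				// redirect, which would send the CA off to :443 instead.
				http.NotFound(w, r)
				return
			}
			w.Header().Set("Content-Type", "text/plain")
			_, _ = w.Write([]byte(keyAuth))
			return
		}
		// Everything else: redirect to the same host over TLS, keeping path and query.
		http.Redirect(w, r, "https://"+r.Host+r.URL.RequestURI(), http.StatusMovedPermanently)
	})
}

// serve runs one request through h in-process (no socket needed) and returns
// the status code, Location header and body, so behaviour can be checked offline.
func serve(h http.Handler, method, target string) (int, string, string) {
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest(method, target, nil))
	return rec.Code, rec.Header().Get("Location"), rec.Body.String()
}

func main() {
	h := combinedHandler(map[string]string{"tok123": "tok123.constructed-thumbprint"})
	code, _, body := serve(h, http.MethodGet, "http://example.com/.well-known/acme-challenge/tok123")
	fmt.Println(code, body) // 200 tok123.constructed-thumbprint
	code, loc, _ := serve(h, http.MethodGet, "http://example.com/app?x=1")
	fmt.Println(code, loc) // 301 https://example.com/app?x=1
}
```

In production this one handler is what the single `http.Server` on `:80` would mount, in place of the two servers quoted above.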