Codeberg/pages-server
26
387
Fork
You've already forked pages-server
54

Fatal error on startup with wildcard certificates #235

Open
opened 2023年07月20日 16:06:59 +02:00 by tionis · 6 comments

I'm currently trying to deploy pages in a docker container built using the Dockerfile in the repo and using cloudflare for wildcard cert generation. On startup I'm getting the following error:

pages | 2:00PM ERR toCert conversion did discover mismatch error="domain key '*.tasadar.page' and cert domain 'tasadar.page' not equal"
pages | 2:00PM ERR Couldn't get cert for domain ".tasadar.page"

which seems to be related to following database interface code:

err:=fmt.Errorf("domain key '%s' and cert domain '%s' not equal",name,c.Domain)
I'm currently trying to deploy pages in a docker container built using the Dockerfile in the repo and using cloudflare for wildcard cert generation. On startup I'm getting the following error: ``` pages | 2:00PM ERR toCert conversion did discover mismatch error="domain key '*.tasadar.page' and cert domain 'tasadar.page' not equal" pages | 2:00PM ERR Couldn't get cert for domain ".tasadar.page" ``` which seems to be related to following database interface code: https://codeberg.org/Codeberg/pages-server/src/commit/d720d25e42eb5f1e63462a6665afdd0bebd364ae/server/database/interface.go#L63

Same problem for me :

[INFO] [pages.git.antoinethys.net] Server responded with a certificate.
ERR toCert conversion did discover mismatch error="domain key '*.pages.git.antoinethys.net' and cert domain 'pages.git.antoinethys.net' not equal"
ERR Couldn't get cert for domain ".pages.git.antoinethys.net"
http: TLS handshake error from 172.23.0.1:47138: won't request certificate for main domain, something really bad has happened
Same problem for me : ``` [INFO] [pages.git.antoinethys.net] Server responded with a certificate. ERR toCert conversion did discover mismatch error="domain key '*.pages.git.antoinethys.net' and cert domain 'pages.git.antoinethys.net' not equal" ERR Couldn't get cert for domain ".pages.git.antoinethys.net" http: TLS handshake error from 172.23.0.1:47138: won't request certificate for main domain, something really bad has happened ```
Contributor
Copy link

I also ran into this issue, and found checking out the commit from the most recent release (v4.6.3) resolved it for me. I'm a bit confused since that was released 3 weeks ago and the two comments above me are older than that, but it's possible this issue was fixed but then re-introduced.

I also ran into this issue, and found checking out the commit from the most recent release (v4.6.3) resolved it for me. I'm a bit confused since that was released 3 weeks ago and the two comments above me are older than that, but it's possible this issue was fixed but then re-introduced.

Is this fixed by using the latest version?

Is this fixed by using the latest version?

Unfortunately not

Unfortunately not
crapStone added this to the v6.0 milestone 2023年11月20日 19:31:04 +01:00
Contributor
Copy link

I ran into the same issue with OVH as my domain provider and the v5.1 release of pages-server

I ran into the same issue with OVH as my domain provider and the v5.1 release of pages-server
Contributor
Copy link

After some investigation, I believe the problem comes from

ifuseDnsProvider&&domains[0]!=""&&domains[0][0]=='*'{
domains=domains[1:]
}

:

When requesting the main certificate, wildcard domain is explicitly removed from the requested domains, leading to the request of a non-wildcard certificate:

$ sqlite3 certs.sqlite "SELECT certificate FROM cert WHERE domain = 'page.example.com' OR domain = '*.page.example.com" | openssl x509 -noout -ext subjectAltName -subject
X509v3 Subject Alternative Name:
 DNS:page.example.com
subject=CN = page.example.com

When removing the 3 lines from the code, the certificate requested now match the one used in prod by codeberg.page:

$ sqlite3 certs.sqlite "SELECT certificate FROM cert WHERE domain = 'page.example.com' OR domain = '*.page.example.com'" | openssl x509 -noout -ext subjectAltName -subject
X509v3 Subject Alternative Name:
 DNS:*.page.example.com, DNS:page.example.com
subject=CN = *.page.example.com
$ echo | openssl s_client -connect codeberg.page:443 2>&1 | sed --quiet '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' | openssl x509 -noout -ext subjectAltName -subject
Warning: Reading certificate from stdin since no -in or -new option is given
X509v3 Subject Alternative Name:
 DNS:*.codeberg.page, DNS:codeberg.page
subject=CN=*.codeberg.page

Because of

ifrenew!=nil&&renew.CertURL!=""{
ifc.acmeUseRateLimits{
c.acmeClientRequestLimit.Take()
}
log.Debug().Msgf("Renewing certificate for: %v",domains)
res,err=acmeClient.Certificate.Renew(*renew,true,false,"")

, an instance with an already valid cert will keep renewing the valid cert and not run into this issue, but a new instance is not able to generate a new certificate.

After some investigation, I believe the problem comes from https://codeberg.org/Codeberg/pages-server/src/commit/7e80ade24b8aac072804122b343a2a1a70667983/server/certificates/certificates.go#L202-L204: When requesting the main certificate, wildcard domain is explicitly removed from the requested domains, leading to the request of a non-wildcard certificate: ``` $ sqlite3 certs.sqlite "SELECT certificate FROM cert WHERE domain = 'page.example.com' OR domain = '*.page.example.com" | openssl x509 -noout -ext subjectAltName -subject X509v3 Subject Alternative Name: DNS:page.example.com subject=CN = page.example.com ``` When removing the 3 lines from the code, the certificate requested now match the one used in prod by codeberg.page: ``` $ sqlite3 certs.sqlite "SELECT certificate FROM cert WHERE domain = 'page.example.com' OR domain = '*.page.example.com'" | openssl x509 -noout -ext subjectAltName -subject X509v3 Subject Alternative Name: DNS:*.page.example.com, DNS:page.example.com subject=CN = *.page.example.com $ echo | openssl s_client -connect codeberg.page:443 2>&1 | sed --quiet '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' | openssl x509 -noout -ext subjectAltName -subject Warning: Reading certificate from stdin since no -in or -new option is given X509v3 Subject Alternative Name: DNS:*.codeberg.page, DNS:codeberg.page subject=CN=*.codeberg.page ``` Because of https://codeberg.org/Codeberg/pages-server/src/commit/7e80ade24b8aac072804122b343a2a1a70667983/server/certificates/certificates.go#L228-L233, an instance with an already valid cert will keep renewing the valid cert and not run into this issue, but a new instance is not able to generate a new certificate.
Sign in to join this conversation.
No Branch/Tag specified
main
no-not-allow-for-new-users
pages
pages-custom-domain-update
ci_user-local-acme-service
feat/redis-caching
fix/memory-problem
v6.4
v6.3
v6.2.1
v6.2
v6.1
v6.0
v5.1
v5.0
v4.6.3
v4.6.2
v4.6.1
v4.6
v4.5
v4.4
v4.3
v4.2
v4.1
v4.0
v3.2.1
v3.2
v0.3.1
v0.3.0
v0.2.2
v0.2.1
v3.1
v3.0a
v3.0
v2.5b
v2.5a
v2.5
v2.4
v2.3
v2.2
v2.1
v2.0
v1.0_php
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
6 participants
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
Codeberg/pages-server#235
Reference in a new issue
Codeberg/pages-server
No description provided.
Delete branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?