Does this work with initial certificate setup and sniproxy? #5

Open
ntninja opened this issue Jan 26, 2019 · 0 comments

ntninja commented Jan 26, 2019

Hi! I just spent some time trying to set up this software behind an sniproxy-based reverse proxy with “proxy_protocol” support enabled, but I couldn't get it to work. When using the ALPN challenge I get:

test_caddy | Activating privacy features... 2019/01/26 20:44:19 [INFO] acme: Registering account for [email protected]
test_caddy | 2019/01/26 20:44:19 [INFO] [test.ninetailed.ninja] acme: Obtaining bundled SAN certificate
test_caddy | 2019/01/26 20:44:19 [INFO] [test.ninetailed.ninja] AuthURL: https://acme-staging-v02.api.letsencrypt.org/acme/authz/cFVMAoxTSk4JwTN2D0-MVhYXB0sVmOQdg6LSUNsgz78
test_caddy | 2019/01/26 20:44:19 [INFO] [test.ninetailed.ninja] acme: use tls-alpn-01 solver
test_caddy | 2019/01/26 20:44:19 [INFO] [test.ninetailed.ninja] acme: Trying to solve TLS-ALPN-01
test_caddy | 2019/01/26 20:44:21 http: TLS handshake error from 172.18.0.5:44350: tls: oversized record received with length 22617
test_caddy | 2019/01/26 20:44:21 http: TLS handshake error from 172.18.0.5:44354: tls: oversized record received with length 22617
test_caddy | 2019/01/26 20:44:21 http: TLS handshake error from 172.18.0.5:44358: tls: oversized record received with length 22617
test_caddy | 2019/01/26 20:44:21 http: TLS handshake error from 172.18.0.5:44362: tls: oversized record received with length 22617
test_caddy | 2019/01/26 20:44:21 http: TLS handshake error from 172.18.0.5:44364: tls: oversized record received with length 22617
test_caddy | 2019/01/26 20:44:21 http: TLS handshake error from 172.18.0.5:44366: tls: oversized record received with length 22617
test_caddy | 2019/01/26 20:44:21 http: TLS handshake error from 172.18.0.5:44368: tls: oversized record received with length 22617
test_caddy | 2019/01/26 20:44:21 http: TLS handshake error from 172.18.0.5:44370: tls: oversized record received with length 22617
test_caddy | 2019/01/26 20:44:26 [test.ninetailed.ninja] failed to obtain certificate: acme: Error -> One or more domains had a problem:
test_caddy | [test.ninetailed.ninja] acme: error: 400 :: urn:ietf:params:acme:error:tls :: remote error: tls: record overflow, url: 
test_caddy | exit status 1
test_caddy exited with code 1

When disabling TLS-ALPN-01 and using HTTP-01 instead, I get:

test_caddy | Activating privacy features... 2019/01/26 20:47:30 [INFO] [test.ninetailed.ninja] acme: Obtaining bundled SAN certificate
test_caddy | 2019/01/26 20:47:31 [INFO] [test.ninetailed.ninja] AuthURL: https://acme-staging-v02.api.letsencrypt.org/acme/authz/pSEq4OKVS8Rq_4Qvr_2DBRWW8izqUI0wkM1OXIkVhXU
test_caddy | 2019/01/26 20:47:31 [INFO] [test.ninetailed.ninja] acme: Could not find solver for: tls-alpn-01
test_caddy | 2019/01/26 20:47:31 [INFO] [test.ninetailed.ninja] acme: use http-01 solver
test_caddy | 2019/01/26 20:47:31 [INFO] [test.ninetailed.ninja] acme: Trying to solve HTTP-01
test_caddy | 2019/01/26 20:47:37 [test.ninetailed.ninja] failed to obtain certificate: acme: Error -> One or more domains had a problem:
test_caddy | [test.ninetailed.ninja] acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: Invalid response from http://test.ninetailed.ninja/.well-known/acme-challenge/XyPxxbLYHFOe8R_FySSwLJ2daCY1sa6epb71Yvdf39w [2001:1608:39::a]: 400, url: 
test_caddy | exit status 1
test_caddy exited with code 1

Both of these work, however, when disabling the PROXY protocol in both Caddy (this plugin) and sniproxy (the proxy_protocol flag). I can also attest that sniproxy's PROXY protocol implementation works without issues when used with nginx.

When getting a cert without using the PROXY protocol (i.e. disabling this plugin), I'm also not able to view HTTPS content when enabling it afterwards (but HTTP works, although it will receive the PROXY headers as well):

test_caddy | Activating privacy features... 2019/01/26 20:53:35 [INFO][test.ninetailed.ninja] Obtain: Certificate already exists in storage
test_caddy | done.
test_caddy | https://test.ninetailed.ninja
test_caddy | http://test.ninetailed.ninja
test_caddy | 2019/01/26 20:53:35 https://test.ninetailed.ninja
test_caddy | 2019/01/26 20:53:35 http://test.ninetailed.ninja
test_caddy | 2019/01/26 20:53:35 [NOTICE] Sending telemetry: we were too early; waiting 1h1m45.482846269s before trying again
test_caddy | 2019/01/26 20:53:58 http: TLS handshake error from 172.18.0.5:39472: invalid source address
test_caddy | 2019/01/26 20:54:01 http: TLS handshake error from 172.18.0.5:39498: invalid source address

In each case the Caddyfile was just:

test.ninetailed.ninja
proxyprotocol

And the sniproxy config was:

listener [::]:80 {
    protocol http
}

listener [::]:443 {
    protocol tls
}

table {
    # some other rules

    test.ninetailed.ninja test_caddy proxy_protocol

    # some other rules
}

(where test_caddy is the name of the Caddy server container).

Do you maybe have some insights into this, by any chance?
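The first failure can be read directly off the log: Go's crypto/tls reports the length it parsed from bytes 3-4 of whatever arrived first on the socket, and 22617 is 0x5859, the ASCII "XY" of "PROXY", so the v1 header reached the TLS handshake unstripped. The Go program below is an added illustration (not code from this plugin or from sniproxy) that classifies a connection's first bytes the way crypto/tls would and strips a v1 header; the sample header, addresses and ports are constructed.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"fmt"
)

// Largest record length crypto/tls accepts; above it you get "oversized record".
const maxTLSCiphertext = 16384 + 2048

// recordLen reads bytes 3..4 as a big-endian TLS record length (-1 if too short).
func recordLen(b []byte) int {
	if len(b) < 5 {
		return -1
	}
	return int(binary.BigEndian.Uint16(b[3:5]))
}

// Peek classifies a connection's first bytes ("proxy-v1", "tls" or "unknown")
// and returns the length field a TLS parser would read from them unmodified.
func Peek(b []byte) (string, int) {
	n := recordLen(b)
	switch {
	case bytes.HasPrefix(b, []byte("PROXY ")):
		return "proxy-v1", n
	case n >= 0 && b[0] == 0x16 && b[1] == 0x03 && n <= maxTLSCiphertext:
		return "tls", n
	}
	return "unknown", n
}

// StripProxyV1 removes a CRLF-terminated v1 header (max 107 bytes) and returns
// the bytes that must be handed to the TLS listener instead.
func StripProxyV1(b []byte) ([]byte, bool) {
	i := bytes.Index(b, []byte("\r\n"))
	if !bytes.HasPrefix(b, []byte("PROXY ")) || i < 0 || i+2 > 107 {
		return nil, false
	}
	return b[i+2:], true
}

func main() {
	// Constructed sample: a sniproxy-style header followed by a ClientHello start.
	raw := []byte("PROXY TCP4 203.0.113.7 172.18.0.5 44350 443\r\n\x16\x03\x01\x00\xc8")
	k, n := Peek(raw)
	fmt.Printf("as received: %s, TLS would read length %d\n", k, n)
	if rest, ok := StripProxyV1(raw); ok {
		k, n = Peek(rest)
		fmt.Printf("after strip: %s, length %d\n", k, n)
	}
}
```

On the constructed input the first classification reports length 22617, the same value as in the log above, and only after stripping does the prefix look like a TLS record.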
