FiloSottile / litetlog

A collection of liteweight transparency logging tools, compatible with the Sigsum and Omniwitness ecosystems.
ISC License

litebastion: Help detect misconfigured port on errors #9

Open rgdd opened 2 weeks ago

rgdd commented 2 weeks ago

I'm running cmd/litebastion at v0.1.1.

My DNS setup is as follows:

I verified that these DNS records work using nc:

srv # nc -l 443
cli $ nc -zv bastion-02.testonly.rgdd.se 443
Connection to bastion-02.testonly.rgdd.se (155.4.244.58) 443 port [tcp/https] succeeded!
srv # nc -l 8443
cli $ nc -zv litebastion.testonly.rgdd.se 8443
Connection to litebastion.testonly.rgdd.se (155.4.244.58) 8443 port [tcp/*] succeeded!

The above also verifies that I should be able to listen on ports 443 and 8443.

The problem I have is that litebastion fails to acquire a certificate:

srv # litebastion -backends backends.conf -cache acme -email rasmus@rgdd.se -host litebastion.testonly.rgdd.se -listen 0.0.0.0:8443
2024/06/15 14:30:55 loaded 1 backends
2024/06/15 14:30:55 listening on 0.0.0.0:8443
2024/06/15 14:31:01 http: TLS handshake error from 155.4.244.58:59425: acme/autocert: unable to satisfy "https://acme-v02.api.letsencrypt.org/acme/authz-v3/364271576717" for domain "litebastion.testonly.rgdd.se": no viable challenge type found

I have the same issue if I do it without the CNAME:

srv # litebastion -backends backends.conf -cache acme -email rasmus@rgdd.se -host bastion-02.testonly.rgdd.se -listen 0.0.0.0:8443
...
2024/06/15 14:36:10 http: TLS handshake error from 155.4.244.58:8094: acme/autocert: unable to satisfy "https://acme-v02.api.letsencrypt.org/acme/authz-v3/364273029217" for domain "bastion-02.testonly.rgdd.se": no viable challenge type found

I tried running the litebastion software on two different servers now with the same issue. I also used fresh DNS records, just in case there's a caching problem.

Note: to trigger litebastion to acquire a certificate, you need to connect with a backend. Here's how I have my witness configured:

https://git.glasklar.is/sigsum/project/documentation/-/blob/main/archive/2023-10-05-setup-prototype-witness-go.md?ref_type=heads

Just replace -listen with -bastion.


Maybe helpful information: I tried checking out an older version of the bastion host software that I'm pretty sure worked before. Based on the date of my old notes, I would have expected git-commit c26209d5db05712c56c52cfeac3ca8d89937fb25 to work. However, I get the exact same errors as above.

Can anyone reproduce my issues? Any ideas on where things go wrong?

FiloSottile commented 2 weeks ago

2024/06/15 14:30:55 listening on 0.0.0.0:8443

Is port 443 somehow getting redirected to port 8443? Let's Encrypt needs to find litebastion listening on port 443 to issue it a certificate.

rgdd commented 2 weeks ago

s/8443/443 solves this issue, thanks. Perhaps it would be better to not allow litebastion to run on any other port than 443?

rgdd commented 2 weeks ago

From IRC/Matrix: good to allow port forwarding though. But printing a warning on error seems helpful.
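The warning the last two comments ask for, as an added example in Go (the language litetlog is written in); this is not litetlog's own code and does not touch litebastion's flag handling. It assumes the names `listenPortHint`, `annotateACMEError` and `wrapGetCertificate`, which are hypothetical, and it keys on the literal `no viable challenge type found` substring because that is the wording autocert produced in the log above. The ACME TLS-ALPN-01 challenge, the one a TLS listener such as autocert's can answer, is validated on port 443 only, so a non-443 `-listen` port is flagged at startup and again on the handshake error, while still allowing the port-forwarding setup mentioned in the last comment. The failing `GetCertificate` callback in `main` is a constructed stand-in that reproduces the error offline, not a real ACME exchange.

```go
package main

import (
	"crypto/tls"
	"errors"
	"fmt"
	"log"
	"net"
	"strings"
)

// acmeTLSALPNPort is the only port on which the ACME TLS-ALPN-01 challenge
// (the one autocert answers from a TLS listener) is validated. The CA connects
// to the -host name on this port and never probes other ports.
const acmeTLSALPNPort = "443"

// listenPortHint (hypothetical name) returns a non-empty warning when the
// -listen address is not on port 443, i.e. when issuance can only succeed if
// port 443 is forwarded to that listener.
func listenPortHint(listen string) (string, error) {
	_, port, err := net.SplitHostPort(listen)
	if err != nil {
		return "", fmt.Errorf("bad -listen address %q: %w", listen, err)
	}
	if port == acmeTLSALPNPort {
		return "", nil
	}
	return fmt.Sprintf("listening on port %s, but Let's Encrypt validates "+
		"TLS-ALPN-01 on port 443: certificate issuance will fail unless "+
		"port 443 on the -host address is forwarded to %s", port, listen), nil
}

// annotateACMEError (hypothetical name) appends the hint to autocert's
// "no viable challenge type found" error when the listener is not on 443.
// Any other error, and nil, passes through unchanged.
func annotateACMEError(err error, listen string) error {
	if err == nil || !strings.Contains(err.Error(), "no viable challenge type found") {
		return err
	}
	hint, herr := listenPortHint(listen)
	if herr != nil || hint == "" {
		return err
	}
	return fmt.Errorf("%w (hint: %s)", err, hint)
}

// wrapGetCertificate (hypothetical name) decorates a tls.Config.GetCertificate
// callback, such as autocert.Manager.GetCertificate, so the hint shows up in
// the server's "http: TLS handshake error" log line itself.
func wrapGetCertificate(inner func(*tls.ClientHelloInfo) (*tls.Certificate, error),
	listen string) func(*tls.ClientHelloInfo) (*tls.Certificate, error) {
	return func(hello *tls.ClientHelloInfo) (*tls.Certificate, error) {
		cert, err := inner(hello)
		return cert, annotateACMEError(err, listen)
	}
}

func main() {
	listen := "0.0.0.0:8443" // the misconfigured value from the issue

	// Warn at startup without refusing to run, so port forwarding stays possible.
	if hint, err := listenPortHint(listen); err != nil {
		log.Fatal(err)
	} else if hint != "" {
		log.Printf("warning: %s", hint)
	}

	// Constructed stand-in for autocert.Manager.GetCertificate that fails the
	// way the log in the issue does; no network access is needed.
	failing := func(*tls.ClientHelloInfo) (*tls.Certificate, error) {
		return nil, errors.New(`acme/autocert: unable to satisfy "authz" for domain "example.test": no viable challenge type found`)
	}
	getCert := wrapGetCertificate(failing, listen)
	if _, err := getCert(&tls.ClientHelloInfo{ServerName: "example.test"}); err != nil {
		log.Printf("http: TLS handshake error: %v", err)
	}
}
```

Matching on the error text is the pragmatic option because autocert does not export a typed error for this case; if its wording changes the startup warning still fires, so the two checks back each other up.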