search

SteveLTN / https-portal

A fully automated HTTPS server powered by Nginx, Let's Encrypt and Docker.
MIT License
4.45k stars 295 forks source link

Redirect is not working for me. #208

Open ironwren opened 5 years ago

ironwren commented 5 years ago

I have:

DOMAINS: 'www.howismy.com => https://howismy.com, howismy.com -> http://api:3000'

image image but going to www.howismy.com redirects to image

here is the redirect: image

SteveLTN commented 5 years ago

Hi,

I can't reproduce the problem. Could you see which version is your nginx-portal? Maybe try to upgrade to the latest?

ironwren commented 5 years ago

I just upgraded to the latest: 

/var/www/howismy# dc images
howismy_https-portal_1   steveltn/https-portal   1        25827a1239fd   284 MB

I also removed the redirect:

DOMAINS: 'howismy.com -> http://api:3000'

its still sending the 301 redirect to the wrong place:

/etc/nginx# cat conf.d/howismy.com.conf 
server {
    listen       80;
    server_name  howismy.com;

    location / {
      return    301 https://$server_name$request_uri;
    }
          location /.well-known/acme-challenge/ {
          allow all;
          alias /var/www/default/challenges/;
          try_files $uri =404;
      }
}

Is it possible that 301 could some how turn www.howismy.com to https://https://howismy.com?

SteveLTN commented 5 years ago

That doesn't look like the latest code to me. Before, you only needed to do example.com => another.com, but people constantly put https: there. So I made a modification that either with or without https prefix, it works in both cases.

Please make sure it says 1.7.3 when launching. You can specifically write 1.7.3 in docker-compose.yml and do a docker-compose pull https-portal.

ironwren commented 5 years ago 
  https-portal:
    image: steveltn/https-portal:1.7.3
    ports:
      - '80:80'
      - '443:443'
    links:
      - api
    restart: always
    environment:
      DOMAINS: 'www.howismy.com => howismy.com,howismy.com -> http://api:3000'
      STAGE: 'production'
3fe0eba7cd93        steveltn/https-portal:1.7.3   "/init"                  4 minutes ago       Up 4 minutes           0.0.0.0:80->80/tcp, 0.0.0.0:443->443/tcp   howismy_https-portal_1
root@3fe0eba7cd93:/etc/nginx# cat conf.d/howismy.com.conf 
server {
    listen       80;
    server_name  howismy.com;
    location / {
      return    301 https://$server_name$request_uri;
    }
    location /.well-known/acme-challenge/ {
          allow all;
          alias /var/www/default/challenges/;
          try_files $uri =404;
      }
}
root@3fe0eba7cd93:/etc/nginx# cat conf.d/www.howismy.com.conf 
server {
    listen       80;
    server_name  www.howismy.com;

    location / {
      return    301 https://howismy.com$request_uri;
    }
          location /.well-known/acme-challenge/ {
          allow all;
          alias /var/www/default/challenges/;
          try_files $uri =404;
      }
}

Still getting: image

ironwren commented 5 years ago

Its now working:

  https-portal:
    image: steveltn/https-portal:latest
    ports:
      - '80:80'
      - '443:443'
    links:
      - api
    restart: always
    environment:
      DOMAINS: 'www.howismy.com => howismy.com,howismy.com -> http://api:3000'
      STAGE: 'production'

It now works. Maybe update the docs to use latest and to remove the https from the redirect example. Thank you so much @SteveLTN. This image is amazing and has made my life soo much better!

SteveLTN commented 5 years ago

Latest is 1.7.3 . I don't know how, but you seems to be stuck with an old version.

ironwren commented 5 years ago

My sysop friend just got back to me: image Does the container handle this?

SteveLTN commented 5 years ago

HTTPS-PORTAl create two certs for each site you specify in the DOMAIN. In this case, you have

DOMAINS: 'www.howismy.com => howismy.com,howismy.com -> http://api:3000'

which will create two certs, one for www.howismy.com and another for howismy.com, served on the two domains respectively.

Now that you got howismy.com certs on www.howismy.com. That doesn't make any sense to me. I have no idea how it would behave like this. Apart from that, when I proceed with the invalid cert, the page doesn't perform its redirection as expected, but returns RemoteDisconnected. Seems like HTTPS-PORTAL is not functioning at all.

As a example, here is my full docker-compose.yml.

version: '3'

services:
  https-portal:
    image: steveltn/https-portal:latest
    ports:
      - '80:80'
      - '443:443'
    restart: always
    environment:
      DOMAINS: 'test2.steveltn.me => test.steveltn.me,test.steveltn.me'
      STAGE: 'production'

You can visit test2.steveltn.me to try it out.

SteveLTN commented 5 years ago

Could you cat /etc/nginx/conf.d/www.howismy.com.ssl.conf in your container?

ironwren commented 5 years ago

It doesn't exist

root@3fe0eba7cd93:~# ls -l /etc/nginx/conf.d/
total 12
-rw-r--r-- 1 root root  308 Sep 12 05:14 howismy.com.conf
-rw-r--r-- 1 root root 1088 Sep 12 05:14 howismy.com.ssl.conf
-rw-r--r-- 1 root root  311 Sep 12 05:14 www.howismy.com.conf
ironwren commented 5 years ago 
Traceback (most recent call last):
  File "/bin/acme_tiny", line 198, in <module>
    main(sys.argv[1:])
  File "/bin/acme_tiny", line 194, in main
    signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, log=LOGGER, CA=args.ca, disable_check=args.disable_check, directory_url=args.directory_url, contact=args.contact)
  File "/bin/acme_tiny", line 150, in get_crt
    raise ValueError("Challenge did not pass for {0}: {1}".format(domain, authorization))
ValueError: Challenge did not pass for www.howismy.com: {u'status': u'invalid', u'challenges': [{u'status': u'invalid', u'url': u'https://acme-v02.api.letsencrypt.org/acme/chall-v3/303003853/ZaaPsg', u'token': u'2OLbfoGOSybwjF5ypRYhMSrCOC4_7WHPcbZylgnK4Dw', u'type': u'http-01', u'error': {u'status': 400, u'type': u'urn:ietf:params:acme:error:dns', u'detail': u'DNS problem: NXDOMAIN looking up A for www.howismy.com'}}, {u'status': u'invalid', u'url': u'https://acme-v02.api.letsencrypt.org/acme/chall-v3/303003853/g3dFbA', u'token': u'2OLbfoGOSybwjF5ypRYhMSrCOC4_7WHPcbZylgnK4Dw', u'type': u'dns-01'}, {u'status': u'invalid', u'url': u'https://acme-v02.api.letsencrypt.org/acme/chall-v3/303003853/zotFxA', u'token': u'2OLbfoGOSybwjF5ypRYhMSrCOC4_7WHPcbZylgnK4Dw', u'type': u'tls-alpn-01'}], u'identifier': {u'type': u'dns', u'value': u'www.howismy.com'}, u'expires': u'2019-09-19T05:14:10Z'}
================================================================================
Failed to sign www.howismy.com, is DNS set up properly?
================================================================================
Failed to obtain certs for www.howismy.com
ironwren commented 5 years ago

image

SteveLTN commented 4 years ago

Sorry for the late reply. I sort of forgot about this after a vacation :-(

Did you have any luck? Try update to the latest version plz, if you are still on it.

MarcelWaldvogel commented 2 years ago

The 301 redirect was served from disk cache, where it can be stored indefinitely, as it is labelled as a permanent redirect. So you probably were using a => redirect earlier, which is still cached in the browser. Clearing the browser cache manually should fix that one (and #295 changes the default to temporary redirects).

BTW: I think your DNS configuration looks dangerous. I think with a CNAME to the apex @ (www and ftp lines), you are likely to run into trouble, as the CNAME mirrors everything, not only the A (address), but also NS (name servers) and an increasing number of other configuration records further down the line. (The opposite, having a CNAME from @, is definitely not possible.)

So, A www 206.189.73.129 and A ftp 206.189.73.129 would be safer (or A host 206.189.73.129, CNAME www host, and CNAME ftp host, if you wanted to limit the number of places where you have to change the IP address down to 2, which I believe is the minimum).