SteveLTN / https-portal

A fully automated HTTPS server powered by Nginx, Let's Encrypt and Docker.
MIT License

Invalid descriptor for valid domain name #290

Closed HTechHQ closed 2 years ago

HTechHQ commented 2 years ago

Hello,

I have a valid domain but the name contains a non ASCII character (ß from the German alphabet). In the setup step I get the following error on 1.19.2:

Error: Invalid descriptor 
/opt/certs_manager/models/domain.rb:77:in `name': undefined method `[]' for nil:NilClass (NoMethodError)

I'd like my domain name to be supported as well, is it possible to update the restrictions on this? Alternatively I would be interested in a way to supply my own regex overwrite.

Thank you for any help :-)

SteveLTN commented 2 years ago

Hi! I never thought about this problem... Will try to update the REGEX to handle it this weekend.

SteveLTN commented 2 years ago

I updated the REGEX. However, I'm not sure if ACME-tiny or Let's Encrypt itself supports it or not, and I don't have a domain to test it. I released 1.20.0-beta1. Could you try it?

HTechHQ commented 2 years ago

Thank you for the fast update! I'll attach the error message I got:

 [cont-init.d] 20-setup: executing... 
 /opt/certs_manager/models/domain.rb:203:in `match': incompatible encoding regexp match (UTF-8 regexp with ASCII-8BIT string) (Encoding::CompatibilityError)
      from /opt/certs_manager/models/domain.rb:203:in `match'
      from /opt/certs_manager/models/domain.rb:203:in `parsed_descriptor'
      from /opt/certs_manager/models/domain.rb:77:in `name'
      from /opt/certs_manager/models/domain.rb:44:in `dir'
      from /opt/certs_manager/models/domain.rb:183:in `create_dir'
      from /opt/certs_manager/models/domain.rb:11:in `initialize'
      from /opt/certs_manager/lib/na_config.rb:70:in `new'
      from /opt/certs_manager/lib/na_config.rb:70:in `block in parse'
      from /opt/certs_manager/lib/na_config.rb:69:in `map'
      from /opt/certs_manager/lib/na_config.rb:69:in `parse'
      from /opt/certs_manager/lib/na_config.rb:36:in `env_domains'
      from /opt/certs_manager/lib/na_config.rb:7:in `domains'
      from /opt/certs_manager/certs_manager.rb:23:in `block in setup_config'
      from /opt/certs_manager/certs_manager.rb:133:in `block in with_lock'
      from /opt/certs_manager/certs_manager.rb:131:in `open'
      from /opt/certs_manager/certs_manager.rb:131:in `with_lock'
      from /opt/certs_manager/certs_manager.rb:19:in `setup_config'
      from /opt/certs_manager/certs_manager.rb:11:in `setup'
      from /bin/setup:4:in `<main>'
 [cont-init.d] 20-setup: exited 1.

SteveLTN commented 2 years ago

Hi, thanks for testing!

1.20.0-beta2 fixed the encoding issue.

HTechHQ commented 2 years ago

The first try is with the domain name (as is, including the special character) and I get the following error:

 Creating new order...
 Traceback (most recent call last):
   File "/bin/acme_tiny", line 198, in <module>
     main(sys.argv[1:])
   File "/bin/acme_tiny", line 194, in main
     signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, log=LOGGER, CA=args.ca, disable_check=args.disable_check, directory_url=args.directory_url, contact=args.contact)
   File "/bin/acme_tiny", line 121, in get_crt
     order, _, order_headers = _send_signed_request(directory['newOrder'], order_payload, "Error creating new order")
   File "/bin/acme_tiny", line 60, in _send_signed_request
     return _do_request(url, data=data.encode('utf8'), err_msg=err_msg, depth=depth)
   File "/bin/acme_tiny", line 46, in _do_request
     raise ValueError("{0}:\nUrl: {1}\nData: {2}\nResponse Code: {3}\nResponse: {4}".format(err_msg, url, data, code, resp_data))
 ValueError: Error creating new order:
 Url: https://acme-v02.api.letsencrypt.org/acme/new-order
 Data: {"protected": "xyz", "signature": "xyz"}
 Response Code: 400
 Response: {u'status': 400, u'type': u'urn:ietf:params:acme:error:rejectedIdentifier', u'detail': u'Error creating new order :: Cannot issue for "xyz": Domain name contains an invalid character'}

Next I converted the domain name into ACE and it works!

When working with an IDN, you need to convert the domain name into an ASCII-Compatible Encoding (ACE) form before entering it into the DNS server.

See: https://www.verisign.com/en_US/channel-resources/domain-registry-products/idn/idn-conversion-tool/index.xhtml

There seem to be two obvious solutions now:

  1. The https-portal does the conversion for all IDN domains automatically or
  2. The documentation highlights this step, so users can do the conversion to ACE for themselves

Not sure what to do, but this also raises the question of whether the regex needs to be updated at all? Probably not. I ran the configuration with the ACE again on version 1.19.2 and it works (the signing was skipped though ;-) so not sure if this influences the process, but I don't expect it).
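An added example (not code from the issue or from https-portal) of the ACE conversion described above, followed by the kind of ASCII hostname check a descriptor validator can then apply; `ACE_LABEL_RE` and the function names are hypothetical. It also shows that Python's stdlib `idna` codec (IDNA 2003 nameprep) folds ß to "ss", so the two IDNA generations yield different hostnames for the same domain, and the certificate must be requested for the form actually registered in DNS.

```python
import re

# Hostname label rule after ACE conversion (LDH rule): letters, digits, hyphen,
# 1-63 chars, no leading/trailing hyphen. Constructed here; not the regex
# from certs_manager's domain.rb.
ACE_LABEL_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def label_to_ace(label: str) -> str:
    """Return the ASCII-Compatible Encoding of one domain label.

    ASCII labels pass through unchanged; others become "xn--" + Punycode
    (RFC 3492) of the lowercased label. Python's 'punycode' codec is plain
    RFC 3492 without nameprep, so U+00DF (ß) stays a distinct code point,
    matching IDNA 2008 behaviour.
    """
    label = label.lower()
    if label.isascii():
        return label
    return "xn--" + label.encode("punycode").decode("ascii")


def domain_to_ace(domain: str) -> str:
    """Convert every label of a dotted domain name to its ACE form."""
    return ".".join(label_to_ace(part) for part in domain.strip(".").split("."))


def is_valid_ace_domain(domain: str) -> bool:
    """True if every label is LDH-valid and the whole name fits in 253 chars."""
    labels = domain.split(".")
    return len(domain) <= 253 and all(ACE_LABEL_RE.match(lbl) for lbl in labels)


def legacy_idna2003(domain: str) -> str:
    """What the stdlib 'idna' codec (IDNA 2003 nameprep) produces.

    Nameprep case-folds ß to "ss", so the result is a different hostname than
    the IDNA 2008 form from domain_to_ace(); check which one your registrar
    actually put into DNS before requesting a certificate.
    """
    return domain.encode("idna").decode("ascii")


if __name__ == "__main__":
    # Constructed sample names, not real registrations.
    for raw in ("straße.example", "bücher.example", "plain.example"):
        ace = domain_to_ace(raw)
        print(f"{raw} -> {ace} valid={is_valid_ace_domain(ace)} "
              f"idna2003={legacy_idna2003(raw)}")
```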

SteveLTN commented 2 years ago

Ah, ok. I didn't know that.

I will do (2), because I found some other issues when it comes to putting non-ASCII characters into environment variables. Namely, putting custom config for each domain such as CUSTOM_NGINX_EXAMPLE_COM_CONFIG_BLOCK.

I will revert the REGEX changes and update the documentation.