bunkerity / bunkerweb

🛡️ Open-source and next-generation Web Application Firewall (WAF)
https://www.bunkerweb.io
GNU Affero General Public License v3.0

Letsencrypt wildcard #28

Closed thelittlefireman closed 3 years ago

thelittlefireman commented 3 years ago

Hi,

Is there a way to use or register a wildcard domain name in bunkerized-nginx? I know how to generate a wildcard certificate on the certbot command line, but would it be possible to add this feature in bunkerized-nginx?

Wildcard certificate in certbot:

sudo certbot certonly --manual -d *.mydomaine.net --agree-tos --no-bootstrap

The config I tested:

- SERVER_NAME="*.mydomaine.me nextcloud.mydomaine.me syno.mydomaine.me"

[*] Starting bunkerized-nginx ...
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Unable to register an account with ACME server
[*] Updating clamav (in background) ...
time="2020-11-11T20:29:22+01:00" level=info msg="api load configuration: configuration loaded successfully (base:https://tmsov6x2n9.execute-api.eu-west-1.amazonaws.com/v1/)"
time="2020-11-11T20:29:25+01:00" level=info msg="api load configuration: configuration loaded successfully (base:https://tmsov6x2n9.execute-api.eu-west-1.amazonaws.com/v1/)"
time="2020-11-11T20:29:25+01:00" level=info msg="dependency issue crowdsecurity/nginx : missing parsers crowdsecurity/nginx-logs, tainted."
time="2020-11-11T20:29:27+01:00" level=info msg="api signin: signed in successfuly"
time="2020-11-11T20:29:30+01:00" level=warning msg="api pull returned 100 entries"
time="2020-11-11T20:29:41+01:00" level=info msg="Wrote 100 bans from api to database."
[*] Running nginx ...
nginx: [emerg] cannot load certificate "/etc/letsencrypt/live/"*.mydomaine.me/fullchain.pem": BIO_new_file() failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/etc/letsencrypt/live/"*.mydomaine.me/fullchain.pem','r') error:2006D080:BIO routines:BIO_new_file:no such file)
==> /var/log/access.log <==

==> /var/log/error.log <==

==> /var/log/fail2ban.log <==
2020-11-11 20:29:41,811 fail2ban.filter         [13030]: INFO      findtime: 60
2020-11-11 20:29:41,811 fail2ban.actions        [13030]: INFO      banTime: 3600
2020-11-11 20:29:41,812 fail2ban.filter         [13030]: INFO    Added logfile: '/var/log/access.log' (pos = 0, hash = da39a3ee5e6b4b0d3255bfef95601890afd80709)
2020-11-11 20:29:41,813 fail2ban.jail           [13030]: INFO    Jail 'nginx-filter' started
2020-11-11 20:29:41,960 fail2ban.utils          [13030]: #39-Lev. 7fbd51475c30 -- exec: echo "" > /etc/nginx/fail2ban-ip.conf && /usr/sbin/nginx -s reload
2020-11-11 20:29:41,960 fail2ban.utils          [13030]: ERROR   7fbd51475c30 -- stderr: 'nginx: [emerg] cannot load certificate "/etc/letsencrypt/live/"*.mydomaine.me/fullchain.pem": BIO_new_file() failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen(\'/etc/letsencrypt/live/"*.mydomaine.me/fullchain.pem\',\'r\') error:2006D080:BIO routines:BIO_new_file:no such file)'
2020-11-11 20:29:41,960 fail2ban.utils          [13030]: ERROR   7fbd51475c30 -- returned 1
2020-11-11 20:29:41,960 fail2ban.actions        [13030]: ERROR   Failed to start jail 'nginx-filter' action 'nginx-action': Error starting action Jail('nginx-filter')/nginx-action

Thanks :)

fl0ppy-d1sk commented 3 years ago

Thanks for your suggestion. Let's add it to the TODO list.

Until it's implemented, you can still generate and renew a wildcard certificate outside of bunkerized-nginx and use it as a custom certificate. Please note that you need to remove the double quotes (") when setting environment variables inside your docker-compose.yml.
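
Added example, not part of the original thread or of bunkerized-nginx: a shell check that reproduces the broken certificate path from the nginx error above when SERVER_NAME still carries the literal quotes from docker-compose.yml. It assumes the certificate directory is named after the first SERVER_NAME entry; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not bunkerized-nginx code). Assumption: the certificate
# directory is named after the first entry of SERVER_NAME, as the nginx
# error in this thread suggests.

LE_LIVE_DIR="/etc/letsencrypt/live"   # directory shown in the nginx error

# First space-separated entry of a SERVER_NAME value.
first_server_name() {
    printf '%s\n' "${1%% *}"
}

# Certificate path nginx would be pointed at for that value.
cert_path_for() {
    printf '%s/%s/fullchain.pem\n' "$LE_LIVE_DIR" "$(first_server_name "$1")"
}

# Same value with the literal quote characters removed.
strip_quotes() {
    printf '%s\n' "$1" | tr -d "\"'"
}

# 0 = usable as is, 1 = literal quote characters, 2 = wildcard entry.
check_server_name() {
    case $1 in
        *\"*|*\'*) echo "SERVER_NAME contains literal quotes" >&2; return 1 ;;
    esac
    case $1 in
        *\**) echo "SERVER_NAME contains a wildcard entry" >&2; return 2 ;;
    esac
    return 0
}

# Constructed input: what the container receives from the list-form line
#   - SERVER_NAME="*.mydomaine.me nextcloud.mydomaine.me syno.mydomaine.me"
# The quotes are part of the value because YAML does not strip them there.
RECEIVED='"*.mydomaine.me nextcloud.mydomaine.me syno.mydomaine.me"'

rc=0; check_server_name "$RECEIVED" || rc=$?
echo "check=$rc path=$(cert_path_for "$RECEIVED")"

CLEAN=$(strip_quotes "$RECEIVED")
rc=0; check_server_name "$CLEAN" || rc=$?
echo "check=$rc path=$(cert_path_for "$CLEAN")"
```

With the quotes removed the value still contains a wildcard entry, which is the case the maintainer says has to be covered by a certificate generated outside bunkerized-nginx.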

thelittlefireman commented 3 years ago

Great :) Thanks for the advice

ghost commented 3 years ago

Hi guys,

Just made a quick test with gsan. It is a tool that can extract Subject Alternative Names found in SSL Certificates directly from https web sites which can provide you with DNS names (subdomains) or virtual servers.

Ref. https://franccesco.github.io/getaltname/

gsan crtsh bunkerity.com
[+] Getting subdomains for bunkerity.com
[+] Results:

BUNKERITY.COM
↳ play2.bunkerity.com
↳ play2bis.bunkerity.com
↳ infra.bunkerity.com
↳ bunkerity.com
↳ mail.bunkerity.com
↳ play1.bunkerity.com
↳ pwd.bunkerity.com
↳ demo-nginx.bunkerity.com
↳ demo-mariadb.bunkerity.com
↳ srv1.bunkerity.com

Supporting wildcard could be more secure and prevent sub-domain enumeration. Isn't it?

Cheers, Luc Michalski

thelittlefireman commented 3 years ago

@lucmichalski I think both points of view could be analysed 😃 On the other hand it could be a risk:

"In the event of a breach of one of the servers, the certificate will be compromised by adversaries. The confidentiality and integrity of traffic to each site where the certificate is used is jeopardized. An attacker who obtains the certificate would be able to decrypt, read or modify, and re-encrypt traffic. This is likely to result in the disclosure of sensitive information and further targeted attacks."

https://www.packetlabs.net/wildcard-certificates/

ghost commented 3 years ago

good point ^^

fl0ppy-d1sk commented 3 years ago

Regarding the SAN enumeration, the new v1.2.1 release now generates one certificate per server when MULTISITE is set to yes. Anyway, keeping this issue open until we have a way to support wildcard certificates.

thelittlefireman commented 3 years ago

A huuuge thanks, you're so reactive! Amazing work!

thelittlefireman commented 3 years ago

I don't know if it's possible to do it, but it would be interesting if the webserver/base server on 443 could use a wildcard certificate and the other reverse_proxy/sites use their own certificates. I don't know if nginx could be configured like this, but it would prevent brute force on subdomains and guarantee that each subdomain has its own certificate.

ptr1337 commented 3 years ago

Yeah, I just have not tested your image out, because I'm reverse proxying like 14 services and only using Cloudflare, so I need something like a Let's Encrypt DNS.

Just looked it up, you're using Let's Encrypt as I saw, so with a second dependency it should be working with a Cloudflare dns-auth key.

But nice work, I've been following your repo for some time, and wow. It's one of the best Nginx I've probably seen, maybe a little bit more complicated, but that's it.

Running it with your bunkerized PHP and mariadb, there you go.

> I don't know if it's possible to do it, but it would be interesting if the webserver/base server on 443 could use a wildcard certificate and the other reverse_proxy/sites use their own certificates. I don't know if nginx could be configured like this, but it would prevent brute force on subdomains and guarantee that each subdomain has its own certificate.

I'm running a service behind my own reverse proxy, which is hosted offshore, and tried to provide a Let's Encrypt, no chance. I needed to figure it out with Cloudflare DNS. So then I was Cloudflare --> reverse proxy (offshore) --> and then my host server.

Only got it working with Cloudflare Origin Certs (but I don't know how far that's gonna leak my IP or DNS).

Sorry for the long text.

fl0ppy-d1sk commented 3 years ago

Hello,

I've added an example using certbot/certbot image to get wildcard certificates from Let's Encrypt : here is the link. The only drawback is it's interactive and can't be auto-renewed. I will try to add an auto-renew example (e.g. : certbot/certbot-cloudflare) when I have time.

farzadha2 commented 1 year ago

Hi, I was wondering what config I would need to add for the wildcard in my docker compose? I was checking the doc page but didn't seem to find it.

Thank you