globaleaks / whistleblowing-software

GlobaLeaks is free, open-source whistleblowing software enabling anyone to easily set up and maintain a secure reporting platform.
https://www.globaleaks.org

LetsEncrypt error on .local hostname acme.messages.Error ACME error. #2130

Open fpietrosanti opened 6 years ago

fpietrosanti commented 6 years ago

Current behavior: LetsEncrypt gives this error

Platform: whistleblower.xxxxxx.local (xxxxxxxxx.onion) Version: 2.72.23

acme.messages.Error ACME error.

https://tools.ietf.org/html/draft-ietf-appsawg-http-problem-00

:ivar unicode typ:
:ivar unicode title:
:ivar unicode detail:

Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/twisted/internet/defer.py", line 1126, in _inlineCallbacks
    result = result.throwExceptionIntoGenerator(g)
  File "/usr/lib/python2.7/dist-packages/twisted/python/failure.py", line 389, in throwExceptionIntoGenerator
    return g.throw(self.type, self.value, self.tb)
  File "/usr/lib/python2.7/dist-packages/globaleaks/handlers/admin/https.py", line 546, in put
    yield deferToThread(acme_cert_issuance)
  File "/usr/lib/python2.7/dist-packages/twisted/python/threadpool.py", line 246, in inContext
    result = inContext.theWork()
  File "/usr/lib/python2.7/dist-packages/twisted/python/threadpool.py", line 262, in <lambda>
    inContext.theWork = lambda: context.call(ctx, func, *args, **kw)
  File "/usr/lib/python2.7/dist-packages/twisted/python/context.py", line 118, in callWithContext
    return self.currentContext().callWithContext(ctx, func, *args, **kw)
  File "/usr/lib/python2.7/dist-packages/twisted/python/context.py", line 81, in callWithContext
    return func(*args,**kw)
  File "/usr/lib/python2.7/dist-packages/globaleaks/orm.py", line 75, in call
    return self.run(self._wrap, self.method, *args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/globaleaks/orm.py", line 120, in run
    return function(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/globaleaks/orm.py", line 97, in _wrap
    result = function(store, *args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/globaleaks/handlers/admin/https.py", line 524, in acme_cert_issuance
    return db_acme_cert_issuance(store)
  File "/usr/lib/python2.7/dist-packages/globaleaks/handlers/admin/https.py", line 514, in db_acme_cert_issuance
    Settings.acme_directory_url)
  File "/usr/lib/python2.7/dist-packages/globaleaks/utils/letsencrypt.py", line 42, in run_acme_reg_to_finish
    identifier=messages.Identifier(typ=messages.IDENTIFIER_FQDN, value=domain))
  File "/usr/lib/python2.7/dist-packages/acme/client.py", line 196, in request_challenges
    new_authz)
  File "/usr/lib/python2.7/dist-packages/acme/client.py", line 671, in post
    return self._post_once(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/acme/client.py", line 684, in _post_once
    return self._check_response(response, content_type=content_type)
  File "/usr/lib/python2.7/dist-packages/acme/client.py", line 570, in _check_response
    raise messages.Error.from_json(jobj)
Error: urn:acme:error:malformed :: The request message was malformed :: Error creating new authz :: Name does not end in a public suffix

evilaliv3 commented 6 years ago

@fpietrosanti: currently we just perform a formal validity check of the hostname.

From the tests we made enforcing a reachability test, we considered leaving it conditional, as during tests we got more failures than benefits.

What we could do is clone the formal validity check that Let's Encrypt implements, which probably can work for us too.

What do you think?

fpietrosanti commented 6 years ago

We probably need to make the hostname test ensure that it's a "valid internet hostname" (for example "whistleblower.xxxxxx.local" is not a valid internet hostname, and "whistleblowingcomunexxxxxx" isn't either and was triggering this letsencrypt error). Can we see which kind of code LetsEncrypt uses to validate hostnames?

fpietrosanti commented 6 years ago

LetsEncrypt does not allow .local or any kind of private TLD for non-reachable hosts: https://community.letsencrypt.org/t/ssl-certificate-for-a-internal-only-domain-thats-not-on-the-internet/27062/6 https://community.letsencrypt.org/t/certificate-is-only-for-local-domain-home/40391/10

fpietrosanti commented 6 years ago

From the forum it's confirmed that it's not possible to have an SSL certificate for an internal domain: "If you don't control that name in the public DNS and it's an internal-only name, the CA/Browser Forum's rules now forbid any publicly-trusted CA to issue certificates for it."

Further ref https://www.digicert.com/internal-names.htm
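A pre-check of the kind discussed in this thread (formal hostname syntax plus rejecting names that cannot end in a public suffix, so the failure is reported before the ACME server is contacted), as an added example that is not GlobaLeaks' own code. The reserved-suffix set is a constructed subset from RFC 2606, RFC 6762 and RFC 7686 plus common private suffixes; a real implementation would consult the Public Suffix List (publicsuffix.org), which is assumed unavailable here.

```python
import re

# One DNS label per RFC 1123: 1-63 chars, letters/digits/hyphens,
# no leading or trailing hyphen (lowercase is applied before matching).
_LABEL_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")

# Top-level labels no publicly trusted CA will issue for (constructed subset;
# a production check should use the full Public Suffix List instead).
_NON_PUBLIC_TLDS = {
    "local", "localhost", "test", "example", "invalid",   # RFC 2606 / RFC 6762
    "onion",                                              # RFC 7686
    "internal", "home", "lan", "corp", "intranet",        # common private use
}


def check_public_hostname(hostname):
    """Return (ok, reason); ok is True only when the name is a well-formed
    multi-label FQDN whose top-level label could be a public suffix."""
    name = hostname.strip().rstrip(".").lower()
    if not name:
        return False, "empty hostname"
    if len(name) > 253:
        return False, "hostname longer than 253 characters"
    labels = name.split(".")
    for label in labels:
        if not _LABEL_RE.match(label):
            return False, "invalid label %r" % label
    # A single label (e.g. "whistleblowingcomune") has no public suffix at all.
    if len(labels) < 2:
        return False, "single-label name has no public suffix"
    tld = labels[-1]
    # An all-numeric or mixed last label means an IP literal or junk, not a TLD.
    if not tld.isalpha():
        return False, "top-level label %r is not alphabetic" % tld
    if tld in _NON_PUBLIC_TLDS:
        return False, "'.%s' is not a public suffix" % tld
    return True, "ok"


if __name__ == "__main__":
    for candidate in ("whistleblower.example-org.local", "whistleblowingcomune",
                      "leaks.globaleaks.org", "10.0.0.1"):
        print(candidate, check_public_hostname(candidate))
```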