globaleaks / whistleblowing-software

GlobaLeaks is free, open-source whistleblowing software enabling anyone to easily set up and maintain a secure reporting platform.
https://www.globaleaks.org

Let's Encrypt certificate is not renewed automatically #4132

Open mapreri opened 2 months ago

mapreri commented 2 months ago

What version of GlobaLeaks are you using?

4.15.6

What browser(s) are you seeing the problem on?

No response

What operating system(s) are you seeing the problem on?

Linux

Describe the issue

The certificate obtained via Let's Encrypt using the included LE client is never renewed, despite the "Auto-renewal: Enabled" flag.

Not sure what might be going on, this could be a configuration issue on my side.

Proposed solution

No response

evilaliv3 commented 2 months ago

Hello @mapreri

Would you please check that both port 80 and 443 are open publicly and that both are directly handled by GlobaLeaks without any intermediate proxy?

I suspect you may either have port 80 closed or be redirecting it to port 443.

If you could pass me the address of your server I could verify the exact issue.

mapreri commented 2 months ago

They are open and handled by the standard globaleaks iptables rules.

You can look at for example.

I must add that I don't think renewal ever worked, every 3 months I found myself disabling and re-enabling LE to obtain a new cert (last time this morning)

On Sat, 13 Jul 2024, 8:31 am Giovanni Pellerano, @.***> wrote:

> Hello @mapreri https://github.com/mapreri
>
> Would you please check that both port 80 and 443 are open publicly and that both are directly handled by GlobaLeaks without any intermediate proxy?
>
> I suspect you may either have port 80 closed or be redirecting it to port 443.
>
> If you could pass me the address of your server I could verify the exact issue.


evilaliv3 commented 2 months ago

Thank you @mapreri, this is actually quite strange. If you could share the access log with me I will try to see what the reason is. Near the expiration the application starts requesting renewal with a request every day; do you have some firewall rules that prevent outgoing connections?

P.s.: I acknowledge that you have removed the "Powered by GlobaLeaks" attribution clause; this is actually in violation of the software license: https://github.com/globaleaks/GlobaLeaks/blob/main/LICENSE It is not a problem as long as you restore it within 30 days of this notification. Thank you for your understanding.
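One way to check an access log for the HTTP-01 validation traffic that the daily renewal attempts described above should produce (an added example, not GlobaLeaks code; it assumes the log is in Common Log Format and uses constructed sample lines, since the real GlobaLeaks access.log layout is not shown in this thread):

```python
import re
from collections import Counter

# Constructed sample lines in Common Log Format (an assumption: the actual
# GlobaLeaks access.log layout is not shown in the issue).
SAMPLE_LOG = """\
203.0.113.10 - - [10/Jul/2024:03:12:01 +0000] "GET /.well-known/acme-challenge/tokenA HTTP/1.1" 301 0
203.0.113.11 - - [11/Jul/2024:03:14:22 +0000] "GET /.well-known/acme-challenge/tokenB HTTP/1.1" 301 0
198.51.100.5 - - [11/Jul/2024:09:00:00 +0000] "GET / HTTP/1.1" 200 5120
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
# HTTP-01 validation fetches always hit this path prefix (RFC 8555).
ACME_PREFIX = "/.well-known/acme-challenge/"


def acme_challenge_hits(log_text):
    """Return (timestamp, status) for every HTTP-01 challenge fetch in the log."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and m.group("path").startswith(ACME_PREFIX):
            hits.append((m.group("ts"), int(m.group("status"))))
    return hits


def diagnose(log_text):
    """Map what the log shows onto the failure modes discussed in the thread."""
    statuses = Counter(status for _, status in acme_challenge_hits(log_text))
    if not statuses:
        return "no-challenge-traffic"   # port 80 unreachable/proxied, or renewal never attempted
    if statuses.get(200):
        return "challenge-served"       # validation reached the token; look at outgoing ACME calls instead
    if any(300 <= s < 400 for s in statuses):
        return "challenge-redirected"   # port 80 redirecting to 443, the case suspected above
    return "challenge-not-found"        # request arrived but the token was not served


if __name__ == "__main__":
    for ts, status in acme_challenge_hits(SAMPLE_LOG):
        print(ts, status)
    print(diagnose(SAMPLE_LOG))
```

Run it against the real access.log by replacing SAMPLE_LOG with the file contents; an absence of any challenge hits in the days before expiry points at inbound port 80, while hits with 200 point at the outgoing side.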

mapreri commented 2 months ago

> Thank you @mapreri, this is actually quite strange. If you could share the access log with me I will try to see what the reason is. Near the expiration the application starts requesting renewal with a request every day; do you have some firewall rules that prevent outgoing connections?

I don't have any firewall rules limiting outgoing connections.

What's the best way to share the access.log privately to you?

> P.s.: I acknowledge that you have removed the "Powered by GlobaLeaks" attribution clause; this is actually in violation of the software license: https://github.com/globaleaks/GlobaLeaks/blob/main/LICENSE It is not a problem as long as you restore it within 30 days of this notification. Thank you for your understanding.

AFAIK it's not a violation of the AGPL as long as the code running is completely unmodified from what I originally obtained by the licensor (which it is, in this case). Nevertheless, I reckon this customer is kinda ill-advised, so I'm going behind his back and reinstating the line :stuck_out_tongue_winking_eye: - I am a fairly active FOSS sustainer after all heh

mapreri commented 2 months ago

> AFAIK it's not a violation of the AGPL as long as the code running is completely unmodified from what I originally obtained by the licensor (which it is, in this case). Nevertheless, I reckon this customer is kinda ill-advised, so I'm going behind his back and reinstating the line 😜 - I am a fairly active FOSS sustainer after all heh

I see now that it's actually an addendum to the AGPL that you did. That is fine, however I recommend you add a note in the README mentioning that you have additional terms to the AGPL, as I know that nobody reads the full LICENSE document after they see a standard FOSS license (I already read nearly all of them more than once, I can do without reading them all over once more…)

evilaliv3 commented 2 months ago

Thank you @mapreri for your feedback.

Actually we were listing such a notice in the README.md but we removed it considering the license was enough.

I just re-added it with commit: https://github.com/globaleaks/GlobaLeaks/commit/bdef24b2fc260bedb855e93c60c6f1e135c71ced

evilaliv3 commented 2 months ago

Did you manage to find what was causing your instance to not renew the certificate?

If not, you can find me on our community slack at: community.globaleaks.org

mapreri commented 2 months ago

No, I haven't found anything relevant with a quick grep of the logs tbh. What should I be looking for?

Else, I'm fine sending them to you if you can provide an... email address and a gpg key to encrypt to, I suppose?

evilaliv3 commented 2 months ago

Sure,

https://www.evilaliv3.org/0x67A0F187.asc