ipfs / kubo

An IPFS implementation in Go
https://docs.ipfs.tech/how-to/command-line-quick-start/

AutoTLS: attempts to get cert when not publicly diallable #10570

Open lidel opened 1 day ago

lidel commented 1 day ago

Version

0.32.0-rc1

Config

{
  "AutoTLS": {
    "Enabled": true
  },
  "Addresses": {
    "API": "/ip4/127.0.0.1/tcp/5701",
    "Announce": [],
    "AppendAnnounce": [],
    "Gateway": "/ip4/127.0.0.1/tcp/8780",
    "NoAnnounce": [],
    "Swarm": [
      "/ip4/0.0.0.0/tcp/4071",
      "/ip6/::/tcp/4071",
      "/ip4/0.0.0.0/tcp/4072/tls/sni/*.libp2p.direct/ws",
      "/ip4/0.0.0.0/udp/4071/webrtc-direct",
      "/ip4/0.0.0.0/udp/4071/quic-v1",
      "/ip4/0.0.0.0/udp/4071/quic-v1/webtransport",
      "/ip6/::/udp/4071/webrtc-direct",
      "/ip6/::/udp/4071/quic-v1",
      "/ip6/::/udp/4071/quic-v1/webtransport"
    ]
  },
  ...

Description

Example 1, error due to solving challenges: presenting for challenge: no public address found:

2024-11-04T20:45:28.283+0100    INFO    autotls.acme_client v2@v2.0.3/client.go:404 trying to solve challenge   {"identifier": "*.k51qzi5uqu5dha1xbwsoc8lyjf6fldczy61ozgi3n9rr3tipfuzjzqst8fqooi.libp2p.direct", "challenge_type": "dns-01", "ca": "https://acme-v02.api.letsencrypt.org/directory"}
2024-11-04T20:45:36.324+0100    DEBUG   autotls.acme_client acme/http.go:275    http request    {"method": "POST", "url": "https://acme-v02.api.letsencrypt.org/acme/authz-v3/425608111597", "headers": {"Content-Type":["application/jose+json"],"User-Agent":["CertMagic acmez (linux; amd64)"]}, "response_headers": {"Boulder-Requester":["2038430587"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["454"],"Content-Type":["application/json"],"Date":["Mon, 04 Nov 2024 19:45:36 GMT"],"Link":["<https://acme-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["yiS4Q9ue15rzi_h41L_gI6UhRmR95FOK2XBx4z7cpj9DQfwyXEE"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]}, "status_code": 200}
2024-11-04T20:45:36.324+0100    ERROR   autotls.obtain  certmagic@v0.21.4/config.go:639 could not get certificate from issuer   {"identifier": "*.k51qzi5uqu5dha1xbwsoc8lyjf6fldczy61ozgi3n9rr3tipfuzjzqst8fqooi.libp2p.direct", "issuer": "acme-v02.api.letsencrypt.org-directory", "error": "[*.k51qzi5uqu5dha1xbwsoc8lyjf6fldczy61ozgi3n9rr3tipfuzjzqst8fqooi.libp2p.direct] solving challenges: presenting for challenge: no public address found (order=https://acme-v02.api.letsencrypt.org/acme/order/2038430587/320023393197) (ca=https://acme-v02.api.letsencrypt.org/directory)"}
2024-11-04T20:45:36.324+0100    ERROR   autotls.obtain  certmagic@v0.21.4/async.go:117  will retry  {"error": "[*.k51qzi5uqu5dha1xbwsoc8lyjf6fldczy61ozgi3n9rr3tipfuzjzqst8fqooi.libp2p.direct] Obtain: [*.k51qzi5uqu5dha1xbwsoc8lyjf6fldczy61ozgi3n9rr3tipfuzjzqst8fqooi.libp2p.direct] solving challenges: presenting for challenge: no public address found (order=https://acme-v02.api.letsencrypt.org/acme/order/2038430587/320023393197) (ca=https://acme-v02.api.letsencrypt.org/directory)", "attempt": 1, "retrying_in": 60, "elapsed": 9.413219385, "max_duration": 2592000}
2024-11-04T20:46:36.326+0100    INFO    autotls.obtain  certmagic@v0.21.4/config.go:555 obtaining certificate   {"identifier": "*.k51qzi5uqu5dha1xbwsoc8lyjf6fldczy61ozgi3n9rr3tipfuzjzqst8fqooi.libp2p.direct"}

Problem

When behind NAT, we do not delay the initial registration attempt until a publicly dialable address is present. We should avoid ERROR in logs when we know the registration attempt would fail anyway, and delay until it's safe.

Specific problems:
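The gate the report asks for, shown as an added example that is not kubo's or p2p-forge's own code: before asking the ACME client to obtain a certificate, check whether the node currently holds any address with a globally routable IP, and defer the attempt otherwise. The multiaddr parsing here is a deliberately small stdlib-only stand-in for go-multiaddr (it only reads the leading `/ip4/` or `/ip6/` component), `hasPublicAddr` and `shouldAttemptRegistration` are hypothetical names, and the address lists are constructed samples. Addresses such as `/ip4/0.0.0.0/...` from the Swarm config are listen wildcards, not reachable endpoints, so a node that only knows its listen addresses (the NAT case in the logs above) is told to wait rather than produce the "no public address found" ERROR.

```go
package main

import (
	"fmt"
	"net/netip"
	"strings"
)

// ipFromMultiaddr extracts the IP from a multiaddr whose first component is
// /ip4/ or /ip6/. Addresses with another head (/dns4/, /p2p-circuit/, ...)
// return ok=false. Simplified parser for this example, not go-multiaddr.
func ipFromMultiaddr(ma string) (netip.Addr, bool) {
	parts := strings.Split(strings.TrimPrefix(ma, "/"), "/")
	if len(parts) < 2 || (parts[0] != "ip4" && parts[0] != "ip6") {
		return netip.Addr{}, false
	}
	addr, err := netip.ParseAddr(parts[1])
	if err != nil {
		return netip.Addr{}, false
	}
	return addr, true
}

// cgnat is 100.64.0.0/10 (RFC 6598): used by carrier-grade NAT and therefore
// not reachable from the public internet even though netip does not treat
// it as private.
var cgnat = netip.MustParsePrefix("100.64.0.0/10")

// isPublicIP reports whether addr is globally routable: not a wildcard,
// loopback, link-local, multicast, RFC 1918 / ULA private or CGNAT address.
func isPublicIP(addr netip.Addr) bool {
	addr = addr.Unmap() // treat ::ffff:a.b.c.d as the IPv4 address it wraps
	switch {
	case !addr.IsValid(), addr.IsUnspecified(), addr.IsLoopback(),
		addr.IsLinkLocalUnicast(), addr.IsLinkLocalMulticast(),
		addr.IsInterfaceLocalMulticast(), addr.IsMulticast(), addr.IsPrivate():
		return false
	}
	if addr.Is4() && cgnat.Contains(addr) {
		return false
	}
	return true
}

// hasPublicAddr reports whether any address in addrs carries a public IP.
// In a real node addrs would be the host's confirmed/observed addresses,
// not the Swarm listen list, since 0.0.0.0 and :: never qualify.
func hasPublicAddr(addrs []string) bool {
	for _, ma := range addrs {
		if ip, ok := ipFromMultiaddr(ma); ok && isPublicIP(ip) {
			return true
		}
	}
	return false
}

// shouldAttemptRegistration is the gate placed in front of the ACME
// obtain call: attempt now only if a public address exists, otherwise
// return a reason suitable for a DEBUG/INFO log line instead of an ERROR.
func shouldAttemptRegistration(addrs []string) (bool, string) {
	if hasPublicAddr(addrs) {
		return true, "public address present, attempting AutoTLS registration"
	}
	return false, "no publicly dialable address yet (NAT?), deferring AutoTLS registration"
}

func main() {
	// Constructed sample: listen addresses only, as in the Swarm config above.
	natOnly := []string{
		"/ip4/0.0.0.0/tcp/4071",
		"/ip6/::/tcp/4071",
		"/ip4/192.168.1.10/tcp/4071",
		"/ip4/0.0.0.0/udp/4071/quic-v1/webtransport",
	}
	// Constructed sample: same node after an observed public address appears.
	reachable := append(append([]string{}, natOnly...), "/ip4/203.0.113.7/udp/4071/quic-v1")

	for _, addrs := range [][]string{natOnly, reachable} {
		ok, why := shouldAttemptRegistration(addrs)
		fmt.Printf("attempt=%v: %s\n", ok, why)
	}
}
```

Calling the gate again whenever the host's address set changes (an address-update event rather than a fixed timer) keeps the first ACME order and its DNS-01 challenge from being spent while the node is still behind NAT.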

lidel commented 21 hours ago

Minimal check discussed in https://github.com/ipshipyard/p2p-forge/pull/4/commits/5157ed9b6bf68416338384c351b0eace0d80d95e / https://github.com/ipshipyard/p2p-forge/pull/4#discussion_r1828587549