jxskiss / simplessl

On the fly SSL certificate issue and renewal inside OpenResty with Let's Encrypt
MIT License

help needed #1

Closed wanghaisheng closed 4 years ago

wanghaisheng commented 4 years ago

I have 3 docker containers running websites that listen on unix sockets instead of port 80. But after running nginx, I still could not access the https URL in the browser: 522 error.

./ssl-cert-server_0.2.0_linux_amd64 --listen=127.0.0.1:8999 \ --email=techempower@126.com \ --domain="bbs.antivte.com,ytb.antivte.com,cp.antivte.com,antivte.com" \ -force-rsa true

The nginx conf is like this:

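events {
    worker_connections 1024;
}

http {
    include       mime.types;
    default_type  application/octet-stream;

    # Shared memory zone used by resty.ssl-cert-server to cache certificates
    # fetched from the backend cert server.
    lua_shared_dict ssl_certs_cache 1m;

    init_by_lua_block {
        -- Closed set of SNI names this nginx may request certificates for.
        -- Every name accepted by allow_domain() is forwarded to the backend
        -- cert server as an issuance request, so the match must be exact:
        -- an unanchored pattern lets arbitrary client-supplied SNI values
        -- trigger ACME orders and burn Let's Encrypt rate limits.
        local allowed_domains = {
            ["antivte.com"]     = true,
            ["bbs.antivte.com"] = true,
            ["ytb.antivte.com"] = true,
            ["cp.antivte.com"]  = true,
        }

        -- Define a function to determine which SNI domains to automatically
        -- handle and register new certificates for. Defaults to not allowing
        -- any domain, so this must be configured.
        -- Returns true only on an exact, case-insensitive match. The previous
        -- ngx.re.match pattern "(antivte.com|bbs.antivte.com|...)" was
        -- unanchored and used unescaped dots, so names such as
        -- "antivte.com.example.net" or "bbsXantivte.com" were also allowed.
        function allow_domain(domain)
            if type(domain) ~= "string" then
                return false
            end
            return allowed_domains[string.lower(domain)] == true
        end

        -- Initialize backend certificate server instance.
        cert_server = (require "resty.ssl-cert-server").new({
            backend = '127.0.0.1:8999',
            allow_domain = allow_domain
        })
    }

    # HTTPS Server
    server {
        listen 443 ssl;

        # Works also with non-default HTTPS port.
        listen 8443 ssl;

        server_name bbs.antivte.com;  # <-- change this

        # Dynamic handler for issuing or returning certs for SNI domains.
        ssl_certificate_by_lua_block {
            cert_server:ssl_certificate()
        }

        # Fallback certificate required by nginx, self-signed is ok.
        # It is what clients see whenever the handler above could not obtain
        # a real certificate (e.g. the backend answered HTTP 500).
        # openssl req -new -newkey rsa:2048 -days 3650 -nodes -x509 \
        #   -subj '/CN=sni-support-required-for-valid-ssl' \
        #   -keyout /etc/nginx/certs/fallback-self-signed.key \
        #   -out /etc/nginx/certs/fallback-self-signed.crt
        ssl_certificate /etc/nginx/certs/fallback-self-signed.crt;
        ssl_certificate_key /etc/nginx/certs/fallback-self-signed.key;

        location / {
                proxy_pass http://unix:/var/discourse/shared/bbs/nginx.http.sock:;
                proxy_set_header Host $http_host;
                proxy_http_version 1.1;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header X-Forwarded-Proto $scheme;
                proxy_set_header X-Real-IP $remote_addr;
        }
    }

    # HTTP Server
    server {
        listen 80;
        server_name bbs.antivte.com;  # <-- change this

        # Endpoint used for performing domain verification with Let's Encrypt.
        # Must stay reachable over plain HTTP: HTTP-01 validation requests
        # arrive on port 80 and must not be redirected to a server that has
        # no valid certificate yet.
        location /.well-known/acme-challenge/ {
            content_by_lua_block {
                cert_server:challenge_server()
            }
        }

        # Everything else goes to HTTPS. A server-level `return` is executed
        # before location matching and would shadow the challenge location
        # above, so the redirect lives in its own location.
        location / {
            return 301 https://$host$request_uri;
        }
    }

    # HTTPS Server
    server {
        listen 443 ssl;

        # Works also with non-default HTTPS port.
        listen 8443 ssl;

        server_name ytb.antivte.com;  # <-- change this

        # Dynamic handler for issuing or returning certs for SNI domains.
        ssl_certificate_by_lua_block {
            cert_server:ssl_certificate()
        }

        # Fallback certificate required by nginx, self-signed is ok.
        # openssl req -new -newkey rsa:2048 -days 3650 -nodes -x509 \
        #   -subj '/CN=sni-support-required-for-valid-ssl' \
        #   -keyout /etc/nginx/certs/fallback-self-signed.key \
        #   -out /etc/nginx/certs/fallback-self-signed.crt
        ssl_certificate /etc/nginx/certs/fallback-self-signed.crt;
        ssl_certificate_key /etc/nginx/certs/fallback-self-signed.key;

        location / {
                proxy_pass http://unix:/var/discourse/shared/ytb/nginx.http.sock:;
                proxy_set_header Host $http_host;
                proxy_http_version 1.1;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header X-Forwarded-Proto $scheme;
                proxy_set_header X-Real-IP $remote_addr;
        }
    }

    # HTTP Server
    server {
        listen 80;
        server_name ytb.antivte.com;  # <-- change this

        # Endpoint used for performing domain verification with Let's Encrypt.
        # Must stay reachable over plain HTTP (see the bbs server above).
        location /.well-known/acme-challenge/ {
            content_by_lua_block {
                cert_server:challenge_server()
            }
        }

        # Redirect everything else; kept inside a location so it does not
        # shadow the challenge endpoint.
        location / {
            return 301 https://$host$request_uri;
        }
    }

    # HTTPS Server
    server {
        listen 443 ssl;

        # Works also with non-default HTTPS port.
        listen 8443 ssl;

        server_name cp.antivte.com;  # <-- change this

        # Dynamic handler for issuing or returning certs for SNI domains.
        ssl_certificate_by_lua_block {
            cert_server:ssl_certificate()
        }

        # Fallback certificate required by nginx, self-signed is ok.
        # openssl req -new -newkey rsa:2048 -days 3650 -nodes -x509 \
        #   -subj '/CN=sni-support-required-for-valid-ssl' \
        #   -keyout /etc/nginx/certs/fallback-self-signed.key \
        #   -out /etc/nginx/certs/fallback-self-signed.crt
        ssl_certificate /etc/nginx/certs/fallback-self-signed.crt;
        ssl_certificate_key /etc/nginx/certs/fallback-self-signed.key;

        location / {
                proxy_pass http://unix:/var/discourse/shared/cp/nginx.http.sock:;
                proxy_set_header Host $http_host;
                proxy_http_version 1.1;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header X-Forwarded-Proto $scheme;
                proxy_set_header X-Real-IP $remote_addr;
        }
    }

    # HTTP Server
    server {
        listen 80;
        server_name cp.antivte.com;  # <-- change this

        # Endpoint used for performing domain verification with Let's Encrypt.
        # Must stay reachable over plain HTTP (see the bbs server above).
        location /.well-known/acme-challenge/ {
            content_by_lua_block {
                cert_server:challenge_server()
            }
        }

        # Redirect everything else; kept inside a location so it does not
        # shadow the challenge endpoint.
        location / {
            return 301 https://$host$request_uri;
        }
    }
}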
wanghaisheng commented 4 years ago

The backend container socket is ok, as you can see here:

root@docker-s-1vcpu-2gb-sgp1-01:/var/discourse# curl --unix-socket /var/discourse/shared/bbs/nginx.http.sock http:/images/json
<!DOCTYPE html>
<html lang="en-US">
<head>
  <meta charset="utf-8">
  <title>Discourse</title>
  <meta name="description" content="">
  <meta name="generator" content="Discourse 2.4.0.beta9 - https://github.com/discourse/discourse version 86fb08d04a841b1967e2bb5ec879a07dc6210eee">
<link rel="icon" type="image/png" href="http://bbs.antivte.com/uploads/default/optimized/1X/_129430568242d1b7f853bb13ebea28b3f6af4e7_2_32x32.png">
<link rel="apple-touch-icon" type="image/png" href="http://bbs.antivte.com/uploads/default/optimized/1X/_129430568242d1b7f853bb13ebea28b3f6af4e7_2_180x180.png">
<meta name="theme-color" content="#ffffff">
<meta name="viewport" content="width=device-width, initial-scale=1.0, minimum-scale=1.0, user-scalable=yes, viewport-fit=cover">

<script type="application/ld+json">{"@context":"http://schema.org","@type":"WebSite","url":"http://bbs.antivte.com","potentialAction":{"@type":"SearchAction","target":"http://bbs.antivte.com/search?q={search_term_string}","query-input":"required name=search_term_string"}}</script>
<link rel="search" type="application/opensearchdescription+xml" href="http://bbs.antivte.com/opensearch.xml" title="Discourse Search">

    <link href="/stylesheets/desktop_cf66a5b18273cc17f4c0a96847c93ecda0519dc8.css?__ws=bbs.antivte.com" media="all" rel="stylesheet" data-target="desktop" data-theme-id="2"/>

  <link href="/stylesheets/desktop_theme_2_1dbc8b6a9b9bc0ce8633dbac246d040d6b9e3f6d.css?__ws=bbs.antivte.com" media="all" rel="stylesheet" data-target="desktop_theme" data-theme-id="2"/>

  <link href="/stylesheets/discourse-details_cf66a5b18273cc17f4c0a96847c93ecda0519dc8.css?__ws=bbs.antivte.com" media="all" rel="stylesheet" data-target="discourse-details" data-theme-id="2"/>

  <link href="/stylesheets/discourse-local-dates_cf66a5b18273cc17f4c0a96847c93ecda0519dc8.css?__ws=bbs.antivte.com" media="all" rel="stylesheet" data-target="discourse-local-dates" data-theme-id="2"/>
  <link href="/stylesheets/discourse-presence_cf66a5b18273cc17f4c0a96847c93ecda0519dc8.css?__ws=bbs.antivte.com" media="all" rel="stylesheet" data-target="discourse-presence" data-theme-id="2"/>
  <link href="/stylesheets/lazy-yt_cf66a5b18273cc17f4c0a96847c93ecda0519dc8.css?__ws=bbs.antivte.com" media="all" rel="stylesheet" data-target="lazy-yt" data-theme-id="2"/>
  <link href="/stylesheets/poll_cf66a5b18273cc17f4c0a96847c93ecda0519dc8.css?__ws=bbs.antivte.com" media="all" rel="stylesheet" data-target="poll" data-theme-id="2"/>
  <link href="/stylesheets/poll_desktop_cf66a5b18273cc17f4c0a96847c93ecda0519dc8.css?__ws=bbs.antivte.com" media="all" rel="stylesheet" data-target="poll_desktop" data-theme-id="2"/>

</head>
<body >

  <section id='main'>

  <header class="d-header">
    <div class="wrap">
      <div class="contents">
        <div class="header-row">
          <div class="logo-wrapper">
            <a href="/">
                <img src="http://bbs.antivte.com/images/discourse-logo-sketch.png" alt="Discourse" id="site-logo">
            </a>
          </div>
            <div class='auth-buttons'>
                <a href="/signup" class='btn btn-primary btn-small signup-button'>Sign Up</a>
              <a href="/login" class='btn btn-primary btn-small login-button btn-icon-text'><svg class="fa d-icon svg-icon svg-node" aria-hidden="true"><svg id="user" viewBox="0 0 448 512">
    <path d="M224 256c70.7 0 128-57.3 128-128S294.7 0 224 0 96 57.3 96 128s57.3 128 128 128zm89.6 32h-16.7c-22.2 10.2-46.9 16-72.9 16s-50.6-5.8-72.9-16h-16.7C60.2 288 0 348.2 0 422.4V464c0 26.5 21.5 48 48 48h352c26.5 0 48-21.5 48-48v-41.6c0-74.2-60.2-134.4-134.4-134.4z"/>
  </svg></svg>
Log In</a>
            </div>
        </div>
      </div>
    </div>
  </header>

    <div id="main-outlet" class="wrap not-found-container">
      <div class="page-not-found">
  <h1 class="title">Oops! That page doesn’t exist or is private.</h1>

</div>

<div class="row page-not-found-topics">
  <div class="popular-topics">
    <h2 class="popular-topics-title">Popular</h2>
    <a href="/top" class="btn btn-default">More&hellip;</a>
  </div>
  <div class="recent-topics">
    <h2 class="recent-topics-title">Recent</h2>
      <div class='not-found-topic'>
        <a href="/t/welcome-to-discourse/7">Welcome to Discourse</a>
      </div>
    <a href="/latest" class="btn btn-default">More&hellip;</a>
  </div>
</div>

  <div class="row">
    <div class="page-not-found-search">
      <h2>Search this site</h2>
      <p>
        <form action='/search' id='discourse-search'>
          <input type="text" name="q" value="">
          <button class="btn btn-primary">Search</button>
        </form>
      </p>
    </div>
  </div>

  <link rel="preload" href="/assets/onpopstate-handler-09bc9d995084d732c7f6dfaadcd21404e817fc736165b7b893bc2dd040749aae.js" as="script">
<script src="/assets/onpopstate-handler-09bc9d995084d732c7f6dfaadcd21404e817fc736165b7b893bc2dd040749aae.js"></script>

    </div>
  </section>

</body>
</html>
root@dock
wanghaisheng commented 4 years ago

[root@xxx ~]# netstat -lpan | grep :443
nothing is shown

finally

root@docker-s-1vcpu-2gb-sgp1-01:/var/discourse# lsof -iTCP -sTCP:LISTEN -P
COMMAND     PID            USER   FD   TYPE   DEVICE SIZE/OFF NODE NAME
sshd        981            root    3u  IPv4    21114      0t0  TCP *:22 (LISTEN)
sshd        981            root    4u  IPv6    21125      0t0  TCP *:22 (LISTEN)
nginx     19460            root    6u  IPv4 27536672      0t0  TCP *:443 (LISTEN)
nginx     19460            root    7u  IPv6 27536673      0t0  TCP *:80 (LISTEN)
nginx     19460            root    8u  IPv4 27536674      0t0  TCP *:80 (LISTEN)
nginx     19461          nobody    6u  IPv4 27536672      0t0  TCP *:443 (LISTEN)
nginx     19461          nobody    7u  IPv6 27536673      0t0  TCP *:80 (LISTEN)
nginx     19461          nobody    8u  IPv4 27536674      0t0  TCP *:80 (LISTEN)
v2ray     29208            root    3u  IPv6  8935425      0t0  TCP *:46859 (LISTEN)
ssl-cert- 29777            root    3u  IPv4 27268894      0t0  TCP localhost:8999 (LISTEN)
systemd-r 32370 systemd-resolve   13u  IPv4  1523074      0t0  TCP localhost:53 (LISTEN)
root@docker-s-1vcpu-2gb-sgp1-01:/var/discourse# curl -vvv https://128.199.246.56

result

root@docker-s-1vcpu-2gb-sgp1-01:/var/discourse# curl -vvv https://128.199.246.56
* Rebuilt URL to: https://128.199.246.56/
*   Trying 128.199.246.56...
* TCP_NODELAY set
* Connected to 128.199.246.56 (128.199.246.56) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS alert, Server hello (2):
* SSL certificate problem: self signed certificate
* Closing connection 0
curl: (60) SSL certificate problem: self signed certificate
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
wanghaisheng commented 4 years ago

rerun

root@docker-s-1vcpu-2gb-sgp1-01:/var/discourse#  ./ssl-cert-server_0.2.0_linux_amd64  --listen=127.0.0.1:8999 \ --email=techempower@126.com \ --domain="bbs.antivte.com,ytb.antivte.com,cp.antivte.com,antivte.com" \   -force-rsa true
2019/12/25 01:48:28 start server listening on http://127.0.0.1:8999
2019/12/25 01:49:25 failed get certificate: domain= bbs.antivte.com err= 403 urn:acme:error:unauthorized: Account creation on ACMEv1 is disabled. Please upgrade your ACME client to a version that supports ACMEv2 / RFC 8555. See https://community.letsencrypt.org/t/end-of-life-plan-for-acmev1/88430 for details.
[20191224 17:49:25 127.0.0.1:40312] 500 GET /cert/bbs.antivte.com 1.275953137s
2019/12/25 01:49:26 failed get certificate: domain= bbs.antivte.com err= acme/autocert: missing certificate
[20191224 17:49:26 127.0.0.1:40316] 500 GET /cert/bbs.antivte.com 227.582µs
2019/12/25 01:49:26 failed get certificate: domain= bbs.antivte.com err= acme/autocert: missing certificate
[20191224 17:49:26 127.0.0.1:40318] 500 GET /cert/bbs.antivte.com 49.983µs
2019/12/25 01:49:26 failed get certificate: domain= bbs.antivte.com err= acme/autocert: missing certificate
[20191224 17:49:26 127.0.0.1:40320] 500 GET /cert/bbs.antivte.com 233.692µs
2019/12/25 01:49:43 failed get certificate: domain= bbs.antivte.com err= acme/autocert: missing certificate
[20191224 17:49:43 127.0.0.1:40324] 500 GET /cert/bbs.antivte.com 272.612µs
2019/12/25 01:50:24 failed get certificate: domain= bbs.antivte.com err= acme/autocert: missing certificate
[20191224 17:50:24 127.0.0.1:40328] 500 GET /cert/bbs.antivte.com 51.386µs
2019/12/25 01:50:24 failed get certificate: domain= bbs.antivte.com err= acme/autocert: missing certificate
[20191224 17:50:24 127.0.0.1:40330] 500 GET /cert/bbs.antivte.com 49.028µs
2019/12/25 01:50:26 failed get certificate: domain= bbs.antivte.com err= 403 urn:acme:error:unauthorized: Account creation on ACMEv1 is disabled. Please upgrade your ACME client to a version that supports ACMEv2 / RFC 8555. See https://community.letsencrypt.org/t/end-of-life-plan-for-acmev1/88430 for details.
[20191224 17:50:26 127.0.0.1:40334] 500 GET /cert/bbs.antivte.com 234.875032ms
2019/12/25 01:50:27 failed get certificate: domain= bbs.antivte.com err= acme/autocert: missing certificate
[20191224 17:50:27 127.0.0.1:40336] 500 GET /cert/bbs.antivte.com 47.629µs
wanghaisheng commented 4 years ago

latest error.log

root@docker-s-1vcpu-2gb-sgp1-01:/var/discourse# cat logs/error.log 
2019/12/25 13:35:19 [error] 7978#7978: *2 [lua] ssl-cert-server.lua:426: ssl_certificate(): bbs.antivte.com: bad HTTP status 500, context: ssl_certificate_by_lua*, client: 172.69.134.49, server: 0.0.0.0:443
2019/12/25 13:35:19 [error] 7978#7978: *5 [lua] ssl-cert-server.lua:426: ssl_certificate(): bbs.antivte.com: bad HTTP status 500, context: ssl_certificate_by_lua*, client: 172.69.134.49, server: 0.0.0.0:443
2019/12/25 13:35:24 [error] 7978#7978: *8 [lua] ssl-cert-server.lua:426: ssl_certificate(): bbs.antivte.com: bad HTTP status 500, context: ssl_certificate_by_lua*, client: 162.158.166.83, server: 0.0.0.0:443
2019/12/25 13:35:24 [error] 7978#7978: *11 [lua] ssl-cert-server.lua:426: ssl_certificate(): bbs.antivte.com: bad HTTP status 500, context: ssl_certificate_by_lua*, client: 162.158.166.83, server: 0.0.0.0:443
root@docker-
root@docker-s-1vcpu-2gb-sgp1-01:/var/discourse# ./ssl-cert-server_0.2.0_linux_amd64 --listen=127.0.0.1:8999 \ --email=techempower@126.com \ --domain="bbs.antivte.com,ytb.antivte.com,cp.antivte.com,antivte.com" \ -force-rsa true
2019/12/25 13:34:29 start server listening on http://127.0.0.1:8999
2019/12/25 13:35:19 failed get certificate: domain= bbs.antivte.com err= 403 urn:acme:error:unauthorized: Account creation on ACMEv1 is disabled. Please upgrade your ACME client to a version that supports ACMEv2 / RFC 8555. See https://community.letsencrypt.org/t/end-of-life-plan-for-acmev1/88430 for details.
[20191225 05:35:19 127.0.0.1:34640] 500 GET /cert/bbs.antivte.com 1.17951156s
jxskiss commented 4 years ago

Sorry for the late reply. It looks like Let's Encrypt has disabled the v1 API; I will have a look at this some time later.

jxskiss commented 4 years ago

@wanghaisheng hello, I have updated the autocert dependency, which updates the client to support ACMEv2 protocol, the issue should be fixed. If you are still facing the problem, you may try the latest v0.3.0 release ~

wanghaisheng commented 4 years ago

Thank you. In the end I gave up on using this great library.