mandatoryprogrammer / xsshunter-express

An easy-to-setup version of XSS Hunter. Sets up in five minutes and requires no maintenance!
MIT License

Certificate issuing troubles #16

Closed RaduNico closed 2 years ago

RaduNico commented 2 years ago

On running sudo docker compose up xsshunterexpress I hit the following issue:

[...]
xsshunter-express-xsshunterexpress-1  | changing `configDir` from '/app/greenlock.d' to './greenlock.d'
xsshunter-express-xsshunterexpress-1  | Listening on 0.0.0.0:80 for ACME challenges, and redirecting to HTTPS
xsshunter-express-xsshunterexpress-1  | Listening on 0.0.0.0:443 for secure traffic
xsshunter-express-xsshunterexpress-1  | Ready to Serve:
xsshunter-express-xsshunterexpress-1  |          <domain_name>
xsshunter-express-xsshunterexpress-1  | ACME Directory URL: https://acme-v02.api.letsencrypt.org/directory
xsshunter-express-xsshunterexpress-1  | 
xsshunter-express-xsshunterexpress-1  | By using this software you (<private_email>) are agreeing to the following:
xsshunter-express-xsshunterexpress-1  | ACME Subscriber Agreement: https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf
xsshunter-express-xsshunterexpress-1  | Greenlock/ACME.js Terms of Use: https://rootprojects.org/legal/#terms
xsshunter-express-xsshunterexpress-1  | 
xsshunter-express-xsshunterexpress-1  | set greenlockOptions.notify to override the default logger
xsshunter-express-xsshunterexpress-1  | Error cert_issue:
xsshunter-express-xsshunterexpress-1  | connect ETIMEDOUT <public_ip>:80
xsshunter-express-xsshunterexpress-1  | code: ETIMEDOUT
xsshunter-express-xsshunterexpress-1  | Error: connect ETIMEDOUT <public_ip>:80
xsshunter-express-xsshunterexpress-1  |     at TCPConnectWrap.afterConnect [as oncomplete] (net.js:1144:16)
xsshunter-express-xsshunterexpress-1  | Error cert_issue:
xsshunter-express-xsshunterexpress-1  | connect ETIMEDOUT <public_ip>:80
xsshunter-express-xsshunterexpress-1  | code: ETIMEDOUT
xsshunter-express-xsshunterexpress-1  | Error: connect ETIMEDOUT <public_ip>:80
xsshunter-express-xsshunterexpress-1  |     at TCPConnectWrap.afterConnect [as oncomplete] (net.js:1144:16)
xsshunter-express-xsshunterexpress-1  | Error cert_issue:
xsshunter-express-xsshunterexpress-1  | connect ETIMEDOUT <public_ip>:80
xsshunter-express-xsshunterexpress-1  | code: ETIMEDOUT
xsshunter-express-xsshunterexpress-1  | Error: connect ETIMEDOUT <public_ip>:80
xsshunter-express-xsshunterexpress-1  |     at TCPConnectWrap.afterConnect [as oncomplete] (net.js:1144:16)

It appears the server is created and is listening on ports 80 and 443, but the certificate issuing process fails. Is there a way to manually generate the Let's Encrypt certificate in order to bypass this issue?

RaduNico commented 2 years ago

I managed to solve the issue. In the process of generating a certificate, Greenlock has a sanity check which attempts to access http:// from the machine on which we are setting up xsshunter. Depending on the network setup, it is possible that the machine on the internal network cannot access itself via the public IP.

I solved this by adding an entry in /etc/hosts with '127.0.0.1 my.public.domain' and the certificate was issued with no further problems.
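The failure mode in this thread (the host cannot reach its own public IP on port 80, so the ACME pre-flight times out with ETIMEDOUT) is easy to confirm before touching the hosts file. The script below is an added example and is not part of xsshunter-express or Greenlock; it assumes that Greenlock's self-check is an HTTP fetch of a path under `/.well-known/acme-challenge/` on the public name (a plausible reading of the log above, not something the page states), that `curl` and glibc's `getent` are available, and that the check runs on the host itself. `my.public.domain` and the hosts file path are placeholders. If the self-check actually runs inside the container, the container does not read the host's `/etc/hosts`; Compose's `extra_hosts` key is the equivalent place for the mapping.

```shell
#!/bin/sh
# acme_selfcheck.sh: reproduce the Greenlock-style HTTP-01 self-probe and
# recommend the /etc/hosts override from this thread if it times out.
# Hypothetical diagnostic, not project code.
# Usage: sh acme_selfcheck.sh my.public.domain [/path/to/hosts]

# First IPv4 address the given name resolves to on this machine
# (uses the local resolver, so an /etc/hosts override is honoured).
resolve_name() {
  getent ahostsv4 "$1" 2>/dev/null | awk 'NR == 1 { print $1 }'
}

# Return 0 if HOSTS_FILE already maps NAME to a 127.x loopback address.
# Comment lines are skipped; every alias field on a 127.x line is checked.
hosts_has_loopback() {
  name=$1
  hosts_file=${2:-/etc/hosts}
  awk -v n="$name" '
    $1 ~ /^#/ { next }
    $1 ~ /^127\./ { for (i = 2; i <= NF; i++) if ($i == n) found = 1 }
    END { exit !found }
  ' "$hosts_file"
}

# The override line the original poster added to /etc/hosts.
hosts_override_line() {
  printf '127.0.0.1 %s\n' "$1"
}

# Map a curl exit status to a one-word class (curl's documented codes:
# 6 = could not resolve, 7 = connection refused, 28 = operation timed out).
classify_curl_status() {
  case "$1" in
    0)  echo reachable ;;
    6)  echo dns-failure ;;
    7)  echo refused ;;
    28) echo timeout ;;
    *)  echo "other($1)" ;;
  esac
}

# Fetch an ACME challenge path over plain HTTP the way a pre-flight check
# would (assumption). Only reachability matters, not the response body.
probe_http01() {
  status=0
  curl -s -o /dev/null --max-time 10 \
    "http://$1/.well-known/acme-challenge/selfcheck-probe" || status=$?
  classify_curl_status "$status"
}

main() {
  domain=$1
  hosts_file=${2:-/etc/hosts}
  ip=$(resolve_name "$domain")
  echo "$domain resolves to ${ip:-<nothing>} on this host"
  result=$(probe_http01 "$domain")
  echo "HTTP-01 self-probe over http://$domain: $result"
  case "$result" in
    timeout|refused)
      if hosts_has_loopback "$domain" "$hosts_file"; then
        echo "$hosts_file already maps $domain to loopback; check that port 80 is bound and not firewalled."
      else
        echo "The host cannot reach its own public address (hairpin NAT is the usual cause)."
        echo "Add this line to $hosts_file and rerun the container:"
        hosts_override_line "$domain"
      fi ;;
    dns-failure)
      echo "$domain does not resolve here; fix DNS before retrying ACME." ;;
    reachable)
      echo "Self-check path is reachable; the ACME failure lies elsewhere (check the ACME server's view of port 80)." ;;
  esac
}

if [ "$#" -gt 0 ]; then
  main "$@"
fi
```

The override only changes how the host sees its own name; Let's Encrypt still validates from the outside, so port 80 must remain reachable from the Internet for HTTP-01 to succeed.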