natemcmaster / LettuceEncrypt

Free, automatic HTTPS certificate generation for ASP.NET Core web apps
https://nuget.org/packages/LettuceEncrypt
Apache License 2.0
1.55k stars 152 forks

Wildcard certificates are not handled properly #285

Closed ante-maric closed 3 months ago

ante-maric commented 10 months ago

Describe the bug
If DomainNames in options contain a wildcard, subdomains are not handled and the SSL/TLS handshake fails.

To Reproduce
Steps to reproduce the behavior:

  1. Use version 1.3 of the library with YARP 2.0
  2. Add "some.domain.com" and "*.some.domain.com" to DomainNames of LettuceEncryptOptions
  3. After the certificate is created correctly, try to access any subdomain of some.domain.com
  4. The SSL/TLS handshake will fail

Expected behavior
If I have a wildcard domain (*.some.domain.com), CertificateSelector.Select should select the correct certificate for all subdomains (web.some.domain.com, home.some.domain.com, ...).

Additional context
The only workaround I have is setting my certificate as FallbackCertificate, which I would argue is not really a proper solution.

natemcmaster commented 9 months ago

Did you implement DNS validation? https://github.com/natemcmaster/LettuceEncrypt#when-using-dns-01

ante-maric commented 9 months ago

> Did you implement DNS validation? https://github.com/natemcmaster/LettuceEncrypt#when-using-dns-01

Yes, I did. Otherwise certificate would not have been created.

SSzretter commented 7 months ago

Is there a working example on how to implement the IDnsChallengeProvider and replace the NoOpDnsChallengeProvider ?

natemcmaster commented 6 months ago

The DNS challenge support was implemented by another contributor, so I didn't test it myself, but I found this example on GitHub:

https://github.com/IronWatch/IronNAC/blob/543b4ec803467e92921c1608d1c772b48052933e/src/CaptivePortal/Daemons/WebDaemon.cs#L87-L91

andywu188 commented 6 months ago


The reason for this bug is here: LettuceEncrypt.Internal.CertificateSelector

1. https://github.com/natemcmaster/LettuceEncrypt/blob/ba32cda0372ed6327126e2d1520d9c4c96d357e2/src/LettuceEncrypt/Internal/CertificateSelector.cs#L105-L108

[TryGetValue] fails to find the wildcard domain name.

The following is the improvement code:

[screenshot of the improvement code not reproduced]

2. https://github.com/natemcmaster/LettuceEncrypt/blob/ba32cda0372ed6327126e2d1520d9c4c96d357e2/src/LettuceEncrypt/Internal/CertificateSelector.cs#L87

   public bool HasCertForDomain(string domainName) => _certs.ContainsKey(domainName);

[ContainsKey] fails to find the wildcard domain name.

The following is the improvement code:

[screenshot of the improvement code not reproduced]

3. https://github.com/natemcmaster/LettuceEncrypt/blob/ba32cda0372ed6327126e2d1520d9c4c96d357e2/src/LettuceEncrypt/Internal/CertificateSelector.cs#L118-L121

[TryGet] fails to find the wildcard domain name.

The following is the improvement code:

[screenshot of the improvement code not reproduced]

appsettings.json

```json
"LettuceEncrypt": {
  "AcceptTermsOfService": true,
  "AllowedChallengeTypes": "Dns01",
  "EmailAddress": "xxxx@xxxx.com",
  "RenewDaysInAdvance": "7.00:00:00",
  "DomainNames": [
    "*.mydomain.com" // this is a wildcard domain
  ]
}
```
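As an added illustration (this is not LettuceEncrypt's own code, and the class, method and certificate names are assumptions), the following C# shows the failure mode described above: a dictionary keyed by the literal SNI host name can only find an entry for "web.some.domain.com" if that exact string was stored, so a certificate registered under "*.some.domain.com" is never selected. It then shows a lookup that tries the exact name first and falls back to the single-label wildcard form of the name.

```csharp
// Added example, not code from the LettuceEncrypt project.
// WildcardAwareCertificateSelector and the string "certificates" are assumptions
// standing in for the real selector and X509Certificate2 instances.
using System;
using System.Collections.Generic;

public sealed class WildcardAwareCertificateSelector
{
    // Keys are the names certificates were issued for, e.g. "some.domain.com"
    // or "*.some.domain.com". Host names are case-insensitive, so compare that way.
    private readonly Dictionary<string, string> _certs =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase);

    public void Add(string domainName, string certificate) => _certs[domainName] = certificate;

    // Exact match first, then a single-label wildcard on the parent domain.
    // Per RFC 6125 section 6.4.3, "*.some.domain.com" matches "web.some.domain.com"
    // but neither "some.domain.com" itself nor "a.b.some.domain.com".
    public bool TryGet(string hostName, out string certificate)
    {
        certificate = null;
        if (string.IsNullOrEmpty(hostName)) return false;

        // A client-supplied SNI name must never itself contain a wildcard;
        // otherwise it could pull the wildcard certificate out by its key.
        if (hostName.IndexOf('*') >= 0) return false;

        // This is the lookup the original selector stops at.
        if (_certs.TryGetValue(hostName, out certificate)) return true;

        // Replace exactly the leftmost label with "*" and look that up.
        int dot = hostName.IndexOf('.');
        if (dot <= 0 || dot == hostName.Length - 1) return false;
        string wildcardName = "*" + hostName.Substring(dot);
        return _certs.TryGetValue(wildcardName, out certificate);
    }

    public bool HasCertForDomain(string hostName) => TryGet(hostName, out _);
}

public static class Program
{
    public static void Main()
    {
        var selector = new WildcardAwareCertificateSelector();
        // Constructed sample data: a certificate for the apex name and one wildcard.
        selector.Add("some.domain.com", "cert-apex");
        selector.Add("*.some.domain.com", "cert-wildcard");

        string[] hosts =
        {
            "some.domain.com",      // exact match wins: cert-apex
            "web.some.domain.com",  // one label under the wildcard: cert-wildcard
            "a.b.some.domain.com",  // two labels deep: no certificate
            "domain.com",           // parent of the wildcard: no certificate
            "*.some.domain.com",    // wildcard in SNI: rejected
        };

        foreach (string host in hosts)
        {
            Console.WriteLine(selector.TryGet(host, out string cert)
                ? $"{host} -> {cert}"
                : $"{host} -> no certificate (handshake would fail)");
        }
    }
}
```

Two points matter for anyone patching the selector along these lines. The wildcard must match exactly one label: a suffix match ("ends with .some.domain.com") would hand the wildcard certificate to names it was never issued for, which a client will reject and which is also the wrong thing to do. And the exact-name lookup has to run before the wildcard lookup, so that a certificate issued specifically for a name is preferred over the broader wildcard when both are present.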

andywu188 commented 5 months ago

I developed an Alibaba Cloud DNS verification project for this feature and it has been verified to be successful

https://github.com/andywu188/LettuceEncrypt.Dns.Ali

natemcmaster commented 3 months ago

Thanks @andywu188. I've merged your PR and uploaded https://www.nuget.org/packages/LettuceEncrypt/1.3.2-beta.292

Can you help me test and validate this fix works?

andywu188 commented 3 months ago

> Thanks @andywu188. I've merged your PR and uploaded https://www.nuget.org/packages/LettuceEncrypt/1.3.2-beta.292
>
> Can you help me test and validate this fix works?

OK, I will check it out as soon as possible.

andywu188 commented 3 months ago

[screenshots of the test results not reproduced]

Very good, no error.

natemcmaster commented 3 months ago

Thank you for the fix and testing!