sasa1977 / site_encrypt

Integrated certification via Let's encrypt for Elixir-powered sites
MIT License

error processing order #44

Closed sensiblearts closed 2 years ago

sensiblearts commented 2 years ago

I'm hoping that someone will recognize the problem right away. This is a chronology of what produces the error. Domain is treeteacher.org.

// mix release to remote vm, start phoenix daemon:

10:44:39.111 [info] Generating a temporary self-signed certificate. This certificate will be used until a proper certificate is issued by the CA server.
10:44:39.136 [warning] Description: 'Authenticity is not established by certificate path validation'
     Reason: 'Option {verify, verify_peer} and cacertfile/cacerts is missing'
...
10:44:39.336 [info] Running TreeteacherWeb.Endpoint with cowboy 2.9.0 at 0.0.0.0:4000 (http)
10:44:39.340 [info] Running TreeteacherWeb.Endpoint with cowboy 2.9.0 at 0.0.0.0:443 (https)
10:44:39.342 [info] Access TreeteacherWeb.Endpoint at https://treeteacher.org
10:44:39.934 [info] Ordering a new certificate for domain treeteacher.org (CA acme-v02.api.letsencrypt.org)

///////////////////////

Now, browse https://treeteacher.org/ ... not found, and phoenix logs NOT CHANGED

//////////////////

Now, browse http://IP:4000

Not finding, slowly redirects to treeteacher.org ssl, and logs:

0:47:54.003 [error] Task #PID<0.2766.0> started from #PID<0.2512.0> terminating
** (MatchError) no match of right hand side value: {:error, #SiteEncrypt.Acme.Client.API.Session<https://acme-v02.api.letsencrypt.org/directory>}
    (site_encrypt 0.4.2) lib/site_encrypt/acme/client.ex:74: SiteEncrypt.Acme.Client.process_new_order/3
    (site_encrypt 0.4.2) lib/site_encrypt/acme/client.ex:45: SiteEncrypt.Acme.Client.create_certificate/2
    (site_encrypt 0.4.2) lib/site_encrypt/certification/native.ex:52: SiteEncrypt.Certification.Native.create_certificate/2
    (site_encrypt 0.4.2) lib/site_encrypt/certification/job.ex:15: SiteEncrypt.Certification.Job.certify/1
    (site_encrypt 0.4.2) lib/site_encrypt/certification/job.ex:26: SiteEncrypt.Certification.Job.certify_and_apply/1
    (elixir 1.13.3) lib/task/supervised.ex:89: Task.Supervised.invoke_mfa/2
    (stdlib 3.17) proc_lib.erl:226: :proc_lib.init_p_do_apply/3
Function: #Function<0.109640683/0 in SiteEncrypt.Certification.Job.child_spec/1>
    Args: []
10:47:59.032 [info] Plug.SSL is redirecting GET / to https://treeteacher.org:443 with status 301

// and my endpoint config:

defmodule TreeteacherWeb.Endpoint do
  use Phoenix.Endpoint, otp_app: :treeteacher

  use SiteEncrypt.Phoenix

  plug SiteEncrypt.AcmeChallenge, __MODULE__

  plug Plug.SSL, exclude: [], host: "treeteacher.org:443"

  ...

  def certification do
    SiteEncrypt.configure(
      client: :native,

      domains: ["treeteacher.org", "www.treeteacher.org"],
      emails: ["sensiblearts@gmail.com"],

      db_folder:
        System.get_env("SITE_ENCRYPT_DB", Path.join("tmp", "site_encrypt_db")),

      directory_url:
        case System.get_env("CERT_MODE", "local") do
          "local" -> {:internal, port: 4002}
          "staging" -> "https://acme-staging-v02.api.letsencrypt.org/directory"
          "production" -> "https://acme-v02.api.letsencrypt.org/directory"
        end
    )
  end

  @impl Phoenix.Endpoint
  def init(_key, config) do
    # this will merge key, cert, and chain into `:https` configuration from config.exs
    {:ok,
      config
      |> SiteEncrypt.Phoenix.configure_https(port: 443)
      |> Keyword.merge(
        url: [scheme: "https", host: "treeteacher.org", port: 443],
        http: [port: 4000]
      )}

  end
 ...

Thanks for any tips.

sasa1977 commented 2 years ago

This looks suspiciously similar to #43. Try to update your system packages (it seems like ca-certificates could be enough), and also restart the system for good measure.
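One way to test the suspected cause (the host's CA bundle not validating the ACME endpoint) from a remote iex session attached to the release. This is an added diagnostic, not code from site_encrypt or from this issue; it assumes a Debian/Ubuntu host where the ca-certificates package installs the bundle at /etc/ssl/certs/ca-certificates.crt, and OTP 24 `:ssl` option names.

```elixir
# Added diagnostic (not part of site_encrypt): asks the Erlang/OTP :ssl stack to
# build a trusted chain to the ACME directory host using the system CA bundle,
# exactly as a native ACME client must do before it can place an order.
defmodule AcmeChainCheck do
  # Assumption: Debian/Ubuntu bundle path written by the ca-certificates package.
  @ca_bundle "/etc/ssl/certs/ca-certificates.crt"

  @doc "Returns :ok when the server chain validates, {:error, reason} otherwise."
  def run(host \\ "acme-v02.api.letsencrypt.org", port \\ 443) do
    if File.exists?(@ca_bundle) do
      connect(host, port)
    else
      # No bundle at all: install/update ca-certificates before anything else.
      {:error, {:missing_ca_bundle, @ca_bundle}}
    end
  end

  defp connect(host, port) do
    {:ok, _} = Application.ensure_all_started(:ssl)
    host_cl = String.to_charlist(host)

    opts = [
      verify: :verify_peer,
      cacertfile: String.to_charlist(@ca_bundle),
      depth: 3,
      server_name_indication: host_cl,
      customize_hostname_check: [
        match_fun: :public_key.pkix_verify_hostname_match_fun(:https)
      ]
    ]

    case :ssl.connect(host_cl, port, opts, 10_000) do
      {:ok, socket} ->
        :ssl.close(socket)
        :ok

      # The presented chain leads to no root in the bundle: the typical symptom
      # of a stale ca-certificates package (root rotated, bundle never updated).
      {:error, {:tls_alert, {:unknown_ca, _}} = reason} ->
        {:error, reason}

      {:error, reason} ->
        {:error, reason}
    end
  end
end

# From iex: AcmeChainCheck.run()   # :ok means the bundle can validate the ACME host
```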

sensiblearts commented 2 years ago

Thanks, I stopped my release, ssh'd into the vm, ran apt-get install ca-certificates, and it said I already had the latest, and then sent the daemon command to restart my build, which is how I interpret the thread in #43. :-( No change.

Question 1: When I run this in localhost (WSL2 on Windows), it simulates a call and generates a dummy self-signed cert, so I should get a warning in the browser as I do, "Windows does not have enough information to verify this certificate" -- correct?

Also, I'm wondering if it could be a problem with WSL2. I see a few posts out there about trouble with cert chains in WSL2.

(I am doing mix release build on an AMD laptop on WSL2, Ubuntu 20, and pushing the files to a DigitalOcean AMD server, Ubuntu 20.)

I'm kind of in a hurry so I'll probably just deploy HAProxy in front and come back to this in May when I have time. I have a lot to learn about cert chains etc to debug this.

sensiblearts commented 2 years ago

Actually, per your instructions -- (RTFM, David), I just connected iex remotely and

 SiteEncrypt.force_certify(TreeteacherWeb.Endpoint)
:ok

And it is using the cert, no problem with the chain.

This will get me going and I can just force manual renewal while I debug it.

Thanks for this lib!

sasa1977 commented 2 years ago

> This will get me going and I can just force manual renewal while I debug it.

If the manual certification works, then the automatic one should work too, because it's the same code. Looking at the reported stacktrace, something seems off. I'll analyze this some more later.

> Question 1: When I run this in localhost (WSL2 on Windows), it simulates a call and generates a dummy self-signed cert, so I should get a warning in the browser as I do, "Windows does not have enough information to verify this certificate" -- correct?

Yes.

enkr1 commented 1 year ago

Any update?