sintaxi / surge

CLI for the surge.sh CDN
https://surge.sh

Invalid SSL certificate after site published #449

Closed enkiusz closed 3 years ago

enkiusz commented 3 years ago

Hi,

I'm using surge to publish a site with a custom domain https://pop.fsck.pl. Unfortunately, after publishing, the site has an invalid (wildcard) SSL certificate. See below:

$ surge ~/.cache/org-publish/magical-index --domain https://pop.fsck.pl

   Running as acct-surge.sh@fsck.pl (Student)

        project: /Users/maciej.grela/.cache/org-publish/magical-index
         domain: https://pop.fsck.pl
         upload: [====================] 100% eta: 0.0s (173 files, 91309421 bytes)
            CDN: [====================] 100%
             IP: 138.197.235.123

   Success! - Published to pop.fsck.pl

$ curl -v https://pop.fsck.pl
*   Trying 138.197.172.72...
* TCP_NODELAY set
* Connected to pop.fsck.pl (138.197.172.72) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/cert.pem
  CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server did not agree to a protocol
* Server certificate:
*  subject: CN=*.surge.sh
*  start date: Mar 28 00:00:00 2021 GMT
*  expire date: Apr 25 23:59:59 2022 GMT
*  subjectAltName does not match pop.fsck.pl
* SSL: no alternative certificate subject name matches target host name 'pop.fsck.pl'
* Closing connection 0
* TLSv1.2 (OUT), TLS alert, close notify (256):
curl: (60) SSL: no alternative certificate subject name matches target host name 'pop.fsck.pl'
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

As you can see the SSL certificate returned is for a generic domain *.surge.us.

The DNS configuration for my custom domain is as follows:

$ host pop.fsck.pl
pop.fsck.pl is an alias for na-west1.surge.sh.
na-west1.surge.sh has address 138.197.172.72
$ host www.pop.fsck.pl
www.pop.fsck.pl is an alias for na-west1.surge.sh.
na-west1.surge.sh has address 138.197.172.72

I also have a CNAME file:

$ cat CNAME
https://pop.fsck.pl

But I specified the domain separately during deployment as well.

How do I troubleshoot this further?
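An added example (not code from the issue or from the surge project) showing why curl rejected the certificate above: it applies the RFC 6125 wildcard matching a TLS client performs to a constructed getpeercert()-style record for a `*.surge.sh` certificate. The certificate's SAN list is an assumption; the issue only shows its CN.

```python
"""Added example: hostname matching against a certificate's dNSName entries.

Implements the RFC 6125 wildcard rules curl applied when it rejected the
*.surge.sh certificate for pop.fsck.pl. Not part of the surge project.
"""
from typing import Optional


def dnsname_match(pattern: str, hostname: str) -> bool:
    """True if one dNSName entry (possibly a wildcard) covers hostname."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # The wildcard must be the entire left-most label ("*.surge.sh"), not
    # "f*o.surge.sh" or "*.*.sh", and at least two labels must follow it so
    # that "*.sh" cannot claim a whole TLD.
    if p_labels[0] != "*" or "*" in pattern[1:] or len(p_labels) < 3:
        return False
    # One wildcard covers exactly one label: "*.surge.sh" matches
    # "na-west1.surge.sh" but neither "pop.fsck.pl" nor "a.b.surge.sh".
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def cert_covers_host(peercert: dict, hostname: str) -> Optional[str]:
    """Return the SAN entry that covers hostname, or None if none does.

    `peercert` has the shape of ssl.SSLSocket.getpeercert(). Like modern
    curl, only subjectAltName dNSName entries count; the CN is ignored.
    """
    for kind, value in peercert.get("subjectAltName", ()):
        if kind == "DNS" and dnsname_match(value, hostname):
            return value
    return None


# Constructed to mirror the certificate curl reported (CN=*.surge.sh);
# the exact SAN list is an assumption, not taken from the issue.
SURGE_WILDCARD_CERT = {
    "subject": ((("commonName", "*.surge.sh"),),),
    "subjectAltName": (("DNS", "*.surge.sh"), ("DNS", "surge.sh")),
}

if __name__ == "__main__":
    for host in ("pop.fsck.pl", "na-west1.surge.sh", "a.b.surge.sh"):
        print(f"{host}: covered by {cert_covers_host(SURGE_WILDCARD_CERT, host)}")
```

The custom domain is a CNAME to na-west1.surge.sh, which the wildcard does cover, but the client checks the name it was asked for (pop.fsck.pl), not the CNAME target, so the CDN has to present a certificate issued for the custom domain itself.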

sintaxi commented 3 years ago

The preview release of surge has a command for provisioning a cert for custom domains using Let's Encrypt...

1) Install by running surge install -g surge@edge

2) Run surge encrypt pop.fsck.pl

3) You can run surge certs pop.fsck.pl to test the certs for your domain.

This may prompt you to upgrade to the Professional plan.

enkiusz commented 3 years ago

I tried and it indeed prompted me to upgrade to Prof. Unfortunately the pricing is out of my budget for the plain HTML hosting that I require. A different approach will be attempted.