snsinfu / reverse-tunnel

Reverse tunnel TCP and UDP
MIT License

LetsEncrypt Error #26

Open Cossey opened 2 years ago

Cossey commented 2 years ago

I'm trying to secure communications with LetsEncrypt, but I get this when attempting it on my server:

echo: http: TLS handshake error from <redacted>:46727: Get "https://acme-v02.api.letsencrypt.org/directory": x509: certificate signed by unknown authority
echo: http: TLS handshake error from <redacted>:46725: acme/autocert: missing certificate

How would I go about resolving this issue?

Cossey commented 1 year ago

I figured out a workaround. It seems like the Go docker image that is built does not like the ISRG Root X1 certificate authority. In September 2021 the Let's Encrypt CA changed to this as mentioned in this article.

You will need to expose the ISRG Root X1 certificate to the docker container, then use the SSL_CERT_FILE environment variable (which go uses) to point to the certificate inside the container. This must be done on both the client and server.

In the example below, the certificate is stored on the host at /opt/certs/ISRGRootX1.pem. You can use Chrome or some other browser to export the root certificate to a file.

Server Example:

services:
  rtun:
    image: snsinfu/rtun-server
    restart: always
    ports:
      - "443:443"
      - "1234:1234"
    volumes:
      - "/opt/certs:/certs:ro"
    environment:
      RTUN_PORT: 443
      RTUN_TLS: <domain here>
      RTUN_AGENT: 1234/tcp @ <key here>
      SSL_CERT_FILE: /certs/ISRGRootX1.pem

Client Example:

services:
  rtun:
    image: snsinfu/rtun
    network_mode: host
    restart: always
    volumes:
      - "/opt/certs:/certs:ro"
    environment:
      RTUN_GATEWAY: wss://<domain>
      RTUN_KEY: <key>
      RTUN_FORWARD: 1234/tcp:localhost:6969
      SSL_CERT_FILE: /certs/ISRGRootX1.pem

When I have some time, I will update my fork to include a fix for this without the workaround.
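An added illustration of what is failing (this is not code from the issue or from the rtun project): Go's TLS client chains the server's certificate to a root in its trust store. The program below constructs a throwaway root and leaf as stand-ins for ISRG Root X1 and the ACME directory's certificate (constructed demo data, not the real certificates) and verifies the leaf first against an empty pool, which reproduces the "certificate signed by unknown authority" error, then against a pool that includes the root, which is what pointing SSL_CERT_FILE at the exported certificate gives the binary.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// must unwraps a (value, error) pair, panicking on error; fine for a demo.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// makeChain builds a throwaway root CA and a leaf it signs. Both are constructed
// stand-ins for ISRG Root X1 and the ACME directory's certificate, not the real ones.
func makeChain() (root, leaf *x509.Certificate) {
	now := time.Now()
	rootKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	leafKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	rootTpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Constructed Root (demo)"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	rootDER := must(x509.CreateCertificate(rand.Reader, rootTpl, rootTpl, &rootKey.PublicKey, rootKey))
	root = must(x509.ParseCertificate(rootDER))
	leafTpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), DNSNames: []string{"acme-v02.api.letsencrypt.org"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leafDER := must(x509.CreateCertificate(rand.Reader, leafTpl, root, &leafKey.PublicKey, rootKey))
	leaf = must(x509.ParseCertificate(leafDER))
	return root, leaf
}

// verifyWithRoots does what Go's TLS client does on every handshake: chain the server
// certificate to a root in the pool. An empty pool models an image shipping no CA
// bundle; a pool containing the root is what SSL_CERT_FILE supplies.
func verifyWithRoots(leaf *x509.Certificate, roots *x509.CertPool) error {
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: "acme-v02.api.letsencrypt.org", Roots: roots})
	return err
}
```

The same check can be pointed at a real chain by loading the exported ISRGRootX1.pem into the pool with `AppendCertsFromPEM` and verifying the certificate presented by the ACME endpoint.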

ttschnz commented 1 year ago

One thing I thought about was using nginx to proxy and "upgrade" the connection from ws to wss.

In docker-compose.yaml add the service:

  rtun-proxy:
    image: nginx:alpine
    restart: unless-stopped
    volumes:
      - ./rtun-proxy/nginx.conf:/etc/nginx/nginx.conf:ro

with the nginx.conf containing this:

events {}

http {
    server {
        listen       3000;
        server_name  localhost;

        location / {
            # Upstream is TLS. Note that nginx does not validate the upstream
            # certificate unless proxy_ssl_verify is enabled.
            proxy_pass https://rtun.example.com;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection $http_connection;
        }
    }
}

Then you can connect rtun to the proxy RTUN_GATEWAY: ws://rtun-proxy without encryption and then the proxy encrypts the outgoing traffic:

|-------Client-------|               |---Server-|
| rtun --ws--> proxy |   --wss-->    | -->rtun  |

Cossey commented 1 year ago

The more options the better. I'll keep this issue open so others facing this problem know what is going on; this project seems like it's no longer maintained; a shame as this works really well in my use cases.