syncloud / platform

Run popular services on your device with one click
https://syncloud.org
GNU General Public License v3.0

Let's encrypt certificate is not working when apps are installed #213

Closed cyberb closed 7 years ago

cyberb commented 7 years ago

App installation breaks Let's encrypt.

It was already fixed and will be released some time after v16.09.

Workaround:

  1. Uninstall all apps
  2. Disable HTTPS
  3. Change this file on device: /opt/app/platform/config/nginx/app.server

```nginx
server {
    listen 80;
    server_name ${app}.*;

    #certbot auth dir
    location /.well-known {
        alias /opt/app/platform/www/public/_site/.well-known;
    }

    location / {
        proxy_set_header X-Forwarded-Proto $$scheme ;
        proxy_set_header X-Forwarded-Host $$http_host ;
        proxy_pass      http://localhost:${port} ;
        proxy_redirect  http://localhost:${port} $$scheme://$$http_host ;
    }
}

server {

    listen 443 ssl;
    server_name ${app}.*;

    add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";

    #certbot auth dir
    location /.well-known {
        alias /opt/app/platform/www/public/_site/.well-known;
    }

    location / {
        proxy_set_header X-Forwarded-Proto $$scheme ;
        proxy_set_header X-Forwarded-Host $$http_host ;
        proxy_pass      http://localhost:${port} ;
        proxy_redirect  http://localhost:${port} $$scheme://$$http_host ;
    }
}
```

  4. Enable HTTPS
  5. Install needed apps

taschenlampe commented 7 years ago

Hi! The workaround seems not to be working here. Not sure where to find the correct logs for this. I suppose that the logs should be related to nginx; all I see is "raspberrypi3 nginx[297]: nginx: [alert] could not open error log file: open() "/nonexistent/path/nginx/logs/error.log" failed". Where should I look for more information? Cheers.

cyberb commented 7 years ago

All the logs are in /opt/data/platform/log

What exactly is not working?

taschenlampe commented 7 years ago

I guess this is the relevant log entry, in platform.log I found this:

```
main.py: error: argument -m/--email: expected one argument
2016-12-17 12:09:18,137 - tls - WARNING - unable to generate real certificate: Command '/opt/app/platform/bin/certbot --logs-dir=/opt/data/platform/log --config-dir=/opt/data/platform/certbot --agree-tos --email certonly --webroot --webroot-path /opt/app/platform/www/public/_site -d blackflag.syncloud.it -d files.blackflag.syncloud.it -d mail.blackflag.syncloud.it -d diaspora.blackflag.syncloud.it -d nextcloud.blackflag.syncloud.it -d owncloud.blackflag.syncloud.it -d sam.blackflag.syncloud.it -d platform.blackflag.syncloud.it ' returned non-zero exit status
```

cyberb commented 7 years ago

Do you have the user_email setting in your /opt/data/platform/user_platform.cfg? It should be under the [redirect] section.

taschenlampe commented 7 years ago

Yes indeed, the missing email address was the troublemaker. Now all is "green", nice! Is there already a better working solution for end users in the pipeline? The email could be entered in that conf.file when the login into the UI is established. Would have saved me a little time. ;-)

cyberb commented 7 years ago

Actually device activation should set this automatically, I will make sure this is working in the next release. https://github.com/syncloud/platform/blob/master/src/syncloud_platform/device.py#L35
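
The failure diagnosed in this thread (certbot invoked with nothing after `--email` because `user_email` was missing from `[redirect]`) can be caught before certbot runs. The sketch below is an added example, not part of the thread and not Syncloud's own code: the function names, the `MissingEmail` exception and the sample config texts are assumptions constructed for illustration, while the paths and certbot flags are the ones shown in the log above.

```python
import configparser

# Paths and flags copied from the certbot command in the platform.log excerpt.
CERTBOT = "/opt/app/platform/bin/certbot"
LOGS_DIR = "/opt/data/platform/log"
CONFIG_DIR = "/opt/data/platform/certbot"
WEBROOT = "/opt/app/platform/www/public/_site"

# Constructed sample contents for user_platform.cfg (not real device data).
FIXED_CFG = "[redirect]\nuser_email = admin@example.org\n"
EMPTY_CFG = "[redirect]\nuser_email =\n"
NO_KEY_CFG = "[redirect]\n"


class MissingEmail(ValueError):
    """[redirect] user_email is absent or blank (hypothetical exception name)."""


def read_user_email(cfg_text):
    """Return [redirect] user_email from the config text, or raise MissingEmail."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(cfg_text)
    # fallback covers both a missing section and a missing option
    email = parser.get("redirect", "user_email", fallback="").strip()
    if not email or "@" not in email:
        raise MissingEmail("user_email is not set under [redirect]")
    return email


def build_certbot_argv(cfg_text, domains):
    """Build the certbot command as an argv list, failing fast on a missing email.

    Passing a list (not a formatted string) to subprocess means an empty or
    odd value can never shift the following arguments.
    """
    email = read_user_email(cfg_text)
    argv = [CERTBOT, "--logs-dir=" + LOGS_DIR, "--config-dir=" + CONFIG_DIR,
            "--agree-tos", "--email", email, "certonly",
            "--webroot", "--webroot-path", WEBROOT]
    for domain in domains:
        argv += ["-d", domain]
    return argv


if __name__ == "__main__":
    print(build_certbot_argv(FIXED_CFG, ["device.example.org"]))
    try:
        build_certbot_argv(EMPTY_CFG, ["device.example.org"])
    except MissingEmail as err:
        print("refusing to run certbot:", err)
```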