tobychui / zoraxy

A general purpose HTTP reverse proxy and forwarding tool. Now written in Go!
https://zoraxy.aroz.org
GNU Affero General Public License v3.0
2.98k stars 182 forks

[BUG] Renewal of wildcard cert #249

Closed chatainsim closed 3 months ago

chatainsim commented 3 months ago

Describe the bug: Trying to renew a wildcard certificate.

To Reproduce: Steps to reproduce the behavior:

  1. Go to TLS / SSL Certificates

  2. Click on the arrow to renew a wildcard certificate

  3. Error happens:

    Acme: error: 400 :: POST :: https://acme-v02.api.letsencrypt.org/acme/new-order :: urn:ietf:params:acme:error:rejectedIdentifier :: Invalid identifiers requested :: Cannot issue for "_.xxxxxx.fr": Domain name contains an invalid character


Expected behavior: Renewal of wildcard certificate

Host Environment (please complete the following information):

Additional context: I've created the wildcard using *.xxxxx.fr and it got changed to _. Using DNS challenge with Infomaniak. Same thing happens with DNS challenge with OVH.

Are there any log files for ACME cert errors?

tobychui commented 3 months ago

@chatainsim The certificate is indeed issued for *.xxxx.fr. But since most file systems do not allow storing filenames containing *, the contributor who designed and implemented the DNS challenge support decided to replace _ with * when displaying on the UI.

https://github.com/tobychui/zoraxy/pull/144

I will see if I can reproduce this later.

tobychui commented 3 months ago

This seems like just a front-end problem. Can you try replacing the renewCertificate function in cert.html using the developer tools?

function renewCertificate(domain, dns, btn=undefined){
    let defaultCA = $("#defaultCA").dropdown("get value");
    if (defaultCA.trim() == ""){
        defaultCA = "Let's Encrypt";
    }
    //Get a new cert using ACME
    msgbox("Requesting certificate via " + defaultCA  +"...");

    //Request ACME for certificate
    if (btn != undefined){
        $(btn).addClass('disabled');
        $(btn).html(`<i class="ui loading spinner icon"></i>`);
    }

    //New fixes for _ replacement: the stored/displayed name uses "_."
    //because "*" is not allowed in filenames; restore "*." before ordering
    if (domain.includes("_.")){
        domain = domain.replace("_.","*.");
    }

    obtainCertificate(domain, dns, defaultCA.trim(), function(succ){
        if (btn != undefined){
            $(btn).removeClass('disabled');
            if (succ){
                $(btn).html(`<i class="ui green check icon"></i>`);
            }else{
                $(btn).html(`<i class="ui red times icon"></i>`);
            }

            setTimeout(function(){
                initManagedDomainCertificateList();
            }, 3000);
        }
    });
}

This should replace the _. in the filename with *. before passing it into the obtainCertificate function (which I just use as a black box).
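The mapping discussed above, written out as an added example (not Zoraxy's own code): a round trip between the ACME wildcard identifier and the filesystem-safe name, plus a validity check so a storage-mangled name such as `_.example.fr` is never sent in a new-order request. The helper names and the sample domains are constructed for illustration.

```javascript
// Added example, not part of the Zoraxy project. Demonstrates the
// "*." <-> "_." mapping and a guard that rejects identifiers a CA
// would refuse (e.g. labels containing "_").

const WILDCARD_PREFIX = "*.";
const STORED_PREFIX = "_.";

// ACME identifier -> name that is safe to use as a filename / UI label.
function toStoredName(domain) {
  return domain.startsWith(WILDCARD_PREFIX)
    ? STORED_PREFIX + domain.slice(WILDCARD_PREFIX.length)
    : domain;
}

// Reverse of toStoredName. Only a *leading* "_." is a wildcard marker;
// an underscore anywhere else is left alone and fails validation below.
function toAcmeIdentifier(storedName) {
  return storedName.startsWith(STORED_PREFIX)
    ? WILDCARD_PREFIX + storedName.slice(STORED_PREFIX.length)
    : storedName;
}

// Hostname label rule: letters, digits and hyphens only, no leading or
// trailing hyphen, at most 63 characters. Underscores are rejected, which
// is exactly why Let's Encrypt answered "invalid character" in the report.
const LABEL = /^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$/i;

function isValidAcmeIdentifier(domain) {
  let name = domain;
  if (name.startsWith(WILDCARD_PREFIX)) name = name.slice(WILDCARD_PREFIX.length);
  const labels = name.split(".");
  if (labels.length < 2) return false; // bare label / "*.<tld>" is not issuable
  return labels.every((l) => LABEL.test(l));
}

// What a renewal button handler should do before calling the ACME client:
// undo the storage substitution, then refuse anything still invalid.
function prepareRenewal(storedName) {
  const identifier = toAcmeIdentifier(storedName);
  if (!isValidAcmeIdentifier(identifier)) {
    return { ok: false, error: `refusing to order for "${identifier}"` };
  }
  return { ok: true, identifier };
}
```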

chatainsim commented 3 months ago

I haven't found this function, but I've changed this: (screenshot) to: (screenshot), and it worked!

chatainsim commented 3 months ago

Tested with another wildcard for another domain and it worked too.

tobychui commented 3 months ago

So cool that you figured it out! That is why I love to use vanilla tech if possible when working with open source projects :D (If the UI is React or Vue compiled, this probably can't be debugged by contributors.)

Anyway, I have updated the code on the v3.1.0 branch; this should be patched in the next release.

chatainsim commented 3 months ago

Thank you @tobychui And thanks for this great project :1st_place_medal: