Could not look up a certificate for server name 'domain' #774

Open
newdev8 opened this issue Jul 13, 2022 · 11 comments


newdev8 commented Jul 13, 2022

I just installed sozu and setup my config as follows:

[[listeners]]
address = "0.0.0.0:443"
protocol = "https"
tls_versions = ["TLSv1.2", "TLSv1.3"]
cipher_list = "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256"

[applications]

[applications.AppName]
protocol = "http"
https_redirect = true

frontends = [
  { address = "127.0.0.1:1444", hostname = "domain", certificate = "/etc/domain/cert.pem", key = "/etc/domain/key.pem", certificate_chain = "/etc/cloudflare/chain.pem" }
]

backends  = [
  { address = "127.0.0.1:444" }
]

But when I access my domain from the browser I get the following error:

could not look up a certificate for server name 'domain'
Sending fatal alert AccessDenied
could not perform handshake: General("no server certificate chain resolved")
@FlorentinDUBOIS
Collaborator

Hello,

We have made some improvements to the certificate part on the branch 0.14. Could you test using this version?

I will try to reproduce your issue on the main branch as well.


newdev8 commented Jul 13, 2022

Hey, after trying branch 0.14 I am still getting the same error.
Maybe it's me doing something wrong.
I am running an actix server on port 444 with the same SSL certificate/key as the one used in my sozu configuration file.

@FlorentinDUBOIS
Collaborator

Thank you! Sounds interesting, I will take a look at it.

@FlorentinDUBOIS FlorentinDUBOIS self-assigned this Jul 13, 2022
@FlorentinDUBOIS FlorentinDUBOIS added this to the v0.15.0 milestone Jul 13, 2022
@PlainBane

Hello,
The issue is lib/src/router/trie.rs ~162
pub fn lookup(&self, partial_key: &[u8], accept_wildcard: bool)
The domain lookup by key fails sometimes. It doesn't seem to handle subdomains correctly. It depends on what it has on the domains list and what key it is looking for. I can't test it with domain wildcards, so I can't fix it. I made a quick and dirty work-around in my code and it works fine.


ToBinio commented May 31, 2023

Hello,
just wanted to ask if there is any progress on this issue?

and btw thanks for the excellent work on this project

@FlorentinDUBOIS FlorentinDUBOIS modified the milestones: v0.15.0, v0.16.0 Jun 23, 2023
@justinkb

still happening on 0.15.3 - makes the program unusable. no rhyme or reason to it either, seems to happen randomly to different clusters upon restarting the daemon

@justinkb

so, the issue is in the CertificateResolver in tls.rs. If I have a wildcard certificate for *.domain.tld, and I have, say, three defined clusters with a domain.tld subdomain frontend each, for example a.domain.tld, b.domain.tld and c.domain.tld, add_certificate will not end up associating two of the three domain names with that certificate (randomly at startup, based on whichever thread ends up calling the function first) because the add_certificate function bails out once it finds the already present fingerprint of the wildcard certificate...

        // We do not need to update the entry, if the certificate is already registered
        if self.get_certificate(&fingerprint).is_some() {
            return Ok(fingerprint);
        }

This makes domain_lookup fail for those frontends. I have no clue how this design issue has gone unnoticed so far, seems like some test should have caught it

@justinkb

removing that code snippet above fixes the issue and doesn't break any test. seems like it was just faulty logic that has been present since that bit of code was rewritten in a7952a1
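As an added illustration (this is not Sōzu's code), the Rust model below reproduces the two behaviours discussed in the comments above: the early return in add_certificate that justinkb quotes, which skips indexing the hostnames of any later frontend that reuses an already-registered certificate, and a one-label wildcard lookup of the kind PlainBane's accept_wildcard parameter suggests. The names Resolver, add_certificate_buggy, add_certificate_fixed, domain_lookup, the FNV-based fingerprint helper and the placeholder PEM strings are all assumptions made for this example.

```rust
use std::collections::HashMap;

// Hypothetical, simplified certificate resolver (not Sōzu's tls.rs):
// certificates are stored by fingerprint, and an index maps each
// server name (SNI) to the fingerprint that should serve it.
type Fingerprint = Vec<u8>;

#[derive(Clone, Debug, PartialEq)]
pub struct Cert {
    pub pem: String,
}

#[derive(Default)]
pub struct Resolver {
    certs: HashMap<Fingerprint, Cert>,
    by_name: HashMap<String, Fingerprint>,
}

// Toy fingerprint: FNV-1a over the PEM text. A real resolver would
// hash the DER encoding (e.g. SHA-256); this only needs to be stable.
fn fingerprint(pem: &str) -> Fingerprint {
    let mut h: u64 = 0xcbf2_9ce4_8422_2325;
    for b in pem.bytes() {
        h ^= b as u64;
        h = h.wrapping_mul(0x0000_0100_0000_01b3);
    }
    h.to_be_bytes().to_vec()
}

impl Resolver {
    pub fn get_certificate(&self, fp: &Fingerprint) -> Option<&Cert> {
        self.certs.get(fp)
    }

    /// Buggy variant: returns as soon as the fingerprint is already known,
    /// so the `names` of every later frontend sharing this cert are never
    /// indexed and their lookups fail (the behaviour reported in the thread).
    pub fn add_certificate_buggy(&mut self, cert: &Cert, names: &[&str]) -> Fingerprint {
        let fp = fingerprint(&cert.pem);
        if self.get_certificate(&fp).is_some() {
            return fp;
        }
        self.certs.insert(fp.clone(), cert.clone());
        for n in names {
            self.by_name.insert((*n).to_string(), fp.clone());
        }
        fp
    }

    /// Fixed variant: the certificate itself is stored once, but the
    /// name index is always updated, whether or not the cert was known.
    pub fn add_certificate_fixed(&mut self, cert: &Cert, names: &[&str]) -> Fingerprint {
        let fp = fingerprint(&cert.pem);
        self.certs.entry(fp.clone()).or_insert_with(|| cert.clone());
        for n in names {
            self.by_name.insert((*n).to_string(), fp.clone());
        }
        fp
    }

    /// SNI lookup: exact match first; with `accept_wildcard`, also try the
    /// single-label wildcard `*.parent` (RFC 6125 style: one label only).
    pub fn domain_lookup(&self, server_name: &str, accept_wildcard: bool) -> Option<&Cert> {
        if let Some(fp) = self.by_name.get(server_name) {
            return self.get_certificate(fp);
        }
        if accept_wildcard {
            if let Some((_, parent)) = server_name.split_once('.') {
                let wildcard = format!("*.{}", parent);
                if let Some(fp) = self.by_name.get(&wildcard) {
                    return self.get_certificate(fp);
                }
            }
        }
        None
    }
}

/// Reproduces the thread's scenario: one wildcard certificate, three
/// frontends (a/b/c.domain.tld), each registering the same cert.
/// Returns whether each hostname resolves afterwards.
pub fn register_three_frontends(buggy: bool) -> Vec<bool> {
    let mut r = Resolver::default();
    // Constructed placeholder standing in for a real *.domain.tld PEM.
    let cert = Cert { pem: "-----BEGIN CERTIFICATE-----\nWILDCARD domain.tld\n-----END CERTIFICATE-----".to_string() };
    let hosts = ["a.domain.tld", "b.domain.tld", "c.domain.tld"];
    for &h in hosts.iter() {
        if buggy {
            r.add_certificate_buggy(&cert, &[h]);
        } else {
            r.add_certificate_fixed(&cert, &[h]);
        }
    }
    hosts.iter().map(|h| r.domain_lookup(*h, true).is_some()).collect()
}

fn main() {
    println!("buggy: {:?}", register_three_frontends(true));
    println!("fixed: {:?}", register_three_frontends(false));
}
```

With the buggy variant only the first frontend registered resolves; since real startup registers frontends from several threads, which hostname that is varies from run to run, which matches the "randomly to different clusters" observation above. The fixed variant resolves all three.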

Keksoj (Contributor) commented Sep 11, 2023

Hello to you all and thanks for the precise reporting.
As of today's 0.15.3 version of Sōzu, removing this code doesn't seem to affect the tests. I pushed a branch and opened this pull request: #988

However, the best thing would be to add an e2e test. What do you think @Wonshtrum ?

@justinkb

justinkb commented Sep 11, 2023 via email

Keksoj (Contributor) commented Sep 13, 2023

We merged the #988 pull request that removes this code snippet. It would be great for you people to test that Sōzu's behaviour works for you with subdomain certificates.

About the CLI behaviour, it would be awesome if you created a new issue with the issued commands and related bugs. I am responsible for the CLI rework.
