2 domains 2 yunohost 1 IP 1 redirect_

Hello !!

My YunoHost server

Hardware: Old computer
YunoHost version: 3.7.1.3
I have access to my server : Through SSH | through the webadmin | direct access via keyboard / screen | …

Description of my issue

Hello all,

I think I have a redirection problem related to the use of the redirect app.

I have two domains and two computers with yunohost.

My domain1 is associated with the ip of my router, which sends everything (http/https/…) to server01 which is associated with domain1.
Everything works very well.

My domain2 is also associated with the IP of my router, which stupidly sends all the traffic to server01.

In my server01, I added domain2 with a self-signed certificate. I installed the redirect app and made a redirection “Invisible Proxy, Everybody” to the local IP of my server02.

On my pc, which is on the same LAN, I added in the /etc/hosts file, the IP of server02 and its DNS name.

From outside or locally, I can go to the Yunohost homepage of server02 from its FQDN.

But, if I want to go to the admin interface, I always fall on server01’s one, and the let’s encrypt certification doesn’t pass.
I’m getting an error message on the challenge.

Erreur : Challenge did not pass for domaine02: {u'status': u'invalid', u'challenges': 
[{u'status': u'invalid', u'validationRecord': 
 [{u'url': u'http://domaine02/.well-known/acme-challenge/piZD0F5BD0RrCUV8qM7jKDu7TKr9Vd7fj-L77KUxfu8', 
 u'hostname': u'domaine02', 
 u'addressUsed': u'MON_IP_EXTERNE', 
 u'port': u'80', 
 u'addressesResolved': [u'MON6IP6EXTERNE']}], 
 u'url': u'https://acme-v02.api.letsencrypt.org/acme/chall-v3/4620174300/8E7ylA', 
 u'token': u'piZD0F5BD0RrCUV8qM7jKDu7TKr9Vd7fj-L77KUxfu8', 
 u'error': {
  u'status': 403, 
  u'type': u'urn:ietf:params:acme:error:unauthorized', 
  u'detail':  u'Invalid response from http://domaine02/.well-known/acme-challenge/piZD0F5BD0RrCUV8qM7jKDu7TKr9Vd7fj-L77KUxfu8 [MON_IP_EXTERNE]: "<html>\\r\\n<head><title>404 Not Found</title></head>\\r\\n<body bgcolor=\\"white\\">\\r\\n<center><h1>404 Not Found</h1></center>\\r\\n<hr><center>"'
  }, 
u'type': u'http-01'}], 
u'identifier': {u'type': u'dns', u'value': u'domaine02'}, 
u'expires': u'2020-05-23T13:36:40Z'}

When I look at the logs of my two servers, it is on server01 that the file http://domaine02/.well-known/acme-challenge/piZD0F5BD0RrCUV8qM7jKDu7TKr9Vd7fj-L77KUxfu8 is searched for.

Is there any more redirection to be made in Nginx?

Thank you for reading me !!

Cyril

Translated with www.DeepL.com/Translator (free version)


Yes, certificate management for reverse proxies is a mess …

I didn’t look at all the details but typically :

  • The acme challenge (which is how let’s encrypt agrees to deliver a certificate) happens on HTTP (port 80)
  • In the general case Yunohost redirects all HTTP requests to HTTPS
  • … except for a few of them, like .well-known/acme-challenge

So what happens here is that it’s your server01 answering the request made to domain2/.well-known/acme-challenge

Also I’m not sure why you didn’t encounter the 2nd typical issue about reverse proxies, which is:

  • Reverse proxies are typically doing a proxy_pass to http (so the forward from server 1 to 2 happens on http) but your server 2 will then try to redirect to https … which will also go through the reverse proxy and still be in http, so it’ll try to redirect to https … and so on. The ugly fix is to disable the automatic redirection to https in server 2 …

Anyway, back to the issue about certificate:

  • it’s not clear from your post if you’re trying to install the certificate from server 1 or server 2 … Naively I think it should work to let server 1 handle the certificate for domain 2 (since anyway the reverse proxy happens on HTTP)

The “real clean way” to configure such a “full-domain” reverse proxy is probably to use forwarding based on the SNI which should simplify a lot of things, but it should be tested and integrated in redirect_ynh

(Hopefully this answer is not too confusing…)
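
An added configuration example (not from this thread and not part of redirect_ynh) of the two points above: handing the HTTP-01 challenge for domain2 to server02 on port 80, and forwarding HTTPS by SNI without terminating TLS on server01. It assumes nginx on server01 is built with the stream and ssl_preread modules, that server01's own HTTPS vhosts are moved to 127.0.0.1:8443 so that port 443 is free for the stream listener, and the constructed names domain2.example and 192.168.1.20 for server02.

```nginx
# Top level of nginx.conf on server01, next to the http block (added example).
# Assumptions: server02 is 192.168.1.20 on the LAN, domain2.example is domain2,
# and server01's own "listen 443 ssl" vhosts now use "listen 127.0.0.1:8443 ssl".

stream {
    # Peek at the TLS ClientHello to read the SNI, then pick a backend.
    # TLS is not terminated here, so server02 keeps its own certificate.
    map $ssl_preread_server_name $tls_backend {
        domain2.example     192.168.1.20:443;   # pass domain2 through to server02
        default             127.0.0.1:8443;     # server01's own vhosts (domain1)
    }

    server {
        listen 443;
        ssl_preread on;
        proxy_pass $tls_backend;
    }
}

http {
    # Port 80 is still terminated on server01, so the challenge path for
    # domain2 must be proxied explicitly; this is the request that was
    # getting a 404 from server01 in the log above.
    server {
        listen 80;
        server_name domain2.example;

        location ^~ /.well-known/acme-challenge/ {
            proxy_pass http://192.168.1.20;
            proxy_set_header Host $host;
        }

        # Everything else goes to HTTPS, which the stream block then passes
        # through to server02, so there is no http/https redirect loop.
        location / {
            return 301 https://$host$request_uri;
        }
    }
}
```

Because TLS for domain2 now reaches server02 untouched, server02 can request its own Let's Encrypt certificate and its HTTP-to-HTTPS redirect never bounces back through an HTTP-only proxy.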

Hello Aleks,

I did indeed omit to specify that I was trying to certify my domain2 from domain2.
I had tried to create a Let’s Encrypt certificate from domain1 but I had a strange result: it was my domain1 that certified domain2, and the fussy browsers didn’t like it.

I’ll try again from domain1.

Seems I’m lucky I don’t encounter that typical https http redirection problem…

I’ve been trying to find out what forwarding based on the SNI is all about, but it’s a bit complicated!
The nginx doc is somewhat “airtight”, unless I’m looking in the wrong place.

Thanks for your reply,
Cyril
