Reverse proxy and YunoHost conflict, weird internet routing

Hello,

Something is happening that I just can't understand... I have YunoHost in one container and my reverse proxy in another container. Ports 80 and 443 are forwarded to the reverse proxy.

Symptoms

Locally and from my personal PC I get the following symptoms, but I don't have the problem from other PCs:

  • connecting over SSH takes much longer than before (a good 30 s, whereas it used to be instant)
  • if the reverse proxy is off: DNS requests are handled by YunoHost (even though it has no access to ports 80 and 443, wtf?! oO)
  • if the reverse proxy and the YunoHost container are running at the same time, web requests to all my domain names seem to be handled by YunoHost...

I don't understand in what world that is possible... cookies?

Any idea how to debug this?

Debug info

  1. When I curl, from my PC or locally, the URL that is forwarded to the YunoHost container, I get:
curl -X POST "https://gafamfree.party" -H  "accept: application/json" -H  "Content-Type: application/json" -d '{"fid":"$"{libraries_with_URL}""}'

curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

Yet when I test the certificates, I do get Let's Encrypt as the CA:

echo | openssl s_client -connect gafamfree.party:443
CONNECTED(00000003)
depth=0 CN = gafamfree.party
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = gafamfree.party
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:CN = gafamfree.party
   i:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
---
Server certificate
-----BEGIN CERTIFICATE-----
[certificate body omitted]
-----END CERTIFICATE-----
subject=CN = gafamfree.party

issuer=C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3

---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 1929 bytes and written 387 bytes
Verification error: unable to verify the first certificate
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 21 (unable to verify the first certificate)
---
DONE
  2. On one of the containers that is not YunoHost:
curl -X POST "https://blog.gafamfree.party" -H  "accept: application/json" -H  "Content-Type: application/json"
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

And echo | openssl s_client -connect blog.gafamfree.party:443 :

CONNECTED(00000003)
depth=0 CN = yunohost.org
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = yunohost.org
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:CN = yunohost.org
   i:CN = yunohost.org
---
Server certificate
-----BEGIN CERTIFICATE-----
[certificate body omitted]
-----END CERTIFICATE-----
subject=CN = yunohost.org

issuer=CN = yunohost.org

---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 1458 bytes and written 392 bytes
Verification error: unable to verify the first certificate
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 21 (unable to verify the first certificate)
---
DONE

-> the certificate returned is the one issued by YunoHost, whereas it should be the Let's Encrypt one...

  3. I have cookies for my non-YunoHost sites named SSOwAuthUser, SSOwAuthHash and SSOwAuthExpire

  4. The error seems to come from IPv6: when I SSH into the container, the IPv6 address is indeed the machine's, but when I SSH into the hypervisor, the IPv6 address is always YunoHost's...

Configuration

YunoHost nginx conf:

server {
    listen 443 ssl;
    server_name gafamfree.party;

    location / {
        proxy_pass              https://192.168.0.88:443/;
        proxy_redirect          off;
        proxy_set_header        Host              $http_host:443;
        proxy_set_header        Host              $host;
        proxy_set_header        X-Real-IP         $remote_addr;
        proxy_set_header        X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header        X-Forwarded-Proto $scheme;
        proxy_set_header        X-Url-Scheme      $scheme;
        proxy_buffering off; # for uploading large files to Nextcloud
    }

    location = /YJswQRil80YOd9yIo4pW1vFf {
        stub_status;
    }

    error_log /var/log/nginx/gafamfree.party_error.log;
    access_log /var/log/nginx/gafamfree.party_access.log;

    ssl_certificate     /etc/letsencrypt/live/gafamfree.party/certchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/gafamfree.party/privkey.pem;

    ssl_session_timeout 5m;
    ssl_session_cache shared:SSL:50m;
    ssl_prefer_server_ciphers on;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ALL:!aNULL:!eNULL:!LOW:!EXP:!RC4:!3DES:+HIGH:+MEDIUM;
    add_header Strict-Transport-Security "max-age=31536000;";
}

server {
    listen 80;
    server_name gafamfree.party;
    location / {
        rewrite ^/(.*)$ https://gafamfree.party/$1 permanent;
    }
}

nginx conf for blog.gafamfree.party (separate container):

server {
    listen 443 ssl;
    server_name blog.gafamfree.party;
    error_log /var/log/nginx/blog_error.log;
    access_log /var/log/nginx/blog_access.log;

    location / {
        proxy_pass              http://192.168.0.32:443/;
        proxy_redirect          off;
        proxy_set_header        Host              $http_host:443;
        proxy_set_header        X-Real-IP         $remote_addr;
        proxy_set_header        X-Forwarded-For   $proxy_add_x_forwarded_for; # used to forward the client's real IP in case of source NAT, but not all applications use it
        proxy_set_header        X-Forwarded-Proto $scheme;
        proxy_set_header        X-Url-Scheme      $scheme;
    }

    ssl_certificate_key /etc/letsencrypt/live/blog.gafamfree.party/privkey.pem;
    ssl_certificate     /etc/letsencrypt/live/blog.gafamfree.party/certchain.pem;

    ssl_session_timeout 5m;
    ssl_session_cache shared:SSL:50m;
    ssl_prefer_server_ciphers on;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ALL:!aNULL:!eNULL:!LOW:!EXP:!RC4:!3DES:+HIGH:+MEDIUM;
    add_header Strict-Transport-Security "max-age=31536000;";
}

server {
    listen 80;
    server_name blog.gafamfree.party;
    location / {
        rewrite ^/(.*)$ https://blog.gafamfree.party/$1 permanent;
    }
}

Solution
The IPv6 address of my YunoHost container was static, which seemed to cause redirection problems depending on whether the client used IPv4 (no problem) or IPv6 (TLS error and slow SSH connection).

So:

  • I configured the container so that the IPv6 address is assigned dynamically via DHCP, to make sure it is unique
  • In the DNS I removed the AAAA record for YunoHost's IPv6 address (I should probably replace it with the reverse proxy's IPv6 address?)
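As an added example (not from the original post, and not YunoHost's or nginx's own tooling), here is a small POSIX shell script that does the check the debug section and the solution above point at: it resolves the A and AAAA records of a name and runs openssl s_client with SNI against each address separately, so a stale AAAA record or a duplicated static IPv6 address shows up directly as "a different certificate on the v6 path" instead of as a confusing mix of curl errors and SSO cookies. It assumes dig and openssl are installed, that the service listens on port 443, and that the expected certificate CN is the bare hostname (no wildcard handling); the summarize/classify helpers, their wording and the output format are my own, and the sample transcript used to exercise them is constructed from the output shown in the post.

```shell
#!/bin/sh
# Added example (not part of the original post): compare the TLS certificate
# that a name serves on each of its IPv4 and IPv6 addresses.
# Assumptions: dig and openssl are installed, the service listens on 443,
# and the expected certificate CN is the bare hostname (no wildcards).

# Reduce an `openssl s_client` transcript (stdin) to three lines:
# subject=..., issuer=..., verify=...
summarize_s_client() {
    awk '
        /^subject=/            { sub(/^subject=/, "");             subj = $0 }
        /^issuer=/             { sub(/^issuer=/, "");              iss  = $0 }
        /^Verify return code:/ { sub(/^Verify return code: /, ""); code = $0 }
        END { printf "subject=%s\nissuer=%s\nverify=%s\n", subj, iss, code }
    '
}

# Classify one subject/issuer pair for an expected host name.
# subject == issuer means a self-signed certificate: the request landed on a
# backend's default vhost (in the post, the yunohost.org cert) rather than on
# the reverse proxy that holds the Let's Encrypt certificate.
classify() {
    host=$1; subject=$2; issuer=$3
    if [ "$subject" = "$issuer" ]; then
        printf 'self-signed (%s): request did not reach the reverse proxy\n' "$subject"
    else
        case "$subject" in
            *"CN = $host"*) printf 'ok: issued by %s\n' "$issuer" ;;
            *)              printf 'certificate for another name: %s\n' "$subject" ;;
        esac
    fi
}

# Resolve A and AAAA records and probe every address with SNI set to the
# host, so the backend that actually answers on each address is visible.
scan_host() {
    host=$1
    for fam in A AAAA; do
        for ip in $(dig +short "$host" "$fam"); do
            case "$ip" in
                *:*) target="[$ip]:443" ;;   # IPv6 literals need brackets
                *)   target="$ip:443" ;;
            esac
            summary=$(echo | openssl s_client -connect "$target" -servername "$host" 2>/dev/null \
                      | summarize_s_client)
            subject=$(printf '%s\n' "$summary" | sed -n 's/^subject=//p')
            issuer=$(printf '%s\n' "$summary" | sed -n 's/^issuer=//p')
            printf '%-4s %-39s %s\n' "$fam" "$ip" "$(classify "$host" "$subject" "$issuer")"
        done
    done
}

# Usage: sh check_cert_per_address.sh gafamfree.party
if [ $# -gt 0 ]; then
    scan_host "$1"
fi
```

Run it once per public name (gafamfree.party, blog.gafamfree.party): a line reading "AAAA ... self-signed (CN = yunohost.org)" next to an "A ... ok: issued by ... Let's Encrypt ..." line is exactly the symptom described in the post, and it points at the AAAA record (or the duplicated v6 address behind it) rather than at the nginx configs.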