Weird SSL error while installing a cert

:uk:/:us: English

My YunoHost server

Hardware: LXD container on a Dedicated server
YunoHost version: 4.0.8.2
I have access to my server : SSH, webadmin, KVM
Are you in a special context or did you perform some particular tweaking on your YunoHost instance ? : Yes
If yes, please explain: A reverse-proxy (nginx) in-between Internet and Yunohost.

Description of my issue

Hey there! I tried to get some help on IRC but I guess this issue will require a bit of investigation.

First, some context: there was a Let’s Encrypt cert on this domain before, and everything was fine, but someday (and I can’t remember if this was before or after the buster migration) certificate renewal failed. I tried to fix the thing but was lazy, removed the Let’s Encrypt cert and went back to self-signed.

This issue happens now when I try to install a Let’s Encrypt cert on a specific domain. Certbot can’t access the .well-known/... URL and returns an error.

https://paste.yunohost.org/raw/lajetipixo

2020-11-29 12:46:03,178: ERROR - Wrote file to /tmp/acme-challenge-public/bn44FxR8IpQl_11ioWLYTIn3x1xpezNCtuUR8ZfZPlM, but couldn't download http://maindomain.tld/.well-known/acme-challenge/bn44FxR8IpQl_11ioWLYTIn3x1xpezNCtuUR8ZfZPlM: Error:
Url: http://maindomain.tld/.well-known/acme-challenge/bn44FxR8IpQl_11ioWLYTIn3x1xpezNCtuUR8ZfZPlM
Data: None
Response Code: None
Response: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:727)>

I double-checked my nginx config (from the reverse proxy in front of Yunohost) and it’s the same as for the other domains.
The diagnosis is all green; the HTTP access check reports “OK” for every domain.

I searched for similar issues and found some similar errors, but the context makes me think it’s not the same problem.

I tried to regen the nginx config from Yunohost with yunohost tools regen-conf nginx --force but that wasn’t useful.

And at this point I’m a bit lost… I can provide nginx configs and other stuff if needed.


:fr: French

My YunoHost server

Hardware: LXD container on a dedicated server
YunoHost version: 4.0.8.2
I have access to my server: SSH, web admin, KVM
Are you in a special context or did you perform some particular tweaking on your instance? : Yes
If yes, please explain: A reverse proxy (nginx) sits in front of Yunohost.

Description of the problem

Greetings ~ I described my problem on IRC but I have the feeling it will need a bit more digging.

First, some context: there was a working Let’s Encrypt certificate on this domain, but one day (I can’t remember whether it was before or after the migration to buster) the renewal broke. I tried a quick fix and reinstalled a self-signed certificate.

The bug shows up when I try to install a certificate on one particular domain. Certbot cannot reach the .well-known/... file and returns an error.

https://paste.yunohost.org/raw/lajetipixo

2020-11-29 12:46:03,178: ERROR - Wrote file to /tmp/acme-challenge-public/bn44FxR8IpQl_11ioWLYTIn3x1xpezNCtuUR8ZfZPlM, but couldn't download http://maindomain.tld/.well-known/acme-challenge/bn44FxR8IpQl_11ioWLYTIn3x1xpezNCtuUR8ZfZPlM: Error:
Url: http://maindomain.tld/.well-known/acme-challenge/bn44FxR8IpQl_11ioWLYTIn3x1xpezNCtuUR8ZfZPlM
Data: None
Response Code: None
Response: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:727)>

I checked the nginx configuration carefully (the reverse proxy in front of Yunohost); it is exactly the same as for another domain that works without any problem, so a priori the issue does not come from there.
The diagnosis is all green and the domains are reachable over HTTP from outside.

I searched the forum and found similar error messages, but in a completely different context, which makes me think it is not the same thing. :confused:

I tried regenerating Yunohost’s nginx config with yunohost tools regen-conf nginx --force as I read elsewhere, but it did not help.

At this point I’m a bit lost and don’t know which direction to look in… If needed I can provide the configurations or other information.

Eh, it’s like the 4th or 5th time I see this issue showing up recently, so there’s definitely something going on here that is not specific to your setup …

Unfortunately it’s hard to investigate without being able to reproduce the issue

Naively I think I would try to investigate by doing something like

echo "hello world!" >> /tmp/acme-challenge-public/hello
curl -v http://maindomain.tld/.well-known/acme-challenge/hello

and try to see if there are more details related to that “CERTIFICATE_VERIFY_FAILED” thing :s

I guess I found something odd. :thinking:
First, when I do curl -v http://maindomain.tld/.well-known/acme-challenge/hello I get a 301 Moved Permanently to HTTPS.

I did the command again with -L to follow redirection and there’s the error after the redirection.

*   Trying xx.xx.xx.xx...
* TCP_NODELAY set
* Expire in 200 ms for 4 (transfer 0x563ccf5f2920)
* Connected to maindomain.tld (xx.xx.xx.xx) port 443 (#1)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS alert, unknown CA (560):
* SSL certificate problem: unable to get local issuer certificate
* Closing connection 1
curl: (60) SSL certificate problem: unable to get local issuer certificate

So my guess is that curl rejects the self-signed certificate and certbot fails.

Ah, so my best guess is this: it’s redirected to HTTPS, which should not happen in the first place, because the whole ACME challenge is supposed to happen on regular HTTP …

So my guess is that it’s the reverse proxy automatically redirecting HTTP traffic to HTTPS … Though if you did not change anything in the reverse proxy conf that’s puzzling…

I don’t get it… I removed all mention of redirection from my reverse proxy and still…

And even more strange, when I curl -v http://maindomain.tld/.well-known/acme-challenge/hello from my computer over the internet, it works and I get the hello world.
But from the Yunohost’s server it gets the redirection.

I can’t make any sense of it.

Hmokay, and if you run ping domain.tld from inside the server, what IP does it ping? I believe it should ping the global IP.

Yes it is.
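The manual check suggested earlier in this thread (drop a file under the ACME challenge directory, fetch it over plain HTTP with curl, and look at the answer without following redirects), packaged as a small script that also does the comparison the last replies are circling around: the same request pinned to the public IP with curl --resolve versus the request as the server’s own resolver routes it. This is an added example, not code from the thread or from YunoHost. The webroot /tmp/acme-challenge-public is taken from the log above; maindomain.tld and the public IP are placeholders, and the classify_response labels are my own.

```shell
#!/bin/sh
# Added example (not from the thread): probe the HTTP-01 path the way an ACME
# server does: plain http://, no redirect following, then classify the reply.

# Challenge directory as seen in the certbot log above (assumption: unchanged).
WEBROOT="${WEBROOT:-/tmp/acme-challenge-public}"

# classify_response: read raw HTTP response headers on stdin (the output of
# `curl -sS -D - -o /dev/null`) and print one word:
#   ok                 200, the token was served over plain HTTP as required
#   redirect-to-https  3xx whose Location points at https://, the ACME client
#                      will then hit the (here self-signed) TLS cert and fail
#   redirect           any other 3xx
#   status:<code>      anything else (status:none when no HTTP line was seen)
classify_response() {
  status=""
  location=""
  while IFS= read -r line; do
    line=$(printf '%s' "$line" | tr -d '\r')
    case "$line" in
      HTTP/*)        status=$(printf '%s' "$line" | cut -d' ' -f2) ;;
      [Ll]ocation:*) location=$(printf '%s' "$line" | cut -d' ' -f2-) ;;
    esac
  done
  case "$status" in
    200) echo ok ;;
    30[1278])
      case "$location" in
        https://*) echo redirect-to-https ;;
        *)         echo redirect ;;
      esac ;;
    *)   echo "status:${status:-none}" ;;
  esac
}

# probe_acme_path DOMAIN [IP]
# Writes a throwaway token under $WEBROOT, fetches it exactly like the ACME
# validator would, and prints the classification. With IP given, the request
# is pinned to that address (curl --resolve) instead of whatever the server's
# resolver returns, so the two paths can be compared side by side.
probe_acme_path() {
  domain="$1"
  ip="${2:-}"
  token="probe-$(date +%s)-$$"
  mkdir -p "$WEBROOT"
  echo "hello world!" > "$WEBROOT/$token"
  url="http://$domain/.well-known/acme-challenge/$token"
  if [ -n "$ip" ]; then
    headers=$(curl -sS -D - -o /dev/null --max-time 10 --resolve "$domain:80:$ip" "$url")
  else
    headers=$(curl -sS -D - -o /dev/null --max-time 10 "$url")
  fi
  rm -f "$WEBROOT/$token"
  result=$(printf '%s\n' "$headers" | classify_response)
  echo "$url${ip:+ via $ip} -> $result"
}

# Usage (run on the YunoHost host itself):
#   sh probe.sh maindomain.tld            # path chosen by the server's resolver
#   sh probe.sh maindomain.tld xx.xx.xx.xx # same request pinned to the public IP
if [ "$#" -ge 1 ]; then
  probe_acme_path "$1" "${2:-}"
fi
```

Run both forms from inside the server. If the pinned request answers ok while the unpinned one answers redirect-to-https, the name resolves to a different listener from inside the container than from the Internet, which is exactly the question the last reply asks; in that case compare the address ping returns with the public IP, and check what /etc/hosts and the container’s resolver hand out for the domain. Whatever listener answers first for plain HTTP on the domain must serve /.well-known/acme-challenge/ with a 200 before any blanket redirect to HTTPS, which on an nginx reverse proxy means a location block for that path placed ahead of the return 301 rule.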
