
Handling sites without DNS

Open ghost opened this issue 6 years ago • 8 comments

It would be good to change how lets proxy handles sites it cannot generate a cert for.

In my current use case, I have set it up on a server and am testing sites without valid DNS. In Firefox it currently returns a "SSL_ERROR_INTERNAL_ERROR_ALERT" error code.

If it instead returned a self-signed cert or a cert for a different domain (the hostname perhaps), I would be able to accept this error as OK in my browser and continue.

ghost avatar Nov 27 '19 14:11 ghost

Hello.

lets-proxy has .lock certificates now. You can save any certificate as domain.com.rsa.cer (certificate chain) + domain.com.rsa.key (private key) + domain.com.lock (flag file; only its existence is checked, the content may be anything, empty or not).

In this case lets-proxy will handle requests to domain.com with the domain.com.rsa.cer certificate without checking its domain (the cert may be for any domain), expiry date, etc.

Is that usable for you?

rekby avatar Nov 28 '19 07:11 rekby

Sorry for the slow reply! Yes, your workaround does work; however, I felt one of the main points of this tool is that you could set it up without knowing what domains you are going to serve. Manually creating certificates for each domain gets in the way of this.

I agree that this is an enhancement, but it is one that I would like to see.

ghost avatar Dec 02 '19 10:12 ghost

It can be an optional feature.

Can you describe your scenario, so I can support it better?

rekby avatar Dec 02 '19 12:12 rekby

I have an application where any user can sign up and create their own shop. The application is hosted on a single server and from a single set of site files. The shop is then chosen depending on the domain name (similar to WordPress multi-sites). Users are welcome to use their own existing domain and point it at the server. We have no way of knowing what the domain will be and so can't do any manual set up for it. As you can see, Lets-proxy is the perfect SSL solution.

However, I am building a new replacement server with no live DNS records and found that I cannot test this setup because lets-proxy doesn't proxy when it cannot generate an SSL cert.

ghost avatar Dec 02 '19 13:12 ghost

lets-proxy should proxy and handle domains with an existing certificate (you can copy the storage folder from the previous server).

But it can't issue a cert without a good DNS record, by Let's Encrypt design (lets-proxy doesn't support DNS verification).

rekby avatar Jul 03 '20 01:07 rekby

I completely agree that we can't issue valid SSL certs without DNS setup.

The issue is around how Lets Proxy handles sites it can't verify - for example in a staging/dev environment without any DNS set up. We would still want Lets Proxy installed so that the hosting stack was identical to production.

When I last tested this, Lets Proxy doesn't return anything, creating an impassable SSL error.
I suggest that we instead return a standard "snake oil" SSL cert. Then browsers will error (this SSL cert doesn't match), but this error gives you the option of continuing anyway (for example https://wrong.host.badssl.com/).

In other words a fallback SSL certificate to use when nothing else matches.

ghost avatar Jul 03 '20 08:07 ghost

Is it OK if, for your test env, you create some certificate yourself, then forward all queries to that certificate (independent of domain name)?

rekby avatar Jul 03 '20 18:07 rekby

I'm happy providing a certificate (either self-signed or valid for another domain) and for any domain to end up there, assuming that 1. lets-proxy can't generate a cert for them and 2. there isn't a .lock certificate for them.

ghost avatar Jul 06 '20 10:07 ghost
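The precedence the thread converges on (a .lock certificate for the exact name first, otherwise one shared fallback certificate, otherwise today's hard TLS failure) is easy to express as a `tls.Config.GetCertificate` hook. The following is an added illustration written for this page, not lets-proxy2's own code: the `CertStore` type, `SelfSigned` and `SaveLocked` helpers and the `safeName` check are assumptions of this example, and the file layout (`<name>.rsa.cer`, `<name>.rsa.key`, `<name>.lock`) is taken from rekby's description above. One caveat a practitioner would want: the SNI value comes from the client, so it must be validated before it is joined to a storage path, otherwise a name like `../something` would read files outside the storage folder.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"math/big"
	"os"
	"path/filepath"
	"strings"
	"time"
)

// CertStore is a hypothetical resolver (not lets-proxy2's own code). A name
// whose storage has <name>.lock is served <name>.rsa.cer + <name>.rsa.key with
// no domain/expiry checks; any other name gets Fallback, the "snake oil" cert.
type CertStore struct {
	Dir      string
	Fallback *tls.Certificate // nil reproduces today's hard TLS failure
}

// safeName rejects client-supplied SNI values that could escape Dir.
func safeName(name string) bool {
	return name != "" && !strings.ContainsAny(name, `/\`) && !strings.HasPrefix(name, ".")
}

// lookup loads the locked pair for name; found is false when no .lock exists.
func (s *CertStore) lookup(name string) (cert *tls.Certificate, found bool, err error) {
	if _, err := os.Stat(filepath.Join(s.Dir, name+".lock")); err != nil {
		return nil, false, nil // the flag file's content is never read
	}
	pair, err := tls.LoadX509KeyPair(
		filepath.Join(s.Dir, name+".rsa.cer"), filepath.Join(s.Dir, name+".rsa.key"))
	if err != nil {
		return nil, true, err
	}
	return &pair, true, nil
}

// GetCertificate plugs into tls.Config.GetCertificate: locked cert first,
// then the fallback, then an error (the client sees that as a TLS alert).
func (s *CertStore) GetCertificate(hello *tls.ClientHelloInfo) (*tls.Certificate, error) {
	if safeName(hello.ServerName) {
		if c, found, err := s.lookup(hello.ServerName); found {
			return c, err
		}
	}
	if s.Fallback == nil {
		return nil, errors.New("no certificate for " + hello.ServerName)
	}
	return s.Fallback, nil
}

// SelfSigned makes a throwaway ECDSA P-256 certificate for cn (one day validity).
func SelfSigned(cn string) (*tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn},
		DNSNames:     []string{cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return &tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

// SaveLocked writes cert in the .lock file layout described in the thread.
func SaveLocked(dir, name string, cert *tls.Certificate) error {
	var chain []byte
	for _, der := range cert.Certificate {
		chain = append(chain, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})...)
	}
	keyDER, err := x509.MarshalPKCS8PrivateKey(cert.PrivateKey)
	if err != nil {
		return err
	}
	keyPEM := pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: keyDER})
	if err := os.WriteFile(filepath.Join(dir, name+".rsa.cer"), chain, 0o644); err != nil {
		return err
	}
	if err := os.WriteFile(filepath.Join(dir, name+".rsa.key"), keyPEM, 0o600); err != nil {
		return err
	}
	return os.WriteFile(filepath.Join(dir, name+".lock"), nil, 0o644) // empty flag file
}
```

To use it, build the store with `Fallback: fallbackCert` (one generated by `SelfSigned` or any cert valid for another domain) and pass `store.GetCertificate` as `GetCertificate` in the `tls.Config` of the listener. Leaving `Fallback` nil keeps the current behaviour, so the fallback stays an opt-in feature for staging environments.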