
browsing to https gives error

Open eltyBelgium opened this issue 11 months ago • 10 comments

If you set up a forward (domainA.com) and you forward to (domainB.com)

and you browse to https://domainA.com, you will receive a Privacy error. Is there a way to fix this?


eltyBelgium avatar Feb 05 '25 16:02 eltyBelgium

I notice sometimes this service runs out of the rate limit given by Let's Encrypt. Sometimes Let's Encrypt even totally refuses until I followed their notice link.

I have no alert set up to tell if SSL fails unless I retroactively see logs. You can try to self-host this service if it is urgent.

willnode avatar Feb 07 '25 13:02 willnode

We are self-hosting it.

eltyBelgium avatar Feb 07 '25 13:02 eltyBelgium

  1. Do you use this service behind NGINX? If yes, do not use http, use the stream module.
  2. Try to visit the HTTP part of the domain; usually an incorrect config can be caught there.
  3. Try to dig up some logs so I can know why.

willnode avatar Feb 07 '25 13:02 willnode
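As an added illustration of point 1 (not the project's own config and not the gist linked below), here are the two nginx shapes side by side. The backend ports 8443 and 8080 are assumptions; the service's real listeners come from its .env.

```nginx
# Assumed backend ports (not from the issue): forward-domain's TLS listener on
# 127.0.0.1:8443 and its plain-HTTP listener on 127.0.0.1:8080.

# WRONG for this service: an http{} reverse proxy terminates TLS itself, so
# nginx presents one static certificate for every SNI name and the per-domain
# certificates the service obtained are never shown to the browser (the
# "Privacy error" symptom).
#
# http {
#     server {
#         listen 443 ssl;
#         ssl_certificate     /etc/nginx/static.crt;   # one cert for all names
#         ssl_certificate_key /etc/nginx/static.key;
#         location / { proxy_pass http://127.0.0.1:8080; }
#     }
# }

# RIGHT: stream{} forwards the TCP bytes untouched, so the TLS handshake
# (ClientHello with SNI) reaches the service and it answers with the
# certificate it issued for that domain. Port 80 is passed through as well so
# the http-01 challenge at /.well-known/acme-challenge/<token> hits the
# service rather than an nginx-served page.
stream {
    server {
        listen 443;
        proxy_pass 127.0.0.1:8443;
    }
    server {
        listen 80;
        proxy_pass 127.0.0.1:8080;
    }
}
```

If the same nginx also serves other sites from an http{} block, those cannot share the listen address with the stream{} servers above; bind each to a distinct IP.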

This service is just run on a Node server on Linux in Azure and uses pm2 for multi-process management. I'll search for the logs.

eltyBelgium avatar Feb 07 '25 13:02 eltyBelgium

Where can I find the logs?

eltyBelgium avatar Feb 07 '25 14:02 eltyBelgium

PM2 should save some stdout logs. I use systemd and I casually search logs there.

willnode avatar Feb 07 '25 14:02 willnode

Hmm, how did you run the project through systemd?

eltyBelgium avatar Feb 07 '25 14:02 eltyBelgium

I just wrote this file

> cat /usr/lib/systemd/system/r.service
[Unit]
Description=Forward Domain Daemon
Documentation=https://forwarddomain.net
After=network.target

[Service]
Type=simple
User=r
WorkingDirectory=/home/r/public_html
ExecStart=/home/r/.local/opt/node/bin/node --env-file=.env app.js
Restart=always

[Install]
WantedBy=multi-user.target

And set it up on top of this nginx config:

https://gist.github.com/willnode/7e6f1779d28828954c9b25cf9a7c4161

willnode avatar Feb 07 '25 14:02 willnode

this is one of the errors:

app | at Client.pollAuthz (file:///forward-domain/forward-domain/src/certnode/lib/client.js:332:23)
0|app | at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
0|app | at async Client.generateCertificate (file:///forward-domain/forward-domain/src/certnode/lib/client.js:77:9)
0|app | at async file:///forward-domain/forward-domain/src/sni.js:76:35
0|app | Error: pollAuthz() authorization is invalid: {
0|app |   "challenge": {
0|app |     "type": "http-01",
0|app |     "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall/180089154/16014523314/XEimqw",
0|app |     "status": "invalid",
0|app |     "validated": "2025-02-10T12:45:19Z",
0|app |     "error": {
0|app |       "type": "urn:ietf:params:acme:error:caa",
0|app |       "detail": "During secondary validation: While processing CAA for www.werkzaam.be: CAA record for werkzaam.be prevents issuance"
0|app |     },
0|app |     "token": "LJNL-PvXVRHrfG5bfF03NsU8KUiKnv0FLiXl6K5CctM",
0|app |     "validationRecord": [
0|app |       {
0|app |         "url": "http://www.werkzaam.be/.well-known/acme-challenge/LJNL-PvXVRHrfG5bfF03NsU8KUiKnv0FLiXl6K5CctM",
0|app |         "hostname": "www.werkzaam.be",
0|app |         "port": "80",
0|app |         "addressesResolved": [
0|app |           ""
0|app |         ],
0|app |         "addressUsed": "*"
0|app |       }
0|app |     ]
0|app |   },
0|app |   "domain": "www.werkzaam.be",
0|app |   "status": "invalid",
0|app |   "expires": "2025-02-17T12:45:18Z"
0|app | }
0|app | at Client.pollAuthz (file:///forward-domain/forward-domain/src/certnode/lib/client.js:332:23)
0|app | at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
0|app | at async Client.generateCertificate (file:///forward-domain/forward-domain/src/certnode/lib/client.js:77:9)
0|app | at async file:///forward-domain/forward-domain/src/sni.js:76:35

eltyBelgium avatar Feb 10 '25 12:02 eltyBelgium

this is one of the errors:

app | at Client.pollAuthz (file:///forward-domain/forward-domain/src/certnode/lib/client.js:332:23)
0|app | at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
0|app | at async Client.generateCertificate (file:///forward-domain/forward-domain/src/certnode/lib/client.js:77:9)
0|app | at async file:///forward-domain/forward-domain/src/sni.js:76:35
0|app | Error: pollAuthz() authorization is invalid: {
0|app |   "challenge": {
0|app |     "type": "http-01",
0|app |     "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall/180089154/16014523314/XEimqw",
0|app |     "status": "invalid",
0|app |     "validated": "2025-02-10T12:45:19Z",
0|app |     "error": {
0|app |       "type": "urn:ietf:params:acme:error:caa",
0|app |       "detail": "During secondary validation: While processing CAA for www.werkzaam.be: CAA record for werkzaam.be prevents issuance"
0|app |     },
0|app |     "token": "LJNL-PvXVRHrfG5bfF03NsU8KUiKnv0FLiXl6K5CctM",
0|app |     "validationRecord": [
0|app |       {
0|app |         "url": "http://www.werkzaam.be/.well-known/acme-challenge/LJNL-PvXVRHrfG5bfF03NsU8KUiKnv0FLiXl6K5CctM",
0|app |         "hostname": "www.werkzaam.be",
0|app |         "port": "80",
0|app |         "addressesResolved": [
0|app |           "172.211.161.18"
0|app |         ],
0|app |         "addressUsed": "172.211.161.18"
0|app |       }
0|app |     ]
0|app |   },
0|app |   "domain": "www.werkzaam.be",
0|app |   "status": "invalid",
0|app |   "expires": "2025-02-17T12:45:18Z"
0|app | }
0|app | at Client.pollAuthz (file:///forward-domain/forward-domain/src/certnode/lib/client.js:332:23)
0|app | at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
0|app | at async Client.generateCertificate (file:///forward-domain/forward-domain/src/certnode/lib/client.js:77:9)
0|app | at async file:///forward-domain/forward-domain/src/sni.js:76:35

This was a CAA record problem. But if I surf to https://domainA.be I get an invalid cert problem.

eltyBelgium avatar Feb 10 '25 12:02 eltyBelgium