AutoTLS: attempts to get cert when not publicly diallable #10570

Open
Tracked by #10560
lidel opened this issue Nov 4, 2024 · 2 comments
Labels
kind/bug A bug in existing code (including security flaws) need/triage Needs initial labeling and prioritization

Comments

lidel (Member) commented Nov 4, 2024

Version

0.32.0-rc1

Config

{
  "AutoTLS": {
    "Enabled": true
  },
  "Addresses": {
    "API": "/ip4/127.0.0.1/tcp/5701",
    "Announce": [],
    "AppendAnnounce": [],
    "Gateway": "/ip4/127.0.0.1/tcp/8780",
    "NoAnnounce": [],
    "Swarm": [
      "/ip4/0.0.0.0/tcp/4071",
      "/ip6/::/tcp/4071",
      "/ip4/0.0.0.0/tcp/4072/tls/sni/*.libp2p.direct/ws",
      "/ip4/0.0.0.0/udp/4071/webrtc-direct",
      "/ip4/0.0.0.0/udp/4071/quic-v1",
      "/ip4/0.0.0.0/udp/4071/quic-v1/webtransport",
      "/ip6/::/udp/4071/webrtc-direct",
      "/ip6/::/udp/4071/quic-v1",
      "/ip6/::/udp/4071/quic-v1/webtransport"
    ]
  },
...

Description

Example 1, error due to solving challenges: presenting for challenge: no public address found:

2024-11-04T20:45:28.283+0100	INFO	autotls.acme_client	[email protected]/client.go:404	trying to solve challenge	{"identifier": "*.k51qzi5uqu5dha1xbwsoc8lyjf6fldczy61ozgi3n9rr3tipfuzjzqst8fqooi.libp2p.direct", "challenge_type": "dns-01", "ca": "https://acme-v02.api.letsencrypt.org/directory"}
2024-11-04T20:45:36.324+0100	DEBUG	autotls.acme_client	acme/http.go:275	http request	{"method": "POST", "url": "https://acme-v02.api.letsencrypt.org/acme/authz-v3/425608111597", "headers": {"Content-Type":["application/jose+json"],"User-Agent":["CertMagic acmez (linux; amd64)"]}, "response_headers": {"Boulder-Requester":["2038430587"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["454"],"Content-Type":["application/json"],"Date":["Mon, 04 Nov 2024 19:45:36 GMT"],"Link":["<https://acme-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["yiS4Q9ue15rzi_h41L_gI6UhRmR95FOK2XBx4z7cpj9DQfwyXEE"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]}, "status_code": 200}
2024-11-04T20:45:36.324+0100	ERROR	autotls.obtain	[email protected]/config.go:639	could not get certificate from issuer	{"identifier": "*.k51qzi5uqu5dha1xbwsoc8lyjf6fldczy61ozgi3n9rr3tipfuzjzqst8fqooi.libp2p.direct", "issuer": "acme-v02.api.letsencrypt.org-directory", "error": "[*.k51qzi5uqu5dha1xbwsoc8lyjf6fldczy61ozgi3n9rr3tipfuzjzqst8fqooi.libp2p.direct] solving challenges: presenting for challenge: no public address found (order=https://acme-v02.api.letsencrypt.org/acme/order/2038430587/320023393197) (ca=https://acme-v02.api.letsencrypt.org/directory)"}
2024-11-04T20:45:36.324+0100	ERROR	autotls.obtain	[email protected]/async.go:117	will retry	{"error": "[*.k51qzi5uqu5dha1xbwsoc8lyjf6fldczy61ozgi3n9rr3tipfuzjzqst8fqooi.libp2p.direct] Obtain: [*.k51qzi5uqu5dha1xbwsoc8lyjf6fldczy61ozgi3n9rr3tipfuzjzqst8fqooi.libp2p.direct] solving challenges: presenting for challenge: no public address found (order=https://acme-v02.api.letsencrypt.org/acme/order/2038430587/320023393197) (ca=https://acme-v02.api.letsencrypt.org/directory)", "attempt": 1, "retrying_in": 60, "elapsed": 9.413219385, "max_duration": 2592000}
2024-11-04T20:46:36.326+0100	INFO	autotls.obtain	[email protected]/config.go:555	obtaining certificate	{"identifier": "*.k51qzi5uqu5dha1xbwsoc8lyjf6fldczy61ozgi3n9rr3tipfuzjzqst8fqooi.libp2p.direct"}

Problem

When behind NAT, we do not delay the initial registration attempt until a publicly dialable address is present. We should avoid ERROR in logs when we know the registration attempt would fail anyway, and delay until it's safe.

Specific problems:

  • do not attempt to get a cert if we depend on /p2p-circuit addrs
  • do not attempt to get a cert if the only "public addr" is IPv6 blocked by a firewall
lidel added the kind/bug (A bug in existing code, including security flaws) and need/triage (Needs initial labeling and prioritization) labels on Nov 4, 2024
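The gate described under "Problem" (skip the ACME round while no address is both public and confirmed reachable), as an added illustration that is not Kubo's or p2p-forge's code. It parses the multiaddr strings from Addresses.Swarm with the standard library only, and the `reachable` map is a hypothetical stand-in for a reachability signal such as AutoNAT; the address values used in the test are constructed.

```go
package main

import (
	"net/netip"
	"strings"
)

// publicDialable reports whether one multiaddr string (as listed under
// Addresses.Swarm) could be reached directly from the public Internet: it must
// carry a global-unicast ip4/ip6 component and must not be relayed through
// /p2p-circuit. Wildcard listeners (0.0.0.0, ::), loopback, RFC 1918 and
// link-local addresses say nothing about the node's external address.
func publicDialable(maddr string) bool {
	parts := strings.Split(strings.TrimPrefix(maddr, "/"), "/")
	hasPublicIP := false
	for i := 0; i < len(parts); i++ {
		switch parts[i] {
		case "p2p-circuit":
			return false // relayed via another peer, not our own endpoint
		case "ip4", "ip6":
			if i+1 >= len(parts) {
				return false
			}
			ip, err := netip.ParseAddr(parts[i+1])
			if err != nil {
				return false
			}
			if ip.IsGlobalUnicast() && !ip.IsPrivate() {
				hasPublicIP = true
			}
			i++ // skip the address value
		}
	}
	return hasPublicIP
}

// shouldAttemptACME gates the certificate request: proceed only when at least
// one swarm address is public AND has been confirmed reachable from outside.
// `reachable` is a hypothetical stand-in for a reachability signal such as
// AutoNAT, so an IPv6 address that merely looks public but is firewalled
// does not trigger a dns-01 attempt that is bound to fail.
func shouldAttemptACME(swarm []string, reachable map[string]bool) (bool, []string) {
	var usable []string
	for _, a := range swarm {
		if publicDialable(a) && reachable[a] {
			usable = append(usable, a)
		}
	}
	return len(usable) > 0, usable
}
```

With the wildcard-only Swarm list from the config above and nothing confirmed reachable, the gate returns false, which is the point at which the ERROR lines in the log should instead be a deferred attempt.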
lidel (Member, Author) commented Nov 5, 2024

Minimal check discussed in ipshipyard/p2p-forge@5157ed9 / ipshipyard/p2p-forge#4 (comment)

lidel (Member, Author) commented Nov 7, 2024
