Interaction of dns and http approval and approveDomains function #2

Closed
opened 2019-07-24 21:46:12 +00:00 by Ghost · 5 comments

In light of the "canonical" root discussion, I decided to log this one here :)

## Background

The way I'm using greenlock is by allowing my customers to create subdomains under my domain (say, mycompany.com). Since there are multiple subdomains under mycompany.com, I'm using the dns-01 challenge method for *.mycompany.com

At the same time, I allow the customers to have a custom domain (theircompany.com) that points to our servers, and we issue a cert using the http-01 auth challenge.

## Problem

It appears that whenever there's a new client using a subdomain under our main domain (sub.mycompany.com), the approve function gets called and the challenge is issued for the dns-01 challenge. This shouldn't be needed, so I'm wondering what I'm doing wrong.

## `approveDomains`

Here's my approve domains function:

```js
// node-postgres client; the import and the `env` object were not shown in the
// original snippet and are assumed here
const { Client } = require('pg');
const env = process.env;

async function approveDomains2(opts) {
	const client = new Client({
		user: env.DB_USERNAME,
		host: env.DB_HOST,
		port: env.DB_PORT || 5432,
		database: env.DB_DATABASE,
		password: env.DB_PASSWORD,
	});
	let domains = [];

	try {
		await client.connect(); // connect() returns a promise when called without a callback
		const results = await client.query('SELECT "domain" FROM store WHERE "domain" IS NOT NULL');
		domains = results.rows.map(row => row.domain);

		cleanOldCerts(domains); // tries to remove old certs (helper defined elsewhere in my code)

		// env.WILDCARD_DOMAIN is 'mycompany.com'; strip the first label to check subdomains
		const parent = opts.domain.split(".").slice(1).join(".");
		if (domains.filter(d => d === opts.domain).length < 1 &&
			opts.domain !== env.WILDCARD_DOMAIN &&
			parent !== env.WILDCARD_DOMAIN
		) { // domain not found
			console.log("Domain not valid for cert:", opts.domain);
			return;
		}
	}
	catch (e) {
		console.error('Error in fetching valid custom domains from db.', e);
		return;
	}
	finally {
		client.end();
	}

	// same array reference as `domains`, so the wildcard pushed below ends up in opts.domains too
	opts.domains = domains;

	opts.email = "hgezim@mycompany.com";

	domains.push('*.' + env.WILDCARD_DOMAIN);

	opts.agreeTos = true;
	return opts; // an async function already wraps this in a resolved promise
}
```

I guess it really shows that I'm not entirely sure what approveDomains should return. I always return all the valid domains including the wildcard one.

Any guidance would be much appreciated, AJ.

Owner

If you include *.foo.com, you can include foo.com, but you cannot include bar.foo.com.

I'd recommend issuing each bare + wild domain separately as needed:

  • foo.com, *.foo.com
  • bar.co.uk, *.bar.co.uk
  • NOT foo.com, bar.com, *.foo, ...

I know I added a property wildname for the storage plugins. I think that comes through approveDomains as well, but I'm not certain.

I'd say query on opts.domain and opts.wildname and search your database based on that and return only those results.

Do you have some resources you could put towards consulting so that we could spend a few hours working through this together? I'm overcommitted this week, but this weekend or next week I could set aside up to 4 hours of my full attention to review and debug.

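One way to apply this guidance in a v2-style `approveDomains` handler, as an added example that is neither greenlock's own code nor the original poster's: the handler returns only the certificate set the requested name belongs to, pairing each bare domain with its own wildcard and never mixing a wildcard with a named subdomain of the same zone. The zone name, the in-memory `Set` standing in for the `store` table, the e-mail address and the `challenge` field (informational, not a greenlock option) are all assumptions made for the example.

```javascript
// Added example: a v2-style approveDomains handler that returns only the
// certificate set the requested name belongs to. Not greenlock's code.
// The zone, the store and the e-mail address below are constructed.

const WILDCARD_DOMAIN = 'mycompany.com'; // constructed: the zone we control

// Constructed stand-in for the `store` table of customer custom domains.
const customDomainStore = new Set(['theircompany.com', 'bar.co.uk']);

// Accept only DNS-style labels (with an optional leading "*.") before the
// name is looked up or handed to the ACME client.
const HOSTNAME_RE = /^(\*\.)?[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)+$/;

function normalizeName(domain) {
  const name = String(domain || '').toLowerCase().replace(/\.$/, '');
  return HOSTNAME_RE.test(name) ? name : null;
}

// 'sub.mycompany.com' -> 'mycompany.com'
function parentZone(name) {
  return name.split('.').slice(1).join('.');
}

// Decide which certificate a request belongs to; null means we will not issue for it.
function certSetFor(domain, zone = WILDCARD_DOMAIN, store = customDomainStore) {
  const name = normalizeName(domain);
  if (!name) return null;

  const wildSet = { subject: zone, altnames: [zone, '*.' + zone], challenge: 'dns-01' };

  // The zone apex or its wildcard: one cert covering both, validated over dns-01.
  if (name === zone || name === '*.' + zone) return wildSet;

  // A direct subdomain of our zone is already covered by the wildcard cert;
  // return that set rather than adding the subdomain name to it.
  if (parentZone(name) === zone) return { ...wildSet, coveredByWildcard: true };

  // A customer custom domain gets its own cert, validated over http-01.
  if (store.has(name)) return { subject: name, altnames: [name], challenge: 'http-01' };

  return null;
}

// Build the approved options from the request; null when the name is rejected.
function buildApprovedOpts(opts, zone = WILDCARD_DOMAIN, store = customDomainStore) {
  const set = certSetFor(opts.domain, zone, store);
  if (!set) return null;
  return {
    ...opts,
    domains: set.altnames,
    email: 'hostmaster@mycompany.com', // constructed
    agreeTos: true,
    challenge: set.challenge, // informational: which validation method fits this set
  };
}

// The hook itself: reject with an error so issuance does not proceed.
async function approveDomains(opts) {
  const approved = buildApprovedOpts(opts);
  if (!approved) throw new Error('domain not valid for cert: ' + opts.domain);
  return approved;
}
```

The parent-zone comparison is an exact match on the label boundary rather than an `endsWith` check, so `notmycompany.com` or `mycompany.com.evil.example` never map onto the wildcard set, and a second-level name such as `deep.sub.mycompany.com` is rejected because the wildcard does not cover it.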
Owner

And you are using greenlock-sequelize-store, correct?

Author

I'm not using greenlock-sequelize-store at all. I think this actually sheds light on #3 as well.

I wish I could get your professional services on this...but the project I'm working on is fully bootstrapped and the straps came off as getting tight on cash and had to let go of the frontend dev as well. Startups 🙄

What's the actual advantage of greenlock-sequelize-store over the fs one?

Owner

Hey Gezim, I'm sorry I dropped the ball on this.

Did you get things sorted out?

I'm just about to publish v3 in which there is no longer any approveDomains. Instead there is a management plugin that's a lot simpler to use.

Docs are forthcoming...

Owner

Here's some related documentation for v3 (I'll need to add this to the new official readme as well):

Greenlock v3 prefers challenges in this order:

  • http-01
  • tls-alpn-01
  • dns-01

It will only use dns-01 for wildcard domains unless it is the only option.

If there is a group of domains that are completely private or local domains, the dns-01 plugin must be set for that group as the only option, like this:

```js
greenlock.manager.set({
  subject: 'example.com',
  challenges: {
    'dns-01': { module: 'acme-dns-01-whatever', someOption: 'foobar' }
  }
});
```

This new priority behavior seems to make the most sense with what is required and what can be used (and which is the fastest, most efficient).

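The priority rule described above, modelled as an added example that is not greenlock's own code: given the challenges configured for a group of names, it prefers http-01, then tls-alpn-01, then dns-01, uses dns-01 for any wildcard name, and picks dns-01 for a non-wildcard name only when it is the sole option (the private/local-domain case). The sample groups, the `acme-http-01-standalone` module reference and the `planGroup`/`selectChallenge` helper names are assumptions made for the example.

```javascript
// Added example, not greenlock's code: a model of the v3 challenge-selection
// policy. Sample groups and module names are constructed.

const CHALLENGE_PRIORITY = ['http-01', 'tls-alpn-01', 'dns-01'];

// Constructed sample of per-subject settings of the kind manager.set() takes.
const sampleGroups = [
  {
    subject: 'example.com',
    altnames: ['example.com', 'www.example.com', '*.example.com'],
    challenges: {
      'http-01': { module: 'acme-http-01-standalone' },
      'dns-01': { module: 'acme-dns-01-whatever', someOption: 'foobar' },
    },
  },
  {
    // private/local names: dns-01 must be the only option
    subject: 'intranet.local',
    altnames: ['intranet.local', 'git.intranet.local'],
    challenges: {
      'dns-01': { module: 'acme-dns-01-whatever', someOption: 'foobar' },
    },
  },
];

function isWildcard(name) {
  return name.startsWith('*.');
}

// Pick the challenge type for one name given the group's configured challenges.
// Throws when nothing usable is configured, so a misconfiguration fails loudly
// instead of silently falling back to a method the name cannot satisfy.
function selectChallenge(name, challenges) {
  const available = CHALLENGE_PRIORITY.filter(t => challenges && challenges[t]);
  if (available.length === 0) {
    throw new Error('no challenge configured for ' + name);
  }
  if (isWildcard(name)) {
    // Only dns-01 can validate a wildcard name.
    if (!challenges['dns-01']) throw new Error('wildcard ' + name + ' requires dns-01');
    return 'dns-01';
  }
  // First configured method in priority order; dns-01 is last, so it is
  // chosen for a non-wildcard name only when it is the sole option.
  return available[0];
}

// Map every altname in a group to the challenge that will be used for it.
function planGroup(group) {
  const plan = {};
  for (const name of group.altnames) {
    plan[name] = selectChallenge(name, group.challenges);
  }
  return plan;
}

function planAll(groups = sampleGroups) {
  return groups.map(g => ({ subject: g.subject, plan: planGroup(g) }));
}
```

Running `planAll()` against the constructed groups yields http-01 for `www.example.com`, dns-01 for `*.example.com`, and dns-01 for the `intranet.local` names, while a wildcard in a group that configures only http-01 is reported as an error rather than attempted.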
Reference: root/greenlock-express.js#2