SNI cached incorrectly for wildcard domains (w/ fix) #74
When a request for e.g. x.example.com under a *.example.com + example.com certificate is made, greenlock-express will:

['x.example.com'] = { secureContext: { _valid: false } }
['*.example.com'] = correctContext
['example.com'] = correctContext

It notably won't ever cache the correct context for x.example.com, so every following request to x.example.com will fail.

I wrote a quick fix here: a05b702e66

(No PR because I can't find contributing guidelines and I don't know what branch to PR into. Feel free to take this code or write your own solution! I think there may be deeper potential issues here to address.)
It took me hours to find this bug! Some search terms to help anyone else encountering this: PR_END_OF_FILE_ERROR. Chrome would show ERR_CONNECTION_CLOSED. ClientHello, then the TCP connection suddenly closing on both sides.

@Corecii Thank you very much for this defect report. To add some additional details, I am seeing similar behavior. Using the stock greenlock code, I can get it working with the following:
I believe your solution is much more stable @Corecii.
Thanks for the report and the workaround.
Hmm... I think what should happen is that the domain should be queried by both its proper and wildcard names:
['x.example.com', '*.example.com']
Perhaps the cache is getting in the way of that because it's having a valid, invalid cache hit on the incorrect name.
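As an added illustration (not greenlock's own code): a minimal model of the cache behaviour @Corecii describes, beside the lookup order suggested here (exact name first, then the wildcard name). The cache shape, context objects and hostnames are constructed for the example.

```javascript
// Constructed sample cache: the server only holds a certificate covering
// *.example.com and example.com, as in the report above.
const correctContext = { secureContext: { _valid: true, cert: 'wildcard-cert (constructed)' } };
const INVALID = { secureContext: { _valid: false } };

function freshCache() {
  return { '*.example.com': correctContext, 'example.com': correctContext };
}

// Names to try for an SNI hostname: the exact (lower-cased) name, then the
// wildcard for its parent. Only one label is replaced, matching how TLS
// wildcards match: *.example.com covers x.example.com but not a.x.example.com.
function candidateNames(servername) {
  const labels = servername.toLowerCase().split('.');
  const names = [labels.join('.')];
  if (labels.length > 2) names.push('*.' + labels.slice(1).join('.'));
  return names;
}

// Model of the reported behaviour: a miss on the exact name is stored as an
// invalid context under that name, so the wildcard entry is never consulted
// and every later ClientHello for x.example.com is answered with it.
function buggyLookup(cache, servername) {
  if (!cache[servername]) cache[servername] = INVALID;
  return cache[servername];
}

// Lookup order suggested in the thread: query both the proper and the wildcard
// name, and store only a positive result under the requested hostname.
function fixedLookup(cache, servername) {
  const names = candidateNames(servername);
  for (const name of names) {
    const ctx = cache[name];
    if (ctx && ctx.secureContext._valid) {
      cache[names[0]] = ctx;
      return ctx;
    }
  }
  return INVALID; // genuine miss: not cached, so a later successful order can fill it
}

function demo() {
  const buggy = freshCache();
  buggyLookup(buggy, 'x.example.com');
  const fixed = freshCache();
  fixedLookup(fixed, 'x.example.com');
  console.log('buggy cache valid:', buggy['x.example.com'].secureContext._valid);
  console.log('fixed cache valid:', fixed['x.example.com'].secureContext._valid);
}
demo();
```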
Yep, I'm having the exact same behavior as @timfulmer. But like you said, at renew time we get the error, plus since I'm using Docker the certificate reloads on each new deployment, so it's kind of impossible to handle it.
The solution of @Corecii works perfectly for me, and the site config is just the wildcard with subject and altnames.
I tried multiple ways to make it work without the fix:
subject: *.mydomain.com | altnames ['*.mydomain.com', 'X.mydomain.com']
This returns the Error: [400] Error creating new order :: Domain name "x.mydomain.com" is redundant with a wildcard domain in the same request. Remove one or the other from the certificate request.
subject: mydomain.com | altnames ['*.mydomain.com', 'mydomain.com']
This doesn't give an error, but Chrome shows ERR_CONNECTION_CLOSED.
I also tried to add the altnames via my manager.js in mergeOrCreateSite(), but still get the Error: [400] Error creating new order :: Domain name "x.mydomain.com" is redundant with a wildcard domain in the same request. Remove one or the other from the certificate request.
So far only the @Corecii solution seems to work for me.
@coolaj86, maybe you have a solution for it using manager.js? Because since I'm using a Docker container, I reload the sni.js file from the source.