SNI cached incorrectly for wildcard domains (w/ fix) #74
Reference: root/greenlock-express.js#74
When a request for e.g. x.example.com under a *.example.com + example.com certificate is made, greenlock-express will:

['x.example.com'] = { secureContext: { _valid: false } }
['*.example.com'] = correctContext
['example.com'] = correctContext

It notably won't ever cache the correct context for x.example.com, so every following request to x.example.com will fail.

I wrote a quick fix here: a05b702e66

(No PR because I can't find contributing guidelines and I don't know what branch to PR into. Feel free to take this code or write your own solution! I think there may be deeper potential issues here to address.)

It took me hours to find this bug! Some search terms to help anyone else encountering this: PR_END_OF_FILE_ERROR. Chrome would show ERR_CONNECTION_CLOSED. ClientHello then the TCP connection suddenly closing on both sides.

(Title changed from "SNI cached incorrectly for wildcard domains" to "SNI cached incorrectly for wildcard domains (w/ fix)")

@Corecii Thank you very much for this defect report. To add some additional details, I am seeing similar behavior. Using the stock greenlock code, I can get it working with the following:
I believe your solution is much more stable @Corecii.
Thanks for the report and the workaround.
Hmm... I think what should happen is that the domain should be queried by both its proper and wildcard names:
['x.example.com', '*.example.com']
Perhaps the cache is getting in the way of that because it's having a valid, invalid cache hit on the incorrect name.
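The lookup sketched in the comment above (query the exact name, then its wildcard parent) next to the caching behaviour described in the opening post, as an added illustration that is not greenlock-express code. The certificate store, the `_valid` marker and all hostnames are constructed for the example; `getContextBuggy` models the failure mode reported (the miss on the exact name is cached as an invalid entry and then returned forever, so the TLS handshake has no context and the client sees a closed connection), while `getContextFixed` resolves through the candidate names and never caches a negative result.

```javascript
// Added example, not greenlock-express's sni.js. Names, certificates and the
// `_valid` marker are constructed for illustration.

// Constructed "issued certificate" store: what the ACME order produced.
const ISSUED = {
  '*.example.com': { cert: 'WILDCARD', _valid: true },
  'example.com':   { cert: 'APEX',     _valid: true },
};

// Simulates reading a certificate for exactly this name (null on miss).
function loadCertificate(name) {
  return ISSUED[name] || null;
}

// Most specific name first, then the single-label wildcard that covers it:
// 'x.example.com' -> ['x.example.com', '*.example.com'].
// A wildcard replaces only the leftmost label, so 'a.b.example.com' maps to
// '*.b.example.com', never '*.example.com'.
function candidateNames(servername) {
  const names = [servername];
  const idx = servername.indexOf('.');
  if (idx > 0 && !servername.startsWith('*.')) {
    const parent = servername.slice(idx + 1);
    if (parent.includes('.')) names.push('*.' + parent);   // no '*.com'
  }
  return names;
}

// Models the reported bug: only the exact name is looked up, and the miss is
// cached as an invalid entry, so every later request for that name fails too.
function getContextBuggy(cache, servername) {
  let entry = cache.get(servername);
  if (!entry) {
    entry = loadCertificate(servername) || { secureContext: { _valid: false } };
    cache.set(servername, entry);   // caches the failure under the exact name
  }
  return entry._valid ? entry : null;
}

// Fixed lookup: try the exact name, then its wildcard parent; cache a valid
// context under both the issued name and the requested name; cache nothing on
// a miss so a later issuance (e.g. after renewal) is picked up.
function getContextFixed(cache, servername) {
  const hit = cache.get(servername);
  if (hit && hit._valid) return hit;

  for (const name of candidateNames(servername)) {
    const cached = cache.get(name);
    const ctx = (cached && cached._valid) ? cached : loadCertificate(name);
    if (ctx && ctx._valid) {
      cache.set(name, ctx);
      cache.set(servername, ctx);
      return ctx;
    }
  }
  return null;   // no certificate covers this name; leave the cache untouched
}

// Stand-alone demonstration of both behaviours.
function demo() {
  const buggy = new Map();
  const fixed = new Map();
  return {
    buggyFirst:  getContextBuggy(buggy, 'x.example.com'),   // null
    buggySecond: getContextBuggy(buggy, 'x.example.com'),   // still null
    fixedFirst:  getContextFixed(fixed, 'x.example.com'),   // WILDCARD context
    fixedCached: fixed.get('x.example.com'),                // same object
    fixedApex:   getContextFixed(fixed, 'example.com'),     // APEX context
  };
}
```

Wired into Node's `tls.createServer` this would sit behind an `SNICallback(servername, cb)` that calls `cb(null, ctx.secureContext)` on a hit; on a miss it is the caller's choice whether to fall back to a default context or reject, but the miss must not be written into the cache under the requested name, which is the point the opening post makes.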
Yep, I'm having the exact same behavior as @timfulmer. But like you said, at renew time we get the error, plus since I'm using Docker the certificate reloads on each new deployment, so it's kind of impossible to handle it.
The solution of @Corecii works perfectly for me, and the site config is just the wildcard with subject and altnames.
I tried multiple ways to make it work without the fix:
subject: *.mydomain.com | altnames ['*.mydomain.com', 'X.mydomain.com']
This returns me the Error: [400] Error creating new order :: Domain name "x.mydomain.com" is redundant with a wildcard domain in the same request. Remove one or the other from the certificate request.
subject: mydomain.com | altnames ['*.mydomain.com', 'mydomain.com']
This doesn't get an error, but Chrome shows ERR_CONNECTION_CLOSED.
I also tried to add the altnames via my manager.js in mergeOrCreateSite(), but I still get the Error: [400] Error creating new order :: Domain name "x.mydomain.com" is redundant with a wildcard domain in the same request. Remove one or the other from the certificate request.
So far only the @Corecii solution seems to work for me.
@coolaj86 maybe you have a solution for it using manager.js? Because since I'm using a Docker container, I reload the sni.js file from the source.