
Comments (16)

Cyb3rC3lt avatar Cyb3rC3lt commented on June 10, 2024

Thanks guys, it looks like you at least figured out what may be the issue. So in theory, with proxying off then I should be able to access login.redteaming.org via IP so therefore Certmagic should be able to then create the certs. Hopefully I understand it right.

I'll contact Cloudflare support and will close this for now. Thanks again

from certmagic.

francislavoie avatar francislavoie commented on June 10, 2024

Is 172.67.137.37 your server's IP address? You need to set your domain's A record to your server's IP, not something else.


mholt avatar mholt commented on June 10, 2024

Whatever way it is calling my site I am finding that evilginx can't create certificates for my website.

This seems like the actual problem. What are the errors?

This function may be useful to you for now: https://pkg.go.dev/github.com/caddyserver/certmagic#Config.CacheUnmanagedCertificatePEMFile


Cyb3rC3lt avatar Cyb3rC3lt commented on June 10, 2024

Thanks a lot for the reply Matt, so I have tried a bunch of things, some that make less sense than others but I will show you the config below:

  1. I set an A record on Cloudflare to point to the subdomain I want to get a cert for, which is login.redteaming.org, but I set it to one of the Cloudflare nameservers.

     image

     And I get this error:

     image

  2. I then update that same record in Cloudflare to the IP that my website is meant to have when you look it up, which is 172.67.137.37, and I get the below error. My hunch though in this case is that it does that as Cloudflare doesn't allow you to reference a domain via IP, so maybe certmagic comes across the Cloudflare error page "Error 1003 Direct IP access not allowed" when you put that IP into a browser.

     image

So the way I manually created them was to run this command which gave me the .pem files by adding a TXT code into Cloudflare.

sudo certbot certonly -d login.redteaming.org --register-unsafely-without-email --agree-tos --preferred-challenges dns --manual -v

These then imported fine into Kali but evilginx can't see them as they aren't in certmagic:

image

So that's where I am stuck. Happy to say I am no DNS expert so maybe I am missing something basic and I know some of what I tried may make no sense but I was clutching at straws.

Thanks


francislavoie avatar francislavoie commented on June 10, 2024

$ curl -v http://login.redteaming.org

I see Cloudflare handling the request here. Are you sure you disabled Cloudflare proxying?


Cyb3rC3lt avatar Cyb3rC3lt commented on June 10, 2024

Yeah, the proxying is off currently. Just left it as per below.

Screenshot_20240108-205953


mholt avatar mholt commented on June 10, 2024

I also see Cloudflare when I access that domain. If orange cloud is truly off, then I should access the site directly.

I would maybe contact Cloudflare support (or their forums) and see why proxying doesn't appear to be disabled even with the orange cloud off. (I'm not very familiar with their services.)


Cyb3rC3lt avatar Cyb3rC3lt commented on June 10, 2024

So looking it up, Francis, I notice 2 are mentioned on some sites, but I think the 172 one was the one I see referenced most often.

There were no A records pointing to either of them on Cloudflare until I added 1 to try to create certs. 4 other A records pointed to the Cloudflare nameservers, I believe.

IP results:

https://www.nslookup.io/domains/redteaming.org/webservers/

Screenshot_20240108-214958


mholt avatar mholt commented on June 10, 2024

Wait, why point A records to Cloudflare's nameservers? Was that intentional?


Cyb3rC3lt avatar Cyb3rC3lt commented on June 10, 2024

I think that was a mistake now. I assumed that was the IP, but looking back I should have been hunting for the IP before I ever moved to Cloudflare! My site is hosted at GitHub Pages, so it's https://Cyb3rC3lt.github.io, so according to this site (https://www.site24x7.com/tools/find-ip-address-of-web-site.html) my IP is 185.199.110.153:

So maybe that is the one that is meant to go into the A record! Weirdly, putting only that IP into a browser doesn't take me to the site, unlike using https://Cyb3rC3lt.github.io

Screenshot_20240108-223322


francislavoie avatar francislavoie commented on June 10, 2024

185.199.110.153 is GitHub's IP, not your server's.

What IP does your server have? Can't you SSH into your server? How do you access your server?


Cyb3rC3lt avatar Cyb3rC3lt commented on June 10, 2024

All I do to publish my webpages is push to the GitHub repository that holds my site. You can see the site contents here:

https://github.com/Cyb3rC3lt/Cyb3rC3lt.github.io

So I don't SSH into anything. Which server my GitHub repository stores the data on, or its IP, is unknown to me unfortunately.


francislavoie avatar francislavoie commented on June 10, 2024

I don't understand what you're trying to do here. You can't get a certificate using the ACME HTTP or TLS-ALPN challenge if your domain isn't pointing to the IP address of your server. You'd need to use the DNS challenge.

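The rule francislavoie states above (HTTP-01 and TLS-ALPN-01 only work when the name actually resolves to the server running the ACME client; otherwise DNS-01 is the remaining option) can be checked before an issuance attempt is made. The following Go program is an added example written for this page, not code from certmagic or from the project being discussed. It resolves a hostname, compares every answer with the addresses the local host holds, and reports which challenge types are viable; the `Assess` function is pure so the decision logic can be exercised with constructed addresses, and the documentation-range IPs used in the comments are constructed samples.

```go
package main

import (
	"context"
	"fmt"
	"net"
	"os"
	"time"
)

// ChallengeReport summarises whether the ACME HTTP-01 / TLS-ALPN-01
// challenges can succeed for a name, given what the name resolves to
// and which addresses this server actually listens on.
type ChallengeReport struct {
	Domain       string
	Resolved     []net.IP
	Foreign      []net.IP // answers that do not belong to this server
	HTTPOrALPNOK bool     // true only if every answer is one of ours
	DNS01OK      bool     // always possible when you control the zone
	Reason       string
}

// Assess applies the rule from the thread: HTTP-01 and TLS-ALPN-01 can
// only be validated at the host the name points to. If any answer points
// at a third party (a CDN edge, a shared static host such as GitHub
// Pages), the CA may connect there instead of to us, so only DNS-01 is
// left. serverIPs are the addresses this host holds; resolved are the
// A/AAAA answers for domain.
func Assess(domain string, serverIPs, resolved []net.IP) ChallengeReport {
	r := ChallengeReport{Domain: domain, Resolved: resolved, DNS01OK: true}
	if len(resolved) == 0 {
		r.Reason = "no A/AAAA records: add a record pointing at this server, or use DNS-01"
		return r
	}
	ours := make(map[string]bool, len(serverIPs))
	for _, ip := range serverIPs {
		ours[ip.String()] = true // String() normalises v4-in-v6 forms
	}
	for _, ip := range resolved {
		if !ours[ip.String()] {
			r.Foreign = append(r.Foreign, ip)
		}
	}
	if len(r.Foreign) == 0 {
		r.HTTPOrALPNOK = true
		r.Reason = "all records point at this server: HTTP-01 or TLS-ALPN-01 can validate"
		return r
	}
	r.Reason = fmt.Sprintf("%d record(s) point elsewhere %v: the CA would reach a different host; fix the records or use DNS-01",
		len(r.Foreign), r.Foreign)
	return r
}

// localAddrs lists the non-loopback unicast addresses of this host.
func localAddrs() ([]net.IP, error) {
	addrs, err := net.InterfaceAddrs()
	if err != nil {
		return nil, err
	}
	var out []net.IP
	for _, a := range addrs {
		if ipn, ok := a.(*net.IPNet); ok && !ipn.IP.IsLoopback() && ipn.IP.IsGlobalUnicast() {
			out = append(out, ipn.IP)
		}
	}
	return out, nil
}

func main() {
	if len(os.Args) != 2 {
		fmt.Fprintln(os.Stderr, "usage: acme-preflight <hostname>")
		os.Exit(2)
	}
	domain := os.Args[1]
	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
	defer cancel()
	resolved, err := net.DefaultResolver.LookupIP(ctx, "ip", domain)
	if err != nil {
		fmt.Fprintf(os.Stderr, "lookup %s: %v\n", domain, err)
	}
	mine, err := localAddrs()
	if err != nil {
		fmt.Fprintf(os.Stderr, "local addresses: %v\n", err)
		os.Exit(1)
	}
	r := Assess(domain, mine, resolved)
	fmt.Printf("%s resolves to %v\nthis host has %v\n%s\n", domain, r.Resolved, mine, r.Reason)
	if !r.HTTPOrALPNOK {
		os.Exit(1)
	}
}
```

Run it on the server that will answer the challenge (`go run . login.example.test`); a non-zero exit with the reason printed is the signal to either correct the A/AAAA records or switch the issuer to DNS-01. Note that a record pointing at a proxy or CDN in front of the server fails this check on purpose: the CA's HTTP-01 request would terminate at the proxy, which is exactly the symptom seen earlier in this thread.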

mholt avatar mholt commented on June 10, 2024

So, I think you actually just want a custom domain for your GitHub pages site?

Have you followed these docs? https://docs.github.com/en/pages/configuring-a-custom-domain-for-your-github-pages-site


Cyb3rC3lt avatar Cyb3rC3lt commented on June 10, 2024

Thanks guys, so to answer your questions.

Yes, I followed the custom domain route of GitHub. Most people use the domain provided, which in my case is http://Cyb3rC3lt.github.io, but I implemented a custom domain, which allowed me to make that redteaming.org.

@francislavoie I think you are right. I hadn't really thought about the fact that I think my site doesn't have a single IP. I think it sits on a GitHub server with 1000s of other sites, but some translation occurs to link to mine when requested.

I guess that's why I used the TXT record to get it working with Let's Encrypt. I think DNS is the way to go, but even if certmagic can do that, I'm not sure the evilginx implementation uses it but instead looks for an A record.

I guess that brings me back full circle to see if you guys have any simple Go import file to import pem files into certmagic using 'CacheUnmanagedCertificatePEMFile' which will do as a workaround? I'm not a Go dev but I could run something passing an existing key and cert path into it just to get them into cache.

Or actually, a simple little Go file to create the certs fresh via DNS would work also. Maybe like a test harness file you guys might have lying around.

Thanks again


mholt avatar mholt commented on June 10, 2024

I don't fully understand though: if you are using a custom domain for your GitHub Pages site, you don't need to run a server at all: https://docs.github.com/en/pages/getting-started-with-github-pages/securing-your-github-pages-site-with-https

GitHub will get the cert for you...
