dylanpiercey / auto-sni Goto Github PK

Hey Dylan,

my certificates are not getting updated. Am I right that since the big update, there is no well-known endpoint anymore?

There is no documentation about where are the certificates and key stored.

I have some issues getting auto-sni to work with Restify. I've followed your example, but was only able to make it work by changing your index.js Line 103 from

// Let request through to provided https-server.
httpsServer.emit('request', req, res)

to

// Let request through to provided https-server.
httpsServer.server.emit('request', req, res)

After this I can get Restify to work using forceSSL = false. As soon as I change it to true though, all my requests get dropped in nirvana and the server responds with an unexpectedly closed connection. No amount of debugging could get me the exact point at where my connections are dropped. I can't even reach the SNICallback or handleChallenge. I can see you're passing SNICallback to createServer, but I can't seem to figure out how Restify (or node's https for that matter) is using it.

It'd be really great if you could help me out!

Hi,

I'm trying to use auto-sni inside of a docker container node app.
Problem is, any time I restart the container, new certificates are requested. After a few restarts, I soon hit the LE rate limits.

Looking at the source, I think the certificates and other files are stored in the module's 'static' directory. Is that correct? If so, would it be possible to pass in an option to specify another directory? That way I can run the container with a volume mounted so that the files in static are persisted across container restarts.

Any info appreciated.

Thanks

This is the error I get:

D:\SOMEPROJECT\node_modules\auto-sni\lib\index.js:54
    .once('close', httpServer.close.bind(httpServer))
                             ^
TypeError: Cannot read property 'close' of undefined

That's what my server.js looks like:

var express = require('express');
var createServer = require("auto-sni");


var app = express();

app.get('/', function (req, res) {
       //SOME ACTION
});

createServer({ 
    email: "EMAIL", 
    agreeTos: true,
    debug: true,
    ports: {
        http: 8000, 
        https: 8443
    }
}, app);

What am I doing wrong here?

it looks like we using cert.pem as cert
but we have to use fullchain.pem to fix the "invalid CA issue"

Auto-sni uses ursa (https://github.com/quartzjer/ursa).

When Installing on windows I got this error message:

C:\Users\alex\ae_api\node_modules\ursa>if not defined npm_config_node_gyp (node "C:\Program Files\nodejs\node_modules\npm\bin\node-gyp-bin\\..\..\node_modules\node-gyp\bin\node-gyp.js" rebuild )
 else (node "" rebuild )
Building the projects in this solution one at a time. To enable parallel build, please add the "/m" switch.
  ursaNative.cc
..\src\ursaNative.cc(157): warning C4244: 'argument' : conversion from 'ssize_t' to 'int', possible loss of data [C:\Users\alex\ae_api\node_modules\ursa\build\ursaNative.vcxproj]
..\src\ursaNative.cc(172): warning C4244: 'argument' : conversion from 'ssize_t' to 'int', possible loss of data [C:\Users\alex\ae_api\node_modules\ursa\build\ursaNative.vcxproj]
..\src\ursaNative.cc(378): warning C4267: 'initializing' : conversion from 'size_t' to 'int', possible loss of data [C:\Users\alex\ae_api\node_modules\ursa\build\ursaNative.vcxproj]
..\src\ursaNative.cc(379): warning C4267: 'initializing' : conversion from 'size_t' to 'int', possible loss of data [C:\Users\alex\ae_api\node_modules\ursa\build\ursaNative.vcxproj]
..\src\ursaNative.cc(686): warning C4267: 'argument' : conversion from 'size_t' to 'int', possible loss of data [C:\Users\alex\ae_api\node_modules\ursa\build\ursaNative.vcxproj]
..\src\ursaNative.cc(734): warning C4267: 'argument' : conversion from 'size_t' to 'int', possible loss of data [C:\Users\alex\ae_api\node_modules\ursa\build\ursaNative.vcxproj]
..\src\ursaNative.cc(779): warning C4267: 'argument' : conversion from 'size_t' to 'int', possible loss of data [C:\Users\alex\ae_api\node_modules\ursa\build\ursaNative.vcxproj]
..\src\ursaNative.cc(826): warning C4267: 'argument' : conversion from 'size_t' to 'int', possible loss of data [C:\Users\alex\ae_api\node_modules\ursa\build\ursaNative.vcxproj]
..\src\ursaNative.cc(945): warning C4267: 'argument' : conversion from 'size_t' to 'unsigned int', possible loss of data [C:\Users\alex\ae_api\node_modules\ursa\build\ursaNative.vcxproj]
..\src\ursaNative.cc(1003): warning C4267: 'argument' : conversion from 'size_t' to 'unsigned int', possible loss of data [C:\Users\alex\ae_api\node_modules\ursa\build\ursaNative.vcxproj]
  win_delay_load_hook.c
LINK : fatal error LNK1181: cannot open input file 'C:\OpenSSL-Win64\lib\libeay32.lib' [C:\Users\alex\ae_api\node_modules\ursa\build\ursaNative.vcxproj]
gyp ERR! build error
gyp ERR! stack Error: `C:\Program Files (x86)\MSBuild\12.0\bin\msbuild.exe` failed with exit code: 1
gyp ERR! stack     at ChildProcess.onExit (C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\lib\build.js:276:23)
gyp ERR! stack     at emitTwo (events.js:106:13)
gyp ERR! stack     at ChildProcess.emit (events.js:191:7)
gyp ERR! stack     at Process.ChildProcess._handle.onexit (internal/child_process.js:204:12)
gyp ERR! System Windows_NT 10.0.10586
gyp ERR! command "C:\\Program Files\\nodejs\\node.exe" "C:\\Program Files\\nodejs\\node_modules\\npm\\node_modules\\node-gyp\\bin\\node-gyp.js" "rebuild"
gyp ERR! cwd C:\Users\alex\ae_api\node_modules\ursa
gyp ERR! node -v v6.2.1
gyp ERR! node-gyp -v v3.3.1
gyp ERR! not ok
npm WARN install:[email protected] [email protected] install: `node-gyp rebuild`
npm WARN install:[email protected] Exit status 1
[email protected] C:\Users\alex\ae_api
`-- [email protected]  extraneous

When checking ursa I found this information in their readme: https://github.com/quartzjer/ursa#windows-install.

So on Windows, you need to install some dependencies first.

It would be helpful for the next windows users to find this information in auto-sni's readme before trying to install auto-sni.

Here is the error produced when trying to run my node server:

html/live_nodejs/node_modules/auto-sni/node_modules/mz/node_modules/any-promise/register.js:61
    throw new Error('Cannot find any-promise implementation nor'+
          ^
Error: Cannot find any-promise implementation nor global.Promise. You must install polypill or call require("any-promise/register") with your preferred implementation, e.g. require("any-promise/register")("bluebird") on application load prior to any require("any-promise").
    at register (/var/www/html/live_nodejs/node_modules/auto-sni/node_modules/mz/node_modules/any-promise/register.js:61:11)
    at Object.<anonymous> (/var/www/html/live_nodejs/node_modules/auto-sni/node_modules/mz/node_modules/any-promise/index.js:1:101)
    at Module._compile (module.js:456:26)
    at Object.Module._extensions..js (module.js:474:10)
    at Module.load (module.js:356:32)
    at Function.Module._load (module.js:312:12)
    at Module.require (module.js:364:17)
    at require (module.js:380:17)
    at Object.<anonymous> (/var/www/html/live_nodejs/node_modules/auto-sni/node_modules/mz/fs.js:2:15)
    at Module._compile (module.js:456:26)

And here is index.js:

var createServer = require("auto-sin");

var server = createServer({
    email: "[email protected]", // Emailed when certificates expire.
    agreeTos: true, // Required for lets encrypt
    debug: true, // Add console messages and uses staging LetsEncrypt server. (Disable in production)
    domains: ["www.test.com", "test.com"], // Optional list of allowed domains (uses pathtoregexp)
    forceSSL: true, // Make this false to disable auto http->https redirects (default true).
    ports: {
        https: 9000 // // Optionally override the default https port.
    }
});

server.listen(9000);
// Server is a "https.createServer" instance.
server.once("listening", function() {
    console.log("We are ready to go.");
});

```.

See this article: https://community.letsencrypt.org/t/2018-01-11-update-regarding-acme-tls-sni-and-shared-hosting-infrastructure/50188

Hey Dylan, I just wanted to make you aware that I published a new version of letsencrypt (v1.0.8). It fixes a bug where the registerAsync would return before registration was complete and a bug in the pyconf parser/stringifier.

I don't think anything should have broken, but please let me know if you have any issues with it.

Just a heads up:

I just published a new version of letsencrypt - v1.5.0

(also a new version of letiny-core v2.0.0 and a new dependency rsa-compat - all to fix various bugs)

There shouldn't be any breaking changes to the API, but it does require a shim for the new Buffer methods that aren't implemented in older version of node.

Let me know if you have any problems or if I can answer any questions.

i believe this is a great repo if it is really working.
Can you please take a look with the error that i got??

Thank you.

Error: ENOENT: no such file or directory, open '/root/letsencrypt/etc/live/www.ABC.com/privkey.pem'

at Error (native)

[LE] register
[NLE]: begin registration
[le/core.js] try email
[le/core.js] create account
[le/core.js] created account
[le/core.js] privkeyPath /root/letsencrypt/etc/live/www.ABC.com/privkey.pem
[le/core.js] domainKeyPath: undefined
AutoSNI LetsEncrypt Error: TypeError: Path must be a string. Received undefined
at assertPath (path.js:7:11)
at Object.dirname (path.js:1326:5)
at /root/my-debian/Node_server/node_modules/letsencrypt/lib/core.js:274:31
at tryCatcher (/root/my-debian/Node_server/node_modules/bluebird/js/release/util.js:16:23)
at Promise._settlePromiseFromHandler (/root/my-debian/Node_server/node_modules/bluebird/js/release/promise.js:504:31)
at Promise._settlePromise (/root/my-debian/Node_server/node_modules/bluebird/js/release/promise.js:561:18)
at Promise._settlePromiseCtx (/root/my-debian/Node_server/node_modules/bluebird/js/release/promise.js:598:10)
at Async._drainQueue (/root/my-debian/Node_server/node_modules/bluebird/js/release/async.js:143:12)
at Async._drainQueues (/root/my-debian/Node_server/node_modules/bluebird/js/release/async.js:148:10)
at Immediate.Async.drainQueues (/root/my-debian/Node_server/node_modules/bluebird/js/release/async.js:17:14)
at runCallback (timers.js:574:20)
at tryOnImmediate (timers.js:554:5)
at processImmediate as _immediateCallback
Will fall back to self signed certificate.

//server.js

var httpPort = 80;
var httpsPort = 443;

createServer({
email: '[email protected]', // Emailed when certificates expire.
agreeTos: true, // Required for letsencrypt.
debug: true, // Add console messages and uses staging LetsEncrypt server. (Disable in production)
domains: ["ABC.com", "test.ABC.com", "www.ABC.com"], // List of accepted domain names. (You can use nested arrays to register bundles with LE).
forceSSL: true, // Make this false to disable auto http->https redirects (default true).
redirectCode: 301, // If forceSSL is true, decide if redirect should be 301 (permanent) or 302 (temporary). Defaults to 302
ports: {
http: httpPort, // Optionally override the default http port.
https: httpsPort // // Optionally override the default https port.
}
} ,app);

I have a domain called example.com. I'd like to have a certificate for both www.example.com and example.com.

I'm trying to set the domains property in the options of auto-sni like this:
domains: ["example.com", "www.example.com"], but it doesn't work and i have no error messages.

What am i doing wrong?

I am getting this strange messages with auto-sni and express.

with debug=true

This Let's Encrypt / ACME server has been updated with urls that this client doesn't understand
{ 'key-change': 'https://acme-staging.api.letsencrypt.org/acme/key-change',
  'new-authz': 'https://acme-staging.api.letsencrypt.org/acme/new-authz',
  'new-cert': 'https://acme-staging.api.letsencrypt.org/acme/new-cert',
  'new-reg': 'https://acme-staging.api.letsencrypt.org/acme/new-reg',
  'revoke-cert': 'https://acme-staging.api.letsencrypt.org/acme/revoke-cert' }

with debug=false:

This Let's Encrypt / ACME server has been updated with urls that this client doesn't understand
{ 'key-change': 'https://acme-v01.api.letsencrypt.org/acme/key-change',
  'new-authz': 'https://acme-v01.api.letsencrypt.org/acme/new-authz',
  'new-cert': 'https://acme-v01.api.letsencrypt.org/acme/new-cert',
  'new-reg': 'https://acme-v01.api.letsencrypt.org/acme/new-reg',
  'revoke-cert': 'https://acme-v01.api.letsencrypt.org/acme/revoke-cert' }

The debug=false certificates do work!! So it is not an error, but rather a warning message.
Perhaps a redirect message? I think this log entries are confusing, and should not appear when everything is working.

version 2.1.1 throws error as:
le.challenges[tls-sni-01].loopback should be defined as function (opts, domain, token, cb) { ... } and should prove (by external means) that the ACME server challenge 'tls-sni-01' will succeed

However, version 1.5.1 working fine.

using: nodejs, npm, express as:

let server = createServer({
  email: '[email protected]',
  agreeTos: true,
  debug: false,
  domains: [ ['abc.com', 'www.abc.com'] ], // i use nested array
  ports: {
    http: 8080, 
    https:8443 
  }
}, app);

Even with the following settings I seem to keep getting the self-signed certificate from "Fake LE Intermediate X1"

createServer({
email: "[email protected]",
agreeTos: true,
debug: false,
domains: ["enkarma.co.uk"],
forceSSL: true,
ports: {
http: 80,
https: 443
}
}, app);

Is setting debug: false not sufficient? Thanks in advance for your help.

Is this possible?

Hi,

I've received emails saying that my cert is going to expire, I thought this was supposed to auto-renew? I searched for 'renewal' on this Git site but didn't get any results. Can you give me some guidance on looking into this further, unsure of what to do...

Thank you!

Mark

Hello again Dylan,

Just wanted to let you know that greenlock has been updated for Let's Encrypt v2: v2.2

There's a new option version that's required since the ACME api doesn't have built-in versioning.

I've tried to clean the docs up quite a bit, so hopefully it's very clear:

https://git.coolaj86.com/coolaj86/greenlock-express.js

Is it possible to use auto-sni to dynamically generate SSL certificates? For example, I want to have a proxy server that receives incoming requests from clients and creates an SSL cert for them before redirecting them to my backend servers. Can auto-sni do this?

Probably a stupid question.

Any idea or steps to make this work under AWS elastic beanstalk environment?

how would this work if you use nginx as a reverse proxy ?

what would the nginx configuration look like?

Hi,

I'm running auto-sni on my node.js server in ubuntu on a digital ocean vps with the code below. It works fine for http, but when going to https I get a certificate error shown here:

Certificate Error
There are issues with the site's certificate chain (net::ERR_CERT_AUTHORITY_INVALID).

I'm not sure what's wrong...

Thank you,

Mark

`var createServer = require("auto-sni");
var express = require("express");
var app = express();

app.get("/test", function (req, res) {
res.end('Hello, World!123');
});

createServer({
email: "[email protected]",
server: 'https://acme-v01.api.letsencrypt.org/directory',
agreeTos: true,
debug: true, // Add console messages and uses staging LetsEncrypt server. (Disable in production)
domains: ["traqify.com"], // List of accepted domain names. (You can use nested arrays to register bundles with LE).
forceSSL: false, // Make this false to disable auto http->https redirects (default true).
redirectCode: 301, // If forceSSL is true, decide if redirect should be 301 (permanent) or 302 (temporary). Defaults to 302
ports: {
http: 80, // Optionally override the default http port.
https: 443 // Optionally override the default https port.
} }, app);
`

In the readme you say to run the following command to give Node access to ports 80 and 443:

sudo setcap cap_net_bind_service=+ep $(which node)

I am a linux noob so node does not mean anything go me.

Here come the questions:

• What is a node?
• how do I know which node I have to refer to?
• do the $() characters have to be written or is this a placeholder for the node name?

When I install the module, I get the following warning: �[email protected]: letsencrypt has been renamed to greenlock. Please find it at npm greenlock

Any plans to update this?

Like your idea but I have my own http server instance, could I use your module to only manage certificates? And preferably only a subset of them, the ones obtained through let's encrypt.

Everything was working dandy and I was optimizing how to config our app. Something when wrong and I no longer get error messages.

This is what curl returns

    curl -kv https://localhost:8443
    * Rebuilt URL to: https://localhost:8443/
    *   Trying ::1...
    * Connected to localhost (::1) port 8443 (#0)
    * SSL peer handshake failed, the server most likely requires a client certificate to connect
    * Closing connection 0
    curl: (35) SSL peer handshake failed, the server most likely requires a client certificate to connect

my current config:

    secureServer = createServer({
      email: config.LETSENCRYPT_ISSUES_EMAIL, // Emailed when certificates expire.
      agreeTos: true, // Required for letsencrypt.
      debug: true, // Add console messages and uses staging LetsEncrypt server. (Disable in production)
      domains: [["localhost","www.localhost"]], // List of accepted domain names. (You can use nested arrays to register bundles with LE).
      forceSSL: true, // Make this false to disable auto http->https redirects (default true).
      redirectCode: 301, // If forceSSL is true, decide if redirect should be 301 (permanent) or 302 (temporary). Defaults to 302
      ports: {
        http: 8080, // Optionally override the default http port.
        https: 8443 // Optionally override the default https port.
      }
    }, app);

No errors on the console. How do I see what the error is?

Hi guys, when i start my server, print this error.

Ubuntu 16 on AWS, i install certbot, and execute server with sudo node ...

I am using ports 8080 http and 8443 https.

[DEBUG le/lib/core.js] registeryAsync err
Error: The CA was unable to validate the file you provisioned.

• https://acme-v01.api.letsencrypt.org/acme/challenge/41VhzyM9Exs9wOZwCtk4KdXis544vHkRvXBSkuSXIx8/342072617 [pending]
• https://acme-v01.api.letsencrypt.org/acme/challenge/41VhzyM9Exs9wOZwCtk4KdXis544vHkRvXBSkuSXIx8/342072618 [pending]
• https://acme-v01.api.letsencrypt.org/acme/challenge/41VhzyM9Exs9wOZwCtk4KdXis544vHkRvXBSkuSXIx8/342072619 [invalid]
  Could not connect to api.nfebot.com.br
  at handleErr (/home/ubuntu/nf-ebot-api/node_modules/letiny-core/lib/get-certificate.js:345:17)
  at ensureValidation (/home/ubuntu/nf-ebot-api/node_modules/letiny-core/lib/get-certificate.js:220:16)
  at Request._callback (/home/ubuntu/nf-ebot-api/node_modules/letiny-core/lib/get-certificate.js:202:13)
  at Request.self.callback (/home/ubuntu/nf-ebot-api/node_modules/request/request.js:186:22)
  at emitTwo (events.js:106:13)
  at Request.emit (events.js:191:7)
  at Request. (/home/ubuntu/nf-ebot-api/node_modules/request/request.js:1081:10)
  at emitOne (events.js:96:13)
  at Request.emit (events.js:188:7)
  at IncomingMessage. (/home/ubuntu/nf-ebot-api/node_modules/request/request.js:1001:12)
  at IncomingMessage.g (events.js:292:16)
  at emitNone (events.js:91:20)
  at IncomingMessage.emit (events.js:185:7)
  at endReadableNT (_stream_readable.js:974:12)
  at _combinedTickCallback (internal/process/next_tick.js:74:11)
  at process._tickDomainCallback (internal/process/next_tick.js:122:9)
  AutoSNI LetsEncrypt Error: { Error: The CA was unable to validate the file you provisioned.
• https://acme-v01.api.letsencrypt.org/acme/challenge/41VhzyM9Exs9wOZwCtk4KdXis544vHkRvXBSkuSXIx8/342072617 [pending]
• https://acme-v01.api.letsencrypt.org/acme/challenge/41VhzyM9Exs9wOZwCtk4KdXis544vHkRvXBSkuSXIx8/342072618 [pending]
• https://acme-v01.api.letsencrypt.org/acme/challenge/41VhzyM9Exs9wOZwCtk4KdXis544vHkRvXBSkuSXIx8/342072619 [invalid]
  Could not connect to api.nfebot.com.br
  at handleErr (/home/ubuntu/nf-ebot-api/node_modules/letiny-core/lib/get-certificate.js:345:17)
  at ensureValidation (/home/ubuntu/nf-ebot-api/node_modules/letiny-core/lib/get-certificate.js:220:16)
  at Request._callback (/home/ubuntu/nf-ebot-api/node_modules/letiny-core/lib/get-certificate.js:202:13)
  at Request.self.callback (/home/ubuntu/nf-ebot-api/node_modules/request/request.js:186:22)
  at emitTwo (events.js:106:13)
  at Request.emit (events.js:191:7)
  at Request. (/home/ubuntu/nf-ebot-api/node_modules/request/request.js:1081:10)
  at emitOne (events.js:96:13)
  at Request.emit (events.js:188:7)
  at IncomingMessage. (/home/ubuntu/nf-ebot-api/node_modules/request/request.js:1001:12)
  at IncomingMessage.g (events.js:292:16)
  at emitNone (events.js:91:20)
  at IncomingMessage.emit (events.js:185:7)
  at endReadableNT (_stream_readable.js:974:12)
  at _combinedTickCallback (internal/process/next_tick.js:74:11)
  at process._tickDomainCallback (internal/process/next_tick.js:122:9)
  cause:
  Error: The CA was unable to validate the file you provisioned.
  • https://acme-v01.api.letsencrypt.org/acme/challenge/41VhzyM9Exs9wOZwCtk4KdXis544vHkRvXBSkuSXIx8/342072617 [pending]
  • https://acme-v01.api.letsencrypt.org/acme/challenge/41VhzyM9Exs9wOZwCtk4KdXis544vHkRvXBSkuSXIx8/342072618 [pending]
  • https://acme-v01.api.letsencrypt.org/acme/challenge/41VhzyM9Exs9wOZwCtk4KdXis544vHkRvXBSkuSXIx8/342072619 [invalid]
    Could not connect to api.nfebot.com.br
    at handleErr (/home/ubuntu/nf-ebot-api/node_modules/letiny-core/lib/get-certificate.js:345:17)
    at ensureValidation (/home/ubuntu/nf-ebot-api/node_modules/letiny-core/lib/get-certificate.js:220:16)
    at Request._callback (/home/ubuntu/nf-ebot-api/node_modules/letiny-core/lib/get-certificate.js:202:13)
    at Request.self.callback (/home/ubuntu/nf-ebot-api/node_modules/request/request.js:186:22)
    at emitTwo (events.js:106:13)
    at Request.emit (events.js:191:7)
    at Request. (/home/ubuntu/nf-ebot-api/node_modules/request/request.js:1081:10)
    at emitOne (events.js:96:13)
    at Request.emit (events.js:188:7)
    at IncomingMessage. (/home/ubuntu/nf-ebot-api/node_modules/request/request.js:1001:12)
    at IncomingMessage.g (events.js:292:16)
    at emitNone (events.js:91:20)
    at IncomingMessage.emit (events.js:185:7)
    at endReadableNT (_stream_readable.js:974:12)
    at _combinedTickCallback (internal/process/next_tick.js:74:11)
    at process._tickDomainCallback (internal/process/next_tick.js:122:9),
    isOperational: true }
    Will fall back to self signed certificate.

I'm getting an error when I attempt to create the server with Express.
fs.js:651
return binding.mkdir(pathModule._makeLong(path),
^
Error: EEXIST, file already exists '../node_modules/auto-sni/static'
at Object.fs.mkdirSync (fs.js:651:18)

This is probably a n00b question (sorry 😅), but could your clarify if the user needs to perform any prior steps with Let’s Encrypt itself, or does this package work out of the box (i.e. without the user having to interact with Let’s Encrypt at all)?