
Comments (33)

daluntw commented on June 1, 2024 2

For the Let's Encrypt issue, it is because the UI will not send the CA name when using the placeholder default, and I also thought the default ACME server in the backend would be production LE (but it actually is staging LE)

DefaultAcmeServer: acmeServer,

We can fix it by changing the frontend CA name to LE when it does not exist, and/or by changing the backend default ACME server (it is also related to #47). I can submit a PR for the frontend patch, and it should be able to be merged into 2.6.7.

Before then, the #61 (comment) workaround can be used temporarily (another workaround is to use a custom ACME server with the LE production URL).

For the multidomain issue, it is also a UI issue: the logic does not seem to handle multidomain input, and it also does not remove the button state on error.

    if (filename.trim() == "" && !domains.includes(",")){
        //Zoraxy filename are the matching name for domains.
        //Use the same as domains
        filename = domains;
    }else if (filename != "" && !domains.includes(",")){
        //Invalid settings. Force the filename to be same as domain
        //if there are only 1 domain
        filename = domains;
    }else{
        parent.msgbox("Filename cannot be empty for certs containing multiple domains.")
        return;
    }

backend seems ok for multidomain

from zoraxy.
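
One way to implement the two frontend fixes proposed in the comment above, as an added example (not Zoraxy's code and not the merged PR). The function names, the `form` object shape and the request field names are hypothetical; the CA name string and the error message are taken from the thread.

```javascript
// Added example: hypothetical helpers, not Zoraxy's frontend code.
const DEFAULT_CA = "Let's Encrypt"; // CA name quoted in the thread

// Split the comma-separated domain field into trimmed, non-empty names.
function parseDomains(raw) {
  return raw.split(",").map((d) => d.trim()).filter((d) => d !== "");
}

// Decide the certificate filename (the "matching rule").
// Unlike the snippet above, a multi-domain input with a filename is accepted.
function resolveCertFilename(rawDomains, rawFilename) {
  const domains = parseDomains(rawDomains);
  const filename = rawFilename.trim();
  if (domains.length === 0) {
    return { ok: false, error: "At least one domain is required." };
  }
  if (domains.length === 1) {
    // Single domain: the filename is always forced to the domain.
    return { ok: true, filename: domains[0], domains };
  }
  if (filename === "") {
    return {
      ok: false,
      error: "Filename cannot be empty for certs containing multiple domains.",
    };
  }
  return { ok: true, filename, domains };
}

// Build the request body. An empty CA field (placeholder shown, nothing
// selected) is sent as an explicit CA name, so the backend never has to
// fall back to its default (staging) ACME directory.
function buildObtainRequest(form) {
  const resolved = resolveCertFilename(form.domains, form.filename);
  if (!resolved.ok) return resolved; // caller shows error and resets the button
  const ca = (form.ca || "").trim() || DEFAULT_CA;
  return {
    ok: true,
    request: { domains: resolved.domains.join(","), filename: resolved.filename, ca },
  };
}
```

Because every failure path returns an `{ ok: false, error }` object instead of a bare `return`, the caller has one place to show the message and restore the button state.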

dexer12 commented on June 1, 2024 1

Wow that solved it! I used your second advice, changing to "Custom ACME Server" and then selecting Lets Encrypt again, solved it.

dexer12 commented on June 1, 2024 1

Thank you a lot for that fast help! I send you some Coffees :)
I'm really happy to finally use your proxy, coming from NPM.

Xpl0itU commented on June 1, 2024 1

Domains (I also tried with no spaces in the commas):
REDACTED.duckdns.org, jellyfin.REDACTED.duckdns.org, guacamole.REDACTED.duckdns.org, synology.REDACTED.duckdns.org, dashboard.REDACTED.duckdns.org
Matching rule:
REDACTED.duckdns.org

tobychui commented on June 1, 2024

@yeungalan Can you take a look at this real quick?

tobychui commented on June 1, 2024

Hi @Xpl0itU
Although I am not in charge of the acme module, from what I see in the source code, it is not possible to use the staging directory unless it is generated via the test case.

As you can see here, the links are hardcoded and embedded into the binary

val, ok := caDef.Production[caName]

Which is referring to this link

"Let's Encrypt": "https://acme-v02.api.letsencrypt.org/directory",

Might I know how you build this binary and what version of Zoraxy you are using?

Xpl0itU commented on June 1, 2024

I used the Zoraxy script from here to setup my container

Xpl0itU commented on June 1, 2024

Here's the output of zoraxy -info:

root@ct-zoraxy:/opt/zoraxy/src# ./zoraxy -info
{
 "Name": "Zoraxy",
 "Desc": "Dynamic Reverse Proxy Server",
 "Group": "Network",
 "IconPath": "zoraxy/img/small_icon.png",
 "Version": "2.6.6",
 "StartDir": "zoraxy/index.html",
 "SupportFW": true,
 "LaunchFWDir": "zoraxy/index.html",
 "SupportEmb": false,
 "LaunchEmb": "",
 "InitFWSize": [
  1080,
  580
 ],
 "InitEmbSize": null,
 "SupportedExt": null
}

tobychui commented on June 1, 2024

@Xpl0itU Can I see the public key of your cert? I am guessing you didn't set up your root domain TLS certificate correctly and Zoraxy is loading its internal dummy cert.

Xpl0itU commented on June 1, 2024

Here's some interesting output from the logs:

root@ct-zoraxy:/opt/zoraxy# journalctl -xau zoraxy.service | grep encrypt
Sep 03 11:39:11 ct-zoraxy zoraxy[159]: 2023/09/03 11:39:11 [INFO] Using https://acme-v02.api.letsencrypt.org/directory for CA Directory URL
Sep 03 11:39:12 ct-zoraxy zoraxy[159]: 2023/09/03 11:39:12 [INFO] [*.REDACTED] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/260957064906
Sep 03 11:39:13 ct-zoraxy zoraxy[159]: 2023/09/03 11:39:13 [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/260957064906
Sep 03 11:40:37 ct-zoraxy zoraxy[159]: 2023/09/03 11:40:37 [INFO] Using Default ACME https://acme-staging-v02.api.letsencrypt.org/directory for CA Directory URL
Sep 03 11:40:38 ct-zoraxy zoraxy[159]: 2023/09/03 11:40:38 [INFO] [*.REDACTED] AuthURL: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/8078103754
Sep 03 11:40:39 ct-zoraxy zoraxy[159]: 2023/09/03 11:40:39 [INFO] Deactivating auth: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/8078103754
Sep 03 11:54:37 ct-zoraxy zoraxy[159]: 2023/09/03 11:54:37 [INFO] Using Default ACME https://acme-staging-v02.api.letsencrypt.org/directory for CA Directory URL
Sep 03 11:54:38 ct-zoraxy zoraxy[159]: 2023/09/03 11:54:38 [INFO] [REDACTED] AuthURL: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/8078278344
Sep 03 11:55:54 ct-zoraxy zoraxy[159]: 2023/09/03 11:55:54 [INFO] Using Default ACME https://acme-staging-v02.api.letsencrypt.org/directory for CA Directory URL
Sep 03 11:55:55 ct-zoraxy zoraxy[159]: 2023/09/03 11:55:55 [INFO] [dashboard.REDACTED] AuthURL: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/8078292654
Sep 03 12:00:55 ct-zoraxy zoraxy[159]: 2023/09/03 12:00:55 [INFO] Using Default ACME https://acme-staging-v02.api.letsencrypt.org/directory for CA Directory URL
Sep 03 12:00:56 ct-zoraxy zoraxy[159]: 2023/09/03 12:00:56 [INFO] [REDACTED] AuthURL: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/8078352314

And here's the public key:


from zoraxy.
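
A check that flags the fallback visible in the log above, as an added example (not part of the original thread or of Zoraxy). The function names are hypothetical and the sample lines are constructed, modelled on the log format in the comment; the expected directory URL is the production one quoted in the thread.

```javascript
// Added example: hypothetical log check, not Zoraxy code.
const EXPECTED_DIRECTORY = "https://acme-v02.api.letsencrypt.org/directory";

// Constructed sample lines in the journald + Zoraxy format shown above.
const SAMPLE_LOG = [
  "Sep 03 11:39:11 host zoraxy[1]: 2023/09/03 11:39:11 [INFO] Using https://acme-v02.api.letsencrypt.org/directory for CA Directory URL",
  "Sep 03 11:39:12 host zoraxy[1]: 2023/09/03 11:39:12 [INFO] [a.example.test] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/1",
  "Sep 03 11:40:37 host zoraxy[1]: 2023/09/03 11:40:37 [INFO] Using Default ACME https://acme-staging-v02.api.letsencrypt.org/directory for CA Directory URL",
  "Sep 03 11:40:38 host zoraxy[1]: 2023/09/03 11:40:38 [INFO] [b.example.test] AuthURL: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/2",
  "Sep 03 11:40:39 host zoraxy[1]: 2023/09/03 11:40:39 [INFO] [c.example.test] AuthURL: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/3",
];

const DIRECTORY_RE =
  /(\d{4}\/\d{2}\/\d{2} \d{2}:\d{2}:\d{2}) \[INFO\] Using (Default ACME )?(\S+) for CA Directory URL/;
const AUTH_RE = /\[INFO\] \[([^\]]+)\] AuthURL: /;

// Group log lines into issuance attempts: each "Using ... for CA Directory
// URL" line starts an attempt, following AuthURL lines name its domains.
function parseIssuanceAttempts(lines) {
  const attempts = [];
  for (const line of lines) {
    const dir = DIRECTORY_RE.exec(line);
    if (dir) {
      attempts.push({
        time: dir[1],
        directory: dir[3],
        usedDefault: Boolean(dir[2]), // "Using Default ACME" = fallback path
        domains: [],
      });
      continue;
    }
    const auth = AUTH_RE.exec(line);
    if (auth && attempts.length > 0) {
      attempts[attempts.length - 1].domains.push(auth[1]);
    }
  }
  return attempts;
}

// Attempts that fell back to the default server or used any directory other
// than the expected production one produce certificates browsers reject.
function findUntrustedIssuance(lines, expected = EXPECTED_DIRECTORY) {
  return parseIssuanceAttempts(lines).filter(
    (a) => a.usedDefault || a.directory !== expected
  );
}
```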

tobychui commented on June 1, 2024

@Xpl0itU Thanks for the input. I think this is a much deeper bug in the acme module. I will let @yeungalan take over from here.

dexer12 commented on June 1, 2024

Any update here? I'm completely new to this. I got everything up and running, but can't use it, because the certificates are not trusted.

tobychui commented on June 1, 2024

@dexer12 Sadly no. None of our collaborators can reproduce this issue without further info. Can you give me the link to your website so I can take a look at it real quick?

dexer12 commented on June 1, 2024

Sure, you can use mydomain for example right now.
Firefox shows that it's not trusting that page because the certificate is not from a trusted vendor.

Let me know if you need any further information.

tobychui commented on June 1, 2024

@daluntw @yeungalan Can you guys help take a look at this? I think this might be an issue caused by the acme section related to recent PRs.

yeungalan commented on June 1, 2024

Wilco, looks like it is a JSON problem

tobychui commented on June 1, 2024

> Wilco, looks like it is a JSON problem

I have taken a look at the JSON files. They didn't have any recent change that might cause this issue.
The only way a production build can create a staging cert is if it got a critical error and fell back to the default ACME link (which is the staging directory for Let's Encrypt).

tobychui commented on June 1, 2024

@Xpl0itU @dexer12 I have updated the release for v2.6.6.
Can you try downloading the new release, overwrite the one you have, and see if the problem is fixed?

dexer12 commented on June 1, 2024

I redeployed the Docker container, let it pull the latest image, and renewed the certificate for this domain. But it still seems to be the same problem. Or should I do it in some other way?

tobychui commented on June 1, 2024

@dexer12 Can you try running it natively in your host OS? I guess the Docker routine is not updated as it is not a new release.
Alternatively, as I found this is a UI bug, in the CA section you can pick "Custom ACME server" and, after the dropdown has retracted, open it again to select "Let's Encrypt". It should do the job as well.


tobychui commented on June 1, 2024

> Wow that solved it! I used your second advice, changing to "Custom ACME Server" and then selecting Lets Encrypt again, solved it.

Cool! This is probably one of the most interesting bug fix methods I have ever discovered XD

Xpl0itU commented on June 1, 2024

Can confirm that the latest 2.6.6 fixes this issue, but now wildcard certificates aren't generated at all, just for the base domain

tobychui commented on June 1, 2024

> Can confirm that the latest 2.6.6 fixes this issue, but now wildcard certificates aren't generated at all, just for the base domain

I think this is normal as DNS challenge is still in @yeungalan's to-do list. In my personal setup, I apply a cert that contains all of the sub-domains instead of using a wildcard one.

Xpl0itU commented on June 1, 2024

That's what I'm currently trying, but it seems to get stuck? No indication of any progress in the logs either

tobychui commented on June 1, 2024

> That's what I'm currently trying, but it seems to get stuck? No indication of any progress in the logs either

Is there anything in the browser's JavaScript terminal? If no, then it is probably due to networking problems and it is really hard for me to debug it remotely for you.

Xpl0itU commented on June 1, 2024

No indications in the JS terminal, and I'm next to the router in a gigabit connection, so it's probably not a connection issue

tobychui commented on June 1, 2024

> No indications in the JS terminal, and I'm next to the router in a gigabit connection, so it's probably not a connection issue

Maybe it is an outbound connection issue or some other complex networking issue. If there are no error logs from either the frontend or backend terminal, I guess you really need to figure it out yourself...

Xpl0itU commented on June 1, 2024

Funny thing is, I can generate a single certificate just fine, but I can't do multiple. Is the multi-certificate generation done in parallel or sequentially?

tobychui commented on June 1, 2024

It generates one certificate that contains all of the subdomains instead of running the single generation thing in a loop. Can you show me your settings for multi-domain cert generation?

tobychui commented on June 1, 2024

I guess you're gonna need to wait for @yeungalan, the original author of the ACME module, to figure it out.

Xpl0itU commented on June 1, 2024

Had to generate a certificate for each domain separately as a workaround

daluntw commented on June 1, 2024

Since the PR is merged, we should be OK to close this one up?

tobychui commented on June 1, 2024

> Since the PR is merged, we should be OK to close this one up?

Will close this after the next release 👍🏻
