StartAutoTLS can't work as expectation #1231

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
3 tasks done
wangxianzhuo opened this issue Nov 28, 2018 · 4 comments
Comments


wangxianzhuo commented Nov 28, 2018

Issue Description

I use AutoTLS as in the docs https://echo.labstack.com/cookbook/auto-tls, but it doesn't work as I expected. If I change the func startTLS() to the code below, it works.

// Proposed change to echo's startTLS (the echo package must also import
// "golang.org/x/crypto/acme" for acme.ALPNProto).
func (e *Echo) startTLS(address string) error {
	s := e.TLSServer
	s.Addr = address
	if !e.DisableHTTP2 {
		s.TLSConfig.NextProtos = append(s.TLSConfig.NextProtos, "h2")
	}
	// Advertise "acme-tls/1" so the tls-alpn-01 challenge can be negotiated.
	s.TLSConfig.NextProtos = append(s.TLSConfig.NextProtos, acme.ALPNProto)
	return e.StartServer(e.TLSServer)
}

Checklist

  • Dependencies installed
  • No typos
  • Searched existing issues and docs

Expected behaviour

The browser shows:

Welcome to Echo!
TLS certificates automatically installed from Let's Encrypt :)

Actual behaviour

When I use my code as in the docs https://echo.labstack.com/cookbook/auto-tls, it logs the following:

echo: http: TLS handshake error from 27.224.146.107:20889: acme/autocert: unable to authorize "mydomain.cn"; challenge "tls-alpn-01" failed with error: acme: authorization error for mydomain.cn: 403 urn:acme:error:unauthorized: Cannot negotiate ALPN protocol "acme-tls/1" for tls-alpn-01 challenge

But if I change the func startTLS(), I can visit mydomain.cn and it prints what I set.

Steps to reproduce

$ dep ensure
$ CGO_ENABLED=0 go build -a -installsuffix cgo -o build/https-test main.go
$ docker-compose up -d --build

Working code to debug

  • Code

mydomain.cn maps to a public IP

package main

import (
	"net/http"

	"github.com/labstack/echo"
	"github.com/labstack/echo/middleware"
	"golang.org/x/crypto/acme/autocert"
)

func main() {
	e := echo.New()
	e.Pre(middleware.HTTPSRedirect())
	// Only issue certificates for this host
	e.AutoTLSManager.HostPolicy = autocert.HostWhitelist("mydomain.cn")
	// Cache certificates
	// e.AutoTLSManager.Cache = autocert.DirCache("/var/www/.cache")
	e.Use(middleware.Recover())
	e.Use(middleware.Logger())
	e.GET("/", func(c echo.Context) error {
		return c.HTML(http.StatusOK, `
			<h1>Welcome to Echo!</h1>
			<h3>TLS certificates automatically installed from Let's Encrypt :)</h3>
		`)
	})
	e.Logger.Fatal(e.StartAutoTLS(":443"))
}
  • Dockerfile
FROM alpine:latest

RUN mkdir -p /usr/app
WORKDIR /usr/app
RUN apk --update add ca-certificates
COPY build/https-test app
RUN mkdir -p /var/www/.cache

ENTRYPOINT [ "./app" ]
  • docker-compose.yml
version: '3'
services:
  app:
    build: .
    container_name: https-test
    ports:
      - "443:443"
  • Build command CGO_ENABLED=0 go build -a -installsuffix cgo -o build/https-test main.go

Version/commit

  • go version

    go version go1.10.1 linux/amd64
    
  • dep status

    PROJECT                            CONSTRAINT     VERSION        REVISION  LATEST   PKGS USED
    github.com/dgrijalva/jwt-go        v3.2.0         v3.2.0         06ea103   v3.2.0   1  
    github.com/labstack/echo           ^3.3.8         v3.3.8         c7eb8da   v3.3.8   2  
    github.com/labstack/gommon         v0.2.8         v0.2.8         7fd9f68   v0.2.8   4  
    github.com/mattn/go-colorable      v0.0.9         v0.0.9         167de6b   v0.0.9   1  
    github.com/mattn/go-isatty         v0.0.4         v0.0.4         6ca4dbf   v0.0.4   1  
    github.com/valyala/bytebufferpool  v1.0.0         v1.0.0         e746df9   v1.0.0   1  
    github.com/valyala/fasttemplate    branch master  branch master  dcecefd   dcecefd  1  
    golang.org/x/crypto                branch master  branch master  3d3f9f4   eb0de9b  2  
    golang.org/x/sys                   branch master  branch master  62eef0e   4ed8d59  1  
    
@jessejohnston

The fix proposed by @wangxianzhuo worked for me also.


godofdream commented Jan 11, 2019

The proposed fix activates ACME also for standard TLS. The correct way is:

// StartAutoTLS starts an HTTPS server using certificates automatically installed from https://letsencrypt.org.
// (needs "crypto/tls" and "golang.org/x/crypto/acme" imported in the echo package)
func (e *Echo) StartAutoTLS(address string) error {
	s := e.TLSServer
	s.TLSConfig = new(tls.Config)
	s.TLSConfig.GetCertificate = e.AutoTLSManager.GetCertificate
	// Advertise "acme-tls/1" only on the AutoTLS server, so the tls-alpn-01
	// challenge can be negotiated without touching plain StartTLS.
	s.TLSConfig.NextProtos = append(s.TLSConfig.NextProtos, acme.ALPNProto)
	return e.startTLS(address)
}
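To see why the validator's handshake fails without that ALPN entry, here is an added Go example (not code from this issue or from Echo) that handshakes a client offering only "acme-tls/1" against both NextProtos variants. It uses only the standard library, so acme.ALPNProto is copied in as a constant, a self-signed certificate is constructed in memory, and serverConfig/negotiatedALPN are hypothetical helper names.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"math/big"
	"net"
)

// ALPN id the tls-alpn-01 validator asks for: the value of acme.ALPNProto, copied so only stdlib is needed.
const acmeALPNProto = "acme-tls/1"
// selfSignedCert stands in for the certificate autocert would serve (constructed in memory).
func selfSignedCert() tls.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{"mydomain.cn"}}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
}

// serverConfig mirrors the issue: the original StartAutoTLS advertises only "h2"; the fix adds acme-tls/1.
func serverConfig(advertiseACME bool) *tls.Config {
	cfg := &tls.Config{Certificates: []tls.Certificate{selfSignedCert()},
		NextProtos: []string{"h2"}, SessionTicketsDisabled: true} // no tickets keeps the pipe handshake simple
	if advertiseACME {
		cfg.NextProtos = append(cfg.NextProtos, acmeALPNProto)
	}
	return cfg
}

// negotiatedALPN handshakes over a pipe with a client that, like the validator, offers only acme-tls/1.
func negotiatedALPN(srvCfg *tls.Config) (string, error) {
	cConn, sConn := net.Pipe()
	go func() { tls.Server(sConn, srvCfg).Handshake(); sConn.Close() }()
	cli := tls.Client(cConn, &tls.Config{ServerName: "mydomain.cn", InsecureSkipVerify: true, NextProtos: []string{acmeALPNProto}})
	defer cli.Close()
	if err := cli.Handshake(); err != nil {
		return "", err // anything but "acme-tls/1" coming back means the challenge fails
	}
	return cli.ConnectionState().NegotiatedProtocol, nil
}

func main() {
	for _, fixed := range []bool{false, true} {
		proto, err := negotiatedALPN(serverConfig(fixed))
		println("acme-tls/1 advertised:", fixed, "negotiated:", proto, "handshake failed:", err != nil)
	}
}
```

With the fix the client sees "acme-tls/1" negotiated; without it the handshake either aborts or completes with no protocol, which is the "Cannot negotiate ALPN protocol" error from the log above.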


stale bot commented Mar 12, 2019

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@stale stale bot added the wontfix label Mar 12, 2019
@awbraunstein (Contributor)

I'm running into this issue as well. Can I just submit a PR for this?
