I'm trying to make a Traefik POC. With HTTP it works perfectly, but not with HTTPS.
The Let's Encrypt certificates generated by Traefik aren't OK, and I don't know why.
I hope you can help me, thanks so much in advance.
I also hope it will help the community to have a complete, simple example that works.
root@ubuntu:~/traefik# ls -lt | more
total 8
-rw------- 1 root root 0 Nov 23 06:08 acme.json
-rw-r--r-- 1 root root 698 Nov 23 05:57 traefik.toml
-rw-r--r-- 1 root root 399 Nov 23 05:56 docker-compose.yml
The traefik.toml configuration file:
root@ubuntu:~/traefik# cat traefik.toml
logLevel = "DEBUG"
[traefikLog]
filePath = "./traefik.log"
format = "json"
[accessLog]
filePath = "./access.log"
format = "json"
[web]
# Port for the status page
address = ":8080"
defaultEntryPoints = ["http", "https"]
[entryPoints]
[entryPoints.http]
address = ":80"
[entryPoints.https]
address = ":443"
[entryPoints.https.tls]
[acme]
email = "xpoveda@gmail.com"
storage = "acme.json"
onHostRule = true
caServer = "https://acme-staging-v02.api.letsencrypt.org/directory"
entryPoint = "https"
[[acme.domains]]
main = "escalamas.com"
sans = ["test.escalamas.com"]
[docker]
endpoint = "unix:///var/run/docker.sock"
watch = true
exposedbydefault = false
And the docker-compose file to create the Traefik service:
root@ubuntu:~/traefik# cat docker-compose.yml
version: '2'
services:
  traefik:
    image: traefik
    command: --docker
    ports:
      - "80:80"
      - "443:443"
      - "8080:8080"
    restart: always
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock"
      - "./traefik.toml:/traefik.toml"
      - "./acme.json:/acme.json"
      - "./traefik.log:/traefik.log"
      - "./access.log:/access.log"
    networks:
      - default
On the other hand, I have a simple dockerized "hello world" application in Python, with a Dockerfile and a docker-compose file.
root@ubuntu:~/apps# more start.py
from flask import Flask, request

app = Flask(__name__)

@app.route("/")
def hello():
    # Echo the Host header so the hostname the proxy forwarded is visible
    return "Hello " + request.host

if __name__ == "__main__":
    app.run(debug=False, host='0.0.0.0')
root@ubuntu:~/apps# more Dockerfile
FROM python:2.7
WORKDIR /app
COPY . /app
RUN pip install flask
ENTRYPOINT ["python"]
CMD ["start.py"]
root@ubuntu:~/apps# more docker-compose.yml
version: '2'
services:
  test:
    build: .
    labels:
      - "traefik.enabled=true"
      - "traefik.backend=test"
      - "traefik.frontend.rule=Host:test.escalamas.com"
      - "traefik.port=5000"
    networks:
      - "traefik_default"
    restart: always
networks:
  traefik_default:
    external:
      name: traefik_default
When I run everything...
cat /dev/null > /root/traefik/acme.json
cd /root/traefik
docker-compose up -d
Creating traefik_traefik_1 ...
Creating traefik_traefik_1 ... done
cd /root/apps
docker-compose up -d
Creating apps_test_1 ...
Creating apps_test_1 ... done
And when I request it over HTTP, all is OK:
root@ubuntu:~/traefik# curl --resolve test.escalamas.com:80:127.0.0.1 http://test.escalamas.com/
Hello test.escalamas.com
But over HTTPS there is a certificate error, common name: TRAEFIK DEFAULT CERT (does not match 'test.escalamas.com'), and a 404 error on the page:
root@ubuntu:~/traefik# curl -v --resolve test.escalamas.com:443:127.0.0.1 https://test.escalamas.com/ --insecure
* Added test.escalamas.com:443:127.0.0.1 to DNS cache
* Hostname test.escalamas.com was found in DNS cache
* Trying 127.0.0.1...
* Connected to test.escalamas.com (127.0.0.1) port 443 (#0)
* found 149 certificates in /etc/ssl/certs/ca-certificates.crt
* found 593 certificates in /etc/ssl/certs
* ALPN, offering http/1.1
* SSL connection using TLS1.2 / ECDHE_RSA_AES_128_GCM_SHA256
* server certificate verification SKIPPED
* server certificate status verification SKIPPED
* common name: TRAEFIK DEFAULT CERT (does not match 'test.escalamas.com')
* server certificate expiration date OK
* server certificate activation date OK
* certificate public key: RSA
* certificate version: #3
* subject: CN=TRAEFIK DEFAULT CERT
* start date: Fri, 23 Nov 2018 14:16:22 GMT
* expire date: Sat, 23 Nov 2019 14:16:22 GMT
* issuer: CN=TRAEFIK DEFAULT CERT
* compression: NULL
* ALPN, server accepted to use http/1.1
> GET / HTTP/1.1
> Host: test.escalamas.com
> User-Agent: curl/7.47.0
> Accept: */*
>
< HTTP/1.1 404 Not Found
< Content-Type: text/plain; charset=utf-8
< X-Content-Type-Options: nosniff
< Date: Fri, 23 Nov 2018 14:19:03 GMT
< Content-Length: 19
<
404 page not found
* Connection #0 to host test.escalamas.com left intact
The acme.json is not empty, but the certificate is not valid:
root@ubuntu:~/traefik# cat acme.json
{
"Account": {
"Email": "xpoveda@gmail.com",
"Registration": {
"body": {
"status": "valid",
"contact": [
"mailto:xpoveda@gmail.com"
]
},
"uri": "https://acme-staging-v02.api.letsencrypt.org/acme/acct/7415315"
},
"PrivateKey": "<base64 private key omitted>",
"KeyType": "4096"
},
"Certificates": null,
"HTTPChallenges": null,
"TLSChallenges": null
In addition, the log files are created as folders, not as files, and I don't know how to view traefik.log because the classic docker run -it ssh doesn't work with this image.
root@ubuntu:~/traefik# ls -lt | more
total 20
-rw------- 1 root root 3534 Nov 23 06:16 acme.json
drwxr-xr-x 2 root root 4096 Nov 23 06:16 access.log
drwxr-xr-x 2 root root 4096 Nov 23 06:16 traefik.log
-rw-r--r-- 1 root root 698 Nov 23 05:57 traefik.toml
-rw-r--r-- 1 root root 399 Nov 23 05:56 docker-compose.yml
thanks so much!!
Xavier.
Most likely it's because of this line in your traefik.toml file:
caServer = "https://acme-staging-v02.api.letsencrypt.org/directory"
You are using the staging servers to get your certificate. If you delete this line, you will negotiate a production-ready certificate with Let's Encrypt.
More information: https://letsencrypt.org/docs/staging-environment/
I am running a mock service using the karate standalone jar version 1.3.0.
Mocking is working fine.
However, when I make a GET request to the /__admin/stop endpoint, the process registers that the endpoint has been called, closes the listen port, but does not stop.
Execution output and scripts...
on startup:
java -jar /opt/karate/karate.jar -m src/test/java/mocks/fs/john.feature -p 80
16:17:16.671 [main] INFO com.intuit.karate - Karate version: 1.3.0
16:17:17.315 [main] INFO com.intuit.karate - mock server initialized: src/test/java/mocks/fs/john.feature
16:17:17.425 [main] DEBUG com.intuit.karate.http.HttpServer - server started: aad-9mpcfg3:65080
netstat on listen socket:
netstat -na | grep 65080
tcp6 0 0 :::65080 :::* LISTEN
submission of curl commands:
curl -v http://localhost:65080/john/transactionservice/ping
* Trying 127.0.0.1:65080...
* TCP_NODELAY set
* Connected to localhost (127.0.0.1) port 65080 (#0)
> GET /john/transactionservice/ping HTTP/1.1
> Host: localhost:65080
> User-Agent: curl/7.68.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< content-type: application/json
< content-length: 49
< server: Armeria/1.18.0
< date: Mon, 28 Nov 2022 16:19:37 GMT
<
* Connection #0 to host localhost left intact
{"message":"this is the JOHN TransactionService"}
curl -v http://localhost:65080/__admin/stop
* Trying 127.0.0.1:65080...
* TCP_NODELAY set
* Connected to localhost (127.0.0.1) port 65080 (#0)
> GET /__admin/stop HTTP/1.1
> Host: localhost:65080
> User-Agent: curl/7.68.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 202 Accepted
< content-type: text/plain; charset=utf-8
< content-length: 12
< server: Armeria/1.18.0
< date: Mon, 28 Nov 2022 16:19:54 GMT
<
* Connection #0 to host localhost left intact
output after curl commands:
java -jar /opt/karate/karate.jar -m src/test/java/mocks/fs/john.feature -p 80
16:17:16.671 [main] INFO com.intuit.karate - Karate version: 1.3.0
16:17:17.315 [main] INFO com.intuit.karate - mock server initialized: src/test/java/mocks/fs/john.feature
16:17:17.425 [main] DEBUG com.intuit.karate.http.HttpServer - server started: aad-9mpcfg3:65080
16:19:37.312 [armeria-common-worker-epoll-2-1] DEBUG com.intuit.karate - scenario matched at line 3: pathMatches('john/transactionservice/ping') && methodIs('get')
16:19:54.603 [armeria-common-worker-epoll-2-2] DEBUG com.intuit.karate.http.HttpServer - received command to stop server: /__admin/stop
At this point, netstat on listen port shows socket is closed, but the process continues to run:
ps -ef | grep karate
matt 15070 15069 1 16:17 pts/3 00:00:03 java -jar karate-1.3.0.jar -m src/test/java/mocks/fs/john.feature -p 65080
This is the test mock that I am using (src/test/java/mocks/fs/john.feature):
Feature: JOHN TransactionService mock
Scenario: pathMatches('john/transactionservice/ping') && methodIs('get')
* def response = {}
* set response.message = 'this is the JOHN TransactionService'
* def responseStatus = 200
Question:
Is there something else I should be doing to make the mock process stop? I think I'm following the guidance at https://github.com/karatelabs/karate/tree/master/karate-netty#stopping
Thank you in anticipation of responses.
At step 3 I got the IP address as follows, and I customized my DNS according to this article:
$ kubectl get svc
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
kubernetes ClusterIP 10.51.240.1 <none> 443/TCP 10d
quickstart-nginx-ingress-controller LoadBalancer 10.51.251.156 35.247.160.2 80:30686/TCP,443:32595/TCP 87s
quickstart-nginx-ingress-default-backend ClusterIP 10.51.253.66 <none> 80/TCP 86s
The external IP that is allocated to the ingress-controller is the IP to which all incoming traffic should be routed. To enable this, add it to a DNS zone you control, for example as example.your-domain.com.
This quickstart assumes you know how to assign a DNS entry to an IP address and will do so.
DNS zone
domains.google.com
I can run $ curl -kivL -H 'Host: singh.hbot.dev' 'http://singh.hbot.dev'
Here is the output of kuard:
* Rebuilt URL to: http://singh.hbot.dev/
* Trying 35.247.160.2...
* TCP_NODELAY set
* Connected to singh.hbot.dev (35.247.160.2) port 80 (#0)
> GET / HTTP/1.1
> Host: singh.hbot.dev
> User-Agent: curl/7.54.0
> Accept: */*
>
< HTTP/1.1 308 Permanent Redirect
HTTP/1.1 308 Permanent Redirect
< Server: nginx/1.15.8
Server: nginx/1.15.8
< Date: Thu, 14 Mar 2019 08:59:24 GMT
Date: Thu, 14 Mar 2019 08:59:24 GMT
< Content-Type: text/html
Content-Type: text/html
< Content-Length: 171
Content-Length: 171
< Connection: keep-alive
Connection: keep-alive
< Location: https://singh.hbot.dev/
Location: https://singh.hbot.dev/
<
* Ignoring the response-body
* Connection #0 to host singh.hbot.dev left intact
* Issue another request to this URL: 'https://singh.hbot.dev/'
* Trying 35.247.160.2...
* TCP_NODELAY set
* Connected to singh.hbot.dev (35.247.160.2) port 443 (#1)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:#STRENGTH
* successfully set certificate verify locations:
* CAfile: /etc/ssl/cert.pem
CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server accepted to use h2
* Server certificate:
* subject: O=Acme Co; CN=Kubernetes Ingress Controller Fake Certificate
* start date: Mar 14 08:22:58 2019 GMT
* expire date: Mar 13 08:22:58 2020 GMT
* issuer: O=Acme Co; CN=Kubernetes Ingress Controller Fake Certificate
* SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x7fdf3000e200)
> GET / HTTP/2
> Host: singh.hbot.dev
> User-Agent: curl/7.54.0
> Accept: */*
>
* Connection state changed (MAX_CONCURRENT_STREAMS updated)!
< HTTP/2 200
HTTP/2 200
< server: nginx/1.15.8
server: nginx/1.15.8
< date: Thu, 14 Mar 2019 08:59:24 GMT
date: Thu, 14 Mar 2019 08:59:24 GMT
< content-type: text/html
content-type: text/html
< content-length: 1689
content-length: 1689
< vary: Accept-Encoding
vary: Accept-Encoding
< strict-transport-security: max-age=15724800; includeSubDomains
strict-transport-security: max-age=15724800; includeSubDomains
<
<!doctype html>
<html lang="en">
<head>
<meta charset="utf-8">
<title>KUAR Demo</title>
<link rel="stylesheet" href="/static/css/bootstrap.min.css">
<link rel="stylesheet" href="/static/css/styles.css">
<script>
var pageContext = {"hostname":"kuard-79b5d46779-5slz8","addrs":["10.48.2.20"],"version":"v0.8.1-1","versionColor":"hsl(18,100%,50%)","requestDump":"GET / HTTP/1.1\r\nHost: singh.hbot.dev\r\nAccept: */*\r\nUser-Agent: curl/7.54.0\r\nX-Forwarded-For: 10.148.0.49\r\nX-Forwarded-Host: singh.hbot.dev\r\nX-Forwarded-Port: 443\r\nX-Forwarded-Proto: https\r\nX-Original-Uri: /\r\nX-Real-Ip: 10.148.0.49\r\nX-Request-Id: ba73c8e44498c36480ea0d4164279561\r\nX-Scheme: https","requestProto":"HTTP/1.1","requestAddr":"10.48.2.18:41748"}
</script>
</head>
<svg style="position: absolute; width: 0; height: 0; overflow: hidden;" version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
<defs>
<symbol id="icon-power" viewBox="0 0 32 32">
<title>power</title>
<path class="path1" d="M12 0l-12 16h12l-8 16 28-20h-16l12-12z"></path>
</symbol>
<symbol id="icon-notification" viewBox="0 0 32 32">
<title>notification</title>
<path class="path1" d="M16 3c-3.472 0-6.737 1.352-9.192 3.808s-3.808 5.72-3.808 9.192c0 3.472 1.352 6.737 3.808 9.192s5.72 3.808 9.192 3.808c3.472 0 6.737-1.352 9.192-3.808s3.808-5.72 3.808-9.192c0-3.472-1.352-6.737-3.808-9.192s-5.72-3.808-9.192-3.808zM16 0v0c8.837 0 16 7.163 16 16s-7.163 16-16 16c-8.837 0-16-7.163-16-16s7.163-16 16-16zM14 22h4v4h-4zM14 6h4v12h-4z"></path>
</symbol>
</defs>
</svg>
<body>
<div id="root"></div>
<script src="/built/bundle.js" type="text/javascript"></script>
</body>
</html>
* Connection #1 to host singh.hbot.dev left intact
Proceed with the next steps:
$ kubectl apply -f https://raw.githubusercontent.com/jetstack/cert-manager/release-0.7/deploy/manifests/00-crds.yaml
customresourcedefinition.apiextensions.k8s.io/certificates.certmanager.k8s.io created
customresourcedefinition.apiextensions.k8s.io/challenges.certmanager.k8s.io created
customresourcedefinition.apiextensions.k8s.io/clusterissuers.certmanager.k8s.io created
customresourcedefinition.apiextensions.k8s.io/issuers.certmanager.k8s.io created
customresourcedefinition.apiextensions.k8s.io/orders.certmanager.k8s.io created
$
$ kubectl apply \
> -f https://raw.githubusercontent.com/jetstack/cert-manager/release-0.7/deploy/manifests/00-crds.yaml
customresourcedefinition.apiextensions.k8s.io/certificates.certmanager.k8s.io configured
customresourcedefinition.apiextensions.k8s.io/challenges.certmanager.k8s.io configured
customresourcedefinition.apiextensions.k8s.io/clusterissuers.certmanager.k8s.io configured
customresourcedefinition.apiextensions.k8s.io/issuers.certmanager.k8s.io configured
customresourcedefinition.apiextensions.k8s.io/orders.certmanager.k8s.io configured
$
$ kubectl label namespace cert-manager certmanager.k8s.io/disable-validation="true"
namespace/cert-manager labeled
$
$ helm repo add jetstack https://charts.jetstack.io
"jetstack" has been added to your repositories
$ helm repo update
Hang tight while we grab the latest from your chart repositories...
...Skip local chart repository
...Successfully got an update from the "jetstack" chart repository
...Successfully got an update from the "stable" chart repository
Update Complete. ⎈ Happy Helming!⎈
Install cert-manager:
$ helm install --name cert-manager --namespace cert-manager jetstack/cert-manager
NAME: cert-manager
LAST DEPLOYED: Thu Mar 14 16:06:48 2019
NAMESPACE: cert-manager
STATUS: DEPLOYED
RESOURCES:
==> v1/ClusterRole
NAME AGE
cert-manager-edit 3s
cert-manager-view 3s
cert-manager-webhook:webhook-requester 3s
==> v1/Pod(related)
NAME READY STATUS RESTARTS AGE
cert-manager-6f68b58796-w44tn 0/1 ContainerCreating 0 3s
cert-manager-cainjector-67b4696847-l2lhb 0/1 ContainerCreating 0 3s
cert-manager-webhook-6f58884b96-gh52r 0/1 ContainerCreating 0 3s
==> v1/Service
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
cert-manager-webhook ClusterIP 10.51.250.12 <none> 443/TCP 3s
==> v1/ServiceAccount
NAME SECRETS AGE
cert-manager 1 3s
cert-manager-cainjector 1 3s
cert-manager-webhook 1 3s
==> v1alpha1/Certificate
NAME AGE
cert-manager-webhook-ca 3s
cert-manager-webhook-webhook-tls 3s
==> v1alpha1/Issuer
NAME AGE
cert-manager-webhook-ca 2s
cert-manager-webhook-selfsign 3s
==> v1beta1/APIService
NAME AGE
v1beta1.admission.certmanager.k8s.io 3s
==> v1beta1/ClusterRole
NAME AGE
cert-manager 3s
cert-manager-cainjector 3s
==> v1beta1/ClusterRoleBinding
NAME AGE
cert-manager 3s
cert-manager-cainjector 3s
cert-manager-webhook:auth-delegator 3s
==> v1beta1/Deployment
NAME READY UP-TO-DATE AVAILABLE AGE
cert-manager 0/1 1 0 3s
cert-manager-cainjector 0/1 1 0 3s
cert-manager-webhook 0/1 1 0 3s
==> v1beta1/RoleBinding
NAME AGE
cert-manager-webhook:webhook-authentication-reader 3s
==> v1beta1/ValidatingWebhookConfiguration
NAME AGE
cert-manager-webhook 2s
NOTES:
cert-manager has been deployed successfully!
In order to begin issuing certificates, you will need to set up a ClusterIssuer
or Issuer resource (for example, by creating a 'letsencrypt-staging' issuer).
More information on the different types of issuers and how to configure them
can be found in our documentation:
https://docs.cert-manager.io/en/latest/reference/issuers.html
For information on how to configure cert-manager to automatically provision
Certificates for Ingress resources, take a look at the `ingress-shim`
documentation:
https://docs.cert-manager.io/en/latest/reference/ingress-shim.html
Apply modified staging-issuer.yaml and production-issuer.yaml.
$ kubectl apply -f staging-issuer.yaml
issuer.certmanager.k8s.io/letsencrypt-staging created
$ kubectl apply -f production-issuer.yaml
issuer.certmanager.k8s.io/letsencrypt-prod created
Edit my ingress.yaml and apply it with:
kubernetes.io/ingress.class: "nginx"
certmanager.k8s.io/issuer: "letsencrypt-staging"
certmanager.k8s.io/acme-challenge-type: http01
I found the certificate, but when I describe it, Events is none!
$ kubectl get certificate
NAME
quickstart-example-tls
$ kubectl describe certificate quickstart-example-tls
Name: quickstart-example-tls
Namespace: default
Labels: <none>
Annotations: <none>
API Version: certmanager.k8s.io/v1alpha1
Kind: Certificate
Metadata:
Creation Timestamp: 2019-03-14T09:17:11Z
Generation: 1
Owner References:
API Version: extensions/v1beta1
Block Owner Deletion: true
Controller: true
Kind: Ingress
Name: kuard
UID: f30e819b-4639-11e9-a2d5-42010a9400fd
Resource Version: 2243137
Self Link: /apis/certmanager.k8s.io/v1alpha1/namespaces/default/certificates/quickstart-example-tls
UID: f311c99d-4639-11e9-a2d5-42010a9400fd
Spec:
Acme:
Config:
Domains:
singh.hbot.dev
Http 01:
Ingress Class: nginx
Dns Names:
singh.hbot.dev
Issuer Ref:
Kind: Issuer
Name: letsencrypt-staging
Secret Name: quickstart-example-tls
Status:
Conditions:
Last Transition Time: 2019-03-14T09:17:11Z
Message: Certificate is up to date and has not expired
Reason: Ready
Status: True
Type: Ready
Not After: 2019-06-12T08:16:05Z
Events: <none>
Then I check the secret. The docs say:
Once complete, cert-manager will have created a secret with the details of the certificate based on the secret used in the ingress resource. You can use the describe command as well to see some details:
Although I don't have ca.crt, I decided to move on.
$ kubectl get secret
NAME TYPE DATA AGE
default-token-vnngd kubernetes.io/service-account-token 3 10d
letsencrypt-prod Opaque 1 3d1h
letsencrypt-staging Opaque 1 3d1h
quickstart-example-tls kubernetes.io/tls 3 3d1h
quickstart-nginx-ingress-token-c4tjk kubernetes.io/service-account-token 3 58m
singh-dev-staging-tls kubernetes.io/tls 3 21h
singh-secret kubernetes.io/tls 3 22h
$ kubectl describe secret quickstart-example-tls
Name: quickstart-example-tls
Namespace: default
Labels: certmanager.k8s.io/certificate-name=quickstart-example-tls
Annotations: certmanager.k8s.io/alt-names: singh.hbot.dev
certmanager.k8s.io/common-name: singh.hbot.dev
certmanager.k8s.io/ip-sans:
certmanager.k8s.io/issuer-kind: Issuer
certmanager.k8s.io/issuer-name: letsencrypt-staging
Type: kubernetes.io/tls
Data
====
tls.key: 1675 bytes
ca.crt: 0 bytes
tls.crt: 3545 bytes
Change ingress.yaml to be production and apply.
sixteen:cert-mgr hellohbot$ kubectl apply -f ingress.yaml
ingress.extensions/kuard created
Remove the secret:
sixteen:cert-mgr hellohbot$ kubectl delete secret quickstart-example-tls
secret "quickstart-example-tls" deleted
sixteen:cert-mgr hellohbot$ kubectl get certificate
NAME
quickstart-example-tls
sixteen:cert-mgr hellohbot$ kubectl describe certificate quickstart-example-tls
Name: quickstart-example-tls
Namespace: default
Labels: <none>
Annotations: <none>
API Version: certmanager.k8s.io/v1alpha1
Kind: Certificate
Metadata:
Creation Timestamp: 2019-03-14T09:32:45Z
Generation: 1
Owner References:
API Version: extensions/v1beta1
Block Owner Deletion: true
Controller: true
Kind: Ingress
Name: kuard
UID: 1fab9656-463c-11e9-a2d5-42010a9400fd
Resource Version: 2246373
Self Link: /apis/certmanager.k8s.io/v1alpha1/namespaces/default/certificates/quickstart-example-tls
UID: 1facf771-463c-11e9-a2d5-42010a9400fd
Spec:
Acme:
Config:
Domains:
singh.hbot.dev
Http 01:
Ingress Class: nginx
Dns Names:
singh.hbot.dev
Issuer Ref:
Kind: Issuer
Name: letsencrypt-staging
Secret Name: quickstart-example-tls
Status:
Conditions:
Last Transition Time: 2019-03-14T09:34:06Z
Message: Certificate is up to date and has not expired
Reason: Ready
Status: True
Type: Ready
Not After: 2019-06-12T08:34:04Z
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal Generated 33s cert-manager Generated new private key
Normal GenerateSelfSigned 33s cert-manager Generated temporary self signed certificate
Normal OrderCreated 33s cert-manager Created Order resource "quickstart-example-tls-1671619353"
Normal OrderComplete 6s cert-manager Order "quickstart-example-tls-1671619353" completed successfully
Normal CertIssued 6s cert-manager Certificate issued successfully
Check the order:
$ kubectl describe order quickstart-example-tls-1671619353
Name: quickstart-example-tls-1671619353
Namespace: default
Labels: acme.cert-manager.io/certificate-name=quickstart-example-tls
Annotations: <none>
API Version: certmanager.k8s.io/v1alpha1
Kind: Order
Metadata:
Creation Timestamp: 2019-03-14T09:33:39Z
Generation: 1
Owner References:
API Version: certmanager.k8s.io/v1alpha1
Block Owner Deletion: true
Controller: true
Kind: Certificate
Name: quickstart-example-tls
UID: 1facf771-463c-11e9-a2d5-42010a9400fd
Resource Version: 2246369
Self Link: /apis/certmanager.k8s.io/v1alpha1/namespaces/default/orders/quickstart-example-tls-1671619353
UID: 3fd25e87-463c-11e9-a2d5-42010a9400fd
Spec:
Config:
Domains:
singh.hbot.dev
Http 01:
Ingress Class: nginx
Csr: MIIC...RQ8=
Dns Names:
singh.hbot.dev
Issuer Ref:
Kind: Issuer
Name: letsencrypt-staging
Status:
Certificate: LS0t...LQo=
Challenges:
Authz URL: https://acme-staging-v02.api.letsencrypt.org/acme/authz/CkYZY5sWsaEq0uI2l1D2yyQwAjA1kl0_1uFsVY7UDqk
Config:
Http 01:
Ingress Class: nginx
Dns Name: singh.hbot.dev
Issuer Ref:
Kind: Issuer
Name: letsencrypt-staging
Key: tRxDXBXr_CYcEX1KzU9puQKg1pVZdmEXi7jGWyPAvTs.-kMH8oyhdhqKbua2D8gLPi8FxbeW7rYKBB6w1gMRw2w
Token: tRxDXBXr_CYcEX1KzU9puQKg1pVZdmEXi7jGWyPAvTs
Type: http-01
URL: https://acme-staging-v02.api.letsencrypt.org/acme/challenge/CkYZY5sWsaEq0uI2l1D2yyQwAjA1kl0_1uFsVY7UDqk/270336074
Wildcard: false
Finalize URL: https://acme-staging-v02.api.letsencrypt.org/acme/finalize/8521062/26692657
State: valid
URL: https://acme-staging-v02.api.letsencrypt.org/acme/order/8521062/26692657
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal Created 4m27s cert-manager Created Challenge resource "quickstart-example-tls-1671619353-0" for domain "singh.hbot.dev"
Normal OrderValid 4m cert-manager Order completed successfully
Solution:
Thanks to Harsh Manvar
Confirm my issuer URL from the running issuer:
$ kubectl get issuer letsencrypt-prod -o yaml
apiVersion: certmanager.k8s.io/v1alpha1
kind: Issuer
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"certmanager.k8s.io/v1alpha1","kind":"Issuer","metadata":{"annotations":{},"name":"letsencrypt-prod","namespace":"default"},"spec":{"acme":{"email":"contact@hbot.io","http01":{},"privateKeySecretRef":{"name":"letsencrypt-prod"},"server":"https://acme-v02.api.letsencrypt.org/directory"}}}
  creationTimestamp: "2019-03-14T09:12:11Z"
  generation: 1
  name: letsencrypt-prod
  namespace: default
  resourceVersion: "2242148"
  selfLink: /apis/certmanager.k8s.io/v1alpha1/namespaces/default/issuers/letsencrypt-prod
  uid: 405fa7af-4639-11e9-a2d5-42010a9400fd
spec:
  acme:
    email: contact@hbot.io
    http01: {}
    privateKeySecretRef:
      name: letsencrypt-prod
    server: https://acme-v02.api.letsencrypt.org/directory
status:
  acme:
    uri: https://acme-v02.api.letsencrypt.org/acme/acct/53068205
  conditions:
  - lastTransitionTime: "2019-03-14T09:12:12Z"
    message: The ACME account was registered with the ACME server
    reason: ACMEAccountRegistered
    status: "True"
    type: Ready
Check my ingress:
$ kubectl get ingress --all-namespaces
NAMESPACE NAME HOSTS ADDRESS PORTS AGE
default kuard singh.hbot.dev 35.198.217.71 80, 443 43m
$ kubectl describe ingress
Name: kuard
Namespace: default
Address: 35.198.217.71
Default backend: default-http-backend:80 (10.48.0.7:8080)
TLS:
quickstart-example-tls terminates singh.hbot.dev
Rules:
Host Path Backends
---- ---- --------
singh.hbot.dev
/ kuard:80 (<none>)
Annotations:
certmanager.k8s.io/acme-challenge-type: http01
certmanager.k8s.io/issuer: letsencrypt-prod
kubectl.kubernetes.io/last-applied-configuration: {"apiVersion":"extensions/v1beta1","kind":"Ingress","metadata":{"annotations":{"certmanager.k8s.io/acme-challenge-type":"http01","certmanager.k8s.io/issuer":"letsencrypt-prod","kubernetes.io/ingress.class":"nginx"},"name":"kuard","namespace":"default"},"spec":{"rules":[{"host":"singh.hbot.dev","http":{"paths":[{"backend":{"serviceName":"kuard","servicePort":80},"path":"/"}]}}],"tls":[{"hosts":["singh.hbot.dev"],"secretName":"quickstart-example-tls"}]}}
kubernetes.io/ingress.class: nginx
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal CREATE 43m nginx-ingress-controller Ingress default/kuard
Normal CreateCertificate 43m cert-manager Successfully created Certificate "quickstart-example-tls"
Normal UPDATE 10m (x2 over 43m) nginx-ingress-controller Ingress default/kuard
Normal UpdateCertificate 10m cert-manager Successfully updated Certificate "quickstart-example-tls"
Change the issuer to prod:
sixteen:cert-mgr hellohbot$ kubectl apply -f ingress.yaml
ingress.extensions/kuard configured
Remove old secret to trigger the process.
sixteen:cert-mgr hellohbot$ kubectl get secret
NAME TYPE DATA AGE
default-token-vnngd kubernetes.io/service-account-token 3 10d
letsencrypt-prod Opaque 1 3d2h
letsencrypt-staging Opaque 1 3d2h
quickstart-example-tls kubernetes.io/tls 3 33m
quickstart-nginx-ingress-token-c4tjk kubernetes.io/service-account-token 3 103m
singh-dev-staging-tls kubernetes.io/tls 3 21h
singh-secret kubernetes.io/tls 3 23h
sixteen:cert-mgr hellohbot$ kubectl delete secret quickstart-example-tls
secret "quickstart-example-tls" deleted
Check the new certificate:
sixteen:cert-mgr hellohbot$ kubectl get certificate
NAME
quickstart-example-tls
sixteen:cert-mgr hellohbot$ kubectl describe certificate
Name: quickstart-example-tls
Namespace: default
Labels: <none>
Annotations: <none>
API Version: certmanager.k8s.io/v1alpha1
Kind: Certificate
Metadata:
Creation Timestamp: 2019-03-14T09:32:45Z
Generation: 1
Owner References:
API Version: extensions/v1beta1
Block Owner Deletion: true
Controller: true
Kind: Ingress
Name: kuard
UID: 1fab9656-463c-11e9-a2d5-42010a9400fd
Resource Version: 2252545
Self Link: /apis/certmanager.k8s.io/v1alpha1/namespaces/default/certificates/quickstart-example-tls
UID: 1facf771-463c-11e9-a2d5-42010a9400fd
Spec:
Acme:
Config:
Domains:
singh.hbot.dev
Http 01:
Ingress Class: nginx
Dns Names:
singh.hbot.dev
Issuer Ref:
Kind: Issuer
Name: letsencrypt-prod
Secret Name: quickstart-example-tls
Status:
Conditions:
Last Transition Time: 2019-03-14T10:06:53Z
Message: Certificate issuance in progress. Temporary certificate issued.
Reason: TemporaryCertificate
Status: False
Type: Ready
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal OrderCreated 33m cert-manager Created Order resource "quickstart-example-tls-1671619353"
Normal OrderComplete 33m cert-manager Order "quickstart-example-tls-1671619353" completed successfully
Normal CertIssued 33m cert-manager Certificate issued successfully
Normal Generated 19s (x2 over 33m) cert-manager Generated new private key
Normal GenerateSelfSigned 19s (x2 over 33m) cert-manager Generated temporary self signed certificate
Normal Cleanup 19s cert-manager Deleting old Order resource "quickstart-example-tls-1671619353"
Normal OrderCreated 19s cert-manager Created Order resource "quickstart-example-tls-2367785339"
In the ingress you are using the issuer letsencrypt-staging; change it to production and also change the tls-secrets, and it will work.
Production URL for the Let's Encrypt issuer: https://acme-v02.api.letsencrypt.org/directory
In the issuer you have used the staging URL of the Let's Encrypt staging server; change it to the production URL and try again to get the tls.cert and key, and it will work with https://
A staging certificate sometimes does not work with HTTPS and the browser gives an error; it is for testing purposes.
cert-manager, nginx ingress and the other things are looking perfect, as they should be.
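Both this answer and the Traefik answer above come down to telling a proxy's placeholder certificate, a staging-issued certificate and a production one apart. As an added example (not code from either thread), the Python below reads Traefik v1's acme.json and classifies the subject/issuer lines of `curl -v` output; the placeholder names come from the outputs on this page, the staging markers from Let's Encrypt's staging issuer names, and the sample inputs are constructed.

```python
import json
import re

# Subject/issuer CNs of the built-in fallback certificates that Traefik v1 and the
# NGINX ingress controller serve when no real certificate is available.
PLACEHOLDER_CNS = {
    "TRAEFIK DEFAULT CERT",
    "Kubernetes Ingress Controller Fake Certificate",
}
# Substrings seen in Let's Encrypt staging issuer names ("Fake LE Intermediate X1",
# "(STAGING) Artificial Apricot R3"); browsers do not trust that chain.
STAGING_ISSUER_MARKERS = ("Fake LE", "(STAGING)")
_SUBJECT_RE = re.compile(r"^\*\s+subject:\s*(.+?)\s*$", re.MULTILINE)
_ISSUER_RE = re.compile(r"^\*\s+issuer:\s*(.+?)\s*$", re.MULTILINE)
_CN_RE = re.compile(r"CN=([^;,/]+)")


def acme_state(acme_json: str) -> dict:
    """Summarise Traefik v1's acme.json: account registered? against which CA?
    and has any certificate actually been stored, for which domains?"""
    data = json.loads(acme_json)
    account = data.get("Account") or {}
    registration = account.get("Registration") or {}
    certs = data.get("Certificates") or []  # stays null until an order completes
    domains = []
    for cert in certs:
        domain = cert.get("Domain") or {}
        domains.append(domain.get("Main", ""))
        domains.extend(domain.get("SANs") or [])
    return {
        "registered": (registration.get("body") or {}).get("status") == "valid",
        "staging_account": "acme-staging" in registration.get("uri", ""),
        "certificates_stored": len(certs),
        "domains": domains,
    }


def _cn(dn: str) -> str:
    match = _CN_RE.search(dn)
    return match.group(1).strip() if match else ""


def name_matches(cn: str, hostname: str) -> bool:
    """Exact match, or a single-label wildcard: *.example.com covers a.example.com
    but neither example.com nor a.b.example.com."""
    cn, hostname = cn.lower(), hostname.lower()
    if cn.startswith("*."):
        return hostname.count(".") == cn.count(".") and hostname.endswith(cn[1:])
    return cn == hostname


def classify_tls(curl_output: str, hostname: str) -> tuple:
    """Classify the certificate in `curl -v` output (OpenSSL and GnuTLS builds print
    '* subject:' and '* issuer:' lines). Returns (status, detail)."""
    subject = _SUBJECT_RE.search(curl_output)
    issuer = _ISSUER_RE.search(curl_output)
    if not subject or not issuer:
        return ("unknown", "no '* subject:'/'* issuer:' lines in the curl output")
    subject_cn, issuer_dn = _cn(subject.group(1)), issuer.group(1)
    if subject_cn in PLACEHOLDER_CNS or _cn(issuer_dn) in PLACEHOLDER_CNS:
        return ("placeholder", f"fallback cert '{subject_cn}': no ACME cert is installed")
    if any(marker in issuer_dn for marker in STAGING_ISSUER_MARKERS):
        return ("staging", f"issued by '{_cn(issuer_dn)}': staging CA, untrusted by browsers")
    if not name_matches(subject_cn, hostname):
        # curl -v prints no SANs; a SAN-only match needs the certificate itself.
        return ("name-mismatch", f"CN '{subject_cn}' does not cover '{hostname}'")
    return ("production", f"CN '{subject_cn}' issued by '{_cn(issuer_dn)}'")


def diagnose(acme_json: str, curl_output: str, hostname: str) -> list:
    """Combine both checks into the findings an operator would act on."""
    state = acme_state(acme_json)
    status, detail = classify_tls(curl_output, hostname)
    findings = []
    if state["certificates_stored"] == 0:
        findings.append("acme.json holds no certificate, so only the fallback cert can be served")
    if state["staging_account"]:
        findings.append("ACME account is on the staging CA: its certificates will not be trusted")
    findings.append(f"served certificate: {status} ({detail})")
    return findings


# Constructed samples: acme.json as Traefik leaves it before any order completes,
# and `curl -v` fragments reduced to their subject/issuer lines.
SAMPLE_ACME_JSON = """{
  "Account": {
    "Email": "user@example.com",
    "Registration": {"body": {"status": "valid"},
                     "uri": "https://acme-staging-v02.api.letsencrypt.org/acme/acct/1"},
    "PrivateKey": "<omitted>", "KeyType": "4096"
  },
  "Certificates": null, "HTTPChallenges": null, "TLSChallenges": null
}"""
CURL_TRAEFIK = "* subject: CN=TRAEFIK DEFAULT CERT\n* issuer: CN=TRAEFIK DEFAULT CERT\n"
CURL_K8S = ("* subject: O=Acme Co; CN=Kubernetes Ingress Controller Fake Certificate\n"
            "* issuer: O=Acme Co; CN=Kubernetes Ingress Controller Fake Certificate\n")
CURL_STAGING = "* subject: CN=test.escalamas.com\n* issuer: CN=Fake LE Intermediate X1\n"
CURL_PROD = "* subject: CN=test.escalamas.com\n* issuer: C=US; O=Let's Encrypt; CN=R3\n"
```

Run `diagnose(SAMPLE_ACME_JSON, CURL_TRAEFIK, "test.escalamas.com")` to see the three findings for the Traefik case; a placeholder result means no certificate was issued at all, which is a different problem from a staging certificate that was issued but is untrusted.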
I'm trying to set up an Apache Forward Proxy that terminates the SSL connection. The reason I'm trying to do this is to run Apache filters (specifically mod_pagespeed) on the returned code. Before I deal with mod_pagespeed, I'm testing this POC by trying to insert a header into the response (which will prove that I can edit the response), but I'm having issues with SSL proxying (non-SSL proxying works fine).
Note that I'm not concerned about any certificate errors or the like -- this is purely for internal testing.
I've got the server set up and see the X-MSCProxy Header on a non-SSL page:
jshannon-macbookpro:pagespeed_proxy jshannon$ curl -vv --proxy pagespeed_proxy:3ja82ad9@localhost:8080 -D - -o /dev/null http://www.slate.com
* TCP_NODELAY set
* Connected to localhost (::1) port 8080 (#0)
* Proxy auth using Basic with user 'pagespeed_proxy'
> GET http://www.slate.com/ HTTP/1.1
> Host: www.slate.com
...
>
< HTTP/1.1 200 OK
HTTP/1.1 200 OK
< Date: Mon, 30 Oct 2017 18:10:40 GMT
Date: Mon, 30 Oct 2017 18:10:40 GMT
< Server: Apache/2.2.29 (Amazon)
Server: Apache/2.2.29 (Amazon)
...
< Content-Length: 187051
Content-Length: 187051
...
< X-Instart-Request-ID: 8286987369135064135:FWP01-NPPRY22:1509387040:0
X-Instart-Request-ID: 8286987369135064135:FWP01-NPPRY22:1509387040:0
< Via: 1.1 172.17.0.2:8080
Via: 1.1 172.17.0.2:8080
< X-MSCProxy: SansPS
X-MSCProxy: SansPS
But when I make the same request to Slate's SSL page I don't see my proxy:
jshannon-macbookpro:pagespeed_proxy jshannon$ curl -vv --proxy pagespeed_proxy:3ja82ad9@localhost:8080 -D - -o /dev/null https://www.slate.com
* Connected to localhost (::1) port 8080 (#0)
* Establish HTTP proxy tunnel to www.slate.com:443
* Proxy auth using Basic with user 'pagespeed_proxy'
> CONNECT www.slate.com:443 HTTP/1.1
> Host: www.slate.com:443
< HTTP/1.0 200 Connection Established
HTTP/1.0 200 Connection Established
< Proxy-agent: Apache/2.4.25 (Debian)
Proxy-agent: Apache/2.4.25 (Debian)
<
* Proxy replied OK to CONNECT request
* TLS 1.2 connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
* Server certificate: ssl004.insnw.net
* Server certificate: GlobalSign CloudSSL CA - SHA256 - G3
* Server certificate: GlobalSign Root CA
> GET / HTTP/1.1
> Host: www.slate.com
> User-Agent: curl/7.54.0
> Accept: */*
>
< Content-Length: 187044
Content-Length: 187044
< Connection: keep-alive
Connection: keep-alive
< Server: Apache/2.2.29 (Amazon)
Server: Apache/2.2.29 (Amazon)
< X-Instart-Request-ID: 762420041708891440:FWP01-NPPRY21:1509387251:0
X-Instart-Request-ID: 762420041708891440:FWP01-NPPRY21:1509387251:0
I've found a lot of posts that say this is possible (and, technically, it should be) with various httpd.conf suggestions, but nothing I've tried has worked. Right now my httpd.conf looks like:
<VirtualHost *:8080>
ProxyRequests On
ProxyVia On
Header set X-MSCProxy SansPS
#SSLEngine On
# suggestion that this allows termination
ProxyPreserveHost On
SSLProxyEngine on
SSLProxyCheckPeerCN Off
SSLProxyCheckPeerExpire Off
SSLProxyCheckPeerName Off
SSLCertificateFile /etc/apache2/ssl/localhost.crt
SSLCertificateKeyFile /etc/apache2/ssl/localhost.key
ModPagespeed Off
</VirtualHost>
FWIW, when I enable SSLEngine on this proxy (as has been suggested), the request simply doesn't work, with this error from Apache:
[Mon Oct 30 18:20:20.705047 2017] [ssl:info] [pid 372:tid 140147985901312] [client 172.17.0.1:34012] AH01996: SSL handshake failed: HTTP spoken on HTTPS port; trying to send HTML error page
[Mon Oct 30 18:20:20.705107 2017] [ssl:info] [pid 372:tid 140147985901312] SSL Library Error: error:1407609C:SSL routines:SSL23_GET_CLIENT_HELLO:http request -- speaking HTTP to HTTPS port!?
Which I guess makes sense as the proxy protocol isn't expecting an HTTPS connection directly to the proxy.
I would try to use the output filter feature from Apache.
https://www.modpagespeed.com/doc/configuration#apache_specific
AddOutputFilterByType MOD_PAGESPEED_OUTPUT_FILTER text/html
Try to add https:// to the curl proxy command like this:
jshannon-macbookpro:pagespeed_proxy jshannon$ curl -vv --proxy https://pagespeed_proxy:3ja82ad9@localhost:8080 -D - -o /dev/null https://www.slate.com
Apache complained about connecting to port 8080 with http even though https is configured for this port.
I successfully used Letsencrypt to generate certificates and I uploaded them to Heroku using:
this-site ********$ heroku addons:create ssl:endpoint
Creating ssl-graceful-41756... done, ($20.00/month)
Adding ssl-graceful-41756 to this-site... done
Next add your certificate with `heroku certs:add CERT KEY`.
Use `heroku addons:docs ssl` to view documentation.
this-site ********$ sudo heroku certs:add /etc/letsencrypt/live/www.this-site.com/fullchain.pem /etc/letsencrypt/live/www.this-site.com/privkey.pem
Resolving trust chain... done
Adding SSL Endpoint to this-site... done
this-site now served by qwasf-34234.herokussl.com
Certificate details:
Common Name(s): www.this-site.com
Expires At: 2016-09-02 19:15 UTC
Issuer: /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
Starts At: 2016-06-04 19:15 UTC
Subject: /CN=www.this-site.com
SSL certificate is verified by a root authority.
However, when I visit qwasf-34234.herokussl.com, it is not working. It shows a page that says: "Heroku | No such app. There is no app configured at that hostname. Perhaps the app owner has renamed it, or you mistyped the URL."
I am copy and pasting the exact new host that heroku gave me. Going to https://qwasf-34234.herokussl.com yields the same page.
I verified the certificate with:
this-site ********$ heroku certs
Endpoint Common Name(s) Expires Trusted
-------------------------- --------------------- -------------------- -------
qwasf-34234.herokussl.com www.this-site.com 2016-09-02 19:15 UTC True
More checks:
this-site *******$ curl -kvI https://www.this-site.com
* Rebuilt URL to: https://www.michaelsutyak.com/
* Trying 23.21.142.230...
* Connected to www.this-site.com (23.21.142.230) port 443 (#0)
* TLS 1.2 connection using TLS_********************
* Server certificate: *.herokuapp.com
* Server certificate: DigiCert ******
* Server certificate: DigiCert *******
> HEAD / HTTP/1.1
> Host: www.this-site.com
> User-Agent: curl/7.43.0
> Accept: */*
>
< HTTP/1.1 200 OK
HTTP/1.1 200 OK
< Server: Cowboy
Server: Cowboy
< Connection: keep-alive
Connection: keep-alive
< Vary: Accept-Encoding
Vary: Accept-Encoding
< Content-Type: text/html; charset=utf-8
Content-Type: text/html; charset=utf-8
< Date: Sat, 04 Jun 2016 20:57:00 GMT
Date: Sat, 04 Jun 2016 20:57:00 GMT
< Via: 1.1 vegur
Via: 1.1 vegur
<
* Connection #0 to host www.this-site.com left intact
What is going on here and how can this work? I just want https for my site.
You cannot access the Heroku SSL endpoint directly. That endpoint represents the hostname you need to point your domain to, as explained in the DNS and domain configuration section of the Heroku article.
If you want to point a subdomain (e.g. www.this-site.com), then create a DNS record CNAME in your DNS hosting provider that points the www record to the Heroku SSL endpoint:
www CNAME qwasf-34234.herokussl.com
If you want to point the root domain (this-site.com), then you need to use a provider that supports a CNAME-like record for the root domain, as explained in this Heroku article, since you can't use a CNAME for the root domain.
Make sure your domain is not still pointing to the herokuapp.com hostname.
You can test my assertion by sending a cURL request to the SSL endpoint, but passing the Host header (as the browser would do).
$ curl -i qwasf-34234.herokussl.com -H "Host: www.this-site.com"
You cannot visit the qwasf-34234.herokussl.com domain that Heroku gives you. Instead, you are supposed to change your DNS to point to that as a CNAME, instead of qwasf-34234.herokuapp.com.
I was writing a very simple Golang script and used the golang-jenkins library to connect to our internal HTTPS server. But I get the following x509 cert issue and wasn't sure what to do about it. Our team has zero access to Jenkins and would like to know what else we can do to dig deeper into the issue.
$ go run jenkins.go
2014/07/28 22:00:29 [] Get https://jenkins.mydomain.com/api/json: x509: certificate signed by unknown authority (possibly because of "x509: cannot verify signature: algorithm unimplemented" while trying to verify candidate authority certificate "MyDomain Internal Root CA")
using curl:
$ curl -v "https://jenkins.mydomain.com/api/json"
* Adding handle: conn: 0x7f8469004000
* Adding handle: send: 0
* Adding handle: recv: 0
* Curl_addHandleToPipeline: length: 1
* - Conn 0 (0x7f8469004000) send_pipe: 1, recv_pipe: 0
* About to connect() to jenkins.mydomain.com port 443 (#0)
* Trying 10.38.8.70...
* Connected to jenkins.mydomain.com (10.38.8.70) port 443 (#0)
* TLS 1.2 connection using TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
* Server certificate: jenkins.mydomain.com
* Server certificate: MyDomain Server CA - 2014
* Server certificate: MyDomain Internal Root CA
> GET /api/json HTTP/1.1
> User-Agent: curl/7.30.0
> Host: jenkins.mydomain.com
> Accept: */*
>
< HTTP/1.1 200 OK
* Server nginx is not blacklisted
< Server: nginx
< Date: Tue, 29 Jul 2014 05:03:45 GMT
< Content-Type: application/json;charset=UTF-8
< Transfer-Encoding: chunked
< Connection: keep-alive
< Set-Cookie: JSESSIONID.214ca1a4=1ry000odf815goiv7vl8tr627;Path=/;Secure
< Expires: Thu, 01 Jan 1970 00:00:00 GMT
< X-Jenkins: 1.554.3
< X-Jenkins-Session: c660ff91
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 is currently broken in Go; it will be supported in v1.4. The only workaround is to downgrade the TLS MaxVersion.
From a quick look at golang-jenkins, it doesn't allow specifying the http.Client to use and just uses http.DefaultClient, so the only (ugly) way to downgrade the TLS MaxVersion is to override http.DefaultClient.Transport.
You should be able to do something like this in func init() before you try to connect to anything:
package main

import (
	"crypto/tls"
	"net/http"
)

func init() {
	cfg := &tls.Config{
		MaxVersion:               tls.VersionTLS11, // try tls.VersionTLS10 if this doesn't work
		PreferServerCipherSuites: true,
	}
	http.DefaultClient.Transport = &http.Transport{TLSClientConfig: cfg}
}
Keep in mind this will set the transport for anything that uses http.DefaultClient directly, like http.Get; if you use your own instance, however, you will be fine.
Discussion about the bug: https://groups.google.com/forum/#!topic/golang-nuts/oK3EBAY2Uig