Hi,
when I activate the Letsencrypt module and install a certificate for my site in Zotonic, which works fine by the way, it starts to log two WARNING records every minute.
2022-10-27 14:38:24 WARNING <0.2674.0> [:] ▸ reason="Option {verify, verify_peer} and cacertfile/cacerts is missing" description="Authenticity is not established by certificate path validation"
2022-10-27 14:38:24 WARNING <0.3352.0> [:] ▸ reason="Option {verify, verify_peer} and cacertfile/cacerts is missing" description="Authenticity is not established by certificate path validation"
2022-10-27 14:39:24 WARNING <0.2674.0> [:] ▸ reason="Option {verify, verify_peer} and cacertfile/cacerts is missing" description="Authenticity is not established by certificate path validation"
2022-10-27 14:39:24 WARNING <0.3352.0> [:] ▸ reason="Option {verify, verify_peer} and cacertfile/cacerts is missing" description="Authenticity is not established by certificate path validation"
I also note that there are two tcp connections to the letsencrypt site ESTABLISHED all the time.
$ netstat -ant | grep :443
tcp 0 0 185.157.221.71:55462 172.65.32.248:443 ESTABLISHED
tcp 0 0 185.157.221.71:55470 172.65.32.248:443 ESTABLISHED
Has anyone else noted this problem? I don’t understand why you like to keep the connection to the Letsencrypt site open once you have installed your cert.
Interesting, can you also file this as an issue on GitHub with Zotonic? It feels like some retry mechanism is in action, otherwise it wouldn’t try to reconnect. We also should add the certificates to the LE requests.
And it is exactly every minute, which should help us find the timer that is triggering this.
Looked into it, and the warning seems to come from the check if the hostname is really the current site. This check must be done without any TLS checks as at that moment we can still use our self-signed certificate.
The open connection comes from the use of the gun application for the LE requests. I don’t think that is appropriate, and will change that to using httpc (using the z_fetch code).
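As an added illustration (not Zotonic's own code) of the two kinds of request the thread distinguishes, the module below does an outbound HTTPS fetch through `httpc` with certificate path validation switched on, next to the deliberately unverified local self-check. Assumed: OTP 25 or later (for `public_key:cacerts_get/0`), and that the caller is fine with `inets` and `ssl` being started on demand; the module and function names are made up for this example.

```erlang
%% Added example, not Zotonic's own code. Shows an httpc request with
%% {verify, verify_peer} and a CA set, which is what OTP's ssl application
%% is asking for in the warning "Authenticity is not established by
%% certificate path validation", beside the unverified local self-check.
%% Assumes OTP 25+ (public_key:cacerts_get/0). Module name is hypothetical.
-module(le_fetch_example).
-export([fetch_verified/1, fetch_self_check/1]).

%% Outbound request to a public host (e.g. the ACME directory): validate the
%% peer certificate against the OS trust store and check the hostname.
fetch_verified(Url) ->
    ok = ensure_started(),
    SslOpts = [
        {verify, verify_peer},
        {cacerts, public_key:cacerts_get()},
        {depth, 3},
        {customize_hostname_check,
            [{match_fun, public_key:pkix_verify_hostname_match_fun(https)}]}
    ],
    httpc:request(get, {Url, []}, [{ssl, SslOpts}, {timeout, 10000}], []).

%% Local "is this hostname really me?" check, as described in the thread:
%% the site may still be on its self-signed certificate at this point, so
%% path validation is off. This is the configuration that produces the
%% warning shown above; keep it for requests that go to yourself only.
fetch_self_check(Url) ->
    ok = ensure_started(),
    SslOpts = [{verify, verify_none}],
    httpc:request(get, {Url, []}, [{ssl, SslOpts}, {timeout, 10000}], []).

ensure_started() ->
    {ok, _} = application:ensure_all_started(inets),
    {ok, _} = application:ensure_all_started(ssl),
    ok.
```

Both functions return `httpc:request/4`'s usual `{ok, {{Version, Status, Reason}, Headers, Body}}` or `{error, Reason}`; with the verified variant a certificate that does not chain to a trusted root, or whose name does not match the URL host, comes back as an `{error, {failed_connect, ...}}` rather than a silently accepted connection.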
Ahh, OK,
Thanks.
I had to fiddle a bit with my firewall (nftables) settings before the check passed since I am running zotonic on port 8000/8443. (port and ssl_port set to 80/443 in config). My guess is that the failed check(s) caused the process not to terminate maybe. I have not seen this happening after restart with the fixed nftables.
Using z_fetch is a good idea anyway I think.
So the nftables settings for anyone interested are:
# Accept the ports zotonic actually listens on (http, https, mqtt, mqtts)
add rule ip filter INPUT tcp dport { 8000, 8443, 1883, 8883 } counter accept
# Redirect http/https to zotonic port
add rule ip nat PREROUTING tcp dport 80 counter redirect to :8000
add rule ip nat PREROUTING tcp dport 443 counter redirect to :8443
# Block 8000/8443 ports from outside
add rule ip nat PREROUTING tcp dport 8000 counter redirect to :80
add rule ip nat PREROUTING tcp dport 8443 counter redirect to :443
# Fix for letsencrypt
add rule ip nat OUTPUT ip daddr <myhostip> tcp dport 80 counter redirect to :8000
add rule ip nat OUTPUT ip daddr <myhostip> tcp dport 443 counter redirect to :8443