
SSL setup - talkyard one auto config not working

By Daniel Tallentire @danielt, 2021-04-28 10:45:51.763Z

Hi. I'm setting up my 2nd talkyard box, trying to use SSL.
On my first setup, I didn't have port 80 open, which might have thrown it off for the automatic cert generation.
Port 80 is now open too.

It still doesn't seem to generate the https cert.

In the nginx log I get:

2021/04/28 10:41:58 [info] 14#14: *112 [lua] init-by-lua-file.lua:97: domain_whitelist_callback(): Should not have cert: echo.parkersoftware.com [TyMGENCRTNO], context: ssl_certificate_by_lua*, client: 90.255.232.40, server: 0.0.0.0:443

2021/04/28 10:41:58 [info] 14#14: *112 [lua] autossl.lua:398: ssl_certificate(): domain echo.parkersoftware.com does not pass whitelist_callback, skipping, context: ssl_certificate_by_lua*, client: 90.255.232.40, server: 0.0.0.0:443

My domain name is in the play-framework.conf file, and SSL is enabled.

Any suggestions on what to do to fix it?

  1. KajMagnus @KajMagnus, 2021-04-28 19:27:15.454Z

    One needs to restart the app container, after having edited play-framework.conf, like so:

    docker-compose restart app

    Port 80 needs to be open, yes (unless you edit the Nginx config file and enable a newer type of cert challenge that works over HTTPS).

    But the port 80 request won't happen until a bit later — this domain_whitelist_callback() problem happens at an earlier stage.

    ***

    There was a domain_whitelist_callback() problem related to redirects, which is fixed in the upcoming version.
    But this doesn't sound like your case.
    (It was (is) this: If the app server tries to redirect the browser to a newer Internet address (if one has moved to a new domain), then, the cert generation won't work for the old domain (because of a 30X redirect status code instead of 200 OK). )

    I could try setting up a new server tomorrow with a cert and see if I also run into this problem.

    1. Daniel Tallentire @danielt, 2021-04-28 21:57:03.751Z

      I still get this after using docker-compose restart app:

      2021/04/28 20:40:45 [info] 14#14: *576 [lua] init-by-lua-file.lua:97: domain_whitelist_callback(): Should not have cert: echo.parkersoftware.com [TyMGENCRTNO], context: ssl_certificate_by_lua*, client: 90.255.232.40, server: 0.0.0.0:443
      2021/04/28 20:40:45 [info] 14#14: *576 [lua] autossl.lua:398: ssl_certificate(): domain echo.parkersoftware.com does not pass whitelist_callback, skipping, context: ssl_certificate_by_lua*, client: 90.255.232.40, server: 0.0.0.0:443

      I also see some of these:

      2021/04/28 21:25:00 [info] 14#14: *588 [lua] autossl.lua:391: ssl_certificate(): ignore domain: nil, err: nil, context: ssl_certificate_by_lua*, client: 138.246.253.24, server: 0.0.0.0:443

      in the Nginx error log.

      1. KajMagnus @KajMagnus, 2021-04-29 07:41:28.070Z

        I think I found the problem: It is that already-fixed-in-the-latest-version redirect issue.

        I just promoted the latest version to the regular release channel — so, now, if you upgrade to the latest version, thereafter HTTPS should work:

        sudo -i
        cd /opt/talkyard/
        ./scripts/upgrade-if-needed.sh

        That'll download and restart with image version v0.2021.12-b45a9a961. (Or you can wait until tomorrow — if you enabled the auto-upgrade Cron job, the server should auto upgrade itself each night (UTC time zone), if needed.)

        The problem is that your site being login-required makes Talkyard redirect the browser to a login page — but then the Nginx-Lua code gets a 30X HTTP redirect status code, and thinks "Oh it's not 200 OK, so therefore, no cert needed". The latest version, though, understands that 30X status codes also need an HTTPS cert.

        ***

        About this:

        2021/04/28 21:25:00 [info] 14#14: *588 [lua] autossl.lua:391: ssl_certificate(): ignore domain: nil, err: nil, context: ssl_certificate_by_lua*, ...

        That happens if accessing the server via IP address — then, the domain would be nil (in the Nginx-Lua code). Maybe some monitoring tool, or external bots on the internet, access the server via IP address?

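As an added illustration (not Talkyard's or lua-resty-auto-ssl's own code), the following Python models the two decisions the thread describes: the whitelist callback that, before the fix, only issues a cert when the app server answers 200 OK (so a login-required site's 30X redirect blocks cert generation), and the nil-domain case for requests made by IP address. It also classifies the Nginx log lines quoted above by which stage blocked the cert; the function names and the `accept_redirects` flag are assumptions.

```python
import re
from typing import Optional, Tuple

# Model of the allow-domain decision described in the thread (constructed, not the real Lua code).
def cert_wanted(domain: Optional[str], status: Optional[int],
                accept_redirects: bool) -> Tuple[bool, str]:
    """Return (should_issue_cert, reason).

    `status` is the HTTP status the app server returned when asked about `domain`
    (None if nothing could be fetched). With accept_redirects=False this is the
    pre-fix behaviour: only 200 OK counts. The fixed behaviour also accepts 30X,
    which is what a login-required site answers with.
    """
    if not domain:
        return False, "ignore domain: nil"          # request by IP address, no SNI host
    if status == 200:
        return True, "ok"
    if status is not None and 300 <= status < 400 and accept_redirects:
        return True, "ok (redirect)"
    return False, "Should not have cert [TyMGENCRTNO]"

# Pattern for the "[lua] file:line: func(): message, context: ..." part of the log lines.
LOG_RE = re.compile(r"\[lua\] (?P<file>\S+):\d+: (?P<func>\w+)\(\): (?P<msg>.*?), context:")

def classify_log_line(line: str) -> str:
    """Map one Nginx auto-SSL log line to the stage that blocked the cert."""
    m = LOG_RE.search(line)
    if not m:
        return "unrelated"
    msg = m["msg"]
    if "ignore domain: nil" in msg:
        return "no-domain (request by IP address)"
    if "TyMGENCRTNO" in msg:
        return "whitelist-rejected"
    if "does not pass whitelist_callback" in msg:
        return "whitelist-skipped"
    return "other"

# Sample log lines, copied from the thread above (constructed input for this example).
SAMPLE_LOG = [
    "2021/04/28 20:40:45 [info] 14#14: *576 [lua] init-by-lua-file.lua:97: domain_whitelist_callback(): "
    "Should not have cert: echo.parkersoftware.com [TyMGENCRTNO], context: ssl_certificate_by_lua*",
    "2021/04/28 20:40:45 [info] 14#14: *576 [lua] autossl.lua:398: ssl_certificate(): "
    "domain echo.parkersoftware.com does not pass whitelist_callback, skipping, context: ssl_certificate_by_lua*",
    "2021/04/28 21:25:00 [info] 14#14: *588 [lua] autossl.lua:391: ssl_certificate(): "
    "ignore domain: nil, err: nil, context: ssl_certificate_by_lua*",
]

def summarize(lines) -> dict:
    """Count log lines per blocking stage, e.g. to spot the redirect bug vs. IP-address noise."""
    counts: dict = {}
    for line in lines:
        stage = classify_log_line(line)
        counts[stage] = counts.get(stage, 0) + 1
    return counts
```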