Hi. I'm setting up my 2nd talkyard box, trying to use SSL.
On my first setup, I didn't have port 80 open, which might have thrown it off for the automatic cert generation.
Port 80 is now open too.
It still doesn't seem to generate the https cert.
In the nginx log I get:
2021/04/28 10:41:58 [info] 14#14: *112 [lua] init-by-lua-file.lua:97: domain_whitelist_callback(): Should not have cert: echo.parkersoftware.com [TyMGENCRTNO], context: ssl_certificate_by_lua*, client: 90.255.232.40, server: 0.0.0.0:443
2021/04/28 10:41:58 [info] 14#14: *112 [lua] autossl.lua:398: ssl_certificate(): domain echo.parkersoftware.com does not pass whitelist_callback, skipping, context: ssl_certificate_by_lua*, client: 90.255.232.40, server: 0.0.0.0:443
My domain name is in the play-framework.conf file, and SSL is enabled.
Any suggestions on what to do to fix it?
- KajMagnus @KajMagnus 2021-04-28 19:27:15.454Z
One needs to restart the app container after having edited play-framework.conf, like so:
docker-compose restart app
Port 80 needs to be open yes (unless you edit the Nginx config file and enable a newer type of cert challenge that works over HTTPS).
But the port 80 request won't happen until a bit later — this domain_whitelist_callback() problem happens at an earlier stage.
***
There was a domain_whitelist_callback() problem related to redirects, which is fixed in the upcoming version. But this doesn't sound like your case.
(It was (is) this: If the app server tries to redirect the browser to a newer Internet address (if one has moved to a new domain), then the cert generation won't work for the old domain (because of a 30X redirect status code instead of 200 OK).)
I could try setting up a new server tomorrow with a cert and see if I also run into this problem.
- Daniel Tallentire @danielt
I still get this after using docker-compose restart app:
2021/04/28 20:40:45 [info] 14#14: *576 [lua] init-by-lua-file.lua:97: domain_whitelist_callback(): Should not have cert: echo.parkersoftware.com [TyMGENCRTNO], context: ssl_certificate_by_lua*, client: 90.255.232.40, server: 0.0.0.0:443
2021/04/28 20:40:45 [info] 14#14: *576 [lua] autossl.lua:398: ssl_certificate(): domain echo.parkersoftware.com does not pass whitelist_callback, skipping, context: ssl_certificate_by_lua*, client: 90.255.232.40, server: 0.0.0.0:443
I also see some of these:
2021/04/28 21:25:00 [info] 14#14: *588 [lua] autossl.lua:391: ssl_certificate(): ignore domain: nil, err: nil, context: ssl_certificate_by_lua*, client: 138.246.253.24, server: 0.0.0.0:443
in the nginx errors.
- KajMagnus @KajMagnus 2021-04-29 07:41:28.070Z
I think I found the problem: it is that already-fixed-in-the-latest-version redirect issue.
I just promoted the latest version to the regular release channel — so, now, if you upgrade to the latest version, thereafter HTTPS should work:
sudo -i
cd /opt/talkyard/
./scripts/upgrade-if-needed.sh
That'll download and restart with images version v0.2021.12-b45a9a961. (Or you can wait until tomorrow — if you enabled the auto-upgrade Cron job, the server should auto upgrade itself each night (UTC time zone), if needed.)
The problem is that your site being login-required makes Talkyard redirect the browser to a login page — but then the Nginx-Lua code gets a 30X HTTP redirect status code, and thinks "Oh, it's not 200 OK, so therefore no cert needed". The latest version, though, understands that also 30X status codes need an HTTPS cert.
***
About this:
2021/04/28 21:25:00 [info] 14#14: *588 [lua] autossl.lua:391: ssl_certificate(): ignore domain: nil, err: nil, context: ssl_certificate_by_lua*, ...
That happens if accessing the server via IP address — then the domain would be nil (in the Nginx-Lua code). Maybe some monitoring tool, or external bots on the internet, access the server via IP address?
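The post above describes two things a self-hoster has to triage from the Nginx error log: which domains the whitelist callback refused (and why), and which "domain: nil" entries are just IP-address hits from bots or monitoring. The following is an added Python example, not Talkyard's own Lua code: it parses the exact log-line shapes quoted in this thread (embedded below as constructed sample input) and models the pre-fix "200 OK only" versus post-fix "200 or 30X" whitelist rule as KajMagnus explained it. The function and field names are my own, and the status-code rule is a simplification of the described behaviour, not a copy of the real callback.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample input: the three kinds of nginx/Lua lines quoted in this thread.
SAMPLE_LOG = """\
2021/04/28 10:41:58 [info] 14#14: *112 [lua] init-by-lua-file.lua:97: domain_whitelist_callback(): Should not have cert: echo.parkersoftware.com [TyMGENCRTNO], context: ssl_certificate_by_lua*, client: 90.255.232.40, server: 0.0.0.0:443
2021/04/28 10:41:58 [info] 14#14: *112 [lua] autossl.lua:398: ssl_certificate(): domain echo.parkersoftware.com does not pass whitelist_callback, skipping, context: ssl_certificate_by_lua*, client: 90.255.232.40, server: 0.0.0.0:443
2021/04/28 21:25:00 [info] 14#14: *588 [lua] autossl.lua:391: ssl_certificate(): ignore domain: nil, err: nil, context: ssl_certificate_by_lua*, client: 138.246.253.24, server: 0.0.0.0:443
"""

_TS = re.compile(r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})")
_CLIENT = re.compile(r"client: (?P<client>[0-9a-fA-F.:]+)")
# Whitelist callback said no; the bracketed tag (TyMGENCRTNO in the thread) is the reason code.
_REFUSED = re.compile(r"Should not have cert: (?P<domain>\S+) \[(?P<tag>[A-Za-z0-9]+)\]")
# auto-ssl then skips issuing for that domain.
_SKIP = re.compile(r"domain (?P<domain>\S+) does not pass whitelist_callback")
# No SNI name at all: the client connected by IP address.
_NIL = re.compile(r"ignore domain: nil")


@dataclass
class Finding:
    timestamp: str
    kind: str                 # "cert_refused" | "whitelist_skip" | "no_sni_domain"
    domain: Optional[str]
    client: Optional[str]
    tag: Optional[str] = None  # reason code such as TyMGENCRTNO, when present


def parse_autossl_log(text: str) -> list:
    """Extract the auto-ssl decisions from nginx error-log text (hypothetical helper)."""
    findings = []
    for line in text.splitlines():
        ts_m = _TS.match(line)
        if not ts_m:
            continue  # not an nginx error-log line
        ts = ts_m.group("ts")
        cl_m = _CLIENT.search(line)
        client = cl_m.group("client") if cl_m else None
        if (m := _REFUSED.search(line)):
            findings.append(Finding(ts, "cert_refused", m.group("domain"), client, m.group("tag")))
        elif (m := _SKIP.search(line)):
            findings.append(Finding(ts, "whitelist_skip", m.group("domain"), client))
        elif _NIL.search(line):
            findings.append(Finding(ts, "no_sni_domain", None, client))
    return findings


def refused_domains(findings: list) -> set:
    """Domains for which the whitelist callback refused a cert."""
    return {f.domain for f in findings if f.kind == "cert_refused"}


def ip_only_clients(findings: list) -> set:
    """Clients that hit port 443 without an SNI domain (IP-address access)."""
    return {f.client for f in findings if f.kind == "no_sni_domain" and f.client}


def whitelist_accepts(app_status: int, accept_redirects: bool) -> bool:
    """Simplified model of the rule described in the thread (not Talkyard's real code):
    the pre-fix callback required 200 OK from the app server, so a login-required
    site answering with a 30X redirect was treated as 'no cert needed'; the fixed
    version treats 30X the same as 200."""
    if app_status == 200:
        return True
    return accept_redirects and 300 <= app_status <= 399


if __name__ == "__main__":
    found = parse_autossl_log(SAMPLE_LOG)
    for f in found:
        print(f)
    print("refused:", refused_domains(found))
    print("ip-only clients:", ip_only_clients(found))
    for status in (200, 302, 404):
        print(status, "old rule:", whitelist_accepts(status, False),
              "fixed rule:", whitelist_accepts(status, True))
```

Run it against a real /var/log/nginx error log by reading the file into parse_autossl_log; a domain that shows up in refused_domains while the app server answers it with a 30X is the symptom this thread describes, whereas entries in ip_only_clients are the harmless IP-address hits.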
- In reply to danielt: KajMagnus @KajMagnus 2021-06-07 17:41:42.765Z
Hi Daniel, there's a cert renewal bug: Self hosted bug: Auto cert renewal Lua problem (Certbot is fine)
I'm pretty sure it affects your site.
- Daniel Tallentire @danielt
Thanks @KajMagnus I will put a note in my calendar to check it when it is up for renewal.