SSL fails on branches #238

Open
alyx opened this issue Aug 13, 2021 · 4 comments

Comments


alyx commented Aug 13, 2021

In my deployment, I've found SSL certificate generation works perfectly for the primary subdomain for a site hosted in a Meli instance, but consistently seems to fail for branch subdomains.

I see the following error in the log output:

{"level":"debug","ts":1628840270.8583307,"logger":"http.stdlib","msg":"http: TLS handshake error from 69.28.90.113:58350: no server TLS configuration available for ClientHello: &{CipherSuites:[4866 4867 4865 49196 49200 159 52393 52392 52394 49195 49199 158 49188 49192 107 49187 49191 103 49162 49172 57 49161 49171 51 157 156 61 60 53 47 255] ServerName:main.demo.pages.qa SupportedCurves:[X25519 CurveP256 CurveID(30) CurveP521 CurveP384] SupportedPoints:[0 1 2] SignatureSchemes:[ECDSAWithP256AndSHA256 ECDSAWithP384AndSHA384 ECDSAWithP521AndSHA512 Ed25519 SignatureScheme(2056) SignatureScheme(2057) SignatureScheme(2058) SignatureScheme(2059) PSSWithSHA256 PSSWithSHA384 PSSWithSHA512 PKCS1WithSHA256 PKCS1WithSHA384 PKCS1WithSHA512 SignatureScheme(771) SignatureScheme(769) SignatureScheme(770) SignatureScheme(1026) SignatureScheme(1282) SignatureScheme(1538)] SupportedProtos:[h2 http/1.1] SupportedVersions:[772 771] Conn:0xc000d0c030 config:0xc000001380}"}

and in browsers loading the branch subdomain just fails with an SSL protocol error.

Testing both using the default CA (which, following Caddy's change, seems to now be ZeroSSL) and with manually setting the ACME server to Let's Encrypt via MELI_ACME_SERVER: https://acme-v02.api.letsencrypt.org/directory, the error seems to consistently happen.

Using Meli image: getmeli/meli:beta, 1.0.0-beta.20 per package.json.


MrLemur commented Aug 13, 2021

Known issue: https://docs.meli.sh/configuration/reverse-proxy


alyx commented Aug 13, 2021

Ah, I saw that but assumed that was only the situation when running behind a reverse proxy. Perhaps it would make sense to copy that warning over to https://docs.meli.sh/configuration/ssl ?


MrLemur commented Aug 13, 2021

I think implementing #233 will make the situation easier, without having to mess around with subdomains of subdomains. Follows what Netlify does with having a subdomain like f78gh0f7wgff4fwdsa--sitename.netlify.app


gempain commented Aug 13, 2021

@alyx as @MrLemur rightly raised, this is an issue we still need to fix. This change is making it to the top of our todo list and we will implement it just like Netlify. We'll be using -- as a separator and prevent users from using this separator in their site name.

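The root cause behind the handshake error above and the `--` scheme proposed in the two comments before it can be shown in a few lines. A wildcard name in a certificate matches exactly one DNS label, so a certificate for `*.pages.qa` covers `demo.pages.qa` but not `main.demo.pages.qa`; a branch hostname built as `main--demo.pages.qa` stays within one label and is covered. The following TypeScript is an added example written for this thread, not Meli's own code: the `--` separator and the rule that site names may not contain it come from gempain's comment, while the label regex, the branch slugging and the `parseBranchHostname` helper are assumptions made here for illustration.

```typescript
// Added example, not Meli project code. Shows why <branch>.<site>.<domain>
// cannot be served by one wildcard certificate and how a "--" separator keeps
// branch hostnames inside a single DNS label.

// Wildcard matching as TLS clients apply it (RFC 6125 section 6.4.3):
// "*" stands for exactly one label and never spans a dot.
function wildcardMatches(pattern: string, host: string): boolean {
  const p = pattern.toLowerCase().split(".");
  const h = host.toLowerCase().split(".");
  if (p.length !== h.length) return false;
  return p.every((label, i) => {
    const hl = h[i] ?? "";
    return label === "*" ? hl.length > 0 : label === hl;
  });
}

// Separator chosen in the issue; site names must never contain it so that
// branch--site can always be split unambiguously.
const BRANCH_SEP = "--";

// A single DNS label: 1..63 chars, alphanumerics and inner hyphens only.
// (Assumed validation rule, not taken from Meli.)
const LABEL_RE = /^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$/;

function isValidSiteName(name: string): boolean {
  return LABEL_RE.test(name) && !name.includes(BRANCH_SEP);
}

// Git branch names may contain characters that are not legal in DNS labels
// (e.g. "feature/login"); collapse every run of them to one hyphen. Because
// runs collapse to a single "-", a slug can never contain "--" itself.
function branchSlug(branch: string): string {
  return branch
    .toLowerCase()
    .replace(/[^a-z0-9]+/g, "-")
    .replace(/^-+|-+$/g, "");
}

// Build <branch>--<site>.<domain> and reject anything that would not fit in
// one label or would make the name ambiguous.
function branchHostname(domain: string, site: string, branch: string): string {
  if (!isValidSiteName(site)) {
    throw new Error(`invalid site name: ${site}`);
  }
  const slug = branchSlug(branch);
  if (!LABEL_RE.test(slug)) {
    throw new Error(`branch ${branch} does not slugify to a DNS label`);
  }
  const label = `${slug}${BRANCH_SEP}${site}`;
  if (!LABEL_RE.test(label)) {
    throw new Error(`combined label too long: ${label}`);
  }
  return `${label}.${domain}`;
}

// Inverse operation, e.g. for routing an incoming request to a site/branch.
// Exactly one "--" is guaranteed by the constraints enforced above.
function parseBranchHostname(
  domain: string,
  host: string
): { site: string; branch: string } | null {
  const suffix = `.${domain}`.toLowerCase();
  const h = host.toLowerCase();
  if (!h.endsWith(suffix)) return null;
  const label = h.slice(0, -suffix.length);
  if (label.includes(".")) return null; // a sub-subdomain, not our scheme
  const parts = label.split(BRANCH_SEP);
  if (parts.length !== 2 || parts[0] === "" || parts[1] === "") return null;
  return { branch: parts[0] as string, site: parts[1] as string };
}

// Demonstration on the hostnames from the issue (constructed input).
function demo(): string[] {
  const wildcard = "*.pages.qa";
  const dotted = "main.demo.pages.qa"; // what failed in the log above
  const flat = branchHostname("pages.qa", "demo", "main");
  return [
    `${wildcard} covers ${dotted}: ${wildcardMatches(wildcard, dotted)}`,
    `${wildcard} covers ${flat}: ${wildcardMatches(wildcard, flat)}`,
  ];
}

console.log(demo().join("\n"));
```

With a single `*.pages.qa` certificate (or on-demand issuance restricted to that name space) the `--` form is the only one of the two the server can present a valid certificate for, which is why the ClientHello for `main.demo.pages.qa` found "no server TLS configuration available".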
mt35-rs added a commit to mtiller/meli that referenced this issue Feb 2, 2022
This commit includes a helm chart for Meli.  I created it based on the
k8s manifest contributed by @Berndinox.  Hopefully that `values.yaml`
file I provided sufficiently explains the various knobs to turn.  One
potential area of improvement would be allowing existing PVCs to
be used.

Note that this includes the feature I mentioned in getmeli#233 but which
also applies to getmeli#238 which is the ability to explicitly list all sites
so that the ingress configuration can fetch SSL certificates
_for branch host names_.

Ideally, this helm chart would be packaged up and shared...somewhere.
I'm actually not that well versed in how to host helm charts for
open source software.  I know there used to be a public registry
hosted by Google but then they withdrew support and the
landscape got very fragmented.  If there _is_ a place to host such
a chart, it would be good to publish this there so that an ordinary
helm installation could reference it.

Note that the `values.yaml` file includes the image and tag.  This
can be customized to run a custom Meli image instead of the
official Docker hub image.

This closes getmeli#246.
gempain pushed a commit that referenced this issue Feb 2, 2022
This commit includes a helm chart for Meli.  I created it based on the
k8s manifest contributed by @Berndinox.  Hopefully that `values.yaml`
file I provided sufficiently explains the various knobs to turn.  One
potential area of improvement would be allowing existing PVCs to
be used.

Note that this includes the feature I mentioned in #233 but which
also applies to #238 which is the ability to explicitly list all sites
so that the ingress configuration can fetch SSL certificates
_for branch host names_.

Ideally, this helm chart would be packaged up and shared...somewhere.
I'm actually not that well versed in how to host helm charts for
open source software.  I know there used to be a public registry
hosted by Google but then they withdrew support and the
landscape got very fragmented.  If there _is_ a place to host such
a chart, it would be good to publish this there so that an ordinary
helm installation could reference it.

Note that the `values.yaml` file includes the image and tag.  This
can be customized to run a custom Meli image instead of the
official Docker hub image.

This closes #246.

Co-authored-by: Michael Tiller <michael.tiller@ricardo.com>