apache + ttn stack on the same machine + letsencrypt acme certificate get problem #1752
Comments
When you run The Things Stack behind a reverse proxy, you'll have to completely disable TLS in the configuration and make the proxy responsible for terminating all TLS connections (not only HTTP, but also gRPC, MQTT etc.). I suppose we could document how to disable all TLS listeners of The Things Stack, and what ports need to be mapped in the reverse proxy. I think we can expect that people who would do this already know how their proxy works, so I don't think we should document how to do this specifically with apache/nginx/haproxy/envoy/etc.
Hi @htdvisser, thanks for the response. I tested on a local computer with a public/static IP address (LTE based); I don't know what the structure of the network is. Both variants require the same thing (initialization of the certificate on the standard 80/443 ports for each client/IP station). There are other issues regarding a VPS or any public/static IP device, no matter what the structure of the network is. I looked at the "console log screen" for a while and there are a lot of "hacker activity trials" reported by the TTN stack (and we see only web attacks on the standard http/https ports on the screen). The domain/subdomain has only DNS records and has not been used for a webpage which robots/search engines may discover. I assume hackers' robots scan all static IPv4 addresses for responding devices, and sooner or later the device will be found and attacked by hacker machines. So it's very easy to make any server busy with mass attacks on the known http/https ports, even if they are 100% secure. I think it is very reasonable not to use ports 80/443 for the console/web interface and to have the possibility to change them for the TTN stack console. It's for administration purposes (not public) and the administrators are aware of these settings. The only questions are:
The specifications for the HTTP-01 and TLS-ALPN-01 challenges of ACME require using port 80/443. You cannot get or renew certificates using those challenges if you use different ports. You can try requesting ACME certificates using the DNS-01 challenge with a tool like certbot (this is outside the scope of our documentation) or from a paid certificate authority (also outside the scope of our documentation). When you have such certificates, you can configure The Things Stack according to the "Custom Certificates" instructions: https://thethingsstack.io/v3.3.2/guides/getting-started/certificates/#custom-certificates and with the following environment:
thanks
Summary
Problem when Apache is installed and enabled (listening on 80/443) on the TTN machine.
The TTN console is blocked on ports 80/443 and works on ports 1885/8885.
In this case TTN can't get/update the certificate.
It's a very common situation if somebody wants to put The Things Stack and some DB/web app on the same device.
#1731
TTN shows the error: missing certificate / or Host not in White List.
Steps to Reproduce
1) docker-compose.yml file, .env file: moved the port to 8885 instead of 443.
2) Stop Apache (service apache2 stop), reconfigure ttn-stack to enable ports 80 and 443 (remove the hashes), connect with a web browser to the main subdomain: it gets the certificate successfully (on ports 80/443). docker-compose.yml file, .env file: the standard port 443 is used; in this case TTN gets the Let's Encrypt certificate.
3) Now that we have an updated certificate we can switch back to the first configuration (ports 80/443 used by Apache, TTN uses 1885/8885 for the console), and it successfully opens the console on https://subdomain.domain.com:8885/. It's possible that this works only for the current host/IP and until the certificate expires (3 months).
What do you see now?
...
What do you want to see instead?
...
Environment
...
How do you propose to implement this?
Is there a way to configure both TTN and Apache on the same machine?
Or to force Let's Encrypt to get the certificate on a different port?
Can you do this yourself and submit a Pull Request?
...
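Editor's note: the maintainer's reply (DNS-01 via certbot, then the "Custom Certificates" configuration) and the reporter's manual workaround (stop Apache, let the stack fetch a certificate on 80/443, switch the ports back) both lead to the same recurring chore: every time the certificate is renewed, the new files have to be handed to the stack. The certbot deploy hook below automates that step. It is an added example, not code from this issue or from The Things Stack, and it rests on assumptions that are not on this page: that certbot obtained the certificate with `--preferred-challenges dns` (so Apache can keep ports 80/443), that the stack is configured for file-based certificates with the `TTN_LW_TLS_SOURCE=file` / `TTN_LW_TLS_CERTIFICATE` / `TTN_LW_TLS_KEY` variables as described on the linked custom-certificates page (check the exact names for your version), that the host directory `/opt/tts/certs` is bind-mounted into the container, that the container runs as uid/gid 886 (the owner the docs use; adjust if yours differs), and that `RENEWED_LINEAGE`/`RENEWED_DOMAINS` are the variables certbot exports to deploy hooks. The hostname `tts.example.com` and the paths under `/opt/tts` are placeholders.

```shell
#!/bin/sh
# Certbot deploy hook for a Things Stack instance that shares a host with Apache.
# Added example; not part of the issue or of The Things Stack.
#
# Assumed setup (not from the page):
#   certbot certonly --manual --preferred-challenges dns \
#       -d tts.example.com --deploy-hook /usr/local/bin/tts-deploy-hook.sh
#   (a DNS plugin such as --dns-cloudflare replaces the interactive prompt)
# and, in the stack's .env (names from the custom-certificates docs; verify for your version):
#   TTN_LW_TLS_SOURCE=file
#   TTN_LW_TLS_CERTIFICATE=/run/secrets/cert.pem
#   TTN_LW_TLS_KEY=/run/secrets/key.pem
# with $TTS_CERT_DIR on the host bind-mounted to /run/secrets in the container.
set -eu

# Copy fullchain/privkey from a certbot lineage directory into DEST with
# restrictive permissions. Fails (non-zero) if the lineage is incomplete,
# so a broken renewal never replaces a working certificate.
install_tts_certs() {
    lineage=$1        # e.g. /etc/letsencrypt/live/tts.example.com
    dest=$2           # directory the stack reads its cert/key from
    owner=${3:-886:886}   # uid:gid the stack runs as inside the container (assumed)

    [ -r "$lineage/fullchain.pem" ] && [ -r "$lineage/privkey.pem" ] || {
        echo "install_tts_certs: $lineage has no readable fullchain.pem/privkey.pem" >&2
        return 1
    }
    mkdir -p "$dest"
    # Write to temporary names and rename, so the stack never reads a half-written file.
    cp "$lineage/fullchain.pem" "$dest/cert.pem.tmp"
    cp "$lineage/privkey.pem" "$dest/key.pem.tmp"
    chown "$owner" "$dest/cert.pem.tmp" "$dest/key.pem.tmp"
    chmod 0644 "$dest/cert.pem.tmp"   # the chain is public
    chmod 0600 "$dest/key.pem.tmp"    # the private key is for the stack's user only
    mv "$dest/cert.pem.tmp" "$dest/cert.pem"
    mv "$dest/key.pem.tmp" "$dest/key.pem"
}

# Permission bits of a file as an octal string (GNU stat first, BSD stat as fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# certbot exports RENEWED_LINEAGE (and RENEWED_DOMAINS) when it runs a deploy hook;
# when sourced or run by hand without them, the script only defines the functions.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    install_tts_certs "$RENEWED_LINEAGE" "${TTS_CERT_DIR:-/opt/tts/certs}"
    # Restart so the new files are picked up (harmless if your version reloads them itself).
    ${TTS_RESTART_CMD:-docker-compose -f /opt/tts/docker-compose.yml restart stack}
    echo "installed renewed certificate for ${RENEWED_DOMAINS:-?}"
fi
```

With this in place Apache keeps ports 80 and 443, the console stays on 8885 as in the reporter's configuration, and renewals no longer require stopping Apache or flipping the ports in `docker-compose.yml`. The copy-then-rename and the refusal to install an incomplete lineage are the two details worth keeping if you adapt it to another proxy or another stack.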