isso icon indicating copy to clipboard operation
isso copied to clipboard

Published 20 hours ago verified publisher icon isso-comments

Issue with custom CA certificates (was: Posting comments doesn't work with '404 not found')

Open taoeffect opened this issue 2 years ago • 4 comments

Checklist

  • [ ] I am running the latest version. Installing Isso from GitHub from the master branch does not fix my issue — I am using the latest docker image: ghcr.io/isso-comments/isso:0.13.0
  • [x] I have checked the troubleshooting guide
  • [x] I have searched the open issues, but my issue has not already been reported

What is not working?

I have ISSO showing imported comments, but posting comments doesn't work.

When I try to post a comment, a POST is sent to https://comments.domain.tld/new?uri=%2F2019%2F12%2Fblog-title-slug%2F and ISSO returns 404:

<!doctype html>
<html lang=en>
<title>404 Not Found</title>
<h1>Not Found</h1>
<p>URI does not exist %s</p>

How can one reproduce this issue?

Here is my isso.cfg:

[general]
name = domain
host =
  http://blog.domain.tld/
  https://blog.domain.tld/
dbpath = /config/comments.db
gravatar = true

[guard]
enabled = true
ratelimit = 2

Here is my nginx config for comments.domain.tld:

server {
  server_name comments.domain.tld;
  listen 443 ssl;
  listen 80;
  ssl_certificate /etc/letsencrypt/live/comments.domain.tld/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/comments.domain.tld/privkey.pem;
  location / {
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_pass http://isso:8081;
  }
}

Here is the HTML that's used to load the comments on the page:

              <script data-isso="//comments.domain.tld/"
                      data-isso-vote="false"
                      src="//comments.domain.tld/js/embed.min.js"></script>
              <section id="isso-thread">
                  <noscript>Javascript needs to be activated to view comments.</noscript>
              </section>

ISSO is being run using the docker image ghcr.io/isso-comments/isso:0.13.0, with the default command which I believe is this (only modified the port):

/isso/bin/gunicorn -b 0.0.0.0:8081 -w 4 --preload isso.run --worker-tmp-dir /dev/shm

taoeffect avatar Sep 09 '22 04:09 taoeffect

OK - here's something super weird: I can post comments to posts that already have comments thanks to the wordpress import tool.

But on any posts that have zero comments, it doesn't work.

taoeffect avatar Sep 09 '22 05:09 taoeffect

OK - figured it out!

This is unique to my setup, and perhaps this can help someone else who has a similar setup: the problem is related to this line (and btw, there's a bug here because %s is printed instead of the URI): https://github.com/posativ/isso/blob/13bcfbf41d92eebadfdf78db96dfbff6ada15095/isso/views/comments.py#L305

The issue is that I was using a local setup with a local root CA to server HTTPS locally so that I could access the site locally under HTTPS. However, when ISSO tries to fetch the post title by accessing the website via origin, it fails because it's accessing it via HTTPS, and the docker container isn't told to trust the local root CA I'm using.

This problem is solved by copying in the root certificate into /usr/local/share/ca-certificates/ and running update-ca-certificates inside the container.

It would be nice though if this weird roundabout query wasn't necessary though - if instead the title could be passed in along with the original comment somehow, then this wouldn't be necessary.

taoeffect avatar Sep 09 '22 05:09 taoeffect

It would be nice though if this weird roundabout query wasn't necessary though - if instead the title could be passed in along with the original comment somehow, then this wouldn't be necessary.

Ah ha! This is possible! 😄

Furthermore you can override the automatic title detection inside the embed tag, as well as the thread ID, e.g.:

<section id="isso-thread" data-title="Foo!" data-isso-id="/path/to/resource"></section>

Now having done that everything works and there's no need to copy the CA cert in or access the page over HTTP for it work locally!

Perhaps this issue could be turned into a request for improving the error that's reported by the server?

There's already a bug in the error message (the %s thing), but what would be even better is if the error message recommended users try setting data-title and data-isso-id per the client configuration docs.

taoeffect avatar Sep 09 '22 05:09 taoeffect

Improving the error handling is on Isso's TODO list, see https://github.com/posativ/isso/issues/673

You're most welcome to submit a PR to make this issue more clear (for now, at least on the JS console.log)

ix5 avatar Sep 09 '22 07:09 ix5

@taoeffect Thank you so much for this workaround!! Had many painful hours of debugging already and thanks to your finding I can sleep again :)

finga avatar Feb 11 '24 15:02 finga

@finga no problem, I'm glad it was helpful to a follower of the Sacred Chao.

taoeffect avatar Feb 11 '24 20:02 taoeffect