
Could not look up a certificate for server name 'domain'

Open newdev8 opened this issue 2 years ago • 11 comments

I just installed sozu and setup my config as follows:

[[listeners]]
address = "0.0.0.0:443"
protocol = "https"
tls_versions = ["TLSv1.2", "TLSv1.3"]
cipher_list = "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256"

[applications]

[applications.AppName]
protocol = "http"
https_redirect = true

frontends = [
  { address = "127.0.0.1:1444", hostname = "domain", certificate = "/etc/domain/cert.pem", key = "/etc/domain/key.pem", certificate_chain = "/etc/cloudflare/chain.pem" }
]

backends = [
  { address = "127.0.0.1:444" }
]

But when I access my domain from the browser I get the following error:

could not look up a certificate for server name 'domain'
Sending fatal alert AccessDenied
could not perform handshake: General("no server certificate chain resolved")

newdev8 avatar Jul 13 '22 10:07 newdev8

Hello,

We have made some improvements to the certificate part on the branch 0.14. Could you test using this version?

I will try to reproduce your issue on the main branch as well.

FlorentinDUBOIS avatar Jul 13 '22 12:07 FlorentinDUBOIS

Hey, after trying branch 0.14 I am still getting the same error. Maybe it's me doing something wrong. I am running an actix server on port 444 with the same SSL certificate/key as the one used in my sozu configuration file.

newdev8 avatar Jul 13 '22 13:07 newdev8

Thank you! Sounds interesting, I will take a look at it.

FlorentinDUBOIS avatar Jul 13 '22 13:07 FlorentinDUBOIS

Hello, I'm having the same issue. I'm using a Let's Encrypt certificate. Config is the standard thing from the examples. At first TLS would not work at all, but now sozu handles encryption for one domain. Main or subdomain, but not both. If I change https_redirect in the .toml config for the cluster and restart sozu, it switches. Build: custom from the 'main' branch. TLSv1.3 only | Linux Mint 21 | rustc 1.64.0.

PlainBane avatar Oct 24 '22 16:10 PlainBane

Hello, the issue is in lib/src/router/trie.rs, around line 162: pub fn lookup(&self, partial_key: &[u8], accept_wildcard: bool). The domain lookup by key fails sometimes. It doesn't seem to handle subdomains correctly. It depends on what it has on the domains list and what key it is looking for. I can't test it with domain wildcards, so I can't fix it. I made a quick and dirty work-around in my code and it works fine.

PlainBane avatar Oct 26 '22 13:10 PlainBane
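The two failure modes discussed in this thread (the "could not look up a certificate for server name" error in the first post, and the subdomain lookup behaviour described in the last comment) both come down to how a server name from the TLS SNI extension is resolved to a certificate. The following is an added, self-contained example, written for this page; it is not sozu's lib/src/router/trie.rs and the struct and method names (HostTrie, insert, lookup, walk) are assumptions chosen for illustration. It keys a trie on DNS labels in reverse order so that an apex domain and its subdomains are distinct entries, lets an exact match win over a wildcard, and limits a wildcard to exactly one label, which is the rule most clients apply to certificate names (RFC 6125, section 6.4.3).

```rust
use std::collections::HashMap;

/// Trie keyed on DNS labels in reverse order, so "api.example.com" lives at the
/// path ["com", "example", "api"]. Each node may carry a certificate id for the
/// exact name ending there and another for "*.<that name>".
/// (Hypothetical structure for this example, not sozu's router trie.)
#[derive(Default, Debug)]
pub struct HostTrie {
    children: HashMap<String, HostTrie>,
    exact: Option<String>,
    wildcard: Option<String>,
}

impl HostTrie {
    pub fn new() -> Self {
        Self::default()
    }

    /// Normalize a hostname into lowercase labels, TLD first. A trailing dot
    /// (fully qualified form) is dropped so "example.com." equals "example.com".
    fn labels(host: &str) -> Vec<String> {
        host.trim_end_matches('.')
            .split('.')
            .rev()
            .map(|l| l.to_ascii_lowercase())
            .collect()
    }

    /// Bind a certificate id to a hostname. A name starting with "*." binds the
    /// wildcard slot of its parent instead of creating a "*" child.
    pub fn insert(&mut self, host: &str, cert_id: &str) {
        let labels = Self::labels(host);
        let is_wildcard = labels.last().map(|s| s.as_str()) == Some("*");
        let path = if is_wildcard { &labels[..labels.len() - 1] } else { &labels[..] };
        let mut node = self;
        for label in path {
            node = node.children.entry(label.clone()).or_default();
        }
        if is_wildcard {
            node.wildcard = Some(cert_id.to_string());
        } else {
            node.exact = Some(cert_id.to_string());
        }
    }

    /// Follow a label path exactly; None if any label is missing.
    fn walk(&self, path: &[String]) -> Option<&HostTrie> {
        let mut node = self;
        for label in path {
            node = node.children.get(label)?;
        }
        Some(node)
    }

    /// Resolve an SNI server name to a certificate id.
    /// 1. An exact registration for the full name always wins.
    /// 2. Otherwise, with accept_wildcard, a "*.parent" registration matches only
    ///    when exactly one leading label differs: "*.example.com" covers
    ///    "api.example.com" but neither "example.com" nor "a.b.example.com".
    pub fn lookup(&self, server_name: &str, accept_wildcard: bool) -> Option<&str> {
        let labels = Self::labels(server_name);
        if let Some(id) = self.walk(&labels).and_then(|n| n.exact.as_deref()) {
            return Some(id);
        }
        if accept_wildcard && labels.len() >= 2 {
            let parent = &labels[..labels.len() - 1];
            return self.walk(parent).and_then(|n| n.wildcard.as_deref());
        }
        None
    }
}

fn main() {
    // Constructed sample registrations mirroring the thread: an apex domain and a
    // subdomain each with their own certificate, plus a wildcard for the rest.
    let mut trie = HostTrie::new();
    trie.insert("example.com", "cert-apex");
    trie.insert("www.example.com", "cert-www");
    trie.insert("*.example.com", "cert-wild");

    for name in ["example.com", "www.example.com", "api.example.com", "a.b.example.com"] {
        match trie.lookup(name, true) {
            Some(id) => println!("{name}: resolved to {id}"),
            None => println!("{name}: could not look up a certificate for server name"),
        }
    }
}
```

The separation of `exact` and `wildcard` slots is what keeps the apex and its subdomains from shadowing each other: registering "www.example.com" never touches the entry for "example.com", and a missing exact entry falls through to the wildcard only when the caller opts in and only one label is unaccounted for.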