[BUG] Get Certificate from the Proxy List screen returns 403
Describe the bug
If your fqdn does not have a certificate and you press the "Get Certificate" button, the:
renewCertificate(renewDomainKey, false, btn);
https://github.com/tobychui/zoraxy/blob/549e492ffd081df6032d9f1003917c1e63d1a1b1/src/web/components/cert.html#L155
does something different to what happens when you create a new proxy endpoint
To Reproduce
Steps to reproduce the behavior:
- Create a new proxy endpoint and do not get a cert
- Go to the Proxy list page
- Press "Get Certificate"
Error: one or more domains had a problem: [{fqdn}] acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: {EXternal IP}: Invalid response from http://{fqdn}/.well-known/acme-challenge/ZnJhtZZQTO3o4r0LqZbUWC-pDOVdZ9_lBd5tFKIIXvc: 401
Note a "Get Certificate" on an existing cert works fine. The call is to a function called "renewCertificate" when you press the "Get" button in the UI!
Expected behavior
New certificate to be obtained, or renewed if one already exists
Host Environment:
- Arch: x86_64
- Device: Docker
- OS: Ubuntu
- Version: Ubuntu 24.04.1 LTS noble
- Are you using Docker? yes
- Docker Version: 28.0.2, build 0442a73
Supplementary links
My setup is public FQDN DNS -> CNAME -> DNS of my ISP static IP. In this example all are in the same DNS zone and the zone is hosted on Route53.
IP - external:443 -> NAT dockerhost:2643 -> docker -p 2643:443 -> Zoraxy listening on 443
I put these all back to defaults as I thought they might be the issue:
But I am 95% sure it is the fact the button is a renew and not a get on the proxy list screen.
Additional context
Why are people getting this error...
I am guessing, especially when you have a slower DNS provider than Route 53, the process will be:
- I want to provide thing.mydomain
- Create rule in Zoraxy
- Oh I need to create a DNS record
- Create record
- Press Get, does not work, wonder if DNS has propagated yet
- Exceed Let's Encrypt rate limit
- Or even if you remember the DNS record, on initial create you still do not get a cert and then come back to press "Get Cert" later once DNS has propagated
Other notes
"Get Certificate" Button on the Proxy page:
renewCertificate(renewDomainKey, false, btn);
https://github.com/tobychui/zoraxy/blob/549e492ffd081df6032d9f1003917c1e63d1a1b1/src/web/components/cert.html#L155
The Create Endpoint code in src/web/components/rules.html
//Request ACME for certificate, see cert.html component
obtainCertificate(rootname, defaultCA.trim(), function(){
// Renew the parent certificate list
initManagedDomainCertificateList();
});
@smudge1977 I guess you mean the implementation here didn't check whether a cert already exists and goes straight to "renewCertificate"
https://github.com/tobychui/zoraxy/blob/549e492ffd081df6032d9f1003917c1e63d1a1b1/src/web/components/httprp.html#L636C1-L663C6
Yeah I think this can be further optimized a bit.
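To illustrate the check discussed in this thread (look the domain up in the managed certificate list before deciding between obtain and renew) together with the rate-limit concern from the report (pressing "Get" before DNS has propagated burns ACME attempts), here is an added example. It is not Zoraxy's code: `planCertificateAction`, `getCertificateButton`, the `managedCerts` and `failureLog` shapes, the 30-day renewal window and the 5-per-hour local back-off budget are all assumptions made for the illustration; `obtainCertificate` and `renewCertificate` stand in for the UI helpers referenced above and are passed in as stubs. `resolvedIps` is whatever the caller's DNS lookup returned for the domain; the example itself does no network I/O.

```javascript
// Added example, not Zoraxy's own code. Decide what a "Get Certificate"
// button should do for a domain, with cheap pre-flight checks so that a
// domain whose DNS has not propagated yet does not spend ACME attempts.
// Every name, constant and data shape below is an assumption.

const RENEW_WINDOW_MS = 30 * 24 * 60 * 60 * 1000; // renew when < 30 days left (assumption)
const MAX_FAILURES_PER_HOUR = 5;                  // local back-off budget (constructed value)

// managedCerts: { [fqdn]: { notAfter: epochMs } }   (constructed shape)
function hasManagedCert(managedCerts, fqdn) {
  return Object.prototype.hasOwnProperty.call(managedCerts, fqdn);
}

// failureLog: { [fqdn]: [epochMs, ...] } of failed validations (constructed shape)
function recentFailures(failureLog, fqdn, now) {
  const oneHourAgo = now - 60 * 60 * 1000;
  return (failureLog[fqdn] || []).filter((t) => t > oneHourAgo).length;
}

// Returns { action: "obtain" | "renew" | "skip", reason }.
// resolvedIps: addresses the fqdn currently resolves to (from a DNS lookup).
// serverPublicIps: public addresses this proxy is reachable on.
function planCertificateAction({ fqdn, managedCerts, resolvedIps, serverPublicIps,
                                 failureLog = {}, now = Date.now() }) {
  if (recentFailures(failureLog, fqdn, now) >= MAX_FAILURES_PER_HOUR) {
    return { action: "skip", reason: "too many recent failed validations; wait before retrying" };
  }
  if (hasManagedCert(managedCerts, fqdn)) {
    const msLeft = managedCerts[fqdn].notAfter - now;
    if (msLeft > RENEW_WINDOW_MS) {
      return { action: "skip", reason: "certificate still valid; no renewal needed" };
    }
    return { action: "renew", reason: "certificate exists and is near expiry" };
  }
  // No certificate yet: only request one if an HTTP-01 challenge could reach us.
  if (resolvedIps.length === 0) {
    return { action: "skip", reason: "DNS does not resolve yet; retry after propagation" };
  }
  if (!resolvedIps.some((ip) => serverPublicIps.includes(ip))) {
    return { action: "skip",
             reason: `DNS points at ${resolvedIps.join(",")}, not this server; challenge would fail` };
  }
  return { action: "obtain", reason: "no certificate yet and DNS points here" };
}

// Button handler: dispatch to the obtain/renew helpers instead of always renewing.
function getCertificateButton(ctx, handlers) {
  const plan = planCertificateAction(ctx);
  if (plan.action === "obtain") handlers.obtainCertificate(ctx.fqdn);
  else if (plan.action === "renew") handlers.renewCertificate(ctx.fqdn);
  return plan;
}

// Constructed sample data for a stand-alone run.
const NOW = Date.UTC(2025, 0, 1);
const SAMPLE = {
  managedCerts: { "old.example.test": { notAfter: NOW + 5 * 24 * 60 * 60 * 1000 } },
  serverPublicIps: ["203.0.113.10"],
};

const demoHandlers = {
  obtainCertificate: (d) => console.log("obtainCertificate(" + d + ")"),
  renewCertificate: (d) => console.log("renewCertificate(" + d + ")"),
};
for (const [fqdn, resolvedIps] of [
  ["new.example.test", ["203.0.113.10"]], // obtain
  ["old.example.test", ["203.0.113.10"]], // renew
  ["new.example.test", []],               // skip: DNS not propagated
  ["new.example.test", ["198.51.100.7"]], // skip: DNS points elsewhere
]) {
  const plan = getCertificateButton({ fqdn, managedCerts: SAMPLE.managedCerts, resolvedIps,
                                      serverPublicIps: SAMPLE.serverPublicIps, now: NOW }, demoHandlers);
  console.log(fqdn, resolvedIps.join(",") || "(unresolved)", "->", plan.action, "-", plan.reason);
}
```

The point of the pre-flight checks is that an ACME HTTP-01 validation can only succeed once the domain resolves to the proxy's public address, so refusing to call the CA until then keeps a slow DNS provider from turning into a rate-limit lockout.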
The front end calls this: https://github.com/tobychui/zoraxy/blob/549e492ffd081df6032d9f1003917c1e63d1a1b1/src/web/tools/https.html#L214
var ca = $("#ca").dropdown("get value");
$.ajax({
url: "/api/acme/obtainCert",
method: "GET",
data: {
domains: domains,
filename: filename,
email: email,
ca: ca,
},
});
So here in the backend: https://github.com/tobychui/zoraxy/blob/549e492ffd081df6032d9f1003917c1e63d1a1b1/src/mod/acme/acme.go#L106 (which doesn't work when there is no existing cert)
The add new proxy does this: https://github.com/tobychui/zoraxy/blob/549e492ffd081df6032d9f1003917c1e63d1a1b1/src/web/components/rules.html#L222 which calls this endpoint: https://github.com/tobychui/zoraxy/blob/549e492ffd081df6032d9f1003917c1e63d1a1b1/src/reverseproxy.go#L210 But I can't find where this then does the actual create of the cert... (which works)
@smudge1977 Further past that function, it is the work of @yeungalan. I guess you might need to ask him for the certificate implementation details.