Let's Encrypt certificate is not renewed automatically #4132
Comments
|
Hello @mapreri Would you please check that both port 80 and 443 are open publicly and that are both directly handled by GlobaLeaks without any intermediate proxy? I suspect you may have either port 80 closed or implementing a redirect to port 443. If you could pass to me the address of your server i could verify the exact issue. |
|
They are open and handled by the standard globaleaks iptables rules.
You can look at <redacted> for example.
I must add that I don't think renewal ever worked, every 3 months I found
myself disabling and re-enabling LE to obtain a new cert (last time this
morning)
…On Sat, 13 Jul 2024, 8:31 am Giovanni Pellerano, ***@***.***> wrote:
Hello @mapreri <https://github.com/mapreri>
Would you please check that both port 80 and 443 are open publicly and
that are both directly handled by GlobaLeaks without any intermediate proxy?
I suspect you may have either port 80 closed or implementing a redirect to
port 443.
If you could pass to me the address of your server i could verify the
exact issue.
—
Reply to this email directly, view it on GitHub
<#4132 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAL7FE7BW6BE5JL32EYP3LTZMDCUBAVCNFSM6AAAAABKZ7TYJSVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDEMRWG44TIOJQGY>
.
You are receiving this because you were mentioned.Message ID:
***@***.***>
|
|
Thank you @mapreri , this is actually quite strange. If you could share to me the access log i will try to see which is the reason. Near to the expiration the application starts requesting renewal with a request every day; Do you have some firewalls rules that prevent outgoing connections? P.s.: I acknowledge that you have removed the "Powered by GlobaLeaks" attribution clause; this is actually in violation of the software license: https://github.com/globaleaks/GlobaLeaks/blob/main/LICENSE |
I don't have any firewall rules limiting outgoing connections. What's the best way to share the access.log privately to you?
AFAIK it's not a violation of the AGPL as long as the code running is completely unmodified from what I originally obtained by the licensor (which it is, in this case). Nevertheless, I reckon this customer is kinda ill-advised, so I'm going behind his back and reinstating the line 😜 - I am a fairly active FOSS sustainer after all heh |
I see now that it's actually an addendum to the AGPL that you did. That is fine, however I recommend you add a note in the README mentioning that you have additional terms to the AGPL, as I know that nobody reads the full LICENSE document after they see a standard FOSS license (I already read nearly all of them more than once, I can do without reading them all over once more…) |
|
Did you manage to find what was causing your instance to not renew the certificate? If now you can find me on our community slack at: community.globaleaks.org |
|
No, I haven't found anything relevant with a quick grep of the logs tbh. What should I be looking for? Else, I'm fine sending them to you if you can provide a... email address and a gpg key to encrypt to I suppose? |
What version of GlobaLeaks are you using?
4.15.6
What browser(s) are you seeing the problem on?
No response
What operating system(s) are you seeing the problem on?
Linux
Describe the issue
The certificate obtained via Let's Encrypt using the included LE client is never renewed, despite the "Auto-renewal: Enabled" flag.
Not sure what might be going on, this could be a configuration issue on my side.
Proposed solution
No response
The text was updated successfully, but these errors were encountered: