Custom domain can't be accessed from Gemini: no TLS certificate ![Atom feed](
data:image/svg+xml,<?xml version="1.0" encoding="UTF-8"?>
<svg xmlns="http://www.w3.org/2000/svg"
id="RSSicon"
viewBox="0 0 8 8" width="16" height="16">
<title>RSS feed icon</title>
<style type="text/css">
.button {stroke: none; fill: orange;}
.symbol {stroke: none; fill: white;}
</style>
<rect class="button" width="8" height="8" rx="1.5" />
<circle class="symbol" cx="2" cy="6" r="1" />
<path class="symbol" d="m 1,4 a 3,3 0 0 1 3,3 h 1 a 4,4 0 0 0 -4,-4 z" />
<path class="symbol" d="m 1,2 a 5,5 0 0 1 5,5 h 1 a 6,6 0 0 0 -6,-6 z" />
</svg>)
![Atom feed](data:image/svg+xml,<?xml version="1.0" encoding="UTF-8"?>
<svg xmlns="http://www.w3.org/2000/svg"
id="RSSicon"
viewBox="0 0 8 8" width="16" height="16">
<title>RSS feed icon</title>
<style type="text/css">
.button {stroke: none; fill: orange;}
.symbol {stroke: none; fill: white;}
</style>
<rect class="button" width="8" height="8" rx="1.5" />
<circle class="symbol" cx="2" cy="6" r="1" />
<path class="symbol" d="m 1,4 a 3,3 0 0 1 3,3 h 1 a 4,4 0 0 0 -4,-4 z" />
<path class="symbol" d="m 1,2 a 5,5 0 0 1 5,5 h 1 a 6,6 0 0 0 -6,-6 z" />
</svg>)
Custom domain can't be accessed from Gemini: no TLS certificate
"Ariel Costas" <ariel@costas.dev>
Fri, 14 Jan 2022 11:45:11 +0000 🔗
✉️ Reply [Download]
"Ariel Costas" <ariel@costas.dev>
Fri, 14 Jan 2022 11:45:11 +0000 🔗
✉️ Reply [Download]
Hi there,
I've read (in the fediverse) about a user being unable to set up a custom domain in Flounder. I tried replicating it the same, and got to the same problem: the capsule can't be accessed via the gemini:// protocol because no TLS certificate is sent by the server.
Some details:
* In both cases, a subdomain is used to point to flounder, and using a CNAME DNS record.
```
$ drill bmc.costas.dev
[...]
;; ANSWER SECTION:
bmc.costas.dev. 3100 IN CNAME bebomuchocafe.flounder.online.
bebomuchocafe.flounder.online. 1299 IN A 173.230.145.243
[...]
```
* A TLS certificate is generated by Let's Encrypt for the HTTPS proxy. This can be seen by visiting
=> https://bmc.costas.dev
* The Gemini server doesn't send a TLS certificate when connecting. This can be tested
```
$ openssl s_client -crlf -connect bmc.costas.dev:1965
CONNECTED(00000003)
139841509586304:error:14094438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error:ssl/record/rec_layer_s3.c:1543:SSL alert number 80
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 316 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
```
-- Ariel Costas
Re: Custom domain can't be accessed from Gemini: no TLS certificate
"Alex" <alex@alexwennerberg.com>
Sat, 15 Jan 2022 01:08:00 +0000 🔗
✉️ Reply [Download] Parent
"Alex" <alex@alexwennerberg.com>
Sat, 15 Jan 2022 01:08:00 +0000 🔗
✉️ Reply [Download] Parent
This does appear to be a bug of some sort on my part, either in code or documentation, i think other users have had issues with cname records (though not the direct ip A record). I will try and resolve when i have a chance, else try and use the A record method. Thanks for reporting
Alex
> On Jan 14, 2022, at 3:45 AM, Ariel Costas <ariel@costas.dev> wrote:
>
> Hi there,
>
> I've read (in the fediverse) about a user being unable to set up a custom domain in Flounder. I tried replicating it the same, and got to the same problem: the capsule can't be accessed via the gemini:// protocol because no TLS certificate is sent by the server.
>
> Some details:
> * In both cases, a subdomain is used to point to flounder, and using a CNAME DNS record.
>
> ```
> $ drill bmc.costas.dev
> [...]
> ;; ANSWER SECTION:
> bmc.costas.dev. 3100 IN CNAME bebomuchocafe.flounder.online.
> bebomuchocafe.flounder.online. 1299 IN A 173.230.145.243
> [...]
> ```
>
> * A TLS certificate is generated by Let's Encrypt for the HTTPS proxy. This can be seen by visiting
> => https://bmc.costas.dev
>
> * The Gemini server doesn't send a TLS certificate when connecting. This can be tested
>
> ```
> $ openssl s_client -crlf -connect bmc.costas.dev:1965
> CONNECTED(00000003)
> 139841509586304:error:14094438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error:ssl/record/rec_layer_s3.c:1543:SSL alert number 80
> ---
> no peer certificate available
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 7 bytes and written 316 bytes
> Verification: OK
> ---
> New, (NONE), Cipher is (NONE)
> Secure Renegotiation IS NOT supported
> Compression: NONE
> Expansion: NONE
> No ALPN negotiated
> Early data was not sent
> Verify return code: 0 (ok)
> ---
> ```
>
> -- Ariel Costas
Re: Custom domain can't be accessed from Gemini: no TLS certificate
"Ariel Costas" <ariel@costas.dev>
Sun, 16 Jan 2022 16:46:17 +0000 🔗
✉️ Reply [Download] Parent
"Ariel Costas" <ariel@costas.dev>
Sun, 16 Jan 2022 16:46:17 +0000 🔗
✉️ Reply [Download] Parent
Hi there
On 1/15/22 2:07 AM, Alex wrote:
> This does appear to be a bug of some sort on my part, either in code or documentation, i think other users have had issues with cname records (though not the direct ip A record). I will try and resolve when i have a chance, else try and use the A record method. Thanks for reporting
I haven't tried replacing the CNAME for an A record, but the aforementioned user (Adrián Perales, aperalesf.flounder.online) has and it started working successfully after approximately 12 hours.
While this is a functioning workaround, it's something that should be fixed (or at least documented[1]).
[1]: https://admin.flounder.online/custom-domains.gmi
Regards
-- Ariel
Re: Custom domain can't be accessed from Gemini: no TLS certificate
"Alex" <alex@alexwennerberg.com>
Sun, 16 Jan 2022 17:00:34 +0000 🔗
✉️ Reply [Download] Parent
"Alex" <alex@alexwennerberg.com>
Sun, 16 Jan 2022 17:00:34 +0000 🔗
✉️ Reply [Download] Parent
I agree, I’ll take a look as soon as i have a chance
Alex
> On Jan 16, 2022, at 8:46 AM, Ariel Costas <ariel@costas.dev> wrote:
>
> Hi there
>
> On 1/15/22 2:07 AM, Alex wrote:
> > This does appear to be a bug of some sort on my part, either in code or documentation, i think other users have had issues with cname records (though not the direct ip A record). I will try and resolve when i have a chance, else try and use the A record method. Thanks for reporting
>
> I haven't tried replacing the CNAME for an A record, but the aforementioned user (Adrián Perales, aperalesf.flounder.online) has and it started working successfully after approximately 12 hours.
>
> While this is a functioning workaround, it's something that should be fixed (or at least documented[1]).
>
> [1]: https://admin.flounder.online/custom-domains.gmi
>
> Regards
>
> -- Ariel
Re: Custom domain can't be accessed from Gemini: no TLS certificate
"Alex Wennerberg" <alex@alexwennerberg.com>
Sun, 16 Jan 2022 18:46:06 +0000 🔗
✉️ Reply [Download] Parent
"Alex Wennerberg" <alex@alexwennerberg.com>
Sun, 16 Jan 2022 18:46:06 +0000 🔗
✉️ Reply [Download] Parent
OK, I took a look into this issue.
The problem is that the library that I use only loads certs on server restart, which doesn't happen that often. I will modify the code so that it loads the certs whenever a new domain is added.
All the best,
Alex
Re: Custom domain can't be accessed from Gemini: no TLS certificate
"Alex Wennerberg" <alex@alexwennerberg.com>
Mon, 17 Jan 2022 18:10:42 +0000 🔗
✉️ Reply [Download] Parent
"Alex Wennerberg" <alex@alexwennerberg.com>
Mon, 17 Jan 2022 18:10:42 +0000 🔗
✉️ Reply [Download] Parent
This issue should now be resolved
All the best,
Alex