Custom domain can't be accessed from Gemini: no TLS certificate

Hi there, I've read (in the fediverse) about a user being unable to set up a custom domain in Flounder. I tried replicating it the same, and got to the same problem: the capsule can't be accessed via the gemini:// protocol because no TLS certificate is sent by the server. Some details: * In both cases, a subdomain is used to point to flounder, and using a CNAME DNS record. ``` $ drill bmc.costas.dev [...] ;; ANSWER SECTION: bmc.costas.dev. 3100 IN CNAME bebomuchocafe.flounder.online. bebomuchocafe.flounder.online. 1299 IN A 173.230.145.243 [...] ``` * A TLS certificate is generated by Let's Encrypt for the HTTPS proxy. This can be seen by visiting => https://bmc.costas.dev * The Gemini server doesn't send a TLS certificate when connecting. This can be tested ``` $ openssl s_client -crlf -connect bmc.costas.dev:1965 CONNECTED(00000003) 139841509586304:error:14094438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error:ssl/record/rec_layer_s3.c:1543:SSL alert number 80 --- no peer certificate available --- No client certificate CA names sent --- SSL handshake has read 7 bytes and written 316 bytes Verification: OK --- New, (NONE), Cipher is (NONE) Secure Renegotiation IS NOT supported Compression: NONE Expansion: NONE No ALPN negotiated Early data was not sent Verify return code: 0 (ok) --- ``` -- Ariel Costas

This does appear to be a bug of some sort on my part, either in code or documentation, i think other users have had issues with cname records (though not the direct ip A record). I will try and resolve when i have a chance, else try and use the A record method. Thanks for reporting Alex > On Jan 14, 2022, at 3:45 AM, Ariel Costas <ariel@costas.dev> wrote: > > Hi there, > > I've read (in the fediverse) about a user being unable to set up a custom domain in Flounder. I tried replicating it the same, and got to the same problem: the capsule can't be accessed via the gemini:// protocol because no TLS certificate is sent by the server. > > Some details: > * In both cases, a subdomain is used to point to flounder, and using a CNAME DNS record. > > ``` > $ drill bmc.costas.dev > [...] > ;; ANSWER SECTION: > bmc.costas.dev. 3100 IN CNAME bebomuchocafe.flounder.online. > bebomuchocafe.flounder.online. 1299 IN A 173.230.145.243 > [...] > ``` > > * A TLS certificate is generated by Let's Encrypt for the HTTPS proxy. This can be seen by visiting > => https://bmc.costas.dev > > * The Gemini server doesn't send a TLS certificate when connecting. This can be tested > > ``` > $ openssl s_client -crlf -connect bmc.costas.dev:1965 > CONNECTED(00000003) > 139841509586304:error:14094438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error:ssl/record/rec_layer_s3.c:1543:SSL alert number 80 > --- > no peer certificate available > --- > No client certificate CA names sent > --- > SSL handshake has read 7 bytes and written 316 bytes > Verification: OK > --- > New, (NONE), Cipher is (NONE) > Secure Renegotiation IS NOT supported > Compression: NONE > Expansion: NONE > No ALPN negotiated > Early data was not sent > Verify return code: 0 (ok) > --- > ``` > > -- Ariel Costas

Hi there On 1/15/22 2:07 AM, Alex wrote: > This does appear to be a bug of some sort on my part, either in code or documentation, i think other users have had issues with cname records (though not the direct ip A record). I will try and resolve when i have a chance, else try and use the A record method. Thanks for reporting I haven't tried replacing the CNAME for an A record, but the aforementioned user (Adrián Perales, aperalesf.flounder.online) has and it started working successfully after approximately 12 hours. While this is a functioning workaround, it's something that should be fixed (or at least documented[1]). [1]: https://admin.flounder.online/custom-domains.gmi Regards -- Ariel

I agree, I’ll take a look as soon as i have a chance Alex > On Jan 16, 2022, at 8:46 AM, Ariel Costas <ariel@costas.dev> wrote: > > Hi there > > On 1/15/22 2:07 AM, Alex wrote: > > This does appear to be a bug of some sort on my part, either in code or documentation, i think other users have had issues with cname records (though not the direct ip A record). I will try and resolve when i have a chance, else try and use the A record method. Thanks for reporting > > I haven't tried replacing the CNAME for an A record, but the aforementioned user (Adrián Perales, aperalesf.flounder.online) has and it started working successfully after approximately 12 hours. > > While this is a functioning workaround, it's something that should be fixed (or at least documented[1]). > > [1]: https://admin.flounder.online/custom-domains.gmi > > Regards > > -- Ariel

OK, I took a look into this issue. The problem is that the library that I use only loads certs on server restart, which doesn't happen that often. I will modify the code so that it loads the certs whenever a new domain is added. All the best, Alex

[View original message: https://lists.flounder.online/flounder/threads/dc8b8389-7d18-3f01-4b59-ec9dbe84d308@costas.dev.html] This issue should now be resolved All the best, Alex