Setting up Let's encrypt with Go – handshake errors

huangapple
go评论96阅读模式
英文:

Setting up Let's encrypt with Go - handshake errors

问题

我正在尝试在使用Go编写的负载均衡器上设置Let's Encrypt,我尝试了自动和手动设置,但总是出现错误。

域名正确地指向我们的服务器(Digital Ocean),我甚至可以在浏览器中打开网站而没有错误,而且SSL检查报告显示该域名没有错误。问题在于,当我在服务器上从CLI运行Go可执行文件时,我反复收到错误。

  1. 自动设置(acme/autocert):

服务器代码如下,证书和密钥在我首次从服务器启动后通过浏览器查看域名时创建:

go func() {
    log.Printf("Staring HTTP service on %s ...", ":80")

    http.HandleFunc("/*", http.HandlerFunc(func (w http.ResponseWriter, r *http.Request) {
        http.Redirect(w, r, "https://"+app.Cfg.S_HOST+":443"+r.RequestURI, http.StatusMovedPermanently)
    }))

    if err := http.ListenAndServe(":80", nil); err != nil {
        errs <- err
    }

}()

log.Printf("Staring HTTPS service on %s ...", ":443")

http.HandleFunc("/hello", http.HandlerFunc(func (w http.ResponseWriter, r *http.Request) {
    w.Header().Set("Content-Type", "text/plain")
    w.Write([]byte("This is an example server.\n"))
}))

certManager := autocert.Manager{
    Prompt:     autocert.AcceptTOS,
    HostPolicy: autocert.HostWhitelist(app.Cfg.S_HOST), //your domain here
    Cache:      autocert.DirCache("certs"), //folder for storing certificates
}

server := &http.Server{
    Addr: ":443",
    TLSConfig: &tls.Config{
        ServerName: app.Cfg.S_HOST,
        GetCertificate: certManager.GetCertificate,
    },
}

if err := server.ListenAndServeTLS("", ""); err != nil {
    print(err.Error())
} //key and cert are comming from Let's Encrypt

我收到以下错误:

  1. http: TLS握手错误来自(ip):59451:读取tcp(我的服务器IP):443->(ip):59451:读取:连接被对等方重置

  2. hello.ServerName为空:2017/04/01 17:14:38 http: TLS握手错误来自(ip):58193:acme/autocert:缺少服务器名称

  3. http: TLS握手错误来自(ip):45822:acme/autocert:主机未配置

  4. http: TLS握手错误来自(ip):58440:EOF

然后,我还尝试手动创建证书(成功),并简单地使用该代码,但我一次又一次地收到错误:

服务器代码如下:

go func() {
    log.Printf("Staring HTTP service on %s ...", ":80")

    http.HandleFunc("/*", http.HandlerFunc(func (w http.ResponseWriter, r *http.Request) {
        http.Redirect(w, r, "https://"+app.Cfg.S_HOST+":443"+r.RequestURI, http.StatusMovedPermanently)
    }))

    if err := http.ListenAndServe(":80", nil); err != nil {
        errs <- err
    }

}()

log.Printf("Staring HTTPS service on %s ...", ":443")

http.HandleFunc("/hello", http.HandlerFunc(func (w http.ResponseWriter, r *http.Request) {
    w.Header().Set("Content-Type", "text/plain")
    w.Write([]byte("This is an example server.\n"))
}))

// ssl["cert"]和ssl["key"]是证书和密钥路径(letsencrypt/live...)
if err := http.ListenAndServeTLS(sslAddr, ssl["cert"], ssl["key"], nil); err != nil {
    errs <- err
}

错误:

  1. http2: server: error reading preface from client (ip):10319: bogus greeting "POST / HTTP/1.1\r\nHost: 4"

  2. http: TLS握手错误来自(ip):10322:EOF

  3. http: TLS握手错误来自(ip):13504:读取tcp(我的服务器IP):443->(ip):13504:读取:连接被对等方重置

  4. http2: server: error reading preface from client (ip):9672: timeout waiting for client preface

有人可以帮助我吗?谢谢。

英文:

I'm trying to set up let's encrypt on a load balancer written in Go, I tried both the automatic and manual setup but I always get errors.

The domain is pointing correctly to our server (Digital Ocean) and I can even open the site from a browser without errors, also an ssl check report no errors on this domain. The fact is that when I run the Go executable on server from CLI I get errors repeatedly.

  1. Automatic (acme/autocert) setup:

The server code is that, the certificate and the key are created when I look at the domain from a browser for the first time after the server start:

    go func() {
	    log.Printf(&quot;Staring HTTP service on %s ...&quot;, &quot;:80&quot;)

	    http.HandleFunc(&quot;/*&quot;, http.HandlerFunc(func (w http.ResponseWriter, r *http.Request) {
		    http.Redirect(w, r, &quot;https://&quot; + app.Cfg.S_HOST + &quot;:443&quot; + r.RequestURI, http.StatusMovedPermanently)
	    }))

	    if err := http.ListenAndServe(&quot;:80&quot;, nil); err != nil {
		    errs &lt;- err
	    }

    }()



    log.Printf(&quot;Staring HTTPS service on %s ...&quot;, &quot;:443&quot;)

    http.HandleFunc(&quot;/hello&quot;, http.HandlerFunc(func (w http.ResponseWriter, r *http.Request) {
	    w.Header().Set(&quot;Content-Type&quot;, &quot;text/plain&quot;)
	    w.Write([]byte(&quot;This is an example server.\n&quot;))
    }))


    certManager := autocert.Manager{
	    Prompt:     autocert.AcceptTOS,
	    HostPolicy: autocert.HostWhitelist(app.Cfg.S_HOST), //your domain here
	    Cache:      autocert.DirCache(&quot;certs&quot;), //folder for storing certificates
    }

    server := &amp;http.Server{
	    Addr: &quot;:443&quot;,
	    TLSConfig: &amp;tls.Config{
		    ServerName: app.Cfg.S_HOST,
		    GetCertificate: certManager.GetCertificate,
	    },
    }

    if err := server.ListenAndServeTLS(&quot;&quot;, &quot;&quot;); err != nil {
	    print(err.Error())
    } //key and cert are comming from Let&#39;s Encrypt

I get those errors:

  1. http: TLS handshake error from (ip):59451: read tcp (myserver IP):443->(ip):59451: read: connection reset by peer

  2. hello.ServerName empty:2017/04/01 17:14:38 http: TLS handshake error from (ip):58193: acme/autocert: missing server name

  3. http: TLS handshake error from (ip):45822: acme/autocert: host not configured

  4. http: TLS handshake error from (ip):58440: EOF

Then I tried also creating the certificate manually (succesfully) and simply using that code and I get errors again and again:

The server code is:

    go func() {
	    log.Printf(&quot;Staring HTTP service on %s ...&quot;, &quot;:80&quot;)

	    http.HandleFunc(&quot;/*&quot;, http.HandlerFunc(func (w http.ResponseWriter, r *http.Request) {
		    http.Redirect(w, r, &quot;https://&quot; + app.Cfg.S_HOST + &quot;:443&quot; + r.RequestURI, http.StatusMovedPermanently)
	    }))

	    if err := http.ListenAndServe(&quot;:80&quot;, nil); err != nil {
	    	errs &lt;- err
	    }

    }()



    log.Printf(&quot;Staring HTTPS service on %s ...&quot;, &quot;:443&quot;)

    http.HandleFunc(&quot;/hello&quot;, http.HandlerFunc(func (w http.ResponseWriter, r *http.Request) {
	    w.Header().Set(&quot;Content-Type&quot;, &quot;text/plain&quot;)
	    w.Write([]byte(&quot;This is an example server.\n&quot;))
    }))


    // ssl[&quot;cert&quot;] and ssl[&quot;key&quot;] are the cert and key path (letsencrypt/live...)
	if err := http.ListenAndServeTLS(sslAddr, ssl[&quot;cert&quot;], ssl[&quot;key&quot;], nil); err != nil {
		errs &lt;- err
	}

Errors:

  1. http2: server: error reading preface from client (ip):10319: bogus
    greeting "POST / HTTP/1.1\r\nHost: 4"

  2. http: TLS handshake error from (ip):10322: EOF

  3. http: TLS handshake error from (ip):13504: read tcp (my server ip):443->(ip):13504: read: connection reset by peer

  4. http2: server: error reading preface from client (ip):9672: timeout waiting for client preface

Can someone help me please? Thanks

答案1

得分: 1

正如JimB和其他人在评论中所说,这可能是错误请求的结果。当使用https://www.ssllabs.com/ssltest/来测试网站的https配置时,无效的请求将被记录。一个良好的测试分数可以让你相信这些日志消息是无害的,可以安全地忽略。

此外,acme/autocert包正在快速发展(截至2018年1月),请确保你的版本是最新的。

英文:

As JimB and others said in the comments, this can be the result of bad requests. Invalid requests will be logged when using https://www.ssllabs.com/ssltest/ to test a site's https configuration. A good test score can give you confidence the log messages are benign and can be safely ignored.

Also the acme/autocert package is evolving rapidly (at Jan 2018), please check your version is up to date.

huangapple
  • 本文由 发表于 2017年4月2日 04:16:16
  • 转载请务必保留本文链接:https://go.coder-hub.com/43161559.html
  • go
  • lets-encrypt
  • ssl
  • ssl-certificate
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定