Sticky: logRejectedDomains - tls SNI rejections #11

Closed
opened 6 years ago by coolaj86 · 5 comments
coolaj86 commented 6 years ago
Owner

Typically there are two types of tls SNI rejections:

  • Configuration Errors
  • Bots

Configuration Errors

When you're getting started with Greenlock™, it's common that you might forget to properly set a domain, or point a DNS record, or create the folder for the site to serve from.

You might see a rejection for 'example.com' that probably means you forgot to update the example file with your domain.

You might see an error 'www.youractualsite.com' which might mean you set up 'youractualsite.com' correctly, but forgot to set up the 'www' for proper redirects to the site.

The good news is that these types of errors are your fault, which means that you can fix them. Yay!

Obviously, we want you to see these messages, especially early on.

Bots

Bots are constantly probing the Internet to see how your server responds to a given request.

It will be very common to see requests come in from bot probes that are testing for bogus names on your server such as yahoo.com or google.com or some Chinese or Russian domain. There's nothing you can do about this.

Because we can't easily determine programmatically whether an error is created by a bot or a misconfiguration, we log all of these errors.

Turn off logging

Set `logRejectedDomains: false` to turn off logging, but be warned, if you have a configuration problem later, you've silenced the error.


Hi again :). Could you explain what to do if there is an IP address in this error, not a domain? I use greenlock-express and there is no option to write a domain somewhere. There is just an array with two domains for certificate creation. And sometimes this error occurs:

[Error] approveDomains rejected tls sni '185.66.65.183'
[Error] (see https://git.coolaj86.com/coolaj86/greenlock.js/issues/11)

It is not critical, but the error log is full of this. And I am afraid of turning "logRejectedDomains" off.
Thanks.


I mean:
Error - approveDomains rejected tls sni '185.66.65.183'
Error - (see https://git.coolaj86.com/coolaj86/greenlock.js/issues/11)

Can't edit previous post because of JS error:
Uncaught ReferenceError: issuesTribute is not defined
at HTMLAnchorElement.<anonymous> (index.js?v=c638d41d50d302cdc4c4e23aa40e960f:608)
at HTMLAnchorElement.dispatch (jquery.min.js:4)
at HTMLAnchorElement.r.handle (jquery.min.js:4)

Poster
Owner

Sorry for the long wait.

It’s the same thing. It’s just some bot or misconfigured web client spewing out a random IP address at your server.

The longer your IP address has been rotating through cloud services, the more likely you are to get all sorts of random things.

Poster
Owner

I’ll have to double check on the logging option to see what’s up. It should turn off logging junk domains, but perhaps there’s some sort of check that happens before another that’s causing IPs to slip through while domains are dropped.

Poster
Owner

Greenlock v3 no longer logs bad sni, and has a `notify` callback for handling other errors.

The `manage` callbacks take care of what used to be `approveDomains`.
coolaj86 closed this issue 5 years ago