coolaj86
/
greenlock.js-ARCHIVED
3
3
Fork 0
Code Issues 6 Pull Requests 1 Releases Activity

Sticky: logRejectedDomains - tls SNI rejections #11

New Issue
Closed
opened 2018-05-17 20:05:26 +00:00 by coolaj86 · 5 comments
coolaj86 commented 2018-05-17 20:05:26 +00:00
Owner
Copy Link

Typically there are two types of tls SNI rejections:

  • Configuration Errors
  • Bots

Configuration Errors

When you're getting started with Greenlock™, it's common that you might forget to properly set a domain, or point a DNS record, or create the folder for the site to serve from.

You might see a rejection for 'example.com' that probably means you forgot to update the example file with your domain.

You might see an error 'www.youractualsite.com' which might mean you set up 'youractualsite.com' correctly, but forgot to set up the 'www' for proper redirects to the site.

The good news is that these types of errors are your fault, which means that you can fix them. Yay!

Obviously, we want you to see these messages, especially early on.

Bots

Bots are constantly probing the Internet to see how your server responds to a given request.

It will be very common to see requests come in from bot probes that are testing for bogus names on your server such as yahoo.com or google.com or some Chinese or Russian domain. There's nothing you can do about this.

Because we can't easily determine programmatically whether an error is created by a bot or a misconfiguration, we log all of these errors.

Turn off logging

Set logRejectedDomains: false to turn off logging, but be warned, if you have a configuration problem later, you've silenced the error.

Typically there are two types of tls SNI rejections: * Configuration Errors * Bots Configuration Errors ==================== When you're getting started with Greenlock™, it's common that you might forget to properly set a domain, or point a DNS record, or create the folder for the site to serve from. You might see a rejection for 'example.com' that probably means you forgot to update the example file with your domain. You might see an error 'www.youractualsite.com' which might mean you set up 'youractualsite.com' correctly, but forgot to set up the 'www' for proper redirects to the site. The good news is that these types of errors are your fault, which means that _you_ can fix them. Yay! Obviously, we want you to see these messages, especially early on. Bots ==== Bots are constantly probing the Internet to see how your server responds to a given request. It will be very common to see requests come in from bot probes that are testing for bogus names on your server such as yahoo.com or google.com or some Chinese or Russian domain. There's nothing you can do about this. Because we can't easily determine programmatically whether an error is created by a bot or a misconfiguration, we log all of these errors. Turn off logging ================ Set `logRejectedDomains: false` to turn off logging, but be warned, if you have a configuration problem later, you've silenced the error.
Ghost commented 2018-11-05 15:34:48 +00:00
Copy Link

Hi again ) . Could you explain what to do if there is IP adress in this error, not domain? I use greenlock-express and there is no option to write a domain somewhere. There is just an array with two domains for sertificate creation. And sometimes this error occures:

[Error] approveDomains rejected tls sni '185.66.65.183'
[Error] (see coolaj86/greenlock.js#11)

It is not critical, but error log is full of this. And I afraid of turning "logRejectedDomains" off.
Thanks.

Hi again ) . Could you explain what to do if there is IP adress in this error, not domain? I use greenlock-express and there is no option to write a domain somewhere. There is just an array with two domains for sertificate creation. And sometimes this error occures: [Error] approveDomains rejected tls sni '185.66.65.183' [Error] (see https://git.coolaj86.com/coolaj86/greenlock.js/issues/11) It is not critical, but error log is full of this. And I afraid of turning "logRejectedDomains" off. Thanks.
Ghost commented 2018-11-05 15:38:21 +00:00
Copy Link

I mean:
Error - approveDomains rejected tls sni '185.66.65.183'
Error - (see coolaj86/greenlock.js#11)

Can't edit previous post because of JS error:
Uncaught ReferenceError: issuesTribute is not defined
at HTMLAnchorElement. (index.js?v=c638d41d50d302cdc4c4e23aa40e960f:608)
at HTMLAnchorElement.dispatch (jquery.min.js:4)
at HTMLAnchorElement.r.handle (jquery.min.js:4)

I mean: Error - approveDomains rejected tls sni '185.66.65.183' Error - (see https://git.coolaj86.com/coolaj86/greenlock.js/issues/11) Can't edit previous post because of JS error: Uncaught ReferenceError: issuesTribute is not defined at HTMLAnchorElement.<anonymous> (index.js?v=c638d41d50d302cdc4c4e23aa40e960f:608) at HTMLAnchorElement.dispatch (jquery.min.js:4) at HTMLAnchorElement.r.handle (jquery.min.js:4)
coolaj86 commented 2019-09-10 04:06:09 +00:00
Author
Owner
Copy Link

Sorry for the long wait.

It’s the same thing. It’s just some bit or music figured web client spewing out a random IP address at your server.

The longer your IP address has been rotating through cloud services, the more likely you are to get all sorts of random things.

Sorry for the long wait. It’s the same thing. It’s just some bit or music figured web client spewing out a random IP address at your server. The longer your IP address has been rotating through cloud services, the more likely you are to get all sorts of random things.
coolaj86 commented 2019-09-10 04:08:13 +00:00
Author
Owner
Copy Link

I’ll have to double check on the logging option to see what’s up. It should turn off logging junk domains, but perhaps there’s some sort of check that happens before another that’s causing IPs to slip through while domains are dropped.

I’ll have to double check on the logging option to see what’s up. It _should_ turn off logging junk domains, but perhaps there’s some sort of check that happens before another that’s causing IPs to slip through while domains are dropped.
coolaj86 commented 2019-11-01 21:57:33 +00:00
Author
Owner
Copy Link

Greenlock v3 no longer logs bad sni, and has a notify callback for handling other errors.

The manage callbacks take care of what used to be approveDomains.

Greenlock v3 no longer logs bad sni, and has a `notify` callback for handling other errors. The `manage` callbacks take care of what used to be `approveDomains`.
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
master
github
next
v4
npm
v3
wip
dns-challenge-regression-fix
v2.4
v2.5
v2.3
v2
v2.2
acmev2
v2.1
greenlock
v1
node-letsencrypt-python
v4.0.5
v4.0.4
v4.0.3
v4.0.2
v4.0.1
v4.0.0
v3.1.5
v3.1.4
v3.1.3
v3.0.25
v3.0.24
v3.0.23
v3.0.21
v3.0.20
v3.0.19
v3.0.18
v3.0.17
v3.0.16
v3.0.15
v3.0.12
v3.0.11
v3.0.10
v3.0.9
v3.0.7
v3.0.6
v3.0.5
v3.0.4
v3.0.3
v3.0.2
v3.0.1
v2.8.8
v2.8.7
v2.8.6
v2.8.5
v2.8.4
v2.8.3
v2.8.2
v2.8.1
v2.8.0
v2.7.23
v2.7.22
v2.7.21
v2.7.20
v2.7.19
v2.7.18
v2.7.17
v2.7.16
v2.7.15
v2.7.14
v2.7.13
v2.7.12
v2.7.11
v2.7.10
v2.7.9
v2.7.8
v2.7.7
v2.7.6
v2.7.5
v2.7.4
v2.7.3
v2.7.2
v2.7.1
v2.7.0
v2.6.10
v2.6.9
v2.6.8
v2.6.7
v2.6.6
v2.6.5
v2.6.4
v2.6.3
v2.6.2
v2.6.1
v2.6.0
v2.5.0
v2.4.10
v2.4.9
v2.4.8
v2.4.7
v2.4.2
v2.4.1
v2.4.0
v2.3.13
v2.3.12
v2.3.11
v2.3.10
v2.3.9
v2.3.8
v2.3.7
v2.3.6
v2.3.5
v2.3.4
v2.3.3
v2.3.2
v2.3.1
v2.3.0
v2.2.20
v2.2.19
v2.2.18
v2.2.17
v2.2.16
v2.2.15
v2.2.14
v2.2.13
v2.2.12
v2.2.11
v2.2.10
v2.2.8
v2.2.7
v2.2.6
v2.2.5
v2.2.4
v2.2.3
v2.2.2
v2.2.0
v2.1.19
v2.1.18
v2.1.17
v2.1.16
v2.1.15
v2.1.14
v2.1.13
v2.1.12
v2.1.11
v2.1.10
v2.1.9
v2.1.7
v2.1.6
v2.1.5
v2.1.4
v2.1.3
v2.1.2
v2.1.1
v2.1.0
v1.5.8
v2.0.5
v2.0.4
v1.5.7
v1.5.6
v1.5.5
v2.0.3
v2.0.2
v2.0.1
v2.0.0
v1.5.4
v1.5.3
v1.5.2
v1.5.1
v1.5.0
v1.4.4
v1.4.3
v1.4.2
v1.4.1
v1.4.0
v1.3.0
v1.2.0
v1.1.0
v1.0.2
v1.0.0
v1.0.1
Labels
Clear labels
No items
No Label
Milestone
Clear milestone
No items
No Milestone
Assignees
Clear assignees
No Assignees
2 Participants
Notifications
Due Date
The due date is invalid or out of range. Please use the format 'yyyy-mm-dd'.

No due date set.

Dependencies

No dependencies set.

Reference: coolaj86/greenlock.js-ARCHIVED#11
No description provided.
Delete Branch "%!s(<nil>)"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?