Server only listening to HTTP_PORT with TLS when Let's Encrypt is enabled #5280

gregkare · 2018-11-06T16:31:52Z

Gitea version (or commit ref): 1.6.0-rc2
Operating system: Linux / macOS
Can you reproduce the bug at https://try.gitea.io:
- Yes (provide example URL)
- No
- Not relevant

Description

Let's Encrypt support was merged in #4189 and ships in 1.6.0-rc1. Has anyone been able to make this work? Reading the code (

gitea/cmd/web.go

Line 83 in 3d84f1f

    
           go http.ListenAndServe(listenAddr+":"+setting.PortToRedirect, certManager.HTTPHandler(http.HandlerFunc(runLetsEncryptFallbackHandler))) // all traffic coming into HTTP will be redirect to HTTPS automatically (LE HTTP-01 validatio happens here)

) PORT_TO_REDIRECT from the config file is supposed to be used to redirect HTTP to HTTPS and also by Let's Encrypt to generate certificates. However I'm only getting a daemon running on the HTTP_PORT (using TLS). When ENABLE_LETSENCRYPT is set to false and REDIRECT_OTHER_PORT is set to true a daemon listens on PORT_TO_REDIRECT and redirects HTTP to HTTPS. I can reproduce the issue running the 1.6.0-rc2 binary directly on macOS, as well as in Kubernetes/Docker.

Update: Setting PORT_TO_REDIRECT or not leads to the same result, only listening on HTTPS

Here are the relevant parts of my config:

...
[server]
PROTOCOL = https
HTTP_PORT = 3000
DOMAIN = gitea.example.com
PORT_TO_REDIRECT = 3001
ENABLE_LETSENCRYPT = true
LETSENCRYPT_ACCEPTTOS = true
LETSENCRYPT_DIRECTORY = https
LETSENCRYPT_EMAIL = [email protected]

Am I missing something? I have checked the code, as well as read https://docs.gitea.io/en-us/https-setup/

The text was updated successfully, but these errors were encountered:

fser · 2018-11-28T09:28:53Z

Same here! Although I noticed something in the code:

	case setting.HTTPS:
		if setting.EnableLetsEncrypt {
			err = runLetsEncrypt(listenAddr, setting.Domain, setting.LetsEncryptDirectory, setting.LetsEncryptEmail, context2.ClearHandler(m))
			break
		}
		if setting.RedirectOtherPort {
			go runHTTPRedirector()
                }

My point being, if LetsEncrypt is enabled, then the RedirectOtherPort will not be reached. I was tempted to swap the two conditions...

Ref: https://github.com/go-gitea/gitea/blob/master/cmd/web.go#L174-L181

lafriks · 2018-11-28T21:26:55Z

@fser that is ok as letsencrypt handler will also act as http redirector to redirect http to https

fser · 2018-11-28T22:24:54Z

How does it work? It's only listening on HTTP_PORT, with or without REDIRECT_OTHER_PORT set to true and PORT_TO_REDIRECT to 8080.

lafriks · 2018-11-29T16:57:16Z

It does not use REDIRECT_OTHER_PORT but does use PORT_TO_REDIRECT here:
https://github.com/go-gitea/gitea/blob/master/cmd/web.go#L83

lafriks · 2018-11-29T16:59:19Z

It could be also bug can't tell atm as I have not tried this functionality yet :)

gregkare · 2018-12-05T12:50:51Z

I do not see anything listening on PORT_TO_REDIRECT either, with ENABLE_LETSENCRYPT set to true. Has someone managed to make that feature work?

gbl08ma · 2018-12-09T00:18:02Z

I have the same issue: when ENABLE_LETSENCRYPT is set to true, Gitea does not listen on PORT_TO_REDIRECT as documented.

I took a couple of minutes to look at the code and I identified the problem:

On line 83 of cmd/web.go, the HTTP server is supposed to be started. This goroutine is launched and its error return value is ignored, which means there are no errors in any logs (if there were, people would have certainly already caught the bug).

The problem lies in this expression: listenAddr+":"+setting.PortToRedirect. If you trace where listenAddr is actually set, you'll see that on line 155 the port will already have been appended. So on line 83, it is actually attempting to listen on an address like 0.0.0.0:443:80, which I imagine actually results in an error, but of course, the error return value is ignored due to the way the goroutine is launched.

If in that expression on line 83 listenAddr is replaced with setting.HTTPAddr, the bug should be fixed. I could open a pull request but I already spent three hours today trying to set up Gitea for the first time, scratching my head at what could go wrong and messing with the configuration because "certainly this must have been tested, it's documented right there, it must be a problem with my config", then convincing myself there must be a problem in the code, which there was. Ugh.

gregkare · 2018-12-11T13:30:26Z

I have posted a PR here: #5525 (replaced PR, pushed to the wrong org)

@gbl08ma

* Fix the Let's Encrypt handler by listening on a valid address Also handle errors in the HTTP server go routine, return a fatal error when something goes wrong. Thanks to @gbl08ma for finding the actual bug Here is an example of the error handling: 2018/12/11 14:23:07 [....io/gitea/cmd/web.go:87 func1()] [E] Failed to start the Let's Encrypt handler on port 30: listen tcp 0.0.0.0:30: bind: permission denied Closes #5280 * Fix a typo

@gbl08ma

* Fix the Let's Encrypt handler by listening on a valid address Also handle errors in the HTTP server go routine, return a fatal error when something goes wrong. Thanks to @gbl08ma for finding the actual bug Here is an example of the error handling: 2018/12/11 14:23:07 [....io/gitea/cmd/web.go:87 func1()] [E] Failed to start the Let's Encrypt handler on port 30: listen tcp 0.0.0.0:30: bind: permission denied Closes go-gitea#5280 * Fix a typo

@gbl08ma

* Fix the Let's Encrypt handler by listening on a valid address Also handle errors in the HTTP server go routine, return a fatal error when something goes wrong. Thanks to @gbl08ma for finding the actual bug Here is an example of the error handling: 2018/12/11 14:23:07 [....io/gitea/cmd/web.go:87 func1()] [E] Failed to start the Let's Encrypt handler on port 30: listen tcp 0.0.0.0:30: bind: permission denied Closes #5280 * Fix a typo

gregkare · 2018-12-12T09:43:25Z

I could confirm that the Let's Encrypt setup in Gitea works now, I deployed the latest Docker tag and now have a valid Let's Encrypt certificate

lafriks added the type/bug label Nov 29, 2018

lafriks added the backport/v1.6 label Dec 9, 2018

lafriks added this to the 1.6.1 milestone Dec 9, 2018

techknowlogick modified the milestones: 1.6.1, 1.6.2 Dec 9, 2018

lafriks removed the backport/v1.6 label Dec 9, 2018

gregkare mentioned this issue Dec 11, 2018

Fix Let's Encrypt handler #5524

Closed

gregkare mentioned this issue Dec 11, 2018

Fix the Let's Encrypt handler by listening on a valid address #5525

Merged

techknowlogick closed this as completed in #5525 Dec 11, 2018

gregkare mentioned this issue Dec 11, 2018

Backport #5525 Fix the Let's Encrypt handler #5527

Merged

go-gitea locked and limited conversation to collaborators Nov 24, 2020

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Server only listening to HTTP_PORT with TLS when Let's Encrypt is enabled #5280

Server only listening to HTTP_PORT with TLS when Let's Encrypt is enabled #5280

gregkare commented Nov 6, 2018 •

edited

Loading

fser commented Nov 28, 2018

lafriks commented Nov 28, 2018

fser commented Nov 28, 2018

lafriks commented Nov 29, 2018 •

edited

Loading

lafriks commented Nov 29, 2018

gregkare commented Dec 5, 2018

gbl08ma commented Dec 9, 2018

gregkare commented Dec 11, 2018 •

edited

Loading

gregkare commented Dec 12, 2018

Server only listening to HTTP_PORT with TLS when Let's Encrypt is enabled #5280

Server only listening to HTTP_PORT with TLS when Let's Encrypt is enabled #5280

Comments

gregkare commented Nov 6, 2018 • edited Loading

Description

fser commented Nov 28, 2018

lafriks commented Nov 28, 2018

fser commented Nov 28, 2018

lafriks commented Nov 29, 2018 • edited Loading

lafriks commented Nov 29, 2018

gregkare commented Dec 5, 2018

gbl08ma commented Dec 9, 2018

gregkare commented Dec 11, 2018 • edited Loading

gregkare commented Dec 12, 2018

gregkare commented Nov 6, 2018 •

edited

Loading

lafriks commented Nov 29, 2018 •

edited

Loading

gregkare commented Dec 11, 2018 •

edited

Loading