Closed
Description
Version
0.32.0-rc1
Config
{
  "AutoTLS": {
    "Enabled": true
  },
  "Addresses": {
    "API": "/ip4/127.0.0.1/tcp/5701",
    "Announce": [],
    "AppendAnnounce": [],
    "Gateway": "/ip4/127.0.0.1/tcp/8780",
    "NoAnnounce": [],
    "Swarm": [
      "/ip4/0.0.0.0/tcp/4071",
      "/ip6/::/tcp/4071",
      "/ip4/0.0.0.0/tcp/4072/tls/sni/*.libp2p.direct/ws",
      "/ip4/0.0.0.0/udp/4071/webrtc-direct",
      "/ip4/0.0.0.0/udp/4071/quic-v1",
      "/ip4/0.0.0.0/udp/4071/quic-v1/webtransport",
      "/ip6/::/udp/4071/webrtc-direct",
      "/ip6/::/udp/4071/quic-v1",
      "/ip6/::/udp/4071/quic-v1/webtransport"
    ]
  },
  ...
Description
Example 1, error due to "solving challenges: presenting for challenge: no public address found":
2024-11-04T20:45:28.283+0100 INFO autotls.acme_client [email protected]/client.go:404 trying to solve challenge {"identifier": "*.k51qzi5uqu5dha1xbwsoc8lyjf6fldczy61ozgi3n9rr3tipfuzjzqst8fqooi.libp2p.direct", "challenge_type": "dns-01", "ca": "https://acme-v02.api.letsencrypt.org/directory"}
2024-11-04T20:45:36.324+0100 DEBUG autotls.acme_client acme/http.go:275 http request {"method": "POST", "url": "https://acme-v02.api.letsencrypt.org/acme/authz-v3/425608111597", "headers": {"Content-Type":["application/jose+json"],"User-Agent":["CertMagic acmez (linux; amd64)"]}, "response_headers": {"Boulder-Requester":["2038430587"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["454"],"Content-Type":["application/json"],"Date":["Mon, 04 Nov 2024 19:45:36 GMT"],"Link":["<https://acme-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["yiS4Q9ue15rzi_h41L_gI6UhRmR95FOK2XBx4z7cpj9DQfwyXEE"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]}, "status_code": 200}
2024-11-04T20:45:36.324+0100 ERROR autotls.obtain [email protected]/config.go:639 could not get certificate from issuer {"identifier": "*.k51qzi5uqu5dha1xbwsoc8lyjf6fldczy61ozgi3n9rr3tipfuzjzqst8fqooi.libp2p.direct", "issuer": "acme-v02.api.letsencrypt.org-directory", "error": "[*.k51qzi5uqu5dha1xbwsoc8lyjf6fldczy61ozgi3n9rr3tipfuzjzqst8fqooi.libp2p.direct] solving challenges: presenting for challenge: no public address found (order=https://acme-v02.api.letsencrypt.org/acme/order/2038430587/320023393197) (ca=https://acme-v02.api.letsencrypt.org/directory)"}
2024-11-04T20:45:36.324+0100 ERROR autotls.obtain [email protected]/async.go:117 will retry {"error": "[*.k51qzi5uqu5dha1xbwsoc8lyjf6fldczy61ozgi3n9rr3tipfuzjzqst8fqooi.libp2p.direct] Obtain: [*.k51qzi5uqu5dha1xbwsoc8lyjf6fldczy61ozgi3n9rr3tipfuzjzqst8fqooi.libp2p.direct] solving challenges: presenting for challenge: no public address found (order=https://acme-v02.api.letsencrypt.org/acme/order/2038430587/320023393197) (ca=https://acme-v02.api.letsencrypt.org/directory)", "attempt": 1, "retrying_in": 60, "elapsed": 9.413219385, "max_duration": 2592000}
2024-11-04T20:46:36.326+0100 INFO autotls.obtain [email protected]/config.go:555 obtaining certificate {"identifier": "*.k51qzi5uqu5dha1xbwsoc8lyjf6fldczy61ozgi3n9rr3tipfuzjzqst8fqooi.libp2p.direct"}
Problem
When the node is behind NAT, we do not delay the initial registration attempt until a publicly dialable address is present. We should avoid ERROR entries in the logs when we already know the registration attempt would fail, and delay the attempt until it is safe to make.
Specific problems:
- do not attempt to get a cert if the node only has /p2p-circuit (relayed) addresses
- do not attempt to get a cert if the only "public address" is an IPv6 address that is blocked by a firewall
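To make the gating rule above concrete, here is an added example (not kubo's or p2p-forge's own code) of a readiness check that inspects a node's textual multiaddrs before any ACME attempt is made. It walks each address's protocol components with a deliberately small parser (the assumed `valueProtocols` table is a subset of the real go-multiaddr protocol table, and `/unix` paths are not handled), treats unspecified listen addresses such as `0.0.0.0` and `::`, loopback, RFC 1918, link-local and CGNAT ranges as not public, skips anything carrying `/p2p-circuit`, and only counts a global IPv6 address if the caller passes `ipv6Confirmed=true`, standing in for an external reachability confirmation (e.g. from AutoNAT) that the page does not specify. The peer id in the sample addresses is a constructed placeholder.

```go
package main

import (
	"fmt"
	"net/netip"
	"strings"
)

// valueProtocols lists multiaddr protocols whose next path component is a value.
// Everything else (/quic-v1, /ws, /tls, /p2p-circuit, ...) is a bare flag.
// Assumed subset for this example; the real go-multiaddr table is larger.
var valueProtocols = map[string]bool{
	"ip4": true, "ip6": true, "ip6zone": true, "tcp": true, "udp": true, "sctp": true,
	"dns": true, "dns4": true, "dns6": true, "dnsaddr": true,
	"p2p": true, "ipfs": true, "sni": true, "certhash": true, "unix": true,
}

// Shared address space (RFC 6598) used by carrier-grade NAT; not dialable from outside.
var cgnat = netip.MustParsePrefix("100.64.0.0/10")

// addrInfo is what the readiness check needs from one multiaddr.
type addrInfo struct {
	ip      netip.Addr // zero value when the address has no IP literal (e.g. /dns4)
	relayed bool       // true when the path contains /p2p-circuit
}

// parseMultiaddr walks the "/proto/value/proto/..." components of a textual
// multiaddr and extracts its IP literal (if any) and whether it is relayed.
func parseMultiaddr(s string) (addrInfo, error) {
	var info addrInfo
	if !strings.HasPrefix(s, "/") {
		return info, fmt.Errorf("multiaddr must start with '/': %q", s)
	}
	parts := strings.Split(strings.TrimPrefix(s, "/"), "/")
	for i := 0; i < len(parts); i++ {
		proto := parts[i]
		if proto == "p2p-circuit" {
			info.relayed = true
			continue
		}
		if !valueProtocols[proto] {
			continue // bare flag such as /quic-v1 or /ws
		}
		i++ // consume the value component
		if i >= len(parts) {
			return info, fmt.Errorf("protocol %q missing its value in %q", proto, s)
		}
		if proto == "ip4" || proto == "ip6" {
			ip, err := netip.ParseAddr(parts[i])
			if err != nil {
				return info, fmt.Errorf("bad %s literal in %q: %w", proto, s, err)
			}
			info.ip = ip
		}
	}
	return info, nil
}

// isPublicIP rejects unspecified (0.0.0.0, ::), loopback, link-local, multicast,
// RFC 1918 / fc00::/7 and CGNAT addresses; only a global unicast address remains.
func isPublicIP(ip netip.Addr) bool {
	ip = ip.Unmap()
	return ip.IsGlobalUnicast() && !ip.IsPrivate() && !cgnat.Contains(ip)
}

// publiclyDialable reports whether any address justifies an ACME registration
// attempt, returning the first qualifying address. Relayed (/p2p-circuit)
// addresses never qualify, and a global IPv6 address qualifies only when
// inbound IPv6 reachability has been confirmed, since it is often firewalled.
func publiclyDialable(addrs []string, ipv6Confirmed bool) (bool, string) {
	for _, a := range addrs {
		info, err := parseMultiaddr(a)
		if err != nil || info.relayed || !info.ip.IsValid() || !isPublicIP(info.ip) {
			continue
		}
		if info.ip.Is6() && !info.ip.Is4In6() && !ipv6Confirmed {
			continue
		}
		return true, a
	}
	return false, ""
}

func main() {
	// Constructed sample: the issue's listen addresses plus one relayed address.
	addrs := []string{
		"/ip4/0.0.0.0/tcp/4071",
		"/ip6/::/udp/4071/quic-v1",
		"/ip4/0.0.0.0/tcp/4072/tls/sni/*.libp2p.direct/ws",
		"/ip4/203.0.113.7/tcp/4001/p2p/12D3KooWRELAYPLACEHOLDER/p2p-circuit",
	}
	ok, via := publiclyDialable(addrs, false)
	fmt.Printf("attempt registration: %v (via %q)\n", ok, via)
}
```

In the sample above the check returns false, which is exactly the state in which the logged "no public address found" error would otherwise be produced; once an observed address such as `/ip4/203.0.113.7/udp/4071/quic-v1` appears without `/p2p-circuit`, the check flips to true and the registration attempt becomes worth making.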