tgxworld
(Alan Tan)
January 1, 2019, 10:18pm
22
We still need the proxy until the old SiteSetting.favicon_url is removed. We’re currently deprecating it in the next release.
$ wget https://dungeon.gg/uploads/default/original/1X/ea21955a8a3d56191e5d88eb8df873de430f6cb5.png
--2019-01-02 06:15:32-- https://dungeon.gg/uploads/default/original/1X/ea21955a8a3d56191e5d88eb8df873de430f6cb5.png
Resolving dungeon.gg (dungeon.gg)... 35.199.105.252
Connecting to dungeon.gg (dungeon.gg)|35.199.105.252|:443... connected.
ERROR: cannot verify dungeon.gg's certificate, issued by ‘CN=COMODO RSA Domain Validation Secure Server CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB’:
Unable to locally verify the issuer's authority.
Not sure if it is just me but I can’t seem to curl or wget the upload. It works fine for me in the browser though.
2 Likes
If we only need it for a particular combination of a) weird browsers and b) weird configurations where the favicon URL is totally off-site then I say we pull it ASAP.
3 Likes
neemiasvf
(Neemias Freitas)
January 1, 2019, 11:48pm
24
Hey Alan!
Why does this happen? I’ve noticed that some browsers also accuse my website of not being secure because they cannot verify the certificate’s issuer. It’s a paid certificate and as you can see, it’s issued by COMODO, which is very well known.
tgxworld
(Alan Tan)
January 2, 2019, 12:20am
25
@sam will have more context since he added the proxy but I don’t think we can remove it since we want to allow favicons to be served via the CDN.
https://github.com/discourse/discourse/blob/0daaae1cf37c269de5306daca3996e02174534e4/app/controllers/static_controller.rb#L106-L111
For this particular problem, it is something odd about @neemiasvf ’s SSL setup:
$ openssl s_client -connect dungeon.gg:443
<truncated>
Verify return code: 21 (unable to verify the first certificate)
@neemiasvf How do you have your SSL configured? Are you on the docker based install?
2 Likes
neemiasvf
(Neemias Freitas)
January 2, 2019, 12:25am
26
I followed this tutorial: Advanced Setup Only: Allowing SSL / HTTPS for your Discourse Docker setup
Could you try this command again? It returned the following for me:
$ openssl s_client -connect dungeon.gg:443
CONNECTED(00000005)
depth=0 OU = Domain Control Validated, OU = PositiveSSL, CN = dungeon.gg
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 OU = Domain Control Validated, OU = PositiveSSL, CN = dungeon.gg
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
0 s:/OU=Domain Control Validated/OU=PositiveSSL/CN=dungeon.gg
i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
---
Server certificate
subject=/OU=Domain Control Validated/OU=PositiveSSL/CN=dungeon.gg
issuer=/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
---
No client certificate CA names sent
Server Temp Key: ECDH, P-384, 384 bits
---
SSL handshake has read 2666 bytes and written 358 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES128-GCM-SHA256
Session-ID: 6038753C9F271BE81C5D22DFF4935E5AFECCE16C9FB6EECAEF5B6EE0D37F8908
Session-ID-ctx:
Master-Key: 93CE5931402313B65E0CD9C74A34CD52AF1B152DC03F364B6A8009D434C1A958FDFC6BB0D297608E47B3A3722AD21E4E
Start Time: 1546388599
Timeout : 7200 (sec)
Verify return code: 21 (unable to verify the first certificate)
---
closed
tgxworld
(Alan Tan)
January 2, 2019, 12:27am
27
You’re getting the same output as I am
Can you try using the Let’s Encrypt setup instead?
1 Like
neemiasvf
(Neemias Freitas)
January 2, 2019, 12:31am
28
Yeah, sure! That’s just gonna take me some time. But I honestly thought it would be better to pay for one.
neemiasvf
(Neemias Freitas)
January 2, 2019, 1:18am
29
Done! Getting these returns now:
$ openssl s_client -connect dungeon.gg:443
CONNECTED(00000005)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = dungeon.gg
verify return:1
---
Certificate chain
0 s:/CN=dungeon.gg
i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---
Server certificate
subject=/CN=dungeon.gg
issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
---
No client certificate CA names sent
Server Temp Key: ECDH, P-384, 384 bits
---
SSL handshake has read 3587 bytes and written 358 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES128-GCM-SHA256
Session-ID: 1E8EF7041BFF50428535FEB1AC1C02AB3B4440C8AFA1ABEB33F82727040DCAC2
Session-ID-ctx:
Master-Key: E857604B095B3379B4D5A16FDE838910893F71E0B37A1C94D65FCA699B873330F199F145A8E269E1218EB913E8947B25
Start Time: 1546391748
Timeout : 7200 (sec)
Verify return code: 0 (ok)
---
closed
$ wget https://dungeon.gg/uploads/default/original/1X/ea21955a8a3d56191e5d88eb8df873de430f6cb5.png
--2019-01-01 23:17:39-- https://dungeon.gg/uploads/default/original/1X/ea21955a8a3d56191e5d88eb8df873de430f6cb5.png
Resolving dungeon.gg (dungeon.gg)... 35.199.105.252
Connecting to dungeon.gg (dungeon.gg)|35.199.105.252|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1730 (1.7K) [image/png]
Saving to: ‘ea21955a8a3d56191e5d88eb8df873de430f6cb5.png’
ea21955a8a3d56191e5d88eb8df873de43 100%[================================================================>] 1.69K --.-KB/s in 0s
2019-01-01 23:17:39 (71.7 MB/s) - ‘ea21955a8a3d56191e5d88eb8df873de430f6cb5.png’ saved [1730/1730]
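The two openssl outputs above differ in one thing: the first server sent only the leaf (chain entry 0), the second also sent the intermediate (entry 1). This added example (not code from the thread or from Discourse) rebuilds that situation with a constructed in-memory root/intermediate/leaf PKI so the two "Verify return code" outcomes can be reproduced offline; all names and serials are made up.

```ruby
require 'openssl'

# Toy PKI built in memory for this example (all names constructed):
# root CA -> intermediate CA -> leaf for dungeon.gg.
def make_cert(subject, issuer_cert, issuer_key, ca:, serial:)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2                      # X.509v3, needed for extensions
  cert.serial     = serial
  cert.subject    = OpenSSL::X509::Name.parse(subject)
  cert.issuer     = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.add_extension(ef.create_extension('keyUsage',
                     ca ? 'keyCertSign,cRLSign' : 'digitalSignature,keyEncipherment', true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))   # self-signed when no issuer
  [cert, key]
end

ROOT,  ROOT_KEY  = make_cert('/O=Example Trust Co/CN=Example Root CA', nil, nil, ca: true, serial: 1)
INTER, INTER_KEY = make_cert('/O=Example CA Ltd/CN=Example DV Issuing CA', ROOT, ROOT_KEY, ca: true, serial: 2)
LEAF,  _leaf_key = make_cert('/CN=dungeon.gg', INTER, INTER_KEY, ca: false, serial: 3)

# Verify the way a TLS client does: only the root is trusted locally, and any
# intermediate has to arrive in the chain the server sends during the handshake.
# Returns [ok, error_code, error_string], mirroring openssl's "Verify return code".
def verify_chain(leaf, sent_chain, trusted_root)
  store = OpenSSL::X509::Store.new
  store.add_cert(trusted_root)
  ctx = OpenSSL::X509::StoreContext.new(store, leaf, sent_chain)
  ok  = ctx.verify
  [ok, ctx.error, ctx.error_string]
end

if __FILE__ == $PROGRAM_NAME
  p verify_chain(LEAF, [],      ROOT)  # server sent only the leaf: fails, code 20
  p verify_chain(LEAF, [INTER], ROOT)  # server sent leaf + intermediate: ok, code 0
end
```

The first call fails with "unable to get local issuer certificate" exactly as in the PositiveSSL output; the browser only "worked" because it fetched the missing intermediate on its own, which wget and Discourse's server-side download do not do.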
sam
(Sam Saffron)
January 2, 2019, 1:20am
30
favicon proxy is actually an opposite problem, see:
It exists due to this feature:
The Show new / updated topic count on browser icon user setting (which is default off) that @chrishunt built back in the day uses canvas to render. The trouble is that canvas has some insane rules here… which I really do not understand.
HTML provides a crossorigin attribute for images that, in combination with an appropriate CORS header, allows images defined by the <img> element that are loaded from foreign origins to be used in a <canvas> as if they had been loaded from the current origin.
Basically if you want to render a foreign image in canvas you need to sacrifice 3 chickens. Because … reasons.
To avoid this we proxy the image locally.
So back on topic... the simplest thing to do here going forward is:
Strip this proxy route and logic
IF using new favicon scheme simply have the client use “on-site” upload url
IF using old scheme then break the feature (favicon notifications) till admins re-upload favicon. (or … maybe you migrate in a one-off)
2 Likes
neemiasvf
(Neemias Freitas)
January 2, 2019, 1:29am
31
Guess what?
When you disable Show new / updated topic count on browser icon in user preferences, the favicon loads with no problem.
@codinghorror , if you login back again at https://dungeon.gg and disable that option, you can see that it works fine.
It is indeed because of that feature, as @sam pointed out.
For now, I’ll be updating all of my users’ preferences so that they don’t have that problem. Meanwhile, you guys work on a solution for this.
Again, I’d like to offer help in solving this issue, IF you need it. I’m just now graduating in Computer Science and I really like Discourse and am very enthusiastic about it, so…
As for the certificate @tgxworld , here are the results, which are now waaaay better: SSL Server Test: dungeon.gg (Powered by Qualys SSL Labs)
tgxworld
(Alan Tan)
January 2, 2019, 1:54am
32
There wasn’t anything broken from what I can tell. Your site had SSL incorrectly configured somehow that was preventing us from downloading the image properly as part of the following logic:
file = FileHelper.download(
  UrlHelper.absolute(SiteSetting.site_favicon_url),
  max_file_size: 50.kilobytes,
  tmp_file_name: FAVICON,
  follow_redirect: true
)
I actually tried to download it manually which is how I noticed that SSL might not have been configured correctly.
neemiasvf
(Neemias Freitas)
January 2, 2019, 1:55am
33
I just now updated all of my users’ preferences by doing:
# A block passed to .all is ignored by ActiveRecord; iterate the records with find_each instead
UserOption.find_each do |uo|
  uo.set_defaults
  uo.save
end
That should solve the problem temporarily.
neemiasvf
(Neemias Freitas)
January 2, 2019, 1:57am
34
Yeah, but even after I changed the configuration to Let’s Encrypt, the problem persisted. The actual solution was changing the setting for Show new / updated topic count on browser icon to false.
sam
(Sam Saffron)
January 2, 2019, 2:00am
35
I am afraid this is impossible. You somehow have a setup where your server is unable to make HTTPS requests to itself.
Run:
./launcher enter app
rails c
FileHelper.download('https://dungeon.gg/uploads/default/original/1X/ea21955a8a3d56191e5d88eb8df873de430f6cb5.png')
You will notice that does not work cause somehow something is not configured right.
My first recommendation would be to do ./launcher rebuild app, next up I would recommend looking at your Docker DNS settings, maybe somehow DNS is not resolving from when you are inside the container.
1 Like
neemiasvf
(Neemias Freitas)
January 2, 2019, 2:05am
36
Right.
By running this:
FileHelper.download('https://dungeon.gg/uploads/default/original/1X/ea21955a8a3d56191e5d88eb8df873de430f6cb5.png')
I got:
ArgumentError: missing keywords: max_file_size, tmp_file_name
from /var/www/discourse/lib/file_helper.rb:22:in `download'
So I went ahead and ran:
FileHelper.download('https://dungeon.gg/uploads/default/original/1X/ea21955a8a3d56191e5d88eb8df873de430f6cb5.png', max_file_size: 99999, tmp_file_name: 'test')
And I got:
=> #<File:/tmp/test20190102-5149-67ou.png>
sam
(Sam Saffron)
January 2, 2019, 2:05am
37
And since our source is going to be on S3 if S3 uploads are enabled, there is nothing we can do.
tgxworld
(Alan Tan)
January 2, 2019, 2:06am
38
That is because the favicon is cached for 30 minutes.
1 Like
neemiasvf
(Neemias Freitas)
January 2, 2019, 2:07am
39
I see. Anyways, it’s already solved due to changing users’ preferences.
tgxworld
(Alan Tan)
January 2, 2019, 2:10am
40
The problem has already been solved by switching to Let’s Encrypt for your SSL needs. You just have to wait 30 mins till the cache is cleared.
4 Likes
neemiasvf
(Neemias Freitas)
January 2, 2019, 2:12am
41
Alright. I’ll wait a bit more and change the setting back again. If it works, I’ll give you a haha