Favicon is failing to load for logged-in users

tgxworld · January 1, 2019, 10:18pm

We still need the proxy for until the old SiteSetting.favicon_url is removed. We’re currently deprecating it in the next release.

$ wget https://dungeon.gg/uploads/default/original/1X/ea21955a8a3d56191e5d88eb8df873de430f6cb5.png
--2019-01-02 06:15:32--  https://dungeon.gg/uploads/default/original/1X/ea21955a8a3d56191e5d88eb8df873de430f6cb5.png
Resolving dungeon.gg (dungeon.gg)... 35.199.105.252
Connecting to dungeon.gg (dungeon.gg)|35.199.105.252|:443... connected.
ERROR: cannot verify dungeon.gg's certificate, issued by ‘CN=COMODO RSA Domain Validation Secure Server CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB’:
  Unable to locally verify the issuer's authority.

Not sure if it is just me but I can’t seem curl or wget the upload. It works fine for me in the browser though.

codinghorror · January 1, 2019, 11:38pm

If we only need it for a particular combination of a) weird browsers and b) weird configurations where the favicon URL is totally off-site then I say we pull it ASAP.

neemiasvf · January 1, 2019, 11:48pm

Hey Alan!

Why does this happen? I’ve noticed that some browsers also accuse my website of not being secure because they cannot verify the certificate’s issuer. It’s a paid certificate and as you can see, it’s issued by COMODO, which is very well known.

tgxworld · January 2, 2019, 12:20am

@sam will have more context since he added the proxy but I don’t think we can remove it since we want to allow favicons to be served via the CDN.

https://github.com/discourse/discourse/blob/0daaae1cf37c269de5306daca3996e02174534e4/app/controllers/static_controller.rb#L106-L111

For this particular problem, it is something odd about @neemiasvf’s SSL setup:

$ openssl s_client -connect dungeon.gg:443 
<truncated>
Verify return code: 21 (unable to verify the first certificate)

@neemiasvf How do you have your SSL configured? Are you on the docker based install?

neemiasvf · January 2, 2019, 12:25am

I followed this tutorial: Advanced Setup Only: Allowing SSL / HTTPS for your Discourse Docker setup

Could you try this command again? It returned the following for me:

Summary

$ openssl s_client -connect dungeon.gg:443
CONNECTED(00000005)
depth=0 OU = Domain Control Validated, OU = PositiveSSL, CN = dungeon.gg
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 OU = Domain Control Validated, OU = PositiveSSL, CN = dungeon.gg
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/OU=Domain Control Validated/OU=PositiveSSL/CN=dungeon.gg
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIHSzCCBjOgAwIBAgIQOsbI6HKtCalptsvvPrwnbjANBgkqhkiG9w0BAQsFADCB
kDELMAkGA1UEBhMCR0IxGzAZBgNVBAgTEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4G
A1UEBxMHU2FsZm9yZDEaMBgGA1UEChMRQ09NT0RPIENBIExpbWl0ZWQxNjA0BgNV
BAMTLUNPTU9ETyBSU0EgRG9tYWluIFZhbGlkYXRpb24gU2VjdXJlIFNlcnZlciBD
QTAeFw0xODExMDIwMDAwMDBaFw0xOTA4MTEyMzU5NTlaME4xITAfBgNVBAsTGERv
bWFpbiBDb250cm9sIFZhbGlkYXRlZDEUMBIGA1UECxMLUG9zaXRpdmVTU0wxEzAR
BgNVBAMTCmR1bmdlb24uZ2cwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoIC
AQC7I4YQQco3PGOjnBxpkKywvYuNVm7nbJ+7cgp+JH702Sm+N8tzEcYGKh/JOle6
NRkQIW1I9Tb1Yx4dGMYRwUyi8F3D1D2bYQzytzF46IkwApcB8fRW1/mZh2Ys5tnF
jwLPwK2RJNGzgR/rE0iqLPH4SvG5WhSsYqOCXGf5u9W0PIcoRZJWNwp7sotHjF2D
JMT5bJJJRQLEGADh+6N6hIsKiIcHeQB6VqQPjy4f5+kyj5zVI+epaDqkmDdmzF80
QSFT7rLfgNfS4AayUi53ME5Z/NKLdHwLjbNFAUGSjicQ69ExEEXpFb+O8/9yXajK
BwQpArghFGFZlAR/rMu9LBDaxlZ4Wh+B3EP4iXt4kxCYu/m9e82rEFV1oKc1OhLr
uISf2Zq9TpkEVXLhfeetX9irHWxb9KYxkuQKsNzXolI3SHKBx3q0vcPBltYTUyEa
yLAXmrT3PiPJizbPTZivr0TUXk+zLflaC+nyjEJyNMgKDDF1cCxjy95yYcGvfLJk
HW8/GvpJ/M9Rz+BCR2G0PJm6ARsYTakUPNdBABMJXLO1VRmJ8USh3HFfQqlMRen0
1XmwmyYgEPy5CogP1VQ3/JQ2j/Acz4CdYZX61nmqoLn3QhByDfFU89C98N566Jwh
3Ed5fymWKsxpxiLYEtYnPH++rHT4epdN1kpBVzHvjYxgUwIDAQABo4IC4DCCAtww
HwYDVR0jBBgwFoAUkK9qOpRaC9iQ6hJWc99DtDoo2ucwHQYDVR0OBBYEFHt0yzT4
NnIfHY3mLUhadPtt7AV8MA4GA1UdDwEB/wQEAwIFoDAMBgNVHRMBAf8EAjAAMB0G
A1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjBPBgNVHSAESDBGMDoGCysGAQQB
sjEBAgIHMCswKQYIKwYBBQUHAgEWHWh0dHBzOi8vc2VjdXJlLmNvbW9kby5jb20v
Q1BTMAgGBmeBDAECATBUBgNVHR8ETTBLMEmgR6BFhkNodHRwOi8vY3JsLmNvbW9k
b2NhLmNvbS9DT01PRE9SU0FEb21haW5WYWxpZGF0aW9uU2VjdXJlU2VydmVyQ0Eu
Y3JsMIGFBggrBgEFBQcBAQR5MHcwTwYIKwYBBQUHMAKGQ2h0dHA6Ly9jcnQuY29t
b2RvY2EuY29tL0NPTU9ET1JTQURvbWFpblZhbGlkYXRpb25TZWN1cmVTZXJ2ZXJD
QS5jcnQwJAYIKwYBBQUHMAGGGGh0dHA6Ly9vY3NwLmNvbW9kb2NhLmNvbTAlBgNV
HREEHjAcggpkdW5nZW9uLmdngg53d3cuZHVuZ2Vvbi5nZzCCAQUGCisGAQQB1nkC
BAIEgfYEgfMA8QB2AO5Lvbd1zmC64UJpH6vhnmajD35fsHLYgwDEe4l6qP3LAAAB
ZtXShR0AAAQDAEcwRQIgUpbi64pTttzMStIH1Wa/N2ITGU+w246ykhLeraz9cvsC
IQCK5UIPxmWQ5uoCoYsATS3EuMgrLYF1ii9a9peK6XP0AQB3AHR+2oMxrTMQkSGc
ziVPQnDCv/1eQiAIxjc1eeYQe8xWAAABZtXShZUAAAQDAEgwRgIhANnVxzXg9El3
E9lDysgGU0cq6WhNEaT02aE2OeWxt0vJAiEAnBCG0aoHJpMtrwgxrO9HkWGTWLBC
iKC5LUqUjmt5yYEwDQYJKoZIhvcNAQELBQADggEBAAt0eDE98avSrz6Ef1BZccTI
pGQ7UvcdwTlKfWtFI4z7SxsKUvihpYD2bBLE7NyfWFxkNykmBQiR4ptaEe7OT/Ju
c1LvFPpx7tsEz2LlBGv9L1EK8HWTpCIotMtmmsZpArJh/KNA4yPMh2FEimq7vPhs
UjfFRKQ4qo7Sb0dF0uQpNc6VjxGNbtNjk/GZ6Efwv920wdjiYU1N2Hnj4hK/e4D5
BcibsEOu3uDWwa+KuV1/U/03SNGjLTsgPdVC7CaGeXOMSanFtXOF0KDZanMLVZnU
CcjhaS4Vn8BYGB47ppiEB0eDzyqNdfxqMiaB9JDDG4hePqmfQVorQBvN7fFF7ys=
-----END CERTIFICATE-----
subject=/OU=Domain Control Validated/OU=PositiveSSL/CN=dungeon.gg
issuer=/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
---
No client certificate CA names sent
Server Temp Key: ECDH, P-384, 384 bits
---
SSL handshake has read 2666 bytes and written 358 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: 6038753C9F271BE81C5D22DFF4935E5AFECCE16C9FB6EECAEF5B6EE0D37F8908
    Session-ID-ctx: 
    Master-Key: 93CE5931402313B65E0CD9C74A34CD52AF1B152DC03F364B6A8009D434C1A958FDFC6BB0D297608E47B3A3722AD21E4E
    Start Time: 1546388599
    Timeout   : 7200 (sec)
    Verify return code: 21 (unable to verify the first certificate)
---
closed

tgxworld · January 2, 2019, 12:27am

You’re getting the same output as I am

Screenshot%20from%202019-01-02%2008-25-42

Can you try using the Let’s Encrypt setup instead?

neemiasvf · January 2, 2019, 12:31am

Yeah, sure! That’s just gonna take me some time. But I honestly thought it would be better to pay for one.

neemiasvf · January 2, 2019, 1:18am

Done! Getting these returns now:

$ openssl s_client -connect dungeon.gg:443

CONNECTED(00000005)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = dungeon.gg
verify return:1
---
Certificate chain
 0 s:/CN=dungeon.gg
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIGSzCCBTOgAwIBAgISA9pHO99tl6BBZGjn5r2K1wPgMA0GCSqGSIb3DQEBCwUA
MEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD
ExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMzAeFw0xOTAxMDIwMDA4MTdaFw0x
OTA0MDIwMDA4MTdaMBUxEzARBgNVBAMTCmR1bmdlb24uZ2cwggIiMA0GCSqGSIb3
DQEBAQUAA4ICDwAwggIKAoICAQChpnWnqhEcBVX82IDSvg/5FuxYBch+Mo2Mc8gj
dNJVHlWqGLcs7ecj5/544x50wZfSIMPTR3nHfFlpmwCpfwTrJ5IFD/FMzeXasCJE
4ZsaCjz9BtyChK1MaLtr5O58SrdfzbWltTADV7CTF7zxhvEoL6SRL3YujbknrY/R
yUzbHWSte4fLGk1MBDLxEuh0Ee82ds0i4R2kLku/WdyAOUlcMdWwyDD6OT4SibK3
mbohUVpP3GJCVP/+Qf+F0L8EhvdjRjUppRWqZOz7oeqroytWw0EOdTRN21/vRSlK
ZjF3uw4py/CbQa3Ok+TrELW6qIMleKwYvFpSe11oKHtOJCLxN0yyEACN5b2CiK/a
RI3ziQorYnZyLPBKhjXmbK5MaS5BXgSnJw3herpDOnWWw97eGKxS76N9CkCBBFTV
A+jztwl5wkJvA4fu0s9pOXkfR/SCphMPPuuUGYMSTRmYjxxbEEBPavfPF3yH/6wG
8A4kkAr0qIiwarJewIMzxtCrJ0AH4A141WXBPzuvPTOKyZhnaR/8jNS3yl/14og9
PuUGBmvYd8HcoEtbdFC2wRLMOvmn5OCCPEaYJj1gvv7C2nk+jQNygek1xMzGcVCk
+UmmXGO6thrxTCHGZWg4f/vWHKoNeXT31GW2ebQtGHa2RuMsYuMCb4sEa1AGDxOR
a1wRlQIDAQABo4ICXjCCAlowDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsG
AQUFBwMBBggrBgEFBQcDAjAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBRs1udBQKZs
/BgHMTj7vZF1bhQ4LDAfBgNVHSMEGDAWgBSoSmpjBH3duubRObemRWXv86jsoTBv
BggrBgEFBQcBAQRjMGEwLgYIKwYBBQUHMAGGImh0dHA6Ly9vY3NwLmludC14My5s
ZXRzZW5jcnlwdC5vcmcwLwYIKwYBBQUHMAKGI2h0dHA6Ly9jZXJ0LmludC14My5s
ZXRzZW5jcnlwdC5vcmcvMBUGA1UdEQQOMAyCCmR1bmdlb24uZ2cwTAYDVR0gBEUw
QzAIBgZngQwBAgEwNwYLKwYBBAGC3xMBAQEwKDAmBggrBgEFBQcCARYaaHR0cDov
L2Nwcy5sZXRzZW5jcnlwdC5vcmcwggEDBgorBgEEAdZ5AgQCBIH0BIHxAO8AdQDi
aUuuJujpQAnohhu2O4PUPuf+dIj7pI8okwGd3fHb/gAAAWgMGp/DAAAEAwBGMEQC
IBgQgxGzqyhdWrbjk1IP0MzFAyFxxcOl9U/nE/L8m1hcAiAasrGy1K93nW3I5GjN
UP0wozbQ8MYo9mXnb0I4CTS2VAB2ACk8UZZUyDlluqpQ/FgH1Ldvv1h6KXLcpMMM
9OVFR/R4AAABaAwandEAAAQDAEcwRQIhAMRRCh/NqqjeVTjF9okWV5jo5jkXrgfw
F+XxmKSQbHSBAiA0HCPx7SgcBrQXcyMrvxovGp3/XCwUYwcRsagiY63+XDANBgkq
hkiG9w0BAQsFAAOCAQEAQK0B79dQbTMe40oXNfMZPl3eYTosZDTUNtofXBaHwNHg
z7g1hkYuO8BDCR7UVZ8hKmf/1PLn2EQFrPkMrM9e3k8a5sX9LuTa1xaZr1w4BMIi
Ke4pjS9MD29BYaeEjFzB1yjtqTwBIYRFb+tV9TjdGi77DKc+T0GAZCl37ULGxvtP
qw6VVJcDYBTcgd8DVyl/B+nerv+LWCpCItA0e+fhpqQ9NTZS+HNsv/C15xqc0Ayk
tYEK3IFt83x+9NFv+bMCufA3N+a2pHJ2Dg1tTQPqK/L2jebk01jj21gCaayYBhzX
nEoQPOVviCM7pQOgJHy0gMu4PEPSbosx2ftd/MBtnw==
-----END CERTIFICATE-----
subject=/CN=dungeon.gg
issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
---
No client certificate CA names sent
Server Temp Key: ECDH, P-384, 384 bits
---
SSL handshake has read 3587 bytes and written 358 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: 1E8EF7041BFF50428535FEB1AC1C02AB3B4440C8AFA1ABEB33F82727040DCAC2
    Session-ID-ctx: 
    Master-Key: E857604B095B3379B4D5A16FDE838910893F71E0B37A1C94D65FCA699B873330F199F145A8E269E1218EB913E8947B25
    Start Time: 1546391748
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
---
closed

$ wget https://dungeon.gg/uploads/default/original/1X/ea21955a8a3d56191e5d88eb8df873de430f6cb5.png

--2019-01-01 23:17:39--  https://dungeon.gg/uploads/default/original/1X/ea21955a8a3d56191e5d88eb8df873de430f6cb5.png
Resolving dungeon.gg (dungeon.gg)... 35.199.105.252
Connecting to dungeon.gg (dungeon.gg)|35.199.105.252|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1730 (1.7K) [image/png]
Saving to: ‘ea21955a8a3d56191e5d88eb8df873de430f6cb5.png’

ea21955a8a3d56191e5d88eb8df873de43 100%[================================================================>]   1.69K  --.-KB/s    in 0s      

2019-01-01 23:17:39 (71.7 MB/s) - ‘ea21955a8a3d56191e5d88eb8df873de430f6cb5.png’ saved [1730/1730]

sam · January 2, 2019, 1:20am

favicon proxy is actually an opposite problem, see:

github.com

discourse/discourse/blob/a19170a4c2c37bb6f6ae9531fe4f925777f3e8d5/app/assets/javascripts/discourse.js.es6#L64-L70


      
          if (Discourse.User.currentProp("dynamic_favicon")) {
            let url = Discourse.SiteSettings.site_favicon_url;
            if (/^http/.test(url)) {
              url = Discourse.getURL("/favicon/proxied?" + encodeURIComponent(url));
            }
            new window.Favcount(url).set(this.get("notifyCount"));
          }

It exists due to this feature:

The Show new / updated topic count on browser icon user setting (which is default off) that @chrishunt built back in the day uses canvas to render. The trouble is that canvas has some insane rules here… which I really do not understand.

Basically if you want to render a foreign image in canvas you need to sacrifice a 3 chickens. Because … reasons.

To avoid this we proxy the image locally.

So back on topic... the simplest thing to do here going forward is:

~~Strip this proxy route and logic~~

~~IF using new favicon scheme simply have the client use “on-site” upload url~~

~~IF using old scheme then break the feature (favicon notifications) till admins re-upload favicon. (or … maybe you migrate in a onceoff)~~

neemiasvf · January 2, 2019, 1:29am

Guess what?

When you disable Show new / updated topic count on browser icon in user preferences, the favicon loads with no problem.

@codinghorror, if you login back again at https://dungeon.gg and disable that option, you can see that it works fine.

It is indeed because of that feature, as @sam pointed out.

For now, I’ll be updating all of my users preferences so that they don’t have that problem. Meanwhile, you guys work on a solution for this.

Again, I’d like to offer help in solving this issue, IF you need it. I’m just now graduating in Computer Science and I really like Discourse and am very enthusiastic about it, so…

As for the certificate @tgxworld, here are the results, which are now waaaay better: SSL Server Test: dungeon.gg (Powered by Qualys SSL Labs)

tgxworld · January 2, 2019, 1:54am

There wasn’t anything broken from what I can tell. Your site had SSL incorrectly configured somehow that was preventing us from downloading the image properly as part of the following logic:

github.com

discourse/discourse/blob/9e508132523313ef9adf6b55830b4c926c0c4fdd/app/controllers/static_controller.rb#L118-L123


      
          file = FileHelper.download(
            UrlHelper.absolute(SiteSetting.site_favicon_url),
            max_file_size: 50.kilobytes,
            tmp_file_name: FAVICON,
            follow_redirect: true
          )

I actually tried to download it manually which is how I noticed that SSL might not have been configured correctly.

neemiasvf · January 2, 2019, 1:55am

I just now updated all of my user’s preferences by doing:

UserOption.all do |uo|
  uo.set_defaults
  uo.save
end

That should solve the problem temporarily.

neemiasvf · January 2, 2019, 1:57am

Yeah, but even after I changed the configuration to Let’s Encrypt, the problem persisted. The actual solution was changing the setting for Show new / updated topic count on browser icon to false.

sam · January 2, 2019, 2:00am

I am afraid this is impossible. You somehow have a setup where your server is unable to make HTTPS requests to itself.

Run:

./launcher enter app
rails c
FileHelper.download('https://dungeon.gg/uploads/default/original/1X/ea21955a8a3d56191e5d88eb8df873de430f6cb5.png')

You will notice that does not work cause somehow something is not configured right.

My first recommendation would to do ./launcher rebuild app, next up I would recommend looking at your Docker DNS settings, maybe somehow DNS is not resolving from when you are inside the container.

neemiasvf · January 2, 2019, 2:05am

Right.

By running this:

FileHelper.download('https://dungeon.gg/uploads/default/original/1X/ea21955a8a3d56191e5d88eb8df873de430f6cb5.png')

I got:

ArgumentError: missing keywords: max_file_size, tmp_file_name
from /var/www/discourse/lib/file_helper.rb:22:in `download'

So I went ahead and ran:

FileHelper.download('https://dungeon.gg/uploads/default/original/1X/ea21955a8a3d56191e5d88eb8df873de430f6cb5.png', max_file_size: 99999, tmp_file_name: 'test')

And I got:

=> #<File:/tmp/test20190102-5149-67ou.png>

sam · January 2, 2019, 2:05am

And since our source is going to be on S3 if S3 uploads are enabled, there is nothing we can do.

tgxworld · January 2, 2019, 2:06am

That is because the favicon is cached for 30 minutes.

neemiasvf · January 2, 2019, 2:07am

I see. Anyways, it’s already solved due to changing user’s preferences.

tgxworld · January 2, 2019, 2:10am

The problem has already been solved by switching to Let’s Encrypt for your SSL needs. You just have to wait 30 mins till the cache is cleared.

neemiasvf · January 2, 2019, 2:12am

Alright. I’ll wait a bit more and change the setting back again. If it works, I’ll give you a haha

Topic		Replies	Views
Firefox experiences Network Protocol Violation on Discourse based Websites Support	75	11304	October 29, 2018
Avatar, Site Logos, and Cert Errors Installation unsupported-install	61	3619	May 25, 2020
Our discourse Images are not lightboxed Support	34	3528	July 28, 2020
Setup wizard emoji wrong in subfolder install Bug subfolder	39	3057	July 25, 2018
Run other websites on the same machine as Discourse Self-Hosting how-to , advanced-setup	64	129688	October 7, 2024

Favicon is failing to load for logged-in users

Related topics