Unable to clear redirect from force_ssl #40

Closed
concertiv opened this issue Feb 23, 2017 · 10 comments

@concertiv

Per the README, I've got config.middleware.insert_before ActionDispatch::SSL, Letsencrypt::Middleware in config/application.rb. Indeed, running heroku run rake middleware shows:

...
use Letsencrypt::Middleware
use ActionDispatch::SSL
...

But, heroku run rake letsencrypt:renew results in:

Testing filename works (to bring up app)...rake aborted!
redirection forbidden

This is on ruby 2.3.1, Rails 4.2.6.

Have I missed something?

@jalada
Collaborator

jalada commented Feb 23, 2017

Hi @kbbpartners. Maybe something is redirecting ahead of your Heroku app; what's your DNS setup?

@concertiv
Author

concertiv commented Feb 23, 2017

Edited for brevity. The salient points have been left for future reference.

I tried turning off force_ssl and using config.middleware.use Letsencrypt::Middleware in config/environments/production.rb.

This time, it failed with Letsencrypt::Error::ChallengeUrlError.

Note that the challenge set on Heroku in this case was Im754AYPH3ec3Q2Jr3TH8Gv6uJEiH-fGmz3dkP9gxe0.

2017-02-23T15:42:24.950593+00:00 app[web.1]: Started GET "/.well-known/acme-challenge/Im754AYPH3ec3Q2Jr3TH8Gv6uJEiH-fGmz3dkP9gxe0" for <redacted> at 2017-02-23 15:42:24 +0000
2017-02-23T15:42:24.952031+00:00 app[web.1]: Seeking challenge at /.well-known/acme-challenge/zhBMYnMQAmM4Av8ZHe7ciyYR4kw-iZn7T_X8uIqottQ
2017-02-23T15:42:24.952088+00:00 app[web.1]: env['PATH_INFO'] /.well-known/acme-challenge/Im754AYPH3ec3Q2Jr3TH8Gv6uJEiH-fGmz3dkP9gxe0
2017-02-23T15:42:24.952133+00:00 app[web.1]: Letsencrypt.challenge_configured? zhBMYnMQAmM4Av8ZHe7ciyYR4kw-iZn7T_X8uIqottQ.XM4fq5V5gS2MPsr3ImLhU34D4ALv_JWYXPtfBTK-4tw

So now I'm wondering why is Letsencrypt.configuration.acme_challenge_filename set to zhBMYnMQAmM4Av8ZHe7ciyYR4kw-iZn7T_X8uIqottQ?

@concertiv
Author

I'm going to close this issue, although we were unable to resolve this issue. In the end, here is where we left it:

  • The redirection was the result of a mismatch of the Letsencrypt.configuration.acme_challenge_filename and the current path at env['PATH_INFO']. Since this match was failing, the middleware called @app.call(env), which triggered the redirection downstream.
  • We were never able to understand how the middleware should be aware of the current value of the Heroku environment variables ACME_CHALLENGE_FILENAME and ACME_CHALLENGE_FILE_CONTENT. The rake task updates the Heroku variables mid-stream, but the Letsencrypt.configuration values remained as they were at the time of initialization of the middleware. As a result, they never matched. We weren't able to find a satisfactory way to pass the updated values back to the middleware.
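
The failure mode described in the comment above, reduced to a stand-alone sketch (an added example, not code from this thread or from the gem). The class names and the `settings` Hash are hypothetical; the Hash stands in for wherever ACME_CHALLENGE_FILENAME and ACME_CHALLENGE_FILE_CONTENT are read from, and the lambda stands in for the force_ssl redirect.

```ruby
# Added illustration; class names are hypothetical, not the gem's code.
CHALLENGE_PREFIX = '/.well-known/acme-challenge/'.freeze

# Stand-in for the downstream force_ssl redirect: every HTTP request gets a 301.
FORCE_SSL_APP = lambda do |env|
  [301, { 'Location' => "https://#{env['HTTP_HOST']}#{env['PATH_INFO']}" }, []]
end

# Copies the challenge values once, when the middleware is built (process boot).
class SnapshotChallengeMiddleware
  def initialize(app, settings)
    @app = app
    @filename = settings['ACME_CHALLENGE_FILENAME']
    @content  = settings['ACME_CHALLENGE_FILE_CONTENT']
  end

  def call(env)
    if @filename && env['PATH_INFO'] == CHALLENGE_PREFIX + @filename
      return [200, { 'Content-Type' => 'text/plain' }, [@content]]
    end
    @app.call(env) # mismatch: falls through to the redirecting app
  end
end

# Looks the challenge values up on every request, so a rotation is seen at once.
class LiveChallengeMiddleware
  def initialize(app, settings)
    @app = app
    @settings = settings
  end

  def call(env)
    filename = @settings['ACME_CHALLENGE_FILENAME']
    if filename && env['PATH_INFO'] == CHALLENGE_PREFIX + filename
      return [200, { 'Content-Type' => 'text/plain' }, [@settings['ACME_CHALLENGE_FILE_CONTENT']]]
    end
    @app.call(env)
  end
end

# Boot with an old challenge, rotate it, then request the new token (constructed values).
def status_after_rotation(middleware_class)
  settings = { 'ACME_CHALLENGE_FILENAME' => 'old-token',
               'ACME_CHALLENGE_FILE_CONTENT' => 'old-token.thumbprint' }
  stack = middleware_class.new(FORCE_SSL_APP, settings)
  settings['ACME_CHALLENGE_FILENAME'] = 'new-token'
  settings['ACME_CHALLENGE_FILE_CONTENT'] = 'new-token.thumbprint'
  env = { 'HTTP_HOST' => 'example.test', 'PATH_INFO' => CHALLENGE_PREFIX + 'new-token' }
  stack.call(env).first
end
```

`status_after_rotation(SnapshotChallengeMiddleware)` returns the 301 from the downstream app, while `status_after_rotation(LiveChallengeMiddleware)` returns 200 with the challenge body.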

@jalada
Collaborator

jalada commented Feb 28, 2017

I'm unsure why there is a mismatch between your ACME_CHALLENGE_FILENAME variable and the request from LetsEncrypt. Could it be that it is a previous value from a previous run of the rake task?

The middleware is aware of the current variables because they've been updated by the Heroku task. Assuming you are updating the environment variables for the correct app (the one responding to web requests), the app will restart when the variables are changed via the API and will have the new values.

Is there something about your Heroku configuration that means this restart doesn't happen in the normal manner?

@jalada
Collaborator

jalada commented Feb 28, 2017

@kbbpartners I've had an idea that may help fix this, and I'm tracking it with issue #41, I'll try and get a fix out for you to retry.

@jalada
Collaborator

jalada commented Feb 28, 2017

@kbbpartners please can you try v1.1.1.

jalada reopened this Feb 28, 2017

@concertiv
Author

Thanks! I'll have a look ASAP.

@jalada
Collaborator

jalada commented Feb 28, 2017

Hey @kbbpartners, I noticed a bug with my fix. If you haven't already, don't bother trying 1.1.1, and just try v1.1.3 :)

@concertiv
Author

No problem—we hit a LetsEncrypt rate limit during our efforts to correct this, so we're in a holding pattern for a few days anyway.

@concertiv
Author

OK—I can confirm that this worked.

However, I noticed one minor issue. We have two Custom Domains and then the standard-issue Heroku Domain. We only need certificates for the Custom Domains, so the third certificate (for the Heroku Domain) is superfluous for us—we never use that subdomain.

I'm guessing this is probably related to #44

Anyway, thank you!
