
Handling sites without DNS #98

Open
ghost opened this issue Nov 27, 2019 · 8 comments
Labels
enhancement New feature or request

Comments

ghost commented Nov 27, 2019

It would be good to change how lets proxy handles sites it cannot generate a cert for.

In my current use case, I have set it up on a server and am testing sites without valid DNS.
In Firefox it currently returns an "SSL_ERROR_INTERNAL_ERROR_ALERT" error code.

If it instead returned a self-signed cert or a cert for a different domain (the hostname perhaps) I would be able to accept this error as OK in my browser and continue.

rekby (Owner) commented Nov 28, 2019

Hello.

lets-proxy has .lock certificates now.
You can save any certificate as domain.com.rsa.cer (certificate chain) + domain.com.rsa.key (private key) + domain.com.lock (flag file: only its existence is checked, the content may be anything, empty or not).

In this case lets-proxy will handle requests to domain.com with the domain.com.rsa.cer certificate without checking its domain (the cert may be for any domain), expiry date, etc.

Is it usable for you?

@rekby rekby added enhancement New feature or request wontfix This will not be worked on labels Nov 30, 2019
@rekby rekby closed this as completed Nov 30, 2019
ghost (Author) commented Dec 2, 2019

Sorry for the slow reply!
Yes, your workaround does work; however, I felt one of the main points of this tool is that you could set it up without knowing what domains you are going to serve. Manually creating certificates for each domain gets in the way of this.

I agree that this is an enhancement, but it is one that I would like to see.

@rekby rekby removed the wontfix This will not be worked on label Dec 2, 2019
@rekby rekby reopened this Dec 2, 2019
rekby (Owner) commented Dec 2, 2019

It can be an optional feature.

Can you describe your scenario, so it can be supported better?

ghost (Author) commented Dec 2, 2019

I have an application where any user can sign up and create their own shop. The application is hosted on a single server and from a single set of site files. The shop is then chosen depending on the domain name (similar to WordPress multi-sites). Users are welcome to use their own existing domain and point it at the server. We have no way of knowing what the domain will be and so can't do any manual set up for it.
As you can see, Lets-proxy is the perfect SSL solution.

However, I am building a new replacement server with no live DNS records and found that I cannot test this setup, because lets-proxy doesn't proxy when it cannot generate an SSL cert.

rekby (Owner) commented Jul 3, 2020

Lets-proxy must proxy and handle domains with an existing certificate (you can copy the storage folder from the previous server).

But it can't issue a cert without a good DNS record, by Let's Encrypt design (lets-proxy doesn't support DNS verification).

ghost (Author) commented Jul 3, 2020

I completely agree that we can't issue valid SSL certs without DNS setup.

The issue is around how Lets Proxy handles sites it can't verify, for example in a staging/dev environment without any DNS set up.
We would still want Lets Proxy installed so that the hosting stack is identical to production.

When I last tested this, Lets Proxy didn't return anything, creating an impassable SSL error.
I suggest that we instead return a standard "snake oil" SSL cert. Then browsers will error ("This SSL cert doesn't match"), but this error gives you the option of continuing anyway (for example https://wrong.host.badssl.com/).

In other words a fallback SSL certificate to use when nothing else matches.

rekby (Owner) commented Jul 3, 2020

Is it OK if, for your test env, you create some certificate yourself, and all queries are then served with that certificate (independent of domain name)?

ghost (Author) commented Jul 6, 2020

I'm happy to provide a certificate (either self-signed or valid for another domain) and for any domain to end up there, assuming that 1. lets-proxy can't generate a cert for it and 2. there isn't a .lock certificate for it.
