acme/autocert: no supported challenge type found #210

Closed
hn0pw opened this issue Apr 6, 2018 · 14 comments

hn0pw commented Apr 6, 2018

Hi
I'm getting the following error for auto cert, after a fresh setup on a new server:
acme/autocert: no supported challenge type found

Settings are:

    "ssl_autocert": true,
    "ssl_autocert_host_whitelist": "host1,host2",
    "ssl_autocert_cache_dir": "/opt/certs/",
    "ssl_autocert_email": "email",
    "ssl_autocert_force_rsa": true,
    "ssl_autocert_server_name": "host1",

Maybe something has changed in the acme library?

Member

FZambia commented Apr 6, 2018

@ramon-ga hello!

Maybe related to this - though I can't say exactly at the moment.

Did your setup change in some way from what you had before? Maybe extra proxy providers before your service?

Author

hn0pw commented Apr 6, 2018

Hi @FZambia
It's quite possible this is related to that issue.
I briefly read it, and I think they released an update for crypto/acme
golang/go#21890 (comment)

Is it possible for you to check whether the dependency is up to date?
Otherwise I'll find time next week to build it and test it...

The setup is as before on the old server, and there's no proxy in front.

Member

FZambia commented Apr 7, 2018

Yes, I'll update the dependency. It looks like this also requires an HTTP handler that works on port 80 to be registered in the server, one that only solves the task of ACME http_01 challenges.

Member

FZambia commented Apr 8, 2018

@ramon-ga I added a new boolean option ssl_autocert_http in 4920a8f - could you try Centrifugo from the master branch on your host? You can try without enabling that option first - maybe updating the acme library is enough. Otherwise that option will turn on handling of http_01 challenges on port 80.

Author

hn0pw commented Apr 9, 2018

@FZambia thanks for your effort on this! I tried it, see below.

With ssl_autocert_http:false:

    [I]: 2018/04/09 07:21:01 Start serving raw websocket, SockJS, API, admin, web endpoints on :443
    [I]: 2018/04/09 07:21:25 http: TLS handshake error from 212.51.141.47:53095: acme/autocert: unable to authorize "****.****.**"; tried ["tls-sni-02" "tls-sni-01"]
    [I]: 2018/04/09 07:21:26 http: TLS handshake error from 212.51.141.47:53096: acme/autocert: missing certificate

With ssl_autocert_http:true it's working fine.

Points to consider:

  • It should be written in the log that it listens on port 80 too
  • Maybe in that case, the admin panel should not be accessible on port 80
  • For me it's nice that the service is available on ports 443 and 80, but not for everyone?

Member

FZambia commented Apr 9, 2018

ok, fine 👍

> It should be written in the log that it listens on port 80 too

Agree, will add it.

> Maybe in that case, the admin panel should not be accessible on port 80

Could you write more about the admin panel? As far as I understand, it must work on the main port, which is 443 in this case, and not on port 80 - or am I wrong?

> For me it's nice that the service is available on ports 443 and 80, but not for everyone

This is turned on only if ssl_autocert_http is turned on, and it only serves ACME challenges on that port, redirecting all other plain HTTP requests to HTTPS. What's your suggestion here?
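
The port-80 behaviour described in the comment above, sketched as an added example (not Centrifugo's code and not part of the thread): a standard-library stand-in that answers only HTTP-01 challenge paths and redirects everything else to HTTPS, the same split that `Manager.HTTPHandler` in golang.org/x/crypto/acme/autocert applies with a nil fallback. The names `challengeOnly` and `probe` and the token values are hypothetical; `probe` is the check an operator can use to confirm that paths such as the admin interface are redirected on port 80 rather than served.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

const challengePrefix = "/.well-known/acme-challenge/"

// challengeOnly answers HTTP-01 challenge requests from tokens and redirects
// every other plain-HTTP request to HTTPS, so nothing else is served on :80.
func challengeOnly(tokens map[string]string) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if strings.HasPrefix(r.URL.Path, challengePrefix) {
			keyAuth, ok := tokens[strings.TrimPrefix(r.URL.Path, challengePrefix)]
			if !ok {
				http.NotFound(w, r)
				return
			}
			fmt.Fprint(w, keyAuth)
			return
		}
		if r.Method != http.MethodGet && r.Method != http.MethodHead {
			http.Error(w, "Use HTTPS", http.StatusBadRequest)
			return
		}
		http.Redirect(w, r, "https://"+r.Host+r.URL.RequestURI(), http.StatusFound)
	})
}

// probe sends one request to the handler and returns status, Location and body.
func probe(h http.Handler, method, target string) (int, string, string) {
	req := httptest.NewRequest(method, target, nil)
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code, rec.Header().Get("Location"), rec.Body.String()
}

func main() {
	// Constructed token and key authorization, not real ACME values.
	h := challengeOnly(map[string]string{"tok123": "tok123.constructed-thumbprint"})
	for _, p := range []string{challengePrefix + "tok123", "/admin/", "/connection/websocket"} {
		code, loc, _ := probe(h, http.MethodGet, "http://host1"+p)
		fmt.Println(p, code, loc)
	}
}
```
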

Author

hn0pw commented Apr 10, 2018

> As far as I understand, it must work on the main port, which is 443 in this case, and not on port 80

Correct

> This is turned on only if ssl_autocert_http is turned on, and it only serves ACME challenges on that port, redirecting all other plain HTTP requests to HTTPS. What's your suggestion here?

Perfect, redirecting all other plain HTTP requests to HTTPS is a perfect solution

Member

FZambia commented Apr 11, 2018

> Correct

Sorry - so do you see any problem with the admin interface at the moment?

Author

hn0pw commented Apr 11, 2018

No, I don't see any problem; for me this works fine.

I'm just thinking that maybe someone doesn't like to see that the admin interface is accessible over unencrypted http. But for me it's fine.
Now if ssl_autocert_http is enabled, the admin interface is accessible through http too.

Member

FZambia commented Apr 11, 2018

Are you sure it was not a redirect to https admin page?

Author

hn0pw commented Apr 11, 2018

> Are you sure it was not a redirect to https admin page?

I started the new version again, and you're right, it's a redirect.
The last time the URL wasn't changed to https (I'm pretty sure); now, after a forced reload, the URL changed too and the redirect stays. Maybe this was a caching problem on my side.
Sorry for the misinformation.

Member

FZambia commented Apr 12, 2018

@ramon-ga I added logging in the latest commit, so it looks like this can be released?

Author

hn0pw commented Apr 13, 2018

All this works like a charm, thank you for your effort!

Tasks done:

  • pull latest commit
  • build
  • delete existing certificates
  • run with new config flag ssl_autocert_http: true
  • open web with http for both domains
  • will redirect to https
  • certs Let's Encrypt Authority X3 received
  • admin interface with wss connected

Log:

    [I]: 2018/04/13 07:15:33 Redis: 127.0.0.1:6379/0, pool: 256, using password: no, API enabled: no
    [I]: 2018/04/13 07:15:33 Config path: /etc/centrifugo/config.json
    [I]: 2018/04/13 07:15:33 Version: 
    [I]: 2018/04/13 07:15:33 PID: 20774
    [I]: 2018/04/13 07:15:33 Engine: Redis
    [I]: 2018/04/13 07:15:33 GOMAXPROCS: 8
    [I]: 2018/04/13 07:15:33 SockJS url: //cdn.jsdelivr.net/sockjs/1.1/sockjs.min.js
    [I]: 2018/04/13 07:15:33 Start serving raw websocket, SockJS, API, admin, web endpoints on :443
    [I]: 2018/04/13 07:15:33 Serving ACME http_01 challenge on :80

Member

FZambia commented Apr 14, 2018

Just released this in 1.7.9

@FZambia FZambia closed this as completed Apr 14, 2018