I made a cache client for autocert that has been working fine, but I noticed something odd in my logs. Specifically, I am seeing calls against Autocert's Cache.Get(...) method (CS link) for IP addresses. By that I mean, the `key` value passed into Get(...) is my host's IP address. My understanding is that this shouldn't happen with the HostPolicy using HostWhitelist, but it seems to be anyway.
The one thing I do notice is right after the Cache.Get(...) calls, I see an HTTP error in my logs (xxx.xxx.xx.xxx is my host's IP address):
http: TLS handshake error from 192.241.213.196:53056: acme/autocert: host "xxx.xxx.xxx.xxx" not configured in HostWhitelist".
The scanner seems to be some security research (stretchoid).
My question: Is it expected that Cache.Get(...) gets called before the HostPolicy is invoked? That seems wrong to me.
Here's my AutoCert code (swapping out my specific config values for example.com):
    // Imports this snippet relies on: "net/http", "time",
    // "golang.org/x/crypto/acme/autocert" and the smcache package
    // (the author's own cache client; its import path is not shown in the post).
    m := &autocert.Manager{
        // Secret Manager-backed cache client.
        Cache:      smcache.NewSMCache(smcache.Config{ProjectID: "project-id", SecretPrefix: "prefixhere-", DebugLogging: true}),
        Prompt:     autocert.AcceptTOS,
        Email:      "em...@example.com",
        HostPolicy: autocert.HostWhitelist("is.example.com", "test.example.com"),
    }
    s := &http.Server{
        Addr:              ":https",
        TLSConfig:         m.TLSConfig(),
        Handler:           e, // e is the application's http.Handler, defined elsewhere
        ReadTimeout:       10 * time.Second,
        WriteTimeout:      10 * time.Second,
        IdleTimeout:       70 * time.Second,
        ReadHeaderTimeout: 5 * time.Second,
    }
    // Plain-HTTP listener so the manager can answer http-01 challenges;
    // getHTTPPort() returns the listen address and is defined elsewhere.
    go func() {
        panic(http.ListenAndServe(getHTTPPort(), m.HTTPHandler(nil)))
    }()
    panic(s.ListenAndServeTLS("", ""))
Thanks,
-James
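One mitigation for the behaviour described in the post, as an added example that is not part of the original post or of autocert: a cache wrapper that applies the same whitelist to cache keys, so Cache.Get is never forwarded to the backing store for hosts that HostPolicy would reject anyway. The local Cache interface, the miss-error parameter and the key shapes are assumptions based on autocert's source; in real use pass autocert.ErrCacheMiss and the smcache client.

```go
package main

import (
	"context"
	"strings"
)

// Cache mirrors autocert.Cache method for method (declared locally so this builds with
// the standard library alone); *hostFilteredCache therefore also satisfies autocert.Cache.
type Cache interface {
	Get(ctx context.Context, key string) ([]byte, error)
	Put(ctx context.Context, key string, data []byte) error
	Delete(ctx context.Context, key string) error
}

// hostFilteredCache answers a miss for any key whose host part is not whitelisted, so
// handshakes carrying scanner SNI (IP literals, random names) never cost a backend lookup.
// Put and Delete pass through the embedded Cache; autocert calls them only after HostPolicy passed.
type hostFilteredCache struct {
	Cache                   // backing store, e.g. the Secret Manager client
	miss    error           // pass autocert.ErrCacheMiss in real use
	allowed map[string]bool // lower-cased hostnames from the whitelist
}

func NewHostFilteredCache(inner Cache, miss error, hosts ...string) *hostFilteredCache {
	c := &hostFilteredCache{Cache: inner, miss: miss, allowed: map[string]bool{}}
	for _, h := range hosts {
		c.allowed[strings.ToLower(h)] = true
	}
	return c
}

// allowedKey assumes autocert's key shapes: "<host>", "<host>+rsa", "<host>+token",
// the account key "acme_account+key", and "<token>+http-01" entries, which are not host-keyed.
func (c *hostFilteredCache) allowedKey(key string) bool {
	if key == "acme_account+key" || strings.HasSuffix(key, "+http-01") {
		return true
	}
	host := strings.SplitN(key, "+", 2)[0]
	return c.allowed[strings.ToLower(strings.TrimSuffix(host, "."))]
}

// Get short-circuits non-whitelisted hosts with the miss error; autocert then runs HostPolicy.
func (c *hostFilteredCache) Get(ctx context.Context, key string) ([]byte, error) {
	if !c.allowedKey(key) {
		return nil, c.miss
	}
	return c.Cache.Get(ctx, key)
}
// Wiring (real code): m.Cache = NewHostFilteredCache(smcache.NewSMCache(cfg), autocert.ErrCacheMiss, hosts...)
func main() {}
```

With the wrapper in place the scanner handshake still fails with the same "not configured in HostWhitelist" error, but the debug log no longer shows a backend Get for the IP address.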