"Cannonical" approach fails both in Prod and Dev

[JoseMPena]

Following the suggested steps in the README and Hexdocs fails both in development (test) and production using native client.

Development

In Dev, running the example test (as documented) returns "address already in use" although there is no process currently using in port 4002.

In endpoint.ex

...
directory_url:
        case Application.get_env(:client_hub, :cert_mode, "local") do
          "local" -> {:internal, port: 4002}
          "staging" -> "https://acme-staging-v02.api.letsencrypt.org/directory"
          "production" -> "https://acme-v02.api.letsencrypt.org/directory"
        end

In the test file "as is"

defmodule ClientHubWeb.Endpoint.CertificationTest do
  use ExUnit.Case, async: false
  import SiteEncrypt.Phoenix.Test
  test "certification" do
    clean_restart(ClientHubWeb.Endpoint)
    cert = get_cert(ClientHubWeb.Endpoint)
    # assert cert.domains == ~w/mysite.com www.mysite.com/
  end
end

This test fails with:

12:14:03.891 [error] Failed to start Ranch listener SiteEncrypt.Acme.Server_4002 in :ranch_ssl:listen([cacerts: :..., key: :..., cert: :..., alpn_preferred_protocols: ["h2", "http/1.1"], next_protocols_advertised: ["h2", "http/1.1"], reuse_sessions: true, secure_renegotiate: true, port: 4002]) for reason :eaddrinuse (address already in use)

12:14:03.904 [error] Error starting the child {:ranch_listener_sup, SiteEncrypt.Acme.Server_4002}: {:shutdown, {:failed_to_start_child, :ranch_acceptors_sup, {:listen_error, SiteEncrypt.Acme.Server_4002, :eaddrinuse}}}

but lsof says there's nothing currently listening on that port.

In Production

In Prod, both Chrome and Firefox throw NET::ERR_CERT_AUTHORITY_INVALID while visiting the URL

Some stats, according to ssllabs.com:

Key: RSA 1024 bits (e 65537)   WEAK
Certificate Transparency: No
DNS CAA: No
Trusted: No   NOT TRUSTED (Why?)Mozilla  Apple  Android  Java  Windows

[JoseMPena]

It does work in Production after forcing the cert via SiteEncrypt.force_certify(MySystemWeb.Endpoint)

[sasa1977]

In test error, ranch reports that the address is already in use. If you can't see anything with lsof or e.g. telnet, it could perhaps be some race condition during the endpoint restart (e.g. the previous instance lingers on for awhile). However, I've never seen this happen so far. Is this failing during the test run, or is the app failing to start before the test even executes?

The prod error likely means that a self-signed certificate is used, which means that certification didn't start automatically. Do you see anything of interest in logs? Also, is mode perhaps configured to :manual?

[JoseMPena]

Thanks for replying. The Production "issue" is solved by using the force_certify method as described in the README (at least in my case it's working so far). In Test, however, the culprit seems to be the function clean_restart() (it fails with the test running in isolation and with every other line commented out). Will check the method definition in your code whenever I get some time :)