From: ori@eigenstate.org
To: 9front@9front.org
Subject: Re: [9front] [patch] improve http challenge documentation in acmed(8)
Date: Fri, 08 Mar 2024 00:20:25 -0500 [thread overview]
Message-ID: <2AE60CCE17D0E1348A7304A6DBB41D4D@eigenstate.org> (raw)
In-Reply-To: <2C4AAFA0306F2CEE8D0C2D23A7AE8C94@eigenstate.org>
I'd posted a diff in IRC, I think, and then promptly lost it.
Rewritten, how does this sound?
--- a/sys/man/8/acmed
+++ b/sys/man/8/acmed
@@ -97,7 +97,7 @@
.IP
For HTTP challenges,
.I chalout
-must be a directory that your webserver will serve at
+must be a directory that your webserver is serving at
.br
.BI http:// mydomain.com /.well-known/acme-challenge .
.br
@@ -111,6 +111,9 @@
database.
It defaults to
.BR /lib/ndb/dnschallenge .
+Because the certificate issuer will access these to
+validate the domain,
+the DNS or HTTP servers must be configured before acmed is run.
.TP
.B -t
.I type
@@ -176,6 +179,11 @@
.IR webfs (4)
to be mounted as the ACME protocol uses HTTP
to talk to the provider.
+Additionally, the contents of the challenge directory must
+be available over plaintext HTTP,
+served at the URL
+.IR http://mydomain.com/.well-known/acme-challenge/$challenge .
+This URL will be accessed during the certificate verification process.
.IP
.EX
auth/acmed me@example.com /sys/lib/tls/acmed/mydomain.com.csr \\
Quoth ori@eigenstate.org:
> I think the phrasing could be better; I'll take a pass over it.
>
>
> Quoth eso@self.rodeo:
> > ping
> >
> > On 2023-12-19 20:22, eso@self.rodeo wrote:
> > > working through the example for http challenge in acmed(8) left out a
> > > few steps and clarifications. now, following the example with your
> > > webserver will (should) give your domain https. i also added
> > > /rc/bin/service/!tcp443 as an example service for acmed(8) to
> > > reference. while i was at it, i also updated listen(8) to include tcp80
> > > and tcp443.
> > >
> > > eso
> > >
> > >
> > > diff 66fc6a3e6443d7eb8298f65b0c9803197d196ec7 uncommitted
> > > --- a/sys/man/8/acmed
> > > +++ b/sys/man/8/acmed
> > > @@ -176,11 +176,33 @@
> > > .IR webfs (4)
> > > to be mounted as the ACME protocol uses HTTP
> > > to talk to the provider.
> > > +.PP
> > > +Change -o to be the path your webserver
> > > +will be serving at
> > > +.br
> > > +.BI http:// mydomain.com /.well-known/acme-challenge .
> > > .IP
> > > .EX
> > > -auth/acmed me@example.com /sys/lib/tls/acmed/mydomain.com.csr \\
> > > +auth/acmed -o /path/to/webroot/.well-known/acme-challenge/ \\
> > > +me@example.com /sys/lib/tls/acmed/mydomain.com.csr \\
> > > > /sys/lib/tls/acmed/mydomain.com.crt
> > > .EE
> > > +.PP
> > > +The
> > > +.B cert.key
> > > +must also be loaded into
> > > +.IR factotum (4).
> > > +.IP
> > > +.EX
> > > +cat cert.key > /mnt/factotum/ctl
> > > +.EE
> > > +.PP
> > > +Now you can configure
> > > +.BR /rc/bin/service/tcp443
> > > +to handle
> > > +.br
> > > +HTTPS connections with your webserver of choice.
> > > +.br
> > > .PP
> > > When using the DNS challenge method,
> > > your DNS server
> > > --- a/sys/man/8/listen
> > > +++ b/sys/man/8/listen
> > > @@ -1,6 +1,6 @@
> > > .TH LISTEN 8
> > > .SH NAME
> > > -listen, listen1, tcp7, tcp9, tcp19, tcp21, tcp23, tcp25, tcp53,
> > > tcp110, tcp113, tcp143, tcp445, tcp513, tcp515, tcp564, tcp565, tcp566,
> > > tcp567, tcp993, tcp995, tcp1723, tcp17019, tcp17020 \- listen for calls
> > > on a network device
> > > +listen, listen1, tcp7, tcp9, tcp19, tcp21, tcp23, tcp25, tcp53, tcp80,
> > > tcp110, tcp113, tcp143, tcp443, tcp445, tcp513, tcp515, tcp564, tcp565,
> > > tcp566, tcp567, tcp993, tcp995, tcp1723, tcp17019, tcp17020 \- listen
> > > for calls on a network device
> > > .SH SYNOPSIS
> > > .B aux/listen
> > > .RB [ -iq ]
> > > @@ -182,6 +182,9 @@
> > > .B tcp53
> > > TCP port for DNS.
> > > .TP
> > > +.B tcp80
> > > +HTTP port.
> > > +.TP
> > > .B tcp110
> > > POP3 port.
> > > .TP
> > > @@ -192,6 +195,9 @@
> > > .TP
> > > .B tcp143
> > > IMAP4rev1 port.
> > > +.TP
> > > +.B tcp443
> > > +HTTPS port.
> > > .TP
> > > .B tcp445
> > > CIFS/SMB file sharing.
> > >
> > >
> > > diff 66fc6a3e6443d7eb8298f65b0c9803197d196ec7 uncommitted
> > > --- /dev/null
> > > +++ b/rc/bin/service/!tcp443
> > > @@ -1,0 +1,4 @@
> > > +#!/bin/rc
> > > +
> > > +# See acmed(8)
> > > +/bin/tlssrv -c/sys/lib/tls/acmed/mydomain.com.crt
> > > /rc/bin/rc-httpd/rc-httpd
>
prev parent reply other threads:[~2024-03-08 5:21 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-12-20 4:22 eso
2024-01-13 4:27 ` eso
2024-01-13 4:33 ` ori
2024-03-08 5:20 ` ori [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=2AE60CCE17D0E1348A7304A6DBB41D4D@eigenstate.org \
--to=ori@eigenstate.org \
--cc=9front@9front.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).