From mboxrd@z Thu Jan 1 00:00:00 1970
Message-ID: <2C4AAFA0306F2CEE8D0C2D23A7AE8C94@eigenstate.org>
To: 9front@9front.org
Date: Fri, 12 Jan 2024 23:33:09 -0500
From: ori@eigenstate.org
In-Reply-To: <3f60a52674208801328181dd7b59bfb1@self.rodeo>
List-ID: <9front.9front.org>
Subject: Re: [9front] [patch] improve http challenge documentation in acmed(8)
Reply-To: 9front@9front.org

I think the phrasing could be better; I'll take a pass over it.

Quoth eso@self.rodeo:
> ping
>
> On 2023-12-19 20:22, eso@self.rodeo wrote:
> > working through the example for http challenge in acmed(8) left out a
> > few steps and clarifications. now, following the example with your
> > webserver will (should) give your domain https. i also added
> > /rc/bin/service/!tcp443 as an example service for acmed(8) to
> > reference. while i was at it, i also updated listen(8) to include tcp80
> > and tcp443.
> >
> > eso
> >
> >
> > diff 66fc6a3e6443d7eb8298f65b0c9803197d196ec7 uncommitted
> > --- a/sys/man/8/acmed
> > +++ b/sys/man/8/acmed
> > @@ -176,11 +176,33 @@
> >  .IR webfs (4)
> >  to be mounted as the ACME protocol uses HTTP
> >  to talk to the provider.
> > +.PP
> > +Change -o to be the path your webserver
> > +will be serving at
> > +.br
> > +.BI http:// mydomain.com /.well-known/acme-challenge .
> >  .IP
> >  .EX
> > -auth/acmed me@example.com /sys/lib/tls/acmed/mydomain.com.csr \\
> > +auth/acmed -o /path/to/webroot/.well-known/acme-challenge/ \\
> > +me@example.com /sys/lib/tls/acmed/mydomain.com.csr \\
> >  > /sys/lib/tls/acmed/mydomain.com.crt
> >  .EE
> > +.PP
> > +The
> > +.B cert.key
> > +must also be loaded into
> > +.IR factotum (4).
> > +.IP
> > +.EX
> > +cat cert.key > /mnt/factotum/ctl
> > +.EE
> > +.PP
> > +Now you can configure
> > +.BR /rc/bin/service/tcp443
> > +to handle
> > +.br
> > +HTTPS connections with your webserver of choice.
> > +.br
> >  .PP
> >  When using the DNS challenge method,
> >  your DNS server
> > --- a/sys/man/8/listen
> > +++ b/sys/man/8/listen
> > @@ -1,6 +1,6 @@
> >  .TH LISTEN 8
> >  .SH NAME
> > -listen, listen1, tcp7, tcp9, tcp19, tcp21, tcp23, tcp25, tcp53,
> > tcp110, tcp113, tcp143, tcp445, tcp513, tcp515, tcp564, tcp565, tcp566,
> > tcp567, tcp993, tcp995, tcp1723, tcp17019, tcp17020 \- listen for calls
> > on a network device
> > +listen, listen1, tcp7, tcp9, tcp19, tcp21, tcp23, tcp25, tcp53, tcp80,
> > tcp110, tcp113, tcp143, tcp443, tcp445, tcp513, tcp515, tcp564, tcp565,
> > tcp566, tcp567, tcp993, tcp995, tcp1723, tcp17019, tcp17020 \- listen
> > for calls on a network device
> >  .SH SYNOPSIS
> >  .B aux/listen
> >  .RB [ -iq ]
> > @@ -182,6 +182,9 @@
> >  .B tcp53
> >  TCP port for DNS.
> >  .TP
> > +.B tcp80
> > +HTTP port.
> > +.TP
> >  .B tcp110
> >  POP3 port.
> >  .TP
> > @@ -192,6 +195,9 @@
> >  .TP
> >  .B tcp143
> >  IMAP4rev1 port.
> > +.TP
> > +.B tcp443
> > +HTTPS port.
> >  .TP
> >  .B tcp445
> >  CIFS/SMB file sharing.
> >
> >
> > diff 66fc6a3e6443d7eb8298f65b0c9803197d196ec7 uncommitted
> > --- /dev/null
> > +++ b/rc/bin/service/!tcp443
> > @@ -1,0 +1,4 @@
> > +#!/bin/rc
> > +
> > +# See acmed(8)
> > +/bin/tlssrv -c/sys/lib/tls/acmed/mydomain.com.crt
> > /rc/bin/rc-httpd/rc-httpd
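Review bot: In the acmed(8) hunk, the new paragraph should say what -o is before saying what to change it to: the directory given to -o is where acmed writes its challenge token files, and it must be the same directory the web server exposes under http://mydomain.com/.well-known/acme-challenge/ over plain HTTP on port 80, because that is where the CA fetches the token before issuing. That also means the tcp80 listener has to be up before auth/acmed is run, which is worth one sentence since the patch is adding tcp80 to listen(8) anyway. Three consistency points in the same hunk: cert.key is the only bare file name in an example that otherwise uses full /sys/lib/tls/acmed/mydomain.com.* paths, so give its location and say it is the key the CSR was generated from; keys written with `cat cert.key > /mnt/factotum/ctl` live only in that factotum instance and are gone after a reboot, so say where that line belongs (a boot-time script, or the service script) instead of presenting it as a one-off; and the text points at /rc/bin/service/tcp443 while the file the patch adds is !tcp443, which the ! prefix marks as disabled, so tell the reader to rename it (drop the !) once the cert path is filled in. Minor troff style: the trailing ` .` argument of `.BI http:// mydomain.com /.well-known/acme-challenge .` sets the period in italic, and the `+.br` immediately before the existing `.PP` does nothing.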
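Review bot: The listen(8) NAME hunk adds tcp80 to the list of services, but the diff adds no /rc/bin/service/tcp80 (or !tcp80) file, only !tcp443. If a tcp80 service file already ships in the tree this is fine; if not, the manual will name a service that does not exist, so either add the file in this patch or leave tcp80 out of NAME until it does.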
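Review bot: The !tcp443 hunk will not apply as mailed: the header says `@@ -1,0 +1,4 @@` but five lines follow it, because the mail client wrapped the long tlssrv line and left `/rc/bin/rc-httpd/rc-httpd` on its own unprefixed line; the NAME line in the listen(8) hunk was wrapped the same way. Please resend with line wrapping off or as an attachment. On the content: mydomain.com.crt is a placeholder in a file that ships with the system, so a one-line comment in the script saying to replace the cert path, and that tlssrv takes the matching private key from factotum (which is why acmed(8) now says to load it), would save the next reader a trip to the man page.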
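A preflight check for the -o directory the patch is documenting, as an added example (not 9front code and not part of this thread): it writes a probe file where acmed would write its token, fetches it back over plain HTTP the way the CA's validator does, and reports whether the directory and the /.well-known/acme-challenge/ URL actually line up. It assumes a POSIX host with Python 3.7 or later; check_challenge_dir, serve_dir and demo are hypothetical helper names, and the throwaway local server is only a stand-in for the tcp80 listener, so a pass here says nothing about reachability from the CA's network.

```python
"""Preflight check for the acmed(8) HTTP challenge set-up: does the directory
handed to `auth/acmed -o` match what the web server exposes under
http://<domain>/.well-known/acme-challenge/ ?  Added example, not 9front code."""

import functools
import http.server
import os
import secrets
import tempfile
import threading
import urllib.error
import urllib.request

# Fixed by RFC 8555 section 8.3; acmed writes its token files into the -o
# directory, and the CA fetches them at this URL prefix over plain HTTP.
CHALLENGE_PREFIX = "/.well-known/acme-challenge/"


def write_probe(outdir):
    """Write a random probe file into the -o directory, the way acmed would
    write a token file.  Returns (file name, expected body)."""
    os.makedirs(outdir, exist_ok=True)
    name = "probe-" + secrets.token_urlsafe(12)
    body = secrets.token_urlsafe(32)
    with open(os.path.join(outdir, name), "w", encoding="ascii") as f:
        f.write(body)
    return name, body


def fetch_probe(base_url, name, timeout=5.0):
    """Fetch the probe over HTTP as the CA's validator would.  Returns the
    response body, or None on any failure (404, refused connection, timeout)."""
    url = base_url.rstrip("/") + CHALLENGE_PREFIX + name
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.read().decode("ascii", "replace")
    except (urllib.error.URLError, OSError, ValueError):
        return None


def check_challenge_dir(outdir, base_url):
    """Return (ok, reason).  ok is True only when the server hands back the
    bytes written into outdir (trailing whitespace ignored, as RFC 8555 allows)."""
    name, body = write_probe(outdir)
    try:
        got = fetch_probe(base_url, name)
    finally:
        os.remove(os.path.join(outdir, name))  # never leave the probe behind
    if got is None:
        return False, ("%s%s%s not served: is the HTTP listener up, and is -o "
                       "the directory the server maps to %s?"
                       % (base_url.rstrip("/"), CHALLENGE_PREFIX, name,
                          CHALLENGE_PREFIX))
    if got.rstrip() != body:
        return False, "served content differs from the file written to %s" % outdir
    return True, "challenge directory and URL agree"


class _QuietHandler(http.server.SimpleHTTPRequestHandler):
    def log_message(self, fmt, *args):  # keep the example's output clean
        pass


def serve_dir(webroot):
    """Start a throwaway local web server rooted at webroot on an ephemeral
    port (a stand-in for the tcp80 service) and return its base URL."""
    handler = functools.partial(_QuietHandler, directory=webroot)
    srv = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return "http://127.0.0.1:%d" % srv.server_address[1]


def demo():
    """Run the check twice against a local server: once with the right -o
    directory (under the served webroot), once with a directory the server
    never looks at.  Returns the two verdicts, expected (True, False)."""
    webroot = tempfile.mkdtemp()
    base = serve_dir(webroot)
    right, _ = check_challenge_dir(
        os.path.join(webroot, ".well-known", "acme-challenge"), base)
    wrong, _ = check_challenge_dir(
        os.path.join(tempfile.mkdtemp(), "acme-challenge"), base)
    return right, wrong


if __name__ == "__main__":
    print(demo())
```

Against a real host, point check_challenge_dir at the actual -o directory and at http://mydomain.com (no port, since validation goes to port 80); the probe file is removed again whether or not the fetch succeeds, and a False verdict with a "not served" reason is the symptom of exactly the mismatch the man page change is trying to prevent.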