From: "Dave MacFarlane" <driusan@driusan.net>
To: 9front@9front.org
Subject: [9front] wildcard in auth/acmed
Date: Mon, 15 Jan 2024 09:36:16 -0500
Message-ID: <935781D6F8971CD305A289DD1822281C@driusan.net>

I was trying to use a Let's Encrypt certificate to host a subdomain,
and the only way I could figure out how to do that was a wildcard certificate
because !/bin/service/tcp443 takes the certificate as an argument before
rc-httpd knows what domain it's for.
A wildcard certificate for *.example.com doesn't cover example.com
with no prefix, so I had to add it as a subject alternative name, but Let's Encrypt
seems to ignore the -t dns and send an http-01 challenge for the non-wildcard
portion and a dns-01 challenge for the wildcard.
I added a "hybrid" type to auth/acmed which determines whether to use dnschallenge
or httpchallenge based on the challenge, but isn't compatible with -o since dnschallenge
and httpchallenge need different formats.
With this, I was able to register a certificate request I created by:

auth/rsa2csr 'CN=*.example.com,example.com' $certkey>$csr
auth/acmed -t hybrid $username $acmeuser $csr >$crt

diff 9c2e8e2b13b0d01b7adf88b61af6edfbddd872c1 uncommitted
--- a/sys/src/cmd/auth/acmed.c
+++ b/sys/src/cmd/auth/acmed.c
@@ -633,6 +633,18 @@
}
static int
+hybridchallenge(char *ty, char *dom, char *tok, int *matched)
+{
+ if (strcmp(ty, "http-01") == 0){
+ challengeout = "/usr/web/.well-known/acme-challenge";
+ return httpchallenge(ty, dom, tok, matched);
+ } else if (strcmp(ty, "dns-01") == 0){
+ challengeout = "/lib/ndb/dnschallenge";
+ return dnschallenge(ty, dom, tok, matched);
+ }
+ return -1;
+}
+static int
dochallenges(char *dom[], int ndom, JSON *order)
{
JSON *chals, *j, *cl, *id, *wc;
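Review bot: hybridchallenge returns -1 for any type other than http-01 or dns-01 without setting an error string, so dochallenges cannot tell an unsupported challenge type apart from a failure inside httpchallenge or dnschallenge; setting an error (for example with werrstr) before the `return -1;` would make the sysfatal or log message downstream meaningful. The function also re-hardcodes the two default challengeout paths ("/usr/web/.well-known/acme-challenge" and "/lib/ndb/dnschallenge") that the -t parser already carries, so a future change to either default has to be made in two places; keeping the defaults in one spot and having hybridchallenge pick between two stored paths avoids that. Minor: the hunk reuses the existing `static int` line for the new function and inserts a fresh `static int` above dochallenges, which compiles but makes the diff harder to read than placing the whole new function, signature included, above the old one.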
@@ -910,7 +922,13 @@
}else if(strcmp(ct, "dns") == 0){
challengeout = (co != nil) ? co : "/lib/ndb/dnschallenge";
challengefn = dnschallenge;
- }else {
+ }else if (strcmp(ct, "hybrid") == 0){
+ if (co != nil) {
+ sysfatal("-o not compatible with hybrid challenge");
+ }
+ challengefn = hybridchallenge;
+
+ } else {
sysfatal("unknown challenge type '%s'", ct);
}
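Review bot: the hybrid branch never assigns challengeout, unlike the http and dns branches just above it, and relies on hybridchallenge to set it per challenge; that works, but a one-line comment at `challengefn = hybridchallenge;` saying so would stop a later reader from adding a default here and silently breaking the per-challenge switch. Style: `}else if (strcmp(ct, "hybrid") == 0){` and `} else {` mix spacing with the surrounding `}else if(...){` / `}else {` forms, and the blank line after `challengefn = hybridchallenge;` is stray. Since `-o` is rejected with sysfatal only for this type, documenting the restriction wherever the -t and -o options are described would surface it before the program aborts.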
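The two facts the message relies on, that "*.example.com" does not cover the bare name "example.com" and that Let's Encrypt validates wildcard identifiers only with dns-01 while plain names can use http-01, are shown below in an added C example. It is not code from acmed.c or from the patch; the name-matching rule follows the usual single-label wildcard convention, the challenge assignment mirrors what the message reports for Let's Encrypt, and the two output paths are the ones the patch uses. All host and identifier names are constructed samples.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Return 1 if host is covered by the certificate name pat.
 * A wildcard is honoured only as the complete leftmost label and matches
 * exactly one label, so "*.example.com" covers "www.example.com" but
 * neither the bare "example.com" nor "a.b.example.com". */
int
certnamematch(const char *pat, const char *host)
{
	const char *dot;

	if(strncmp(pat, "*.", 2) != 0)
		return strcasecmp(pat, host) == 0;   /* plain name: exact match */
	dot = strchr(host, '.');
	if(dot == NULL || dot == host)
		return 0;                             /* bare name or empty first label */
	return strcasecmp(pat + 1, dot) == 0;     /* compare the ".example.com" suffix */
}

/* Which ACME challenge a CA issues for an identifier: wildcard names can
 * only be validated with dns-01, plain names can use http-01 (as the
 * message describes for Let's Encrypt). */
const char*
challengefor(const char *name)
{
	return strncmp(name, "*.", 2) == 0 ? "dns-01" : "http-01";
}

/* Where the challenge response is published, as in the patch's hybrid
 * dispatch: dns-01 tokens into the ndb dnschallenge file, http-01 tokens
 * under the web root's .well-known/acme-challenge directory.
 * Returns NULL for an unknown type rather than guessing a location. */
const char*
challengepath(const char *ty)
{
	if(strcmp(ty, "http-01") == 0)
		return "/usr/web/.well-known/acme-challenge";
	if(strcmp(ty, "dns-01") == 0)
		return "/lib/ndb/dnschallenge";
	return NULL;
}

int
main(void)
{
	/* Constructed CSR subject names, as in the rsa2csr invocation above. */
	const char *names[] = { "*.example.com", "example.com" };
	const char *hosts[] = { "example.com", "www.example.com", "a.b.example.com" };
	int i, j;

	for(i = 0; i < 2; i++)
		printf("%-16s -> %s, published at %s\n", names[i],
			challengefor(names[i]), challengepath(challengefor(names[i])));
	for(j = 0; j < 3; j++){
		int ok = 0;
		for(i = 0; i < 2; i++)
			ok |= certnamematch(names[i], hosts[j]);
		printf("%-16s covered: %s\n", hosts[j], ok ? "yes" : "no");
	}
	return 0;
}
```

Running it shows why the CSR needs both names: with only "*.example.com" the bare host is reported as not covered, and the two identifiers map to different challenge types, which is exactly the situation the hybrid mode handles.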