To: 9front@9front.org
Date: Mon, 15 Jan 2024 12:02:39 -0500
From: ori@eigenstate.org
In-Reply-To: <935781D6F8971CD305A289DD1822281C@driusan.net>
Subject: Re: [9front] wildcard in auth/acmed

I'm confused about why a hybrid challenge type is needed; my read of the RFC
is that we should be using DNS challenges if there's a wildcard domain name.
To my knowledge, wildcards should already work (though I haven't tested in a
while).

As a side note, you can create one cert that covers multiple domains. For
example:

	auth/rsa2csr 'CN=foo.example.com,bar.example.com,test.ai' $key>$csr

should work just fine for any of those domains. It doesn't even need to be
the same 'base' URL; this is how we get a valid cert on both
https://shithub.us and https://only9fans.com; both domains serve the same
cert, with CN=shithub.us,only9fans.com

Quoth Dave MacFarlane:
> I was trying to use a Let's Encrypt certificate to host a subdomain,
> and the only way I could figure out how to do that was a wildcard certificate
> because !/bin/service/tcp443 takes the certificate as an argument before
> rc-httpd knows what domain it's for.
>
> A wildcard certificate for *.example.com doesn't cover example.com
> with no prefix, so I had to add it as a subject alternative name, but Let's Encrypt
> seems to ignore the -t dns and send an http-01 challenge for the non-wildcard
> portion and a dns-01 challenge for the wildcard.
>
> I added a "hybrid" type to auth/acmed which determines whether to use dnschallenge
> or httpchallenge based on the challenge, but isn't compatible with -o since dnschallenge
> and httpchallenge need different formats.
>
> With this, I was able to register a certificate request I created by:
>
> auth/rsa2csr 'CN=*.example.com,example.com' $certkey>$csr
> auth/acmed -t hybrid $username $acmeuser $csr >$crt
>
> diff 9c2e8e2b13b0d01b7adf88b61af6edfbddd872c1 uncommitted
> --- a/sys/src/cmd/auth/acmed.c
> +++ b/sys/src/cmd/auth/acmed.c
> @@ -633,6 +633,18 @@
> }
>
> static int
> +hybridchallenge(char *ty, char *dom, char *tok, int *matched)
> +{
> + if (strcmp(ty, "http-01") == 0){
> + challengeout = "/usr/web/.well-known/acme-challenge";
> + return httpchallenge(ty, dom, tok, matched);
> + } else if (strcmp(ty, "dns-01") == 0){
> + challengeout = "/lib/ndb/dnschallenge";
> + return dnschallenge(ty, dom, tok, matched);
> + }
> + return -1;
> +}
> +static int
> dochallenges(char *dom[], int ndom, JSON *order)
> {
> JSON *chals, *j, *cl, *id, *wc;
> @@ -910,7 +922,13 @@
> }else if(strcmp(ct, "dns") == 0){
> challengeout = (co != nil) ? co : "/lib/ndb/dnschallenge";
> challengefn = dnschallenge;
> - }else {
> + }else if (strcmp(ct, "hybrid") == 0){
> + if (co != nil) {
> + sysfatal("-o not compatible with hybrid challenge");
> + }
> + challengefn = hybridchallenge;
> +
> + } else {
> sysfatal("unknown challenge type '%s'", ct);
> }
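Review bot: in the first hunk, hybridchallenge() overwrites the global challengeout with a hard-coded path on every call, and that is the only reason the -o override has to be refused for the hybrid type; keeping the http-01 and dns-01 output locations as two separate variables (with -o applying to one of them, or defaults that the operator can still change) would let people who do not serve from /usr/web or keep their ndb files under /lib/ndb use hybrid too. The `return -1;` fall-through for any other challenge type sets no error string, so a werrstr() before it would make the caller's failure report meaningful. Style: the context lines show the file's own form, `}else if(strcmp(ct, "dns") == 0){`, while the new function writes `if (` and `} else if (`; and the closing `+}` runs directly into the re-added `+static int` with no blank line before dochallenges.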
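Review bot: in the second hunk, the hybrid branch sets only challengefn and leaves challengeout untouched until hybridchallenge() assigns it during the first challenge, whereas every other branch sets both here; a short comment on that asymmetry would help, since any code that reads challengeout before a challenge runs will see whatever it was initialised to. Also drop the stray blank `+` line before `} else {` and match the surrounding `}else if(` / `}else {` spacing instead of `} else {`.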
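The challenge selection the two messages disagree about, as an added example in Python that is neither acmed's code nor from either poster: it applies the RFC 8555 rule that a wildcard identifier can only be validated with dns-01 and shows why the two challenge types need different output artefacts. The authorization objects and the JWK thumbprint are constructed sample values.

```python
import base64
import hashlib

# Constructed stand-in for the authorization objects of one ACME order
# (RFC 8555 section 7.1.4): one plain identifier, one wildcard identifier.
# The wildcard authorization offers only dns-01; the plain one offers both.
SAMPLE_AUTHZS = [
    {"identifier": {"type": "dns", "value": "example.com"}, "wildcard": False,
     "challenges": [{"type": "http-01", "token": "tokA"},
                    {"type": "dns-01", "token": "tokB"}]},
    {"identifier": {"type": "dns", "value": "example.com"}, "wildcard": True,
     "challenges": [{"type": "dns-01", "token": "tokC"}]},
]
SAMPLE_THUMBPRINT = "constructed-jwk-thumbprint"  # real clients: base64url(JWK thumbprint)

def b64url(data: bytes) -> str:
    """base64url without padding, as ACME requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def pick_challenge(authz: dict, preferred: str = "dns-01") -> dict:
    """Choose one challenge for an authorization. A wildcard identifier can
    only be validated by dns-01; otherwise honour the preferred type if the
    server offered it, else take the first offered challenge."""
    offered = {c["type"]: c for c in authz["challenges"]}
    if authz.get("wildcard"):
        if "dns-01" not in offered:
            raise ValueError("wildcard identifier without a dns-01 challenge")
        return offered["dns-01"]
    return offered.get(preferred, next(iter(offered.values())))

def provisioning_plan(authzs, thumbprint, preferred="dns-01"):
    """What must be published per identifier. http-01 needs a file whose
    body is the key authorization; dns-01 needs a TXT record holding the
    base64url SHA-256 of it. Different artefacts, so one output path
    cannot serve both challenge types."""
    plan = []
    for authz in authzs:
        chal = pick_challenge(authz, preferred)
        key_auth = f"{chal['token']}.{thumbprint}"
        name = authz["identifier"]["value"]
        if chal["type"] == "http-01":
            plan.append({"type": "http-01", "domain": name, "body": key_auth,
                         "path": f"/.well-known/acme-challenge/{chal['token']}"})
        else:
            txt = b64url(hashlib.sha256(key_auth.encode()).digest())
            plan.append({"type": "dns-01", "domain": name, "txt": txt,
                         "record": f"_acme-challenge.{name}"})
    return plan
```

With the default preference the plain identifier is also validated by dns-01, so a client that prefers DNS never needs the http-01 path for this order.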