Date: Tue, 19 Dec 2023 20:22:04 -0800
From: eso@self.rodeo
To: 9front@9front.org
Subject: [9front] [patch] improve http challenge documentation in acmed(8)

working through the example for http challenge in acmed(8) left out a few steps and clarifications. now, following the example with your webserver will (should) give your domain https.

i also added /rc/bin/service/!tcp443 as an example service for acmed(8) to reference.

while i was at it, i also updated listen(8) to include tcp80 and tcp443.

eso

diff 66fc6a3e6443d7eb8298f65b0c9803197d196ec7 uncommitted --- a/sys/man/8/acmed +++ b/sys/man/8/acmed @@ -176,11 +176,33 @@ .IR webfs (4) to be mounted as the ACME protocol uses HTTP to talk to the provider. +.PP +Change -o to be the path your webserver +will be serving at +.br +.BI http:// mydomain.com /.well-known/acme-challenge . .IP .EX -auth/acmed me@example.com /sys/lib/tls/acmed/mydomain.com.csr \\ +auth/acmed -o /path/to/webroot/.well-known/acme-challenge/ \\ +me@example.com /sys/lib/tls/acmed/mydomain.com.csr \\ > /sys/lib/tls/acmed/mydomain.com.crt .EE +.PP +The +.B cert.key +must also be loaded into +.IR factotum (4). +.IP +.EX +cat cert.key > /mnt/factotum/ctl +.EE +.PP +Now you can configure +.BR /rc/bin/service/tcp443 +to handle +.br +HTTPS connections with your webserver of choice. +.br .PP When using the DNS challenge method, your DNS server --- a/sys/man/8/listen +++ b/sys/man/8/listen 
@@ -1,6 +1,6 @@ .TH LISTEN 8 .SH NAME -listen, listen1, tcp7, tcp9, tcp19, tcp21, tcp23, tcp25, tcp53, tcp110, tcp113, tcp143, tcp445, tcp513, tcp515, tcp564, tcp565, tcp566, tcp567, tcp993, tcp995, tcp1723, tcp17019, tcp17020 \- listen for calls on a network device +listen, listen1, tcp7, tcp9, tcp19, tcp21, tcp23, tcp25, tcp53, tcp80, tcp110, tcp113, tcp143, tcp443, tcp445, tcp513, tcp515, tcp564, tcp565, tcp566, tcp567, tcp993, tcp995, tcp1723, tcp17019, tcp17020 \- listen for calls on a network device .SH SYNOPSIS .B aux/listen .RB [ -iq ] @@ -182,6 +182,9 @@ .B tcp53 TCP port for DNS. .TP +.B tcp80 +HTTP port. +.TP .B tcp110 POP3 port. .TP @@ -192,6 +195,9 @@ .TP .B tcp143 IMAP4rev1 port. +.TP +.B tcp443 +HTTPS port. .TP .B tcp445 CIFS/SMB file sharing. diff 66fc6a3e6443d7eb8298f65b0c9803197d196ec7 uncommitted --- /dev/null +++ b/rc/bin/service/!tcp443 @@ -1,0 +1,4 @@ +#!/bin/rc + +# See acmed(8) +/bin/tlssrv -c/sys/lib/tls/acmed/mydomain.com.crt /rc/bin/rc-httpd/rc-httpd
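
Review bot: In the acmed(8) hunk (@@ -176,11 +176,33 @@), the added step `cat cert.key > /mnt/factotum/ctl` names a file, `cert.key`, that nothing else in the visible example creates or locates, while every other file is given a full path under /sys/lib/tls/acmed/. Suggest giving the key a full path in the same style and saying that it is the private key the CSR was generated from, since the certificate issued for mydomain.com.csr only works with that key. Smaller points in the same hunk: "Change -o to be the path" reads as if -o had already been introduced, so "Use -o to name the directory" would be clearer; `.BR /rc/bin/service/tcp443` has a single argument, so `.B` is enough; the trailing `.br` directly before `.PP` is redundant; and the text points at tcp443 while the file this patch adds is named !tcp443, so it should say the example has to be copied to tcp443.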
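
Review bot: In the listen(8) hunk that adds the tcp443 entry (@@ -192,6 +195,9 @@), the description "HTTPS port." gives the reader no route to the certificate setup the service needs. Suggest adding a pointer to acmed(8), which is where this patch documents the certificate, the key and the tcp443 service.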
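
Review bot: In the new /rc/bin/service/!tcp443, the argument `-c/sys/lib/tls/acmed/mydomain.com.crt` is a placeholder domain, and the only hint is the comment `# See acmed(8)`. Suggest extending that comment to say the certificate path must be edited for the real domain and that the matching key must already be loaded into factotum, which the acmed(8) text in this patch lists as a separate manual step. Without that, someone who copies the file to tcp443 unchanged gets a listener that points at a certificate that does not exist.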