Hello!

I'm trying to serve https (443) and gemini (1965) under 9front.

I've already a working rc-httpd (80) setup and now I would like to start using letsencrypt certificates.
Also rc-gemd (gemini server) needs a certificate in order to work.

I manage to get the certificate with acmed using the following procedure:

ramfs -p
cd /tmp
auth/rsagen -t 'service=acme role=sign hash=sha256 acct=iban@mydomain.com' >iban@mydomain.com.key
auth/rsa2jwk iban@mydomain.com.key >/sys/lib/tls/acmed/iban@mydomain.com.pub
cat iban@mydomain.com.key >/mnt/factotum/ctl
auth/rsagen -t 'service=tls role=client owner=*' >mydomain.com.key
chmod 600 iban@mydomain.com.key mydomain.com.key
cp iban@mydomain.com.key mydomain.com.key /sys/lib/tls/acmed/
auth/rsa2csr 'CN=mydomain.com' /sys/lib/tls/acmed/mydomain.com.key >/sys/lib/tls/acmed/mydomain.com.csr

webfs
auth/acmed -t http -o /sys/www/mydomain.com/.well-known/acme-challenge iban@mydomain.com /sys/lib/tls/acmed/mydomain.com.csr >/sys/lib/tls/acmed/mydomain.com.crt

I think acmed do the job because the certificate is generated and stored in the proper location.
DNS is in place and working fine, the dir /sys/www/mydomain.com/.well-known/acme-challenge is already in place as is served by rc-httpd.

This a (trimmed) decode of the certificate:
auth/pemdecode 'CERTIFICATE' /sys/lib/tls/acmed/mydomain.com.crt | auth/x5092pub
key proto=rsa size=2048 ek=10001 n=1E71BLABLABLABLABAE0CA13254122D600BLABLABLABD4D89D18EB7D7E0BLABLABLABLAC69 subject=mydomain.com

Then I try to serve https with:
aux/listen1 tcp!*!443 tlssrv -c /sys/lib/tls/acmed/mydomain.com.crt /rc/bin/rc-httpd/rc-httpd

And rc-gemd with:
aux/listen1 tcp!*!1965 tlssrv -c /sys/lib/tls/acmed/mydomain.com.crt /rc/bin/rc-gemd/rc-gemd

Problem is when I try to connect to https://mydomain.com I got this from the server side:
tlssrv:  tls reports failed: factotum_rsa_open: no key matches proto=rsa service=tls role=client

The same error occurs when I try to connect to gemini using a client:
tlssrv:  tls reports failed: factotum_rsa_open: no key matches proto=rsa service=tls role=client

Trying to add the keys to factotum using this:
cat /sys/lib/tls/acmed/iban@mydomain.com.key >/mnt/factotum/ctl
cat /sys/lib/tls/acmed/mydomain.com.key >/mnt/factotum/ctl

I'm still wondering if factotum is aware of these keys... anyway I checked if the factotum process is running:

cpu% pstree | grep -i factotum
130         ├factotum
408         │└factotum
4986        ├factotum
5119        │└factotum
11793       │└grep -i factotum

But I still got the same error from factotum when I try to use the certificates using tlssrv :-(

What I'm missing? How to debug the problem?

Any help very appreciated :)

Many thanks in advance.

Iban.
------------------------------------------
9fans: 9fans
Permalink: https://9fans.topicbox.com/groups/9fans/Te82df98419e38504-M79de2065128a8e168e4eb6ea
Delivery options: https://9fans.topicbox.com/groups/9fans/subscription