Hello!

I'm trying to serve https (443) and gemini (1965) under 9front.

I've already a working rc-httpd (80) setup and now I would like to start using letsencrypt certificates.

Also rc-gemd (gemini server) needs a certificate in order to work.

I manage to get the certificate with acmed using the following procedure:

ramfs -p

cd /tmp

auth/rsagen -t 'service=acme role=sign hash=sha256 acct=iban@mydomain.com' >iban@mydomain.com.key

auth/rsa2jwk iban@mydomain.com.key >/sys/lib/tls/acmed/iban@mydomain.com.pub

cat iban@mydomain.com.key >/mnt/factotum/ctl

auth/rsagen -t 'service=tls role=client owner=*' >mydomain.com.key

chmod 600 iban@mydomain.com.key mydomain.com.key

cp iban@mydomain.com.key mydomain.com.key /sys/lib/tls/acmed/

auth/rsa2csr 'CN=mydomain.com' /sys/lib/tls/acmed/mydomain.com.key >/sys/lib/tls/acmed/mydomain.com.csr

webfs

auth/acmed -t http -o /sys/www/mydomain.com/.well-known/acme-challenge iban@mydomain.com /sys/lib/tls/acmed/mydomain.com.csr >/sys/lib/tls/acmed/mydomain.com.crt

I think acmed do the job because the certificate is generated and stored in the proper location.

DNS is in place and working fine, the dir /sys/www/mydomain.com/.well-known/acme-challenge is already in place as is served by rc-httpd.

This a (trimmed) decode of the certificate:

auth/pemdecode 'CERTIFICATE' /sys/lib/tls/acmed/mydomain.com.crt | auth/x5092pub

key proto=rsa size=2048 ek=10001 n=1E71BLABLABLABLABAE0CA13254122D600BLABLABLABD4D89D18EB7D7E0BLABLABLABLAC69 subject=mydomain.com

Then I try to serve https with:

aux/listen1 tcp!*!443 tlssrv -c /sys/lib/tls/acmed/mydomain.com.crt /rc/bin/rc-httpd/rc-httpd

And rc-gemd with:

aux/listen1 tcp!*!1965 tlssrv -c /sys/lib/tls/acmed/mydomain.com.crt /rc/bin/rc-gemd/rc-gemd

Problem is when I try to connect to https://mydomain.com I got this from the server side:

tlssrv:  tls reports failed: factotum_rsa_open: no key matches proto=rsa service=tls role=client

The same error occurs when I try to connect to gemini using a client:

tlssrv:  tls reports failed: factotum_rsa_open: no key matches proto=rsa service=tls role=client

Trying to add the keys to factotum using this:

cat /sys/lib/tls/acmed/iban@mydomain.com.key >/mnt/factotum/ctl

cat /sys/lib/tls/acmed/mydomain.com.key >/mnt/factotum/ctl

I'm still wondering if factotum is aware of these keys... anyway I checked if the factotum process is running:

cpu% pstree | grep -i factotum

130         ├factotum

408         │└factotum

4986        ├factotum

5119        │└factotum

11793       │└grep -i factotum

But I still got the same error from factotum when I try to use the certificates using tlssrv :-(

What I'm missing? How to debug the problem?

Any help very appreciated :)

Many thanks in advance.

Iban.

9fans / 9fans / see discussions + participants + delivery options Permalink