9fans - fans of the OS Plan 9 from Bell Labs
 help / color / mirror / Atom feed
From: igor@9lab.org
To: 9fans@9fans.net
Cc: igor@9lab.org
Subject: Re: [9fans] problem with factotum
Date: Wed, 13 Sep 2023 21:17:57 +0200	[thread overview]
Message-ID: <4663D4643733A59E1A6CCF760BE268A3@9lab.org> (raw)
In-Reply-To: <16946300170.afaf613.904485@composer.9fans.topicbox.com>

A working setup with tlssrv(8) and acmed(8) is documented here:

• https://9lab.org/plan9/web-server-with-go-based-static-site-generator-hugo/#https-port-443

A comparison of those steps with your steps below might reveal
the issue.

Quoth Iban Nieto <iban.nieto@gmail.com>:
> Hello!
> I'm trying to serve https (443) and gemini (1965) under 9front.
> I've already a working rc-httpd (80) setup and now I would like to start using letsencrypt certificates.
> Also rc-gemd (gemini server) needs a certificate in order to work.
> I manage to get the certificate with acmed using the following procedure:
> ramfs -p
> cd /tmp
> auth/rsagen -t 'service=acme role=sign hash=sha256 acct=iban@mydomain.com' >iban@mydomain.com.key
> auth/rsa2jwk iban@mydomain.com.key >/sys/lib/tls/acmed/iban@mydomain.com.pub
> cat iban@mydomain.com.key >/mnt/factotum/ctl
> auth/rsagen -t 'service=tls role=client owner=*' >mydomain.com.key
> chmod 600 iban@mydomain.com.key mydomain.com.key
> cp iban@mydomain.com.key mydomain.com.key /sys/lib/tls/acmed/
> auth/rsa2csr 'CN=mydomain.com' /sys/lib/tls/acmed/mydomain.com.key >/sys/lib/tls/acmed/mydomain.com.csr
> webfs
> auth/acmed -t http -o /sys/www/mydomain.com/.well-known/acme-challenge iban@mydomain.com /sys/lib/tls/acmed/mydomain.com.csr >/sys/lib/tls/acmed/mydomain.com.crt
> I think acmed do the job because the certificate is generated and stored in the proper location.
> DNS is in place and working fine, the dir /sys/www/mydomain.com/.well-known/acme-challenge is already in place as is served by rc-httpd.
> This a (trimmed) decode of the certificate:
> auth/pemdecode 'CERTIFICATE' /sys/lib/tls/acmed/mydomain.com.crt | auth/x5092pub
> key proto=rsa size=2048 ek=10001 n=1E71BLABLABLABLABAE0CA13254122D600BLABLABLABD4D89D18EB7D7E0BLABLABLABLAC69 subject=mydomain.com
> Then I try to serve https with:
> aux/listen1 tcp!*!443 tlssrv -c /sys/lib/tls/acmed/mydomain.com.crt /rc/bin/rc-httpd/rc-httpd
> And rc-gemd with:
> aux/listen1 tcp!*!1965 tlssrv -c /sys/lib/tls/acmed/mydomain.com.crt /rc/bin/rc-gemd/rc-gemd
> Problem is when I try to connect to https://mydomain.com I got this from the server side:
> tlssrv:  tls reports failed: factotum_rsa_open: no key matches proto=rsa service=tls role=client
> The same error occurs when I try to connect to gemini using a client:
> tlssrv:  tls reports failed: factotum_rsa_open: no key matches proto=rsa service=tls role=client
> Trying to add the keys to factotum using this:
> cat /sys/lib/tls/acmed/iban@mydomain.com.key >/mnt/factotum/ctl
> cat /sys/lib/tls/acmed/mydomain.com.key >/mnt/factotum/ctl
> I'm still wondering if factotum is aware of these keys... anyway I checked if the factotum process is running:
> cpu% pstree | grep -i factotum
> 130         ├factotum
> 408         │└factotum
> 4986        ├factotum
> 5119        │└factotum
> 11793       │└grep -i factotum
> But I still got the same error from factotum when I try to use the certificates using tlssrv :-(
> What I'm missing? How to debug the problem?
> Any help very appreciated :)
> Many thanks in advance.
> Iban.

9fans: 9fans
Permalink: https://9fans.topicbox.com/groups/9fans/Te82df98419e38504-M8e647fed602d71bb73a3cfb7
Delivery options: https://9fans.topicbox.com/groups/9fans/subscription

  reply	other threads:[~2023-09-13 19:18 UTC|newest]

Thread overview: 6+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2023-09-13 18:33 Iban Nieto
2023-09-13 19:17 ` igor [this message]
2023-09-13 21:54 ` Skip Tavakkolian
2023-09-14 16:49   ` Iban Nieto
2023-09-14 20:51     ` ori
2023-09-29  8:02       ` Iban Nieto

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=4663D4643733A59E1A6CCF760BE268A3@9lab.org \
    --to=igor@9lab.org \
    --cc=9fans@9fans.net \


* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).