From: ori@eigenstate.org
To: 9front@9front.org
Date: Sun, 24 Oct 2021 23:14:21 -0400
Subject: Re: [9front] acmed bug fixes and external challenge script
Message-ID: <5E2BCD03A6BFAC68F5CDF6BEA1DECB19@eigenstate.org>

Quoth cinap_lenrek@felloff.net:
> ok, got my hands dirty with honest acmed.
>
> dnschallenge was not working for me because apparently
> they require a new cca record for the domain in question.
>
> i've just pushed a fix for ndb/dns so you can specify
> one in ndb like:
>
> cca=letsencrypt.org
>
> the tag= and flags= attributes are optional and
> default to tag="issue" and flags=0.
>
> next problem is the bullshit with having to pass a domain
> manually to achmed when using dns method. this is unnecessary
> as the csr already contains the domains and the protocol
> gives you which domain (identifier) a challenge is for.
>
> we just have to use the information (and verify it is
> actually listed in the csr as you can't trust the honest
> acme server).
>
> and last, my setup is a bit more complicated and just
> refreshing /net/dns is not the right thing for me,
> so i need a bit of a script that helps with this.
>
> so acmed now allows to use a script command passed
> with the -e flag which it runs passing four arguments:
>
> - challenge type
> - identifier (domain)
> - token
> - auth response
>
> with that, i can do the appropriate thing depending
> on challenge type and domain.
>
> the rest is just fixing error paths and file descriptor
> leaks.
>
> patch: http://okturing.com/src/12325/body

looks great, thanks!
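An illustration of the four-argument -e hook interface described in the quoted message, written as a POSIX sh script standing in for the rc script a 9front setup would actually use; this is an added example, not code from acmed or from the patch linked above. It assumes the challenge types are spelled "http-01" and "dns-01" and that the auth response argument is the exact value to publish; the allowed-domain list, web root and ndb file path are made-up defaults.

```shell
#!/bin/sh
# Constructed acmed -e hook (not acmed's own code). acmed runs it as:
#   hook <challenge-type> <identifier> <token> <auth-response>
# Assumptions: types are "http-01"/"dns-01"; auth-response is the
# ready-to-publish value (file body for http-01, TXT data for dns-01).

# Only answer for names this host is meant to hold. The thread's point
# that the ACME server cannot be trusted applies here too: an identifier
# that is not on the list is refused rather than acted on.
ALLOWED_DOMAINS="${ALLOWED_DOMAINS:-example.org www.example.org}"
WEBROOT="${WEBROOT:-/usr/web}"          # made-up default
DNSFILE="${DNSFILE:-/lib/ndb/acme}"     # made-up default

allowed() {
	for d in $ALLOWED_DOMAINS; do
		[ "$1" = "$d" ] && return 0
	done
	return 1
}

# identifier, token and response arrive from the network; reject anything
# that could leave the challenge directory or add extra ndb lines.
sane() {
	case "$1" in
		''|*/*|*..*|*[!A-Za-z0-9._-]*) return 1 ;;
	esac
	return 0
}

acme_hook() {
	ctype="$1"; ident="$2"; token="$3"; resp="$4"
	allowed "$ident" || { echo "refusing unexpected identifier $ident" >&2; return 1; }
	sane "$ident" && sane "$token" && sane "$resp" || { echo "bad argument" >&2; return 1; }
	case "$ctype" in
	http-01)
		dir="$WEBROOT/.well-known/acme-challenge"
		mkdir -p "$dir"
		printf '%s' "$resp" > "$dir/$token"
		;;
	dns-01)
		# one ndb-style line per challenge; a real setup then reloads
		# its dns server, which is the part the author scripts himself
		printf 'dom=_acme-challenge.%s txt=%s\n' "$ident" "$resp" >> "$DNSFILE"
		;;
	*)
		echo "unsupported challenge type $ctype" >&2
		return 1
		;;
	esac
}
```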