From: cinap_lenrek@felloff.net
To: 9front@9front.org
Date: Mon, 25 Oct 2021 01:45:03 +0200
Subject: [9front] acmed bug fixes and external challenge script

ok, got my hands dirty with honest acmed.

dns challenge was not working for me because apparently they require a new cca record for the domain in question. i've just pushed a fix for ndb/dns so you can specify one in ndb like:

	cca=letsencrypt.org

the tag= and flags= attributes are optional and default to tag="issue" and flags=0.

next problem is the bullshit with having to pass a domain manually to achmed when using dns method. this is unnecessary as the csr already contains the domains and the protocol gives you which domain (identifier) a challenge is for. we just have to use the information (and verify it is actually listed in the csr as you can't trust the honest acme server).

and last, my setup is a bit more complicated and just refreshing /net/dns is not the right thing for me, so i need a bit of a script that helps with this.
so acmed now allows you to use a script command passed with the -e flag which it runs passing four arguments:

- challenge type
- identifier (domain)
- token
- auth response

with that, i can do the appropriate thing depending on challenge type and domain.

the rest is just fixing error paths and file descriptor leaks.

patch: http://okturing.com/src/12325/body

-- 
cinap
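An added example (not part of the mail or the acmed patch) of an external challenge script following the four-argument convention described above. It is written in POSIX sh rather than Plan 9 rc so it runs outside 9front; the web root, record file and the list of domains we manage are assumptions, and the dns-01 branch only writes a line in the style of an ndb txt record, it does not itself refresh /net/dns.

```sh
#!/bin/sh
# Hook invoked as: script <challenge type> <identifier> <token> <auth response>
# Only http-01 and dns-01 are handled; everything else is refused.
# All paths below are assumed defaults, override them via the environment.
WEBROOT="${WEBROOT:-/tmp/acme-webroot}"     # assumed http-01 document root
ZONEFILE="${ZONEFILE:-/tmp/acme-zone}"      # assumed file collecting TXT records
ALLOWED="${ALLOWED:-example.org www.example.org}"   # domains this host manages

# Refuse identifiers we do not manage: the mail's point is that the ACME
# server is not to be trusted, so the server must not be able to make this
# script publish records or files for arbitrary names.
allowed_domain() {
    for d in $ALLOWED; do
        [ "$1" = "$d" ] && return 0
    done
    return 1
}

handle_challenge() {
    ctype=$1 ident=$2 token=$3 resp=$4
    allowed_domain "$ident" || { echo "refusing identifier $ident" >&2; return 1; }
    # The token becomes part of a file name, so only allow the base64url
    # alphabet; this blocks '../' and anything else path-like.
    case "$token" in
        ""|*[!A-Za-z0-9_-]*) echo "refusing token" >&2; return 1 ;;
    esac
    case "$ctype" in
    http-01)
        # Serve the auth response at the well-known path for this token.
        mkdir -p "$WEBROOT/.well-known/acme-challenge"
        printf '%s' "$resp" > "$WEBROOT/.well-known/acme-challenge/$token"
        ;;
    dns-01)
        # Publish the auth response under _acme-challenge.<identifier>;
        # on 9front this line would go into ndb followed by a dns refresh.
        printf 'dom=_acme-challenge.%s txt="%s"\n' "$ident" "$resp" >> "$ZONEFILE"
        ;;
    *)
        echo "unsupported challenge type $ctype" >&2; return 1 ;;
    esac
}

if [ $# -eq 4 ]; then
    handle_challenge "$@"
fi
```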