From: ori@eigenstate.org
To: 9front@9front.org
Subject: Re: [9front] wildcard in auth/acmed
Date: Mon, 15 Jan 2024 12:02:39 -0500 [thread overview]
Message-ID: <E8DF00A24335289ECDB5A610ADB1EAA7@eigenstate.org> (raw)
In-Reply-To: <935781D6F8971CD305A289DD1822281C@driusan.net>
I'm confused about why a hybrid challenge type is needed; my
read of the RFC is that we should be using DNS challenges if
there's a wildcard domain name. To my knowlege, wildcards
should already work (though I haven't tested in a while).
As a side note, you can create one cert that covers multiple
domains. For example:
auth/rsa2csr 'CN=foo.example.com,bar.example.com,test.ai' $key>$csr
should work just fine for any of those domains. It doesn't
even need to be the same 'base' URL; This is how we get a
valid cert on both https://shithub.us and
https://only9fans.com; both domains serve the came cert,
with CN=shithub.us,only9fans.com
Quoth Dave MacFarlane <driusan@driusan.net>:
> I was trying to use a Let's Encrypt certificate to host a subdomain,
> and the only way I could figure out how to do that was a wildcard certificate
> because !/bin/service/tcp443 takes the certificate as an argument before
> rc-httpd knows what domain it's for.
>
> A wildcard certificate for *.example.com doesn't cover example.com
> with no prefix, so I had to add it as a subject alternative name, but Let's Encrypt
> seems to ignore the -t dns and send an http-01 challenge for the non-wildcard
> portion and a dns-01 challenge for the wildcard.
>
> I added a "hybrid" type to auth/acmed which determines whether to use dnschallenge
> or httpchallenge based on the challenge, but isn't compatible with -o since dnschallenge
> and httpchallenge need different formats.
>
> With this, I was able to register a certificate request I created by:
>
> auth/rsa2csr 'CN=*.example.com,example.com' $certkey>$csr
> auth/acmed -t hybrid $username $acmeuser $csr >$crt
>
> diff 9c2e8e2b13b0d01b7adf88b61af6edfbddd872c1 uncommitted
> --- a/sys/src/cmd/auth/acmed.c
> +++ b/sys/src/cmd/auth/acmed.c
> @@ -633,6 +633,18 @@
> }
>
> static int
> +hybridchallenge(char *ty, char *dom, char *tok, int *matched)
> +{
> + if (strcmp(ty, "http-01") == 0){
> + challengeout = "/usr/web/.well-known/acme-challenge";
> + return httpchallenge(ty, dom, tok, matched);
> + } else if (strcmp(ty, "dns-01") == 0){
> + challengeout = "/lib/ndb/dnschallenge";
> + return dnschallenge(ty, dom, tok, matched);
> + }
> + return -1;
> +}
> +static int
> dochallenges(char *dom[], int ndom, JSON *order)
> {
> JSON *chals, *j, *cl, *id, *wc;
> @@ -910,7 +922,13 @@
> }else if(strcmp(ct, "dns") == 0){
> challengeout = (co != nil) ? co : "/lib/ndb/dnschallenge";
> challengefn = dnschallenge;
> - }else {
> + }else if (strcmp(ct, "hybrid") == 0){
> + if (co != nil) {
> + sysfatal("-o not compatible with hybrid challenge");
> + }
> + challengefn = hybridchallenge;
> +
> + } else {
> sysfatal("unknown challenge type '%s'", ct);
> }
next prev parent reply other threads:[~2024-01-15 17:04 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-01-15 14:36 Dave MacFarlane
2024-01-15 17:02 ` ori [this message]
2024-01-15 17:20 ` Dave MacFarlane
[not found] <2CEDDEA2213DC4D744EAF757A28E45EC@driusan.net>
2024-01-15 17:38 ` ori
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=E8DF00A24335289ECDB5A610ADB1EAA7@eigenstate.org \
--to=ori@eigenstate.org \
--cc=9front@9front.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).