Cool, I'm glad it's working for you.

What do you think about the CL though? Does it make things easier/clearer?

It might be possible to make things work with Caddy listening on https
and camlistored behind doing only http, but I feel that's asking for
trouble. And I don't think that's a priority, so until someone
convinces me their setup requires them to do that, I'm probably not
gonna think about it.


On 30 May 2016 at 21:26, Gulácsi Tamás <[email protected]> wrote:
> Hmm.. I've never thought about it before, but symlinking the .caddy/sites/camli.gthomas.eu/*.{key,crt} to their tls.{key,crt} pairs just works!
>
> TL;DR: now it works, if I allow everything to use HTTPS with the correct letsencrypt certificates.
>
>
> But publisher says
>
> PUBLISHER: 2016/05/30 20:56:16 Starting publisher version 2016-05-29-7b9b9d5; Go go1.6.2 (linux/amd64)
> 2016/05/30 20:56:16 Starting regular periodic import for picasa importer account, sha1-d9452176e1f13387052dc5951ad80a3776901a93
> PUBLISHER: 2016/05/30 20:56:16 Starting to listen on https://127.0.0.1:41599
> 2016/05/30 20:56:16 Available on https://camli.gthomas.eu/ui/
> 2016/05/30 20:56:16 http: TLS handshake error from 127.0.0.1:46730: EOF
>
> Either with tip or with cl-6646. Maybe Camlistore proxies for the publisher
> app, but that app serves an unknown cert?
>
>
> gthomas@tequila:~$ curl -k -v https://localhost:41613
> * Rebuilt URL to: https://localhost:41613/
> *   Trying ::1...
> * connect to ::1 port 41613 failed: Connection refused
> *   Trying 127.0.0.1...
> * Connected to localhost (127.0.0.1) port 41613 (#0)
> * found 175 certificates in /etc/ssl/certs/ca-certificates.crt
> * found 800 certificates in /etc/ssl/certs
> * ALPN, offering h2
> * ALPN, offering http/1.1
> * SSL connection using TLS1.2 / ECDHE_RSA_AES_256_GCM_SHA384
> *        server certificate verification SKIPPED
> *        server certificate status verification SKIPPED
> *        common name: camli.gthomas.eu (does not match 'localhost')
> *        server certificate expiration date FAILED
> *        server certificate activation date OK
> *        certificate public key: RSA
> *        certificate version: #3
> *        subject: CN=camli.gthomas.eu
> *        start date: Sat, 05 Dec 2015 19:32:00 GMT
> *        expire date: Fri, 04 Mar 2016 19:32:00 GMT
> *        issuer: C=US,O=Let's Encrypt,CN=Let's Encrypt Authority X1
> *        compression: NULL
> * ALPN, server accepted to use h2
> * Using HTTP2, server supports multi-use
> * Connection state changed (HTTP/2 confirmed)
> * TCP_NODELAY set
> * Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
> * Using Stream ID: 1 (easy handle 0x55b937028700)
>> GET / HTTP/1.1
>> Host: localhost:41613
>> User-Agent: curl/7.47.0
>> Accept: */*
>>
> * Connection state changed (MAX_CONCURRENT_STREAMS updated)!
> < HTTP/2.0 200
> < content-type:text/html; charset=utf-8
> < date:Mon, 30 May 2016 19:12:14 GMT
> <
>
> This is where I learnt that I need to use the proper letsencrypt certs: as caddy is running as www-data, they're under that user's home, /var/www.
>
> After fixing the permissions, everything works, both with cl-6646 and tip!
>
> Thanks Mathieu!
>
>
>
> Mathieu Lonjaret <[email protected]> wrote (on 30 May 2016, Mon, 19:39):
>>
>> It looks like your camlistored is not using your let's encrypt cert,
>> but an auto-gen one instead, isn't it? If you don't specify the cert
>> to use with httpsCert and httpsKey in the server config, it will use
>> the ones found at .config/camlistore/tls.[crt|key]. So I think you
>> need to fix that first.
>>
>> Then, to answer your question about the config, I've just tried with a
>> config like that:
>>
>> {
>>   "auth": "userpass:foo:bar",
>>   "listen": ":3179",
>>   "baseURL": "https://camli.gthomas.eu:3179",
>>   "https": true,
>>   "identity": "BF117793",
>>   "identitySecretRing": "/home/mpl/.config/camlistore/identity-secring.gpg",
>>   "blobPath": "/home/mpl/var/camlistore/blobs",
>>   "packRelated": true,
>>   "levelDB": "/home/mpl/var/camlistore/index.leveldb",
>>   "publish": {
>>     "/pics/": {
>>       "camliRoot": "picsRoot",
>>       "goTemplate": "gallery.html"
>>     }
>>   },
>>   "dbNames": null
>> }
>>
>> and it looks like everything is working for me. Except I'm not hitting
>> a Caddy front-end first of course. I can try to setup an equivalent
>> proxy if you think the Caddy part is still making a difference.
>>
>>
>>
>> On 27 May 2016 at 20:53, Gulácsi Tamás <[email protected]> wrote:
>> > It's been Caddy, as at that time only she offered no fuss automatic Let's Encrypt certs.
>> > I see now camlistored supports it, too.
>> > I've transformed my config to:
>> > Caddy listens on https://camli.gthomas.eu, forwards the connection to https://127.0.0.1:3179, where camlistored listens.
>> >
>> > But I get
>> > PUBLISHER: 2016/05/27 20:51:26 Starting publisher version 2016-05-23-8d4f18e; Go go1.6.2 (linux/amd64)
>> > PUBLISHER: 2016/05/27 20:51:26 Starting to listen on https://127.0.0.1:33699
>> > 2016/05/27 20:51:26 Available on https://camli.gthomas.eu/ui/
>> > 2016/05/27 20:51:26 http: TLS handshake error from 127.0.0.1:50550: EOF
>> > 2016/05/27 20:51:30 http: proxy error: x509: certificate signed by unknown authority
>> > 2016/05/27 20:51:30 http: TLS handshake error from 127.0.0.1:50556: remote error: bad certificate
>> >
>> > even with 6646/2.
>> >
>> > What kind of config works?
>> >
>> >
>> > Mathieu Lonjaret <[email protected]> wrote (on 27 May 2016, Fri, 15:47):
>> >>
>> >> I've been making changes so that the app should work by itself (i.e.
>> >> when getting requests directly, not proxied through camlistored), but
>> >> let's stay with the usual case for now, i.e. camlistored gets the
>> >> requests and its app handler proxies them to the publisher. So yes,
>> >> let's keep your Caddy proxying as it is.
>> >>
>> >> Next question: if Caddy is listening on TLS, why aren't you doing the
>> >> same thing for camlistored? Why do you want unencrypted traffic
>> >> between Caddy and Camlistore?
>> >>
>> >> On 27 May 2016 at 15:30, Gulácsi Tamás <[email protected]> wrote:
>> >> > Yes.
>> >> > Caddy is listening on 0.0.0.0:443, forwarding anything for https://camli.gthomas.eu:443/ to http://localhost:3179.
>> >> > So Camlistored is listening on http://127.0.0.1:3179.
>> >> >
>> >> > I can make Caddy proxy https://camli.gthomas.eu/pics/ to somewhere else, but now it goes to camlistored, without modification.
>> >> >
>> >> > Mathieu Lonjaret <[email protected]> wrote (on 27 May 2016, Fri, 15:09):
>> >> >>
>> >> >> Alright, so let's discuss your setup so I can try to reproduce it
>> >> >> please.
>> >> >>
>> >> >> Is Caddy the software facing the outside world? And it is listening on https://camli.gthomas.eu:443 ?
>> >> >> And do I understand correctly that the end goal for you is to have the publisher displayed when someone hits https://camli.gthomas.eu/pics/ ?
>> >> >> How do you make Caddy proxy the relevant requests to your Camlistore instance?
>> >> >>
>> >> >>
>> >> >> On 25 May 2016 at 01:46, Mathieu Lonjaret <[email protected]> wrote:
>> >> >> > Hey Tamás,
>> >> >> >
>> >> >> > Could you please let me know if https://camlistore-review.googlesource.com/6646 makes it easier for you to run the publisher with your setup?
>> >> >> > Note that in the high-level config for the publisher, baseURL is now backendURL, and that you can now specify "listen" too.
>> >> >> >
>> >> >> > thanks,
>> >> >> > Mathieu
>> >> >> >
>> >> >> >
>> >> >> > On 13 May 2016 at 13:21, Gulácsi Tamás <[email protected]> wrote:
>> >> >> >> Thanks!
>> >> >> >> Changed.
>> >> >> >>
>> >> >> >> Adrian Tritschler <[email protected]> wrote (on 13 May 2016, Fri, 13:15):
>> >> >> >>>
>> >> >> >>> I'm not sure if you intended it, but you've posted the URL, login and password of your camlistore. You may wish to change the password.
>> >> >> >>>
>> >> >> >>>   Adrian
>> >> >> >>>
>> >> >> >>>
>> >> >> >>> On Monday, 9 May 2016 15:12:50 UTC+10, Tamás Gulácsi wrote:
>> >> >> >>>>
>> >> >> >>>> This is what I got in camlistored log for
>> >> >> >>>>
>> >> >> >>>> gthomas@tequila:~$ cat .config/camlistore/server-config.json
>> >> >> >>>> {
>> >> >> >>>>   "listen": "0.0.0.0:3179",
>> >> >> >>>>   "baseURL": "https://camli.gthomas.eu",
>> >> >> >>>>   "shareHandler": true,
>> >> >> >>>>   "https": false,
>> >> >> >>>>   "httpsCert": "/home/gthomas/.config/camlistore/camli.gthomas.eu.crt",
>> >> >> >>>>   "httpsKey": "/home/gthomas/.config/camlistore/camli.gthomas.eu.key",
>> >> >> >>>>   "auth": "userpass:gthomas:majdhafagy:+localhost",
>> >> >> >>>>   "identity": "974EA38B",
>> >> >> >>>>   "identitySecretRing": "/home/gthomas/.config/camlistore/identity-secring.gpg",
>> >> >> >>>>   "levelDB": "/home/gthomas/var/camlistore/camli-index.leveldb",
>> >> >> >>>>   "blobPath": "/home/gthomas/var/camlistore/packs",
>> >> >> >>>>   "packBlobs": true,
>> >> >> >>>>   "runIndex": true,
>> >> >> >>>>   "copyIndexToMemory": true,
>> >> >> >>>>   "mysql": "",
>> >> >> >>>>   "mongo": "",
>> >> >> >>>>   "postgres": "",
>> >> >> >>>>   "sqlite": "",
>> >> >> >>>>   "s3": "",
>> >> >> >>>>   "replicateTo": [],
>> >> >> >>>>   "publish": {
>> >> >> >>>>     "/pics/": {
>> >> >> >>>>       "camliRoot": "pics",
>> >> >> >>>>       "cacheRoot": "/home/gthomas/var/camlistore/blobs/cache",
>> >> >> >>>>       "goTemplate": "gallery.html"
>> >> >> >>>>     }
>> >> >> >>>>   }
>> >> >> >>>> }
>> >> >> >>>>
>> >> >> >>>> gthomas@tequila:~$ camget sha1-de682600ddf64620b322971c94e7911bebe4865b
>> >> >> >>>> {"camliVersion": 1,
>> >> >> >>>>   "camliSigner": "sha1-01c5e458c48552abac802d4f8b52b093efbb2caa",
>> >> >> >>>>   "camliType": "permanode",
>> >> >> >>>>   "key": "pics"
>> >> >> >>>>
>> >> >> >>>>
>> >> >> >>>>
>> >> >> >>>>
>> >> >> >>>> ,"camliSig":"wsBcBAABCAAQBQJXE4QgCRAdaMP0l06jiwAAG0gIAIZlrpoWvCFnjptlprCE2QnlTma+R63G/2PLKlY5oZPC7p/yBQp+6ESBN5le3ohhDvp1TMWcuq1bFDushTYqdqparu6ZFGgf0NKKXaO47PYbPdDDUJcuZQ3dsCWguXcbT0Vaik297sQirakGUZ+TRisveqiWdswAx3OYFq1YpxQG542uF70RK6lHPO3si4mf5l30A6KNNc28W0/lHfSHteKNZxn1sFXw2nbRPF6JdXXq8YXXt28mOetcqXj9XhBfZbP0zrMEZ2NPOljIzaUSGCmAb2Xu/oTix5w7j/Zg7C+dBJ9JElXGfmYoTZcMpjw4UqS6CGhdjHVcgB6nX5elKJE==4waQ"}
>> >> >> >>>>
>> >> >> >>>> I get the same error if I change the "camliRoot" to "sha1-de682600ddf64620b322971c94e7911bebe4865b", so now I don't know what to do.
>> >> >> >>>>
>> >> >> >>>>
>> >> >> >>>> What kind of permanode does publish need for its root?
>> >> >> >>>> Why is that "mypics" (the key) in the example config?
>> >> >> >>>> Why doesn't this work?
>> >> >> >>>>
>> >> >> >>>> Thanks,
>> >> >> >>>> Tamás Gulácsi
>> >> >> >>>>
>> >> >> >>> --
>> >> >> >>> You received this message because you are subscribed to a topic in the Google Groups "Camlistore" group.
>> >> >> >>> To unsubscribe from this topic, visit https://groups.google.com/d/topic/camlistore/bQlWEjy0i7o/unsubscribe.
>> >> >> >>> To unsubscribe from this group and all its topics, send an email to [email protected].
>> >> >> >>> For more options, visit https://groups.google.com/d/optout.
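The errors quoted in this thread all come from the proxy-to-backend TLS verification: "x509: certificate signed by unknown authority" on the proxying side, "TLS handshake error ... remote error: bad certificate" on camlistored's side, and the expired, wrongly-named certificate that curl -k reported. The Go program below is an added example, not code from Camlistore, Caddy or anyone in the thread. It generates a throwaway internal CA and two backend certificates in memory, stands up a local TLS backend with httptest, and probes it the way a reverse proxy's client side would: with the issuing CA pinned, with only the system trust store, with the wrong expected hostname, and against an expired certificate. The hostname camli.example.test, the CA name and every key are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net/http"
	"net/http/httptest"
	"time"
)

const backendHost = "camli.example.test" // constructed stand-in for the backend's public hostname

// newCert issues a certificate for cn, self-signed when parent is nil, otherwise signed by parent
// (constructed test material, regenerated on every run; nothing here is a real key or cert).
func newCert(cn string, isCA bool, notBefore, notAfter time.Time, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: notBefore, NotAfter: notAfter, IsCA: isCA, BasicConstraintsValid: true,
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		DNSNames:    []string{cn}, // hostname verification matches SANs, not the CN
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	signer, signerKey := tmpl, key // self-signed unless a parent CA is given
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// startBackend serves an empty 200 over TLS on 127.0.0.1 with the given cert, standing in for camlistored on :3179.
func startBackend(leaf *x509.Certificate, key *ecdsa.PrivateKey) *httptest.Server {
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(200) }))
	srv.TLS = &tls.Config{Certificates: []tls.Certificate{{Certificate: [][]byte{leaf.Raw}, PrivateKey: key}}}
	srv.StartTLS()
	return srv
}

// pinnedTransport is the proxy-side alternative to InsecureSkipVerify: trust only the issuing CA and check the name.
func pinnedTransport(ca *x509.Certificate, serverName string) *http.Transport {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	return &http.Transport{TLSClientConfig: &tls.Config{RootCAs: pool, ServerName: serverName, MinVersion: tls.VersionTLS12}}
}

// probe makes one GET through tr and names the x509 failure, if any, the way a proxy log line would.
func probe(tr *http.Transport, url string) string {
	resp, err := (&http.Client{Transport: tr, Timeout: 5 * time.Second}).Get(url)
	var invalid x509.CertificateInvalidError
	switch {
	case err == nil:
		resp.Body.Close()
		return "ok"
	case errors.As(err, new(x509.UnknownAuthorityError)):
		return "unknown authority"
	case errors.As(err, &invalid) && invalid.Reason == x509.Expired:
		return "expired"
	case errors.As(err, new(x509.HostnameError)):
		return "hostname mismatch"
	}
	return "other: " + err.Error()
}

// CheckBackendTLS probes a local TLS backend under four proxy-side configurations and reports each outcome.
func CheckBackendTLS() map[string]string {
	now := time.Now()
	ca, caKey := newCert("ca.example.test", true, now.Add(-time.Hour), now.Add(24*time.Hour), nil, nil)
	leaf, leafKey := newCert(backendHost, false, now.Add(-time.Hour), now.Add(24*time.Hour), ca, caKey)
	stale, staleKey := newCert(backendHost, false, now.Add(-48*time.Hour), now.Add(-24*time.Hour), ca, caKey)
	good, expired := startBackend(leaf, leafKey), startBackend(stale, staleKey)
	defer func() { good.Close(); expired.Close() }()
	return map[string]string{
		"pinned CA, right name":   probe(pinnedTransport(ca, backendHost), good.URL),
		"system store only":       probe(&http.Transport{TLSClientConfig: &tls.Config{ServerName: backendHost}}, good.URL),
		"pinned CA, wrong name":   probe(pinnedTransport(ca, "localhost"), good.URL),
		"pinned CA, expired cert": probe(pinnedTransport(ca, backendHost), expired.URL),
	}
}
func main() { fmt.Println(CheckBackendTLS()) }
```

Run it with `go run`; only the pinned, correctly-named, unexpired probe reports "ok". For each failing probe the backend logs the same kind of line the thread shows ("http: TLS handshake error from 127.0.0.1:...: remote error: tls: bad certificate"), because the client aborts the handshake when verification fails. The point for a Caddy-in-front-of-camlistored setup is that the proxy hop stays encrypted and verified: give the proxy the CA that issued the backend's certificate (or, with a Let's Encrypt certificate on the backend as in the thread, the default store plus the matching ServerName) rather than disabling verification, and keep the backend's certificate current so that the "expired" case never occurs in production.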