On 13 December 2016 at 00:12, Adrian Tritschler <[email protected]> wrote:

> Matthieu,
>
> Aargh!  Thank you.  The glory of a second set of eyes.  Perhaps the config
> parser needs to spit out "unrecognised option ..."
>
> So to use letsencrypt it looks as though I'll need to use port 443, which
> requires running camlistore as root (cf port 3179 and running it as an
> ordinary account).  It also surprised me as I'm doing this remotely at the
> moment and I didn't think I had 443 redirected from my ADSL box back to the
> linux system.
>

No. I have to look at some details of autocert again to remember how it
works, but camlistored itself does not have to listen on 443, and it
certainly does not have to run as root. But yes, I think you do need the
port to be NATed properly.

> All fixed now, or at least understood.
>
>   Adrian
>
> On Tuesday, 13 December 2016 09:56:33 UTC+11, mpl wrote:
>>
>> you have a typo in the config, s/httpCert/httpsCert/ :-)
>>
>>
>> On 12 December 2016 at 23:54, Adrian Tritschler <[email protected]>
>> wrote:
>>
>>> Matthieu,
>>>
>>> Yes, I seem to be getting those errors when trying to use a self-signed
>>> certificate.
>>>
>>> I've just regenerated the self-signed cert because the previous one had
>>> expired (possibly adding to my confusion).
>>>
>>> The config file holds:
>>>
>>>         "baseURL": "https://millpond.dyndns.org:3179/",
>>>         "listen": ":3179",
>>>         "https": true,
>>>         "httpCert": "/home/ajft/.config/camlistore/cert.crt",
>>>         "httpKey": "/home/ajft/.config/camlistore/cert.key",
>>>
>>> The console log shows:
>>>
>>> 2016/12/13 09:37:52 Starting camlistored version 2016-12-09-bace8b0; Go
>>> go1.7.3 (linux/amd64)
>>> 2016/12/13 09:37:52 TLS enabled, with Let's Encrypt
>>> 2016/12/13 09:37:52 Starting to listen on https://localhost:3179
>>>  :
>>> 2016/12/13 09:37:52 Available on https://millpond.dyndns.org:3179/ui/
>>>
>>> Then attempting to connect from a browser gets me the "acme: identifier
>>> authorization failed"
>>>
>>> Confirmed.  Just ran the binary from camlistore-0.9 with the self-signed
>>> cert config and it works correctly
>>>
>>>   Adrian
>>>
>>> On Tuesday, 13 December 2016 09:09:58 UTC+11, mpl wrote:
>>>>
>>>> I was about to say that, while we figure this out, you should be able
>>>> to go back to self-signed certs anyway. Then I've reread your message and
>>>> realized that you seem to have that at the beginning anyway, so that would
>>>> be a bug too.
>>>> Do you confirm that you had some existing cert and key specified in
>>>> your high-level config file, and that you were already getting the "acme:
>>>> identifier authorization failed" message?
>>>>
>>>>
>>>> On 12 December 2016 at 23:02, Adrian Tritschler <[email protected]>
>>>> wrote:
>>>>
>>>>>
>>>>> My config file already has (and has had for months):
>>>>>
>>>>>  "baseURL": "https://millpond.dyndns.org:3179",
>>>>>  "listen": ":3179",
>>>>>
>>>>> Which produces log messages:
>>>>>
>>>>> 2016/12/13 08:54:32 TLS enabled, with Let's Encrypt
>>>>> 2016/12/13 08:54:32 Starting to listen on https://localhost:3179
>>>>>  :
>>>>> 2016/12/13 08:54:32 Available on https://millpond.dyndns.org:3179/ui/
>>>>>
>>>>> Then the following error when I try and connect
>>>>> 2016/12/13 08:54:45 http: TLS handshake error from
>>>>> xxx.xxx.xxx.xxx:62004: acme: identifier authorization failed
>>>>>
>>>>> I've just tried with both
>>>>>  "baseURL": "https://millpond.dyndns.org:3179",
>>>>>  "listen": ":3179",
>>>>>
>>>>> and
>>>>>  "baseURL": "https://millpond.dyndns.org:3179/",
>>>>>  "listen": ":3179",
>>>>>
>>>>> With the same errors
>>>>>
>>>>>   Adrian
>>>>>
>>>>> On Tuesday, 13 December 2016 01:53:50 UTC+11, mpl wrote:
>>>>>>
>>>>>> yeah, I should document that part better, sorry about that.
>>>>>>
>>>>>> camlistored should be able to figure out the fqdn that it will use
>>>>>> for Let's Encrypt from either the "listen" config field, or the "baseURL"
>>>>>> one. So, could you please try with:
>>>>>> "baseURL": "https://millpond.dyndns.org:3179/"
>>>>>>  in your config file?
>>>>>>
>>>>>>
>>>>>>
>>>>>> On 12 December 2016 at 05:02, Adrian Tritschler <
>>>>>> [email protected]> wrote:
>>>>>>
>>>>>>> I've been running a current build of camlistore on my home linux PC,
>>>>>>> and accessing it remotely via a hostname configured in dynDns, this has
>>>>>>> been working for some months using a self-signed certificate.
>>>>>>>
>>>>>>> Sometime in the last few days I've restarted the PC due to kernel
>>>>>>> updates etc, and now I'm having ssl problems.
>>>>>>>
>>>>>>> With the references to my old self-signed cert. it won't run any
>>>>>>> more, I get various errors depending on which browser I use:
>>>>>>>
>>>>>>> 2016/12/12 14:54:28 http: TLS handshake error from
>>>>>>> 130.194.109.243:51940: acme: identifier authorization failed
>>>>>>>
>>>>>>> Removing the "httpCert" and "httpKey" entries in my config file and
>>>>>>> restarting camlistored I get:
>>>>>>>
>>>>>>> 2016/12/12 14:41:45 Starting camlistored version 2016-12-09-bace8b0;
>>>>>>> Go go1.7.3 (linux/amd64)
>>>>>>> 2016/12/12 14:41:45 TLS enabled, with Let's Encrypt
>>>>>>> 2016/12/12 14:41:45 Starting to listen on https://localhost:3179
>>>>>>>  :
>>>>>>> 2016/12/12 14:41:45 ui: serving Closure from embedded resources
>>>>>>> 2016/12/12 14:41:45 Available on https://millpond.dyndns.org:3179/ui/
>>>>>>>
>>>>>>> But attempting to connect from an external web client I get errors
>>>>>>> in the browser and on the camlistore console, once again:
>>>>>>>
>>>>>>> 2016/12/12 14:45:40 http: TLS handshake error from
>>>>>>> XXX.XXX.XXX.XXX:51761: acme: identifier authorization failed
>>>>>>>
>>>>>>> I suspect that somewhere I've missed a step where I tell the config.
>>>>>>> that the fqdn is millpond.dyndns.org, but I can't work out where.
>>>>>>>
>>>>>>>   Adrian
>>>>>>>
>>>>>>> --
>>>>>>> You received this message because you are subscribed to the Google
>>>>>>> Groups "Camlistore" group.
>>>>>>> To unsubscribe from this group and stop receiving emails from it,
>>>>>>> send an email to [email protected].
>>>>>>> For more options, visit https://groups.google.com/d/optout.
>>>>>>>
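The thread turns on a misspelled TLS option ("httpCert" for "httpsCert") that was silently ignored, so the server started in Let's Encrypt mode instead of using the configured certificate. The following is an added example, not Camlistore's code, of the "unrecognised option" check suggested at the top of the thread. The option list and the names `known`, `near` and `CheckConfig` are assumptions made for this sketch.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// Assumed option names, taken from this thread; not Camlistore's own list.
var known = []string{"baseURL", "listen", "https", "httpsCert", "httpsKey"}

// Constructed sample: config lines quoted in the thread, wrapped in braces.
const sample = `{"listen": ":3179", "https": true, "httpCert": "/home/ajft/.config/camlistore/cert.crt",
  "httpKey": "/home/ajft/.config/camlistore/cert.key"}`

// near reports whether a is b with exactly one byte removed.
func near(a, b string) bool {
	for i := 0; len(b) == len(a)+1 && i < len(b); i++ {
		if b[:i]+b[i+1:] == a {
			return true
		}
	}
	return false
}

// CheckConfig returns a sorted message for each unknown top-level key,
// suggesting a known option when the key is one dropped or extra byte away.
func CheckConfig(raw []byte) ([]string, error) {
	var obj map[string]json.RawMessage
	err := json.Unmarshal(raw, &obj) // on a syntax error obj stays empty
	var msgs []string
next:
	for k := range obj {
		msg := fmt.Sprintf("unrecognised option %q", k)
		for _, name := range known {
			if k == name {
				continue next
			}
			if near(k, name) || near(name, k) {
				msg += fmt.Sprintf(" (did you mean %q?)", name)
			}
		}
		msgs = append(msgs, msg)
	}
	sort.Strings(msgs)
	return msgs, err
}

func main() {
	fmt.Println(CheckConfig([]byte(sample)))
}
```

Failing startup on any message returned here keeps a typo in a certificate option from silently changing which TLS mode the server runs in.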