On Tuesday, 13 December 2016 10:29:38 UTC+11, mpl wrote:
>
> On 13 December 2016 at 00:12, Adrian Tritschler <[email protected]> wrote:
>
>> Matthieu,
>>
>> Aargh!  Thank you.  The glory of a second set of eyes.  Perhaps the 
>> config parser needs to spit out "unrecognised option ..."
>>
>> So to use letsencrypt it looks as though I'll need to use port 443, which 
>> requires running camlistore as root (cf port 3179 and running it as an 
>> ordinary account).  It also surprised me as I'm doing this remotely at the 
>> moment and I didn't think I had 443 redirected from my ADSL box back to the 
>> linux system.
>>
>
> No. I have to look at some details of autocert again to remember how it 
> works, but camlistored itself does not have to listen on 443, and it 
> certainly does not have to run as root. But yes, I think you do need the 
> port to be NATed properly.
>


I think I'll have to revisit what I'm running on the box and how the ports and 
NATs are done.  At the moment I've just got a straight NAT from my ADSL box 
of 3179, 443 and 22 to the same ports on the linux box.

thanks for your help, regardless!

  Adrian

 

> All fixed now, or at least understood.
>>
>>   Adrian
>>
>> On Tuesday, 13 December 2016 09:56:33 UTC+11, mpl wrote:
>>>
>>> you have a typo in the config, s/httpCert/httpsCert/ :-)
>>>
>>>
>>> On 12 December 2016 at 23:54, Adrian Tritschler <[email protected]> 
>>> wrote:
>>>
>>>> Matthieu,
>>>>
>>>> Yes, I seem to be getting those errors when trying to use a self-signed 
>>>> certificate.
>>>>
>>>> I've just regenerated the self-signed cert because the previous one had 
>>>> expired (possibly adding to my confusion).
>>>>
>>>> The config file holds:
>>>>
>>>>         "baseURL": "https://millpond.dyndns.org:3179/",
>>>>         "listen": ":3179",
>>>>         "https": true,
>>>>         "httpCert": "/home/ajft/.config/camlistore/cert.crt",
>>>>         "httpKey": "/home/ajft/.config/camlistore/cert.key",
>>>>
>>>> The console log shows:
>>>>
>>>> 2016/12/13 09:37:52 Starting camlistored version 2016-12-09-bace8b0; Go 
>>>> go1.7.3 (linux/amd64)
>>>> 2016/12/13 09:37:52 TLS enabled, with Let's Encrypt
>>>> 2016/12/13 09:37:52 Starting to listen on https://localhost:3179
>>>>  :
>>>> 2016/12/13 09:37:52 Available on https://millpond.dyndns.org:3179/ui/
>>>>
>>>> Then attempting to connect from a browser gets me the "acme: identifier 
>>>> authorization failed"
>>>>
>>>> Confirmed.  Just ran the binary from camlistore-0.9 with the 
>>>> self-signed cert config and it works correctly
>>>>
>>>>   Adrian
>>>>
>>>> On Tuesday, 13 December 2016 09:09:58 UTC+11, mpl wrote:
>>>>>
>>>>> I was about to say that, while we figure this out, you should be able 
>>>>> to go back to self-signed certs anyway. Then I've reread your message 
>>>>> and realized that you seem to have that at the beginning anyway, so 
>>>>> that would be a bug too.
>>>>> Do you confirm that you had some existing cert and key specified in 
>>>>> your high-level config file, and that you were already getting the "acme: 
>>>>> identifier authorization failed" message?
>>>>>
>>>>>
>>>>> On 12 December 2016 at 23:02, Adrian Tritschler <[email protected]> 
>>>>> wrote:
>>>>>
>>>>>>
>>>>>> My config file already has (and has had for months):
>>>>>>
>>>>>>  "baseURL": "https://millpond.dyndns.org:3179",
>>>>>>  "listen": ":3179",
>>>>>>
>>>>>> Which produces log messages:
>>>>>>
>>>>>> 2016/12/13 08:54:32 TLS enabled, with Let's Encrypt 
>>>>>> 2016/12/13 08:54:32 Starting to listen on https://localhost:3179
>>>>>>  :
>>>>>> 2016/12/13 08:54:32 Available on https://millpond.dyndns.org:3179/ui/
>>>>>>
>>>>>> Then the following error when I try and connect
>>>>>> 2016/12/13 08:54:45 http: TLS handshake error from 
>>>>>> xxx.xxx.xxx.xxx:62004: acme: identifier authorization failed
>>>>>>
>>>>>> I've just tried with both
>>>>>>  "baseURL": "https://millpond.dyndns.org:3179",
>>>>>>  "listen": ":3179",
>>>>>>
>>>>>> and
>>>>>>  "baseURL": "https://millpond.dyndns.org:3179/",
>>>>>>  "listen": ":3179",
>>>>>>
>>>>>> With the same errors
>>>>>>
>>>>>>   Adrian
>>>>>>
>>>>>> On Tuesday, 13 December 2016 01:53:50 UTC+11, mpl wrote:
>>>>>>>
>>>>>>> yeah, I should document that part better, sorry about that.
>>>>>>>
>>>>>>> camlistored should be able to figure out the fqdn that it will use 
>>>>>>> for Let's Encrypt from either the "listen" config field, or the 
>>>>>>> "baseURL" one. So, could you please try with:
>>>>>>> "baseURL": "https://millpond.dyndns.org:3179/"
>>>>>>>  in your config file?
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> On 12 December 2016 at 05:02, Adrian Tritschler <[email protected]> 
>>>>>>> wrote:
>>>>>>>
>>>>>>>> I've been running a current build of camlistore on my home linux 
>>>>>>>> PC, and accessing it remotely via a hostname configured in dynDns, 
>>>>>>>> this has been working for some months using a self-signed 
>>>>>>>> certificate.
>>>>>>>>
>>>>>>>> Sometime in the last few days I've restarted the PC due to kernel 
>>>>>>>> updates etc, and now I'm having ssl problems.
>>>>>>>>
>>>>>>>> With the references to my old self-signed cert. it won't run any 
>>>>>>>> more, I get various errors depending on which browser I use:
>>>>>>>>
>>>>>>>> 2016/12/12 14:54:28 http: TLS handshake error from 
>>>>>>>> 130.194.109.243:51940: acme: identifier authorization failed
>>>>>>>>
>>>>>>>> Removing the "httpCert" and "httpKey" entries in my config file and 
>>>>>>>> restarting camlistored I get:
>>>>>>>>
>>>>>>>> 2016/12/12 14:41:45 Starting camlistored version 
>>>>>>>> 2016-12-09-bace8b0; Go go1.7.3 (linux/amd64)
>>>>>>>> 2016/12/12 14:41:45 TLS enabled, with Let's Encrypt
>>>>>>>> 2016/12/12 14:41:45 Starting to listen on https://localhost:3179
>>>>>>>>  :
>>>>>>>> 2016/12/12 14:41:45 ui: serving Closure from embedded resources
>>>>>>>> 2016/12/12 14:41:45 Available on 
>>>>>>>> https://millpond.dyndns.org:3179/ui/
>>>>>>>>
>>>>>>>> But attempting to connect from an external web client I get errors 
>>>>>>>> in the browser and on the camlistore console, once again:
>>>>>>>>
>>>>>>>> 2016/12/12 14:45:40 http: TLS handshake error from 
>>>>>>>> XXX.XXX.XXX.XXX:51761: acme: identifier authorization failed
>>>>>>>>
>>>>>>>> I suspect that somewhere I've missed a step where I tell the 
>>>>>>>> config. that the fqdn is millpond.dyndns.org, but I can't work out 
>>>>>>>> where.
>>>>>>>>
>>>>>>>>   Adrian
>>>>>>>>
>>>>>>>> -- 
>>>>>>>> You received this message because you are subscribed to the Google 
>>>>>>>> Groups "Camlistore" group.
>>>>>>>> To unsubscribe from this group and stop receiving emails from it, 
>>>>>>>> send an email to [email protected].
>>>>>>>> For more options, visit https://groups.google.com/d/optout.
>>>>>>>>
>>>>>>>
>>>>>>
>>>>>
>>>>
>>>
>>
>
>
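
Adrian's suggestion that the config parser should report "unrecognised option ..." can be sketched as below. This is an added example, not part of the thread and not Camlistore's own code; the key list holds only the options named in the thread, and `httpsKey` is assumed by analogy with mpl's `httpsCert` correction.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// Options named in the thread only; "httpsKey" is an assumption, by analogy.
var knownKeys = []string{"baseURL", "listen", "https", "httpsCert", "httpsKey"}
// sampleConfig reproduces the config quoted in the thread, typo included.
const sampleConfig = `{"baseURL": "https://millpond.dyndns.org:3179/", "listen": ":3179", "https": true,
 "httpCert": "/home/ajft/.config/camlistore/cert.crt",
 "httpKey": "/home/ajft/.config/camlistore/cert.key"}`

// check returns "" for a known key, else a warning with a near-miss hint.
func check(key string) string {
	hint := ""
	for _, k := range knownKeys {
		if k == key {
			return ""
		}
		// A known key that equals key once one character is dropped from it
		// covers the thread's "httpCert" vs "httpsCert" typo.
		for i := 0; i < len(k) && hint == ""; i++ {
			if k[:i]+k[i+1:] == key {
				hint = fmt.Sprintf(" (did you mean %q?)", k)
			}
		}
	}
	return fmt.Sprintf("unrecognised option %q", key) + hint
}

// unknownOptions returns one sorted warning per unrecognised top-level key.
func unknownOptions(cfg []byte) ([]string, error) {
	var raw map[string]json.RawMessage
	if err := json.Unmarshal(cfg, &raw); err != nil {
		return nil, err
	}
	warns := []string{}
	for key := range raw {
		if w := check(key); w != "" {
			warns = append(warns, w)
		}
	}
	sort.Strings(warns)
	return warns, nil
}

func main() {
	fmt.Println(unknownOptions([]byte(sampleConfig)))
}
```

Run against the quoted config, it flags both `httpCert` and `httpKey`, the two entries that were silently ignored while the log reported "TLS enabled, with Let's Encrypt".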
