Alright, I was wrong before, sorry. I don't understand how I was able to make it work on port 3179, given that:

1) Let's Encrypt's VA indeed does always use the same port (443) to contact the client (us) for the TLS-SNI challenge. (va.tlsPort in github.com/letsencrypt/boulder/va/va.go)
2) autocert does not do any listening, so it does rely on the caller's (camlistored) listener.

Which means camlistored must indeed listen on 443 (or your NAT must do the necessary work).

There probably was some caching going on, but I'm pretty sure I had deleted my ~/.config/camlistore/letsencrypt.cache/my.host.name. Maybe deleting the acme_account.key is necessary to re-force a verification (TLS-SNI challenge), which is what I did to make sure again that I could not obtain a cert if on 3179. I'll update the docs tomorrow.

On 13 December 2016 at 00:54, Adrian Tritschler <[email protected]> wrote:

> On Tuesday, 13 December 2016 10:29:38 UTC+11, mpl wrote:
>>
>> On 13 December 2016 at 00:12, Adrian Tritschler <[email protected]> wrote:
>>
>>> Matthieu,
>>>
>>> Aargh! Thank you. The glory of a second set of eyes. Perhaps the config parser needs to spit out "unrecognised option ..."
>>>
>>> So to use letsencrypt it looks as though I'll need to use port 443, which requires running camlistore as root (cf port 3179 and running it as an ordinary account). It also surprised me as I'm doing this remotely at the moment and I didn't think I had 443 redirected from my ADSL box back to the linux system.
>>
>> No. I have to look at some details of autocert again to remember how it works, but camlistored itself does not have to listen on 443, and it certainly does not have to run as root. But yes, I think you do need the port to be NATed properly.
>
> I think I'll have to revisit what I'm running on the box and how the ports and NATs are done. At the moment I've just got a straight NAT from my ADSL box of 3179, 443 and 22 to the same ports on the linux box.
>
> thanks for your help, regardless!
>
> Adrian
>
>>> All fixed now, or at least understood.
>>>
>>> Adrian
>>>
>>> On Tuesday, 13 December 2016 09:56:33 UTC+11, mpl wrote:
>>>>
>>>> you have a typo in the config, s/httpCert/httpsCert/ :-)
>>>>
>>>> On 12 December 2016 at 23:54, Adrian Tritschler <[email protected]> wrote:
>>>>
>>>>> Matthieu,
>>>>>
>>>>> Yes, I seem to be getting those errors when trying to use a self-signed certificate.
>>>>>
>>>>> I've just regenerated the self-signed cert because the previous one had expired (possibly adding to my confusion).
>>>>>
>>>>> The config file holds:
>>>>>
>>>>> "baseURL": "https://millpond.dyndns.org:3179/",
>>>>> "listen": ":3179",
>>>>> "https": true,
>>>>> "httpCert": "/home/ajft/.config/camlistore/cert.crt",
>>>>> "httpKey": "/home/ajft/.config/camlistore/cert.key",
>>>>>
>>>>> The console log shows:
>>>>>
>>>>> 2016/12/13 09:37:52 Starting camlistored version 2016-12-09-bace8b0; Go go1.7.3 (linux/amd64)
>>>>> 2016/12/13 09:37:52 TLS enabled, with Let's Encrypt
>>>>> 2016/12/13 09:37:52 Starting to listen on https://localhost:3179
>>>>> :
>>>>> 2016/12/13 09:37:52 Available on https://millpond.dyndns.org:3179/ui/
>>>>>
>>>>> Then attempting to connect from a browser gets me the "acme: identifier authorization failed"
>>>>>
>>>>> Confirmed. Just ran the binary from camlistore-0.9 with the self-signed cert config and it works correctly
>>>>>
>>>>> Adrian
>>>>>
>>>>> On Tuesday, 13 December 2016 09:09:58 UTC+11, mpl wrote:
>>>>>>
>>>>>> I was about to say that, while we figure this out, you should be able to go back to self-signed certs anyway. Then I've reread your message and realized that you seem to have that at the beginning anyway, so that would be a bug too.
>>>>>> Do you confirm that you had some existing cert and key specified in your high-level config file, and that you were already getting the "acme: identifier authorization failed" message?
>>>>>>
>>>>>> On 12 December 2016 at 23:02, Adrian Tritschler <[email protected]> wrote:
>>>>>>
>>>>>>> My config file already has (and has had for months):
>>>>>>>
>>>>>>> "baseURL": "https://millpond.dyndns.org:3179",
>>>>>>> "listen": ":3179",
>>>>>>>
>>>>>>> Which produces log messages:
>>>>>>>
>>>>>>> 2016/12/13 08:54:32 TLS enabled, with Let's Encrypt
>>>>>>> 2016/12/13 08:54:32 Starting to listen on https://localhost:3179
>>>>>>> :
>>>>>>> 2016/12/13 08:54:32 Available on https://millpond.dyndns.org:3179/ui/
>>>>>>>
>>>>>>> Then the following error when I try and connect
>>>>>>> 2016/12/13 08:54:45 http: TLS handshake error from xxx.xxx.xxx.xxx:62004: acme: identifier authorization failed
>>>>>>>
>>>>>>> I've just tried with both
>>>>>>> "baseURL": "https://millpond.dyndns.org:3179",
>>>>>>> "listen": ":3179",
>>>>>>>
>>>>>>> and
>>>>>>> "baseURL": "https://millpond.dyndns.org:3179/",
>>>>>>> "listen": ":3179",
>>>>>>>
>>>>>>> With the same errors
>>>>>>>
>>>>>>> Adrian
>>>>>>>
>>>>>>> On Tuesday, 13 December 2016 01:53:50 UTC+11, mpl wrote:
>>>>>>>>
>>>>>>>> yeah, I should document that part better, sorry about that.
>>>>>>>>
>>>>>>>> camlistored should be able to figure out the fqdn that it will use for Let's Encrypt from either the "listen" config field, or the "baseURL" one. So, could you please try with:
>>>>>>>> "baseURL": "https://millpond.dyndns.org:3179/"
>>>>>>>> in your config file?
>>>>>>>>
>>>>>>>> On 12 December 2016 at 05:02, Adrian Tritschler <[email protected]> wrote:
>>>>>>>>
>>>>>>>>> I've been running a current build of camlistore on my home linux PC, and accessing it remotely via a hostname configured in dynDns, this has been working for some months using a self-signed certificate.
>>>>>>>>>
>>>>>>>>> Sometime in the last few days I've restarted the PC due to kernel updates etc, and now I'm having ssl problems.
>>>>>>>>>
>>>>>>>>> With the references to my old self-signed cert. it won't run any more, I get various errors depending on which browser I use:
>>>>>>>>>
>>>>>>>>> 2016/12/12 14:54:28 http: TLS handshake error from 130.194.109.243:51940: acme: identifier authorization failed
>>>>>>>>>
>>>>>>>>> Removing the "httpCert" and "httpKey" entries in my config file and restarting camlistored I get:
>>>>>>>>>
>>>>>>>>> 2016/12/12 14:41:45 Starting camlistored version 2016-12-09-bace8b0; Go go1.7.3 (linux/amd64)
>>>>>>>>> 2016/12/12 14:41:45 TLS enabled, with Let's Encrypt
>>>>>>>>> 2016/12/12 14:41:45 Starting to listen on https://localhost:3179
>>>>>>>>> :
>>>>>>>>> 2016/12/12 14:41:45 ui: serving Closure from embedded resources
>>>>>>>>> 2016/12/12 14:41:45 Available on https://millpond.dyndns.org:3179/ui/
>>>>>>>>>
>>>>>>>>> But attempting to connect from an external web client I get errors in the browser and on the camlistore console, once again:
>>>>>>>>>
>>>>>>>>> 2016/12/12 14:45:40 http: TLS handshake error from XXX.XXX.XXX.XXX:51761: acme: identifier authorization failed
>>>>>>>>>
>>>>>>>>> I suspect that somewhere I've missed a step where I tell the config. that the fqdn is millpond.dyndns.org, but I can't work out where.
>>>>>>>>>
>>>>>>>>> Adrian
>>>>>>>>>
>>>>>>>>> --
>>>>>>>>> You received this message because you are subscribed to the Google Groups "Camlistore" group.
>>>>>>>>> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
>>>>>>>>> For more options, visit https://groups.google.com/d/optout.
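As an added example (not camlistore's own code), here is a strict check in Go of the points raised in this thread: a config parser that reports an unrecognised option such as "httpCert" instead of silently ignoring it, derivation of the FQDN from "baseURL" with "listen" as fallback, and a warning when the Let's Encrypt path would be used on a port other than 443. The `hlConfig` struct, the `CheckConfig` name and the rule that no cert/key pair means Let's Encrypt are assumptions of this example.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"net"
	"net/url"
)

// hlConfig is a hypothetical subset of the high-level config keys named in the thread.
type hlConfig struct {
	BaseURL   string `json:"baseURL"`
	Listen    string `json:"listen"`
	HTTPS     bool   `json:"https"`
	HTTPSCert string `json:"httpsCert"`
	HTTPSKey  string `json:"httpsKey"`
}

// CheckConfig rejects unknown keys (so the "httpCert" typo is reported rather
// than silently ignored), derives the FQDN and port from baseURL with listen as
// fallback, and warns when Let's Encrypt would be used on a port other than 443.
func CheckConfig(raw []byte) (host, port string, warnings []string, err error) {
	var c hlConfig
	dec := json.NewDecoder(bytes.NewReader(raw))
	dec.DisallowUnknownFields() // unknown keys become a decode error
	if err = dec.Decode(&c); err != nil {
		return "", "", nil, fmt.Errorf("unrecognised or malformed option: %v", err)
	}
	if c.BaseURL != "" {
		u, perr := url.Parse(c.BaseURL)
		if perr != nil {
			return "", "", nil, perr
		}
		host, port = u.Hostname(), u.Port()
	}
	if h, p, serr := net.SplitHostPort(c.Listen); serr == nil {
		if host == "" {
			host = h
		}
		if port == "" {
			port = p
		}
	}
	// Assumption: no cert/key pair configured means the Let's Encrypt path.
	if c.HTTPS && c.HTTPSCert == "" && c.HTTPSKey == "" && port != "443" {
		warnings = append(warnings, "Let's Encrypt's validator connects to port 443; NAT 443 to "+port+" or listen on 443")
	}
	return host, port, warnings, nil
}
```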
