https://camlistore-review.googlesource.com/8986


On 13 December 2016 at 02:26, Mathieu Lonjaret <[email protected]>
wrote:

> As a corollary though, it is worth noting that one only actually needs to
> listen on 443 for getting the cert. One could then revert their config to
> another port. But that's looking for trouble knocking at your door (every 3
> months I suppose).
>
>
> On 13 December 2016 at 02:22, Mathieu Lonjaret <[email protected]
> > wrote:
>
>> Alright, I was wrong before, sorry.
>>
>> I don't understand how I was able to make it work on port 3179, given that
>> 1) Let's Encrypt's VA indeed does always use the same port (443) to
>> contact the client (us) for the TLS-SNI challenge. (va.tlsPort in
>> github.com/letsencrypt/boulder/va/va.go)
>> 2) autocert does not do any listening, so it does rely on the caller's
>> (camlistored) listener.
>> Which means camlistored must indeed listen on 443 (or your NAT must do
>> the necessary work).
>>
>> There probably was some caching going on, but I'm pretty sure I had
>> deleted my ~/.config/camlistore/letsencrypt.cache/my.host.name. Maybe
>> deleting the acme_account.key is necessary to force a verification
>> (TLS-SNI challenge), which is what I did to make sure again that I could
>> not obtain a cert if on 3179.
>>
>> I'll update the docs tomorrow.
>>
>>
>>
>> On 13 December 2016 at 00:54, Adrian Tritschler <
>> [email protected]> wrote:
>>
>>>
>>>
>>> On Tuesday, 13 December 2016 10:29:38 UTC+11, mpl wrote:
>>>>
>>>> On 13 December 2016 at 00:12, Adrian Tritschler <[email protected]>
>>>> wrote:
>>>>
>>>>> Matthieu,
>>>>>
>>>>> Aargh!  Thank you.  The glory of a second set of eyes.  Perhaps the
>>>>> config parser needs to spit out "unrecognised option ..."
>>>>>
>>>>> So to use letsencrypt it looks as though I'll need to use port 443,
>>>>> which requires running camlistore as root (cf port 3179 and running it as
>>>>> an ordinary account).  It also surprised me as I'm doing this remotely at
>>>>> the moment and I didn't think I had 443 redirected from my ADSL box back to
>>>>> the linux system.
>>>>>
>>>>
>>>> No. I have to look at some details of autocert again to remember how it
>>>> works, but camlistored itself does not have to listen on 443, and it
>>>> certainly does not have to run as root. But yes, I think you do need the
>>>> port to be NATed properly.
>>>>
>>>
>>>
>>> I think I'll have revisit what I'm running on the box and how the ports
>>> and NATs are done.  At the moment I've just got a straight NAT from my ADSL
>>> box of 3179, 443 and 22 to the same ports on the linux box.
>>>
>>> thanks for your help, regardless!
>>>
>>>   Adrian
>>>
>>>
>>>
>>>>> All fixed now, or at least understood.
>>>>>
>>>>>   Adrian
>>>>>
>>>>> On Tuesday, 13 December 2016 09:56:33 UTC+11, mpl wrote:
>>>>>>
>>>>>> you have a typo in the config, s/httpCert/httpsCert/ :-)
>>>>>>
>>>>>>
>>>>>> On 12 December 2016 at 23:54, Adrian Tritschler <
>>>>>> [email protected]> wrote:
>>>>>>
>>>>>>> Matthieu,
>>>>>>>
>>>>>>> Yes, I seem to be getting those errors when trying to use a
>>>>>>> self-signed certificate.
>>>>>>>
>>>>>>> I've just regenerated the self-signed cert because the previous one
>>>>>>> had expired (possibly adding to my confusion).
>>>>>>>
>>>>>>> The config file holds:
>>>>>>>
>>>>>>>         "baseURL": "https://millpond.dyndns.org:3179/",
>>>>>>>         "listen": ":3179",
>>>>>>>         "https": true,
>>>>>>>         "httpCert": "/home/ajft/.config/camlistore/cert.crt",
>>>>>>>         "httpKey": "/home/ajft/.config/camlistore/cert.key",
>>>>>>>
>>>>>>> The console log shows:
>>>>>>>
>>>>>>> 2016/12/13 09:37:52 Starting camlistored version 2016-12-09-bace8b0;
>>>>>>> Go go1.7.3 (linux/amd64)
>>>>>>> 2016/12/13 09:37:52 TLS enabled, with Let's Encrypt
>>>>>>> 2016/12/13 09:37:52 Starting to listen on https://localhost:3179
>>>>>>>  :
>>>>>>> 2016/12/13 09:37:52 Available on https://millpond.dyndns.org:3179/ui/
>>>>>>>
>>>>>>> Then attempting to connect from a browser gets me the "acme:
>>>>>>> identifier authorization failed"
>>>>>>>
>>>>>>> Confirmed.  Just ran the binary from camlistore-0.9 with the
>>>>>>> self-signed cert config and it works correctly
>>>>>>>
>>>>>>>   Adrian
>>>>>>>
>>>>>>> On Tuesday, 13 December 2016 09:09:58 UTC+11, mpl wrote:
>>>>>>>>
>>>>>>>> I was about to say that, while we figure this out, you should be
>>>>>>>> able to go back to self-signed certs anyway. Then I've reread your message
>>>>>>>> and realized that you seem to have that at the beginning anyway, so that
>>>>>>>> would be a bug too.
>>>>>>>> Do you confirm that you had some existing cert and key specified in
>>>>>>>> your high-level config file, and that you were already getting the "acme:
>>>>>>>> identifier authorization failed" message?
>>>>>>>>
>>>>>>>>
>>>>>>>> On 12 December 2016 at 23:02, Adrian Tritschler <
>>>>>>>> [email protected]> wrote:
>>>>>>>>
>>>>>>>>>
>>>>>>>>> My config file already has (and has had for months):
>>>>>>>>>
>>>>>>>>>  "baseURL": "https://millpond.dyndns.org:3179",
>>>>>>>>>  "listen": ":3179",
>>>>>>>>>
>>>>>>>>> Which produces log messages:
>>>>>>>>>
>>>>>>>>> 2016/12/13 08:54:32 TLS enabled, with Let's Encrypt
>>>>>>>>> 2016/12/13 08:54:32 Starting to listen on https://localhost:3179
>>>>>>>>>  :
>>>>>>>>> 2016/12/13 08:54:32 Available on https://millpond.dyndns.org:3179/ui/
>>>>>>>>>
>>>>>>>>> Then the following error when I try and connect
>>>>>>>>> 2016/12/13 08:54:45 http: TLS handshake error from
>>>>>>>>> xxx.xxx.xxx.xxx:62004: acme: identifier authorization failed
>>>>>>>>>
>>>>>>>>> I've just tried with both
>>>>>>>>>  "baseURL": "https://millpond.dyndns.org:3179",
>>>>>>>>>  "listen": ":3179",
>>>>>>>>>
>>>>>>>>> and
>>>>>>>>>  "baseURL": "https://millpond.dyndns.org:3179/",
>>>>>>>>>  "listen": ":3179",
>>>>>>>>>
>>>>>>>>> With the same errors
>>>>>>>>>
>>>>>>>>>   Adrian
>>>>>>>>>
>>>>>>>>> On Tuesday, 13 December 2016 01:53:50 UTC+11, mpl wrote:
>>>>>>>>>>
>>>>>>>>>> yeah, I should document that part better, sorry about that.
>>>>>>>>>>
>>>>>>>>>> camlistored should be able to figure out the fqdn that it will
>>>>>>>>>> use for Let's Encrypt from either the "listen" config field, or the
>>>>>>>>>> "baseURL" one. So, could you please try with:
>>>>>>>>>> "baseURL": "https://millpond.dyndns.org:3179/"
>>>>>>>>>>  in your config file?
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> On 12 December 2016 at 05:02, Adrian Tritschler <
>>>>>>>>>> [email protected]> wrote:
>>>>>>>>>>
>>>>>>>>>>> I've been running a current build of camlistore on my home linux
>>>>>>>>>>> PC, and accessing it remotely via a hostname configured in dynDns. This has
>>>>>>>>>>> been working for some months using a self-signed certificate.
>>>>>>>>>>>
>>>>>>>>>>> Sometime in the last few days I've restarted the PC due to
>>>>>>>>>>> kernel updates etc, and now I'm having ssl problems.
>>>>>>>>>>>
>>>>>>>>>>> With the references to my old self-signed cert. it won't run any
>>>>>>>>>>> more, I get various errors depending on which browser I use:
>>>>>>>>>>>
>>>>>>>>>>> 2016/12/12 14:54:28 http: TLS handshake error from
>>>>>>>>>>> 130.194.109.243:51940: acme: identifier authorization failed
>>>>>>>>>>>
>>>>>>>>>>> Removing the "httpCert" and "httpKey" entries in my config file
>>>>>>>>>>> and restarting camlistored I get:
>>>>>>>>>>>
>>>>>>>>>>> 2016/12/12 14:41:45 Starting camlistored version
>>>>>>>>>>> 2016-12-09-bace8b0; Go go1.7.3 (linux/amd64)
>>>>>>>>>>> 2016/12/12 14:41:45 TLS enabled, with Let's Encrypt
>>>>>>>>>>> 2016/12/12 14:41:45 Starting to listen on https://localhost:3179
>>>>>>>>>>>  :
>>>>>>>>>>> 2016/12/12 14:41:45 ui: serving Closure from embedded resources
>>>>>>>>>>> 2016/12/12 14:41:45 Available on https://millpond.dyndns.org:3179/ui/
>>>>>>>>>>>
>>>>>>>>>>> But attempting to connect from an external web client I get
>>>>>>>>>>> errors in the browser and on the camlistore console, once again:
>>>>>>>>>>>
>>>>>>>>>>> 2016/12/12 14:45:40 http: TLS handshake error from
>>>>>>>>>>> XXX.XXX.XXX.XXX:51761: acme: identifier authorization failed
>>>>>>>>>>>
>>>>>>>>>>> I suspect that somewhere I've missed a step where I tell the
>>>>>>>>>>> config. that the fqdn is millpond.dyndns.org, but I can't work
>>>>>>>>>>> out where.
>>>>>>>>>>>
>>>>>>>>>>>   Adrian
>>>>>>>>>>>
>>>>>>>>>>> --
>>>>>>>>>>> You received this message because you are subscribed to the
>>>>>>>>>>> Google Groups "Camlistore" group.
>>>>>>>>>>> To unsubscribe from this group and stop receiving emails from
>>>>>>>>>>> it, send an email to [email protected].
>>>>>>>>>>> For more options, visit https://groups.google.com/d/optout.
>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>
>>>>>
>>>>
>>>
>>
>>
>
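Two points from the thread lend themselves to a startup check: Adrian's wish that the config parser report an unrecognised option (so the "httpCert" typo cannot silently switch the server to Let's Encrypt), and mpl's conclusion that the Let's Encrypt TLS-SNI validation always arrives on 443, so the camlistored listener (or a NAT in front of it) must be on that port. The following is an added example, not Camlistore's own code; the HighLevelConfig field set, the function names and the constructed sample config are assumptions.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"net"
	"net/url"
)

// Assumed subset of camlistored's high-level config keys (not the project's own type).
type HighLevelConfig struct {
	BaseURL   string `json:"baseURL"`
	Listen    string `json:"listen"`
	HTTPS     bool   `json:"https"`
	HTTPSCert string `json:"httpsCert"`
	HTTPSKey  string `json:"httpsKey"`
}

// ParseConfig decodes the config and rejects unknown keys, so a typo such as
// "httpCert" fails loudly instead of silently switching to Let's Encrypt.
func ParseConfig(data []byte) (*HighLevelConfig, error) {
	dec := json.NewDecoder(bytes.NewReader(data))
	dec.DisallowUnknownFields()
	var cfg HighLevelConfig
	if err := dec.Decode(&cfg); err != nil {
		return nil, fmt.Errorf("config: unrecognised option or bad JSON: %w", err)
	}
	return &cfg, nil
}

// CheckLetsEncrypt reports whether Let's Encrypt will be used (https, no cert/key),
// derives the FQDN from baseURL, and errors unless listen is :443 (the validation port).
func CheckLetsEncrypt(cfg *HighLevelConfig) (host string, useLE bool, err error) {
	if !cfg.HTTPS || cfg.HTTPSCert != "" || cfg.HTTPSKey != "" {
		return "", false, nil // static cert or plain HTTP: nothing to validate
	}
	u, err := url.Parse(cfg.BaseURL)
	if err != nil || u.Hostname() == "" {
		return "", true, fmt.Errorf("cannot derive FQDN from baseURL %q", cfg.BaseURL)
	}
	if _, port, perr := net.SplitHostPort(cfg.Listen); perr != nil || port != "443" {
		return u.Hostname(), true, fmt.Errorf("validation reaches port 443 but listen is %q", cfg.Listen)
	}
	return u.Hostname(), true, nil
}

func main() {
	// Constructed config reproducing the thread's typo ("httpCert" instead of "httpsCert").
	_, err := ParseConfig([]byte(`{"https":true,"listen":":3179","httpCert":"/tmp/cert.crt"}`))
	fmt.Println(err)
}
```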
