On Fri, Jun 02, 2017 at 08:38:50PM -0700, Dillon Jay Pena wrote:
> I'm not understanding why I'm getting a relayd error. Thanks in advance.
>
> According to
> http://man.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man5/relayd.conf.5#listen_on,
> I just need address.crt and private/address.key to use tls with
> relayd, which you can see I do below.
> So why am I getting the relayd error "cannot load certificates for relay www"?
>
> I have included how I got the key and crt files from acme-client/lets
> encrypt in case it's relevant.
>
>
> $ uname -prsv
> OpenBSD 6.1 GENERIC#88 amd64
>
> $ cat /etc/acme-client.conf
> #
> # $OpenBSD: acme-client.conf,v 1.4 2017/03/22 11:14:14 benno Exp $
> #
> authority letsencrypt {
>     agreement url "https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf"
>     api url "https://acme-v01.api.letsencrypt.org/directory"
>     account key "/etc/acme/letsencrypt-privkey.pem"
> }
>
> authority letsencrypt-staging {
>     agreement url "https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf"
>     api url "https://acme-staging.api.letsencrypt.org/directory"
>     account key "/etc/acme/letsencrypt-staging-privkey.pem"
> }
>
> domain thelang.space {
>     alternative names { mail.thelang.space www.thelang.space }
>     domain key "/etc/ssl/private/thelang.space.key"
>     domain certificate "/etc/ssl/thelang.space.crt"
>     domain full chain certificate "/etc/ssl/thelang.space.fullchain.pem"
>     sign with letsencrypt
>     challengedir "/var/www/htdocs/.well-known/acme-challenge"
> }
>
> $ doas acme-client -vAD thelang.space
> acme-client: /etc/ssl/private/thelang.space.key: domain key exists (not creating)
> acme-client: /etc/acme/letsencrypt-privkey.pem: account key exists (not creating)
> acme-client: https://acme-v01.api.letsencrypt.org/directory: directories
> acme-client: acme-v01.api.letsencrypt.org: DNS: 104.68.109.156
> acme-client: https://acme-v01.api.letsencrypt.org/acme/new-authz: req-auth: thelang.space
> acme-client: https://acme-v01.api.letsencrypt.org/acme/new-authz: req-auth: mail.thelang.space
> acme-client: https://acme-v01.api.letsencrypt.org/acme/new-authz: req-auth: www.thelang.space
> acme-client: /var/www/htdocs/.well-known/acme-challenge/hALHIbtLAX4k274bN4AFBV0W-T08pKTqD6lBw0-CplM: created
> acme-client: https://acme-v01.api.letsencrypt.org/acme/challenge/mempVpv498Gw4d7Wr24qcinn5ZUfX_6IO2kQOeskf40/1271082083: challenge
> acme-client: /var/www/htdocs/.well-known/acme-challenge/SMwY0p1ma9ZDQrlyM6h9BbZkEnMCKx2lW69__zcmCgI: created
> acme-client: https://acme-v01.api.letsencrypt.org/acme/challenge/bwNrTgnJmUIH-XqInRMDmRNgRMnXQKBUZngPi3wuHt4/1271082087: challenge
> acme-client: /var/www/htdocs/.well-known/acme-challenge/wu3Zhef8NA8b9wmxHeMjXBZCg3EKGHgnM30Tx_qn1Ws: created
> acme-client: https://acme-v01.api.letsencrypt.org/acme/challenge/fHeHrAzF9RAXO-eJMZxfWElhkf4duUw934pUWy2gWyM/1271082092: challenge
> acme-client: https://acme-v01.api.letsencrypt.org/acme/challenge/mempVpv498Gw4d7Wr24qcinn5ZUfX_6IO2kQOeskf40/1271082083: status
> acme-client: https://acme-v01.api.letsencrypt.org/acme/challenge/bwNrTgnJmUIH-XqInRMDmRNgRMnXQKBUZngPi3wuHt4/1271082087: status
> acme-client: https://acme-v01.api.letsencrypt.org/acme/challenge/fHeHrAzF9RAXO-eJMZxfWElhkf4duUw934pUWy2gWyM/1271082092: status
> acme-client: https://acme-v01.api.letsencrypt.org/acme/new-cert: certificate
> acme-client: http://cert.int-x3.letsencrypt.org/: full chain
> acme-client: cert.int-x3.letsencrypt.org: DNS: 165.254.42.42
> acme-client: /etc/ssl/thelang.space.crt: created
> acme-client: /etc/ssl/thelang.space.fullchain.pem: created
>
> $ cat /etc/relayd.conf
> table <httpd> { 127.0.0.1 }
>
> relay www {
>     listen on thelang.space port 443 tls
>
>     forward to <httpd> check tcp port 8080
> }
>
> $ doas relayd -d
> startup
> /etc/relayd.conf:7: cannot load certificates for relay www
> no actions, nothing to do
> hce exiting, pid 2324
> pfe exiting, pid 21204
> ca exiting, pid 18722
> ca exiting, pid 45718
> ca exiting, pid 79639
> relay exiting, pid 31292
> relay exiting, pid 32940
> relay exiting, pid 75225
>
> $ ls /etc/ssl/thelang.space.crt
> /etc/ssl/thelang.space.crt
> $ doas ls /etc/ssl/private/thelang.space.key
> /etc/ssl/private/thelang.space.key
>
> - Dillon
>

Hey,

ktrace is also useful help here.

# ktrace relayd -d -v
# kdump
...

I've had a similar thing to debug listening on IPv6 interface(s).

Hope this helps you,

--
Kind regards,
Hiltjo
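
One way to apply the ktrace suggestion above, as an added example that is not part of the original thread: a shell function that reduces kdump output to the path names whose system call failed, so the certificate and key file names the daemon actually tried become visible. The names `failed_paths` and `sample_kdump`, and every pid, pointer and the 192.0.2.10 address in the sample trace, are constructed for illustration and are not output from the poster's machine.

```shell
#!/bin/sh
# Added example (not from the thread): reduce kdump(1) text to failed path lookups.
# Real use after tracing:  ktrace relayd -d -v; kdump | failed_paths /etc/ssl

# failed_paths [prefix]: read kdump text on stdin and print "path: error" for
# every system call that resolved a path under prefix and returned -1.
failed_paths() {
    awk -v prefix="${1:-/etc/ssl}" '
        # NAMI records carry the path name used by the system call in progress.
        $3 == "NAMI" {
            path = $4
            for (i = 5; i <= NF; i++) path = path " " $i
            gsub(/^"|"$/, "", path)
            pending[$1] = path            # remember it per process id
            next
        }
        # RET closes the call; a value of -1 is followed by "errno N text".
        $3 == "RET" {
            if (($1 in pending) && $5 == "-1" && index(pending[$1], prefix) == 1) {
                msg = $8
                for (i = 9; i <= NF; i++) msg = msg " " $i
                print pending[$1] ": " msg
            }
            delete pending[$1]
        }
    '
}

# Constructed sample in kdump layout (assumption: default kdump output format).
sample_kdump() {
    cat <<'EOF'
 40001 relayd   CALL  open(0x7f7ffffc2a10,0<O_RDONLY>)
 40001 relayd   NAMI  "/etc/relayd.conf"
 40001 relayd   RET   open 3
 40001 relayd   CALL  open(0x7f7ffffc2b40,0<O_RDONLY>)
 40001 relayd   NAMI  "/etc/ssl/192.0.2.10:443.crt"
 40001 relayd   RET   open -1 errno 2 No such file or directory
 40001 relayd   CALL  open(0x7f7ffffc2b40,0<O_RDONLY>)
 40001 relayd   NAMI  "/etc/ssl/192.0.2.10.crt"
 40001 relayd   RET   open -1 errno 2 No such file or directory
EOF
}

# Stand-alone run: show the failed lookups in the constructed sample.
sample_kdump | failed_paths /etc/ssl
```

Comparing the printed paths with the file names present under /etc/ssl and /etc/ssl/private shows whether the daemon is looking for differently named files than the ones that were created.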