On Thu, 15 Mar 2018 11:01:42 +0100, Markus Rosjat <[email protected]> wrote:

> Hi there,
> 
> I'm kinda confused right now about it. I have an OpenBSD 6.1 running a
> simple httpd.conf with a definition for a http server and a https
> server, so far so good. I figured I need to have a http server so
> acme-client can talk to Let's Encrypt and issue certificate requests,
> also no big problem, but now it gets confusing. I tried to automate the
> certificate renewal and as far as I understand the docs httpd.conf gets
> evaluated top to bottom with the first matching rule found.

Really?
I had a quick browse through httpd's manual pages but I didn't find
this.


> So this would mean a definition like:
> 
> ext_addr = "*" # it's just one nic with one external ip on that vm
> 
> server "mydomain.tld" {
>          listen on $ext_addr port http
> 
>          location "/.well-known/acme-challenge/*" {
>              root "/acme"
>              root strip 2
>              directory no auto index
>          }
> 
>          block return 302 "https://$HTTP_HOST$REQUEST_URI";
> }
> 
> should enable acme-client to renew certificates but redirect other 
> traffic to the https server.

In httpd.conf(5) it's said that the 'block' statement closes the
connection.


> Well it doesn't !

That's right.


> So I need to comment out the block request to renew the
> certificate. (...)

???


> some script that loads a different conf file just for the renew and
> when the certificate is obtained just load the normal httpd.conf and
> restart httpd. I was playing arround and stumbled over the fact that
> acme-client suddenly can renew certificates (...)

Without wanting to offend you, please let me suggest that you
re-think what you want to achieve.

Why do you ask Let's Encrypt to sign a cert for a server which
listens on http? And furthermore this server does nothing but
redirect?

What problem do you want to solve?




> httpd in the first place o.O That's just wrong since there isn't
> support that does dns-01 challenges, right? I stopped httpd to check
> the site wasn't reachable and did a
> 
> acme-client -vvF mydomain.tld
> 
> it gave me a new certificate from let's encrypt ...
> 
> 
> anyway can someone who has the insight please tell me what's going on
> here and maybe post a config example that works for a basic https
> redirect? Or is it really the case that I need to load a config that
> doesn't have a block return statement in the http server definition?
> 
> One last note, I did a syspatch today and don't know if this changed 
> something in the behaviour of the components involved.
> 
> regards
> 
