Re: Dehydrated setup

2016-11-08 Thread @lbutlr
On Nov 8, 2016, at 7:25 AM, Dirk Engling  wrote:
> 
> WELLKNOWN="/usr/local/www/dehydrated/.well-known/acme-challenge"

Thank you, that solved it.

Processing covisp.net with alternative names: mail.covisp.net www.covisp.net
 + Signing domains...
 + Generating private key...
 + Generating signing request...
 + Requesting challenge for covisp.net...
 + Requesting challenge for mail.covisp.net...
 + Requesting challenge for www.covisp.net...
 + Responding to challenge for covisp.net...
 + Challenge is valid!
 + Responding to challenge for mail.covisp.net...
 + Challenge is valid!
 + Responding to challenge for www.covisp.net...
 + Challenge is valid!
 + Requesting certificate...
 + Checking certificate...
 + Done!
 + Creating fullchain.pem...
 + Done!

Now… on to figuring out deploy and adding other domains and wee! :)

I’ll be back.



___
freebsd-ports@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-ports
To unsubscribe, send any mail to "freebsd-ports-unsubscr...@freebsd.org"

Re: Dehydrated setup

2016-11-08 Thread @lbutlr
> 
> On 08 Nov 2016, at 07:11, Dirk Engling  wrote:
> 
> On 08/11/2016 14:59, @lbutlr wrote:
> 
>> # su -m _dehydrated -c 'bash /usr/local/bin/dehydrated --cron'
>> # INFO: Using main config file /usr/local/etc/dehydrated/config
>> Processing covisp.net with alternative names: covisp.net www.covisp.net
>> + Signing domains...
>> + Generating private key...
>> + Generating signing request...
>> + Requesting challenge for covisp.net...
>> + Requesting challenge for covisp.net...
>> + Requesting challenge for www.covisp.net...
>> + Responding to challenge for covisp.net...
>> ERROR: Challenge is invalid! (returned: invalid) (result: {
>> "type": "http-01",
>> "status": "invalid",
>> "error": {
>>   "type": "urn:acme:error:unauthorized",
>>   "detail": "Invalid response from 
>> http://covisp.net/.well-known/acme-challenge/t4DhXZyC
>> 
>> same results with WELLKNOWN="/usr/local/etc/dehydrated/.well-known"
> 
> It says unauthorized now. Could it be that your web server does not
> follow links by default?

It is possible, but I am pretty sure it did. It is apache 2.4 built from 
portmaster.

> Could you tell me, which webserver you're
> using? Then I can copy you a snippet for its config that should work.
> 
>> /usr/local/etc/dehydrated]# ls -lsR
>> total 40
>> 8 drwxrwx---  2 root  _dehydrated  512 Nov  8 04:34 .acme-challenges
>> 0 lrwxr-xr-x  1 root  _dehydrated   16 Nov  8 06:48 .well-known -> /www/.well-known
>> 8 drwxrwx---  3 root  _dehydrated  512 Nov  8 06:45 accounts
>> 8 drwxrwx---  3 root  _dehydrated  512 Oct 31 17:38 certs
>> 8 -rw-r--r--  1 root  _dehydrated  141 Nov  8 06:56 config
>> 8 -rw-r--r--  1 root  _dehydrated  129 Nov  8 06:54 domains.txt
> 
> Also I would suggest setting
> 
> BASEDIR=/var/dehydrated

Do you mean create that directory?

> in your config and make /usr/local/etc/dehydrated/ belong to root.

It does belong to root.

# ls -lsd /usr/local/etc/dehydrated 
8 drwxrwx--x  5 root  _dehydrated  512 Nov  8 06:56 /usr/local/etc/dehydrated

> Currently your privilege separation does not yield much, as the
> _dehydrated can write /usr/local/etc/dehydrated and could possibly
> overwrite your deploy.sh script, if you chose to provide one for use
> with periodic.

> 
> You would just need to move the accounts and certs directory and
> domains.txt to /var/dehydrated, give this directory to _dehydrated and
> leave permissions on /usr/local/etc/dehydrated/ as they are (this saves
> you A LOT of trouble when updating the package).

I can certainly do that, though I think it would be better to do it once I get 
something of some sort actually working, yes?


Re: Dehydrated setup

2016-11-08 Thread Dirk Engling
On 08/11/2016 15:16, @lbutlr wrote:

> It is possible, but I am pretty sure it did. It is apache 2.4 built from portmaster.
>
>> Could you tell me, which webserver you're
>> using? Then I can copy you a snippet for its config that should work.

With apache I changed

WELLKNOWN="/usr/local/www/dehydrated/.well-known/acme-challenge"

created both directories and had apache use /usr/local/www/dehydrated
for non-tls connections. Your mileage may vary, so you might need to
have WELLKNOWN point to /usr/local/www/.well-known/acme-challenge and
make this directory belong to _dehydrated and be world readable.

>> Also I would suggest setting
>>
>> BASEDIR=/var/dehydrated
>
> Do you mean create that directory?

Yes. Actually in a perfect world the package would have done that for
you, but the ports maintainers have been busy getting the transition from
the name letsencrypt.sh to dehydrated right.

>> in your config and make /usr/local/etc/dehydrated/ belong to root.
>
> It does belong to root.
>
> # ls -lsd /usr/local/etc/dehydrated
> 8 drwxrwx--x  5 root  _dehydrated  512 Nov  8 06:56 /usr/local/etc/dehydrated

But group has +w, so it can just delete files and write them anew. See,
complex permission models always leave you head scratching if you really
thought of everything.

> I can certainly do that, though I think it would be better to do it
> once I get something of some sort actually working, yes?

Sure ;) But it's not worth it to get something running that you need to
change afterwards.

  erdgeist


Re: Dehydrated setup

2016-11-08 Thread Dirk Engling
On 08/11/2016 14:59, @lbutlr wrote:

> # su -m _dehydrated -c 'bash /usr/local/bin/dehydrated --cron'
> # INFO: Using main config file /usr/local/etc/dehydrated/config
> Processing covisp.net with alternative names: covisp.net www.covisp.net
>  + Signing domains...
>  + Generating private key...
>  + Generating signing request...
>  + Requesting challenge for covisp.net...
>  + Requesting challenge for covisp.net...
>  + Requesting challenge for www.covisp.net...
>  + Responding to challenge for covisp.net...
> ERROR: Challenge is invalid! (returned: invalid) (result: {
>   "type": "http-01",
>   "status": "invalid",
>   "error": {
> "type": "urn:acme:error:unauthorized",
> "detail": "Invalid response from 
> http://covisp.net/.well-known/acme-challenge/t4DhXZyC
> 
> same results with WELLKNOWN="/usr/local/etc/dehydrated/.well-known"

It says unauthorized now. Could it be that your web server does not
follow links by default? Could you tell me, which webserver you're
using? Then I can copy you a snippet for its config that should work.

> /usr/local/etc/dehydrated]# ls -lsR
> total 40
> 8 drwxrwx---  2 root  _dehydrated  512 Nov  8 04:34 .acme-challenges
> 0 lrwxr-xr-x  1 root  _dehydrated   16 Nov  8 06:48 .well-known -> /www/.well-known
> 8 drwxrwx---  3 root  _dehydrated  512 Nov  8 06:45 accounts
> 8 drwxrwx---  3 root  _dehydrated  512 Oct 31 17:38 certs
> 8 -rw-r--r--  1 root  _dehydrated  141 Nov  8 06:56 config
> 8 -rw-r--r--  1 root  _dehydrated  129 Nov  8 06:54 domains.txt

Also I would suggest setting

BASEDIR=/var/dehydrated

in your config and make /usr/local/etc/dehydrated/ belong to root.
Currently your privilege separation does not yield much, as the
_dehydrated can write /usr/local/etc/dehydrated and could possibly
overwrite your deploy.sh script, if you chose to provide one for use
with periodic.

You would just need to move the accounts and certs directory and
domains.txt to /var/dehydrated, give this directory to _dehydrated and
leave permissions on /usr/local/etc/dehydrated/ as they are (this saves
you A LOT of trouble when updating the package).

  erdgeist
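The layout Dirk recommends in this message and in his follow-up (a root-owned config directory with no group write bit, BASEDIR=/var/dehydrated as the only tree the _dehydrated user may write, and WELLKNOWN ending in .well-known/acme-challenge where the web server can read it), written up as a POSIX sh audit. This is an added example, not code from the thread or from the dehydrated port; the directory arguments and the expected owner name are assumptions passed in by the caller.

```shell
#!/bin/sh
# Added example (not from the thread): audit the dehydrated privilege split.
#   CONF  - e.g. /usr/local/etc/dehydrated: owned by root, not group/world-writable
#   BASE  - e.g. /var/dehydrated: the only tree the service user may write
#   WELL  - WELLKNOWN, must end in .well-known/acme-challenge and be world-readable
# usage: audit CONF BASE WELL root

# Print the 10-character mode string and the owner of a path, e.g. "drwxrwx--x root".
mode_owner() { ls -ld "$1" | awk '{print substr($1,1,10), $3}'; }

# Config dir: owned by $2, no write bit for group (char 6) or others (char 9).
check_conf_dir() {
    [ -d "$1" ] || { echo "missing: $1"; return 1; }
    set -- "$1" "$2" $(mode_owner "$1")   # $3=mode $4=owner
    rc=0
    [ "$4" = "$2" ] || { echo "$1: owner $4, want $2"; rc=1; }
    case $3 in ?????w????) echo "$1: group-writable ($3)"; rc=1 ;; esac
    case $3 in ????????w?) echo "$1: world-writable ($3)"; rc=1 ;; esac
    return $rc
}

# Challenge dir: the web server (any uid) must search and read it, and the
# directory name must be the path the CA fetches under /.well-known/.
check_wellknown() {
    [ -d "$1" ] || { echo "missing: $1"; return 1; }
    set -- "$1" $(mode_owner "$1")        # $2=mode
    rc=0
    case $1 in */.well-known/acme-challenge) ;;
        *) echo "$1: should end in /.well-known/acme-challenge"; rc=1 ;; esac
    case $2 in ???????r?[xt]) ;;
        *) echo "$1: not world readable+searchable ($2)"; rc=1 ;; esac
    return $rc
}

# State dir must not live inside the config tree, otherwise the root-owned
# config and the service-owned state share permissions again.
check_basedir() {  # check_basedir BASE CONF
    case $1 in "$2"/*|"$2") echo "BASEDIR $1 is inside $2"; return 1 ;; esac
    [ -d "$1" ] || { echo "missing: $1"; return 1; }
    return 0
}

audit() {  # audit CONF BASE WELL OWNER; exit status 0 only when all checks pass
    ok=0
    check_conf_dir "$1" "$4" || ok=1
    check_basedir "$2" "$1"  || ok=1
    check_wellknown "$3"     || ok=1
    return $ok
}
```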


Re: Dehydrated setup

2016-11-08 Thread @lbutlr

> On 08 Nov 2016, at 06:42, Dirk Engling  wrote:
> 
> On 08/11/2016 13:48, Lewis Butler wrote:
> 
>> the http error log just shows the file that is trying to be accessed is not 
>> there:
>> 
>> [client 66.133.109.36:50250] AH00128: File does not exist: 
>> /usr/local/www/.well-known/acme-challenge/bXxlfu… 
>> 
>> Certs are being created in /usr/local/etc/dehydrated/certs each time I try 
>> to run the script.
> 
> What does your /usr/local/etc/dehydrated/config say about the WELLKNOWN
> variable? Shouldn't that point to /usr/local/www/dehydrated?

I thought it was supposed to point to the webroot. Will try setting it to 
dehydrated.

WELLKNOWN="/usr/local/www/.well-known/"

changed to

WELLKNOWN="/usr/local/etc/dehydrated"

# su -m _dehydrated -c 'bash /usr/local/bin/dehydrated --cron'
# INFO: Using main config file /usr/local/etc/dehydrated/config
Processing covisp.net with alternative names: covisp.net www.covisp.net
 + Signing domains...
 + Generating private key...
 + Generating signing request...
 + Requesting challenge for covisp.net...
 + Requesting challenge for covisp.net...
 + Requesting challenge for www.covisp.net...
 + Responding to challenge for covisp.net...
ERROR: Challenge is invalid! (returned: invalid) (result: {
  "type": "http-01",
  "status": "invalid",
  "error": {
"type": "urn:acme:error:unauthorized",
"detail": "Invalid response from 
http://covisp.net/.well-known/acme-challenge/t4DhXZyC

same results with WELLKNOWN="/usr/local/etc/dehydrated/.well-known"

/usr/local/etc/dehydrated]# ls -lsR
total 40
8 drwxrwx---  2 root  _dehydrated  512 Nov  8 04:34 .acme-challenges
0 lrwxr-xr-x  1 root  _dehydrated   16 Nov  8 06:48 .well-known -> /www/.well-known
8 drwxrwx---  3 root  _dehydrated  512 Nov  8 06:45 accounts
8 drwxrwx---  3 root  _dehydrated  512 Oct 31 17:38 certs
8 -rw-r--r--  1 root  _dehydrated  141 Nov  8 06:56 config
8 -rw-r--r--  1 root  _dehydrated  129 Nov  8 06:54 domains.txt

./.acme-challenges:
total 0

./accounts:
total 8
8 drwx--  2 _dehydrated  _dehydrated  512 Nov  8 06:45 aHR0cHM6Ly9hY21lLXYwMS5hcGkubGV0c2VuY3J5cHQub3JnL2RpcmVjdG9yeQo

./accounts/aHR0cHM6Ly9hY21lLXYwMS5hcGkubGV0c2VuY3J5cHQub3JnL2RpcmVjdG9yeQo:
total 16
8 -rw---  1 _dehydrated  _dehydrated  3243 Nov  8 06:45 account_key.pem
8 -rw---  1 _dehydrated  _dehydrated   960 Nov  8 06:45 registration_info.json

./certs:
total 8
8 drwxrwx---  2 root  _dehydrated  1536 Nov  8 06:56 covisp.net

./certs/covisp.net:
total 256
8 -rw---  1 _dehydrated  _dehydrated  1728 Nov  8 04:44 cert-1478605489.csr
0 -rw---  1 _dehydrated  _dehydrated 0 Nov  8 04:44 cert-1478605489.pem
8 -rw---  1 _dehydrated  _dehydrated  1728 Nov  8 05:13 cert-1478607211.csr
0 -rw---  1 _dehydrated  _dehydrated 0 Nov  8 05:13 cert-1478607211.pem
8 -rw---  1 _dehydrated  _dehydrated  1728 Nov  8 05:15 cert-1478607331.csr
0 -rw---  1 _dehydrated  _dehydrated 0 Nov  8 05:15 cert-1478607331.pem
8 -rw---  1 _dehydrated  _dehydrated  1728 Nov  8 05:17 cert-1478607471.csr
0 -rw---  1 _dehydrated  _dehydrated 0 Nov  8 05:17 cert-1478607471.pem
8 -rw---  1 _dehydrated  _dehydrated  1728 Nov  8 05:21 cert-1478607699.csr
0 -rw---  1 _dehydrated  _dehydrated 0 Nov  8 05:21 cert-1478607699.pem
8 -rw---  1 _dehydrated  _dehydrated  1728 Nov  8 05:35 cert-1478608499.csr
0 -rw---  1 _dehydrated  _dehydrated 0 Nov  8 05:35 cert-1478608499.pem
8 -rw---  1 _dehydrated  _dehydrated  1728 Nov  8 05:37 cert-1478608627.csr
0 -rw---  1 _dehydrated  _dehydrated 0 Nov  8 05:37 cert-1478608627.pem
8 -rw---  1 _dehydrated  _dehydrated  1728 Nov  8 05:39 cert-1478608727.csr
0 -rw---  1 _dehydrated  _dehydrated 0 Nov  8 05:39 cert-1478608727.pem
8 -rw---  1 _dehydrated  _dehydrated  1728 Nov  8 05:40 cert-1478608812.csr
0 -rw---  1 _dehydrated  _dehydrated 0 Nov  8 05:40 cert-1478608812.pem
8 -rw---  1 _dehydrated  _dehydrated  1728 Nov  8 06:45 cert-1478612746.csr
0 -rw---  1 _dehydrated  _dehydrated 0 Nov  8 06:45 cert-1478612746.pem
8 -rw---  1 _dehydrated  _dehydrated  1728 Nov  8 06:49 cert-1478612933.csr
0 -rw---  1 _dehydrated  _dehydrated 0 Nov  8 06:49 cert-1478612933.pem
8 -rw---  1 _dehydrated  _dehydrated  1756 Nov  8 06:51 cert-1478613091.csr
0 -rw---  1 _dehydrated  _dehydrated 0 Nov  8 06:51 cert-1478613091.pem
8 -rw---  1 _dehydrated  _dehydrated  1756 Nov  8 06:53 cert-1478613186.csr
0 -rw---  1 _dehydrated  _dehydrated 0 Nov  8 06:53 cert-1478613186.pem
8 -rw---  1 _dehydrated  _dehydrated  1679 Nov  8 06:54 cert-1478613262.csr
0 -rw---  1 _dehydrated  _dehydrated 0 Nov  8 06:54 cert-1478613262.pem
8 -rw---  1 _dehydrated  _dehydrated  1679 Nov  8 06:55 cert-1478613335.csr
0 -rw---  1 _dehydrated  _dehydrated 0 Nov  8 06:55 cert-1478613335.pem
8 -rw---  1 _dehydrated  _dehydrated  1679 Nov  8 06:56 cert-1478613402.csr
0 

Re: Dehydrated setup

2016-11-08 Thread Dirk Engling
On 08/11/2016 13:48, Lewis Butler wrote:

> the http error log just shows the file that is trying to be accessed is not 
> there:
> 
> [client 66.133.109.36:50250] AH00128: File does not exist: 
> /usr/local/www/.well-known/acme-challenge/bXxlfu… 
> 
> Certs are being created in /usr/local/etc/dehydrated/certs each time I try to 
> run the script.

What does your /usr/local/etc/dehydrated/config say about the WELLKNOWN
variable? Shouldn't that point to /usr/local/www/dehydrated? Your
webroot seems to point to /usr/local/www/ instead.

  erdgeist

Re: Dehydrated

2016-09-25 Thread JosC

In a message of 19-9-2016 13:58:

> Btw, can someone tell me what the logic is between the new name
> dehydrated and its functionality (domain certification)? Don't see it
> yet :-)


Thanks for explaining.

./Jos



Re: Dehydrated

2016-09-24 Thread Dirk Engling
On 19/09/2016 15:10, Mark Martinec wrote:

> It seems to allude to instant drinks (dehydrated): just add water and
> it does all the rest by magic - you obtain a ready drink / a valid
> certificate.

It's a pun on the ACME protocol it implements. ACME dehydrated rocks,
just add water.

  erdgeist


Re: Dehydrated

2016-09-19 Thread Mark Martinec

On 2016-09-19 13:58, JosC wrote:

> Btw, can someone tell me what the logic is between the new name
> dehydrated and its functionality (domain certification)? Don't see it
> yet :-)


It seems to allude to instant drinks (dehydrated): just add water and it
does all the rest by magic - you obtain a ready drink / a valid certificate.
So in this sense: it does all the necessary steps in obtaining or
renewing a certificate, no need to bother with details.

  Mark


Re: Dehydrated

2016-09-19 Thread JosC

In a message of 17-9-2016 1:38:

> After switching from letsencrypt to dehydrated, the upgrade to the
> latest port version keeps appearing when running


Is solved - for some reason letsencrypt was still installed although it
didn't show in my pkg list. After deinstalling it and re-installing
dehydrated, it all works fine now.


Btw, can someone tell me what the logic is between the new name 
dehydrated and its functionality (domain certification)? Don't see it 
yet :-)


Best regards,
Jos Chrispijn
