Re: no registration exists matching provided key

2017-12-19 Thread Kihaguru Gathura
OpenBSD 6.2.

Precisely as summarised by Scott; however, to overcome some pitfalls, the full
details to get TLS working for your domain www.example.com are as follows.

1. Configure httpd.conf to work with your domain example.com as follows:

# vi /etc/httpd.conf
# $OpenBSD: httpd.conf,v 1.17 2017/04/16 08:50:49 ajacoutot Exp $

#
# Macros
#
ext_addr="*"

#
# Global Options
#
# prefork 3

#
# Servers
#
# A minimal default server
server "default" {
	listen on $ext_addr port 80
}

# A minimal www.example.com server
server "www.example.com" {
	alias "example.com"
	listen on $ext_addr port 80
	root "/htdocs/www.example.com"
	location "/.well-known/acme-challenge/*" {
		root "/acme"
		root strip 2
		directory no auto index
	}
}

# Include MIME types instead of the built-in ones
types {
	include "/usr/share/misc/mime.types"
}

2. Create the root folder for the domain and start the httpd server to apply
the changes:

# mkdir /var/www/htdocs/www.example.com
# vi /etc/rc.conf.local
  httpd_flags=
# rcctl enable httpd
# rcctl start httpd
httpd(ok)

3. Configure acme-client for your domain www.example.com:

# vi /etc/acme-client.conf
#
# $OpenBSD: acme-client.conf,v 1.4 2017/03/22 11:14:14 benno Exp $
#
authority letsencrypt {
	agreement url "https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf"
	api url "https://acme-v01.api.letsencrypt.org/directory"
	account key "/etc/acme/letsencrypt-privkey.pem"
}

authority letsencrypt-staging {
	agreement url "https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf"
	api url "https://acme-staging.api.letsencrypt.org/directory"
	account key "/etc/acme/letsencrypt-staging-privkey.pem"
}

domain www.example.com {
	alternative names { example.com }
	domain key "/etc/ssl/private/example.com.key"
	domain certificate "/etc/ssl/example.com.crt"
	domain full chain certificate "/etc/ssl/example.com.fullchain.pem"
	sign with letsencrypt
}

4. Attempt to get the certificates:

# acme-client -vvAD www.example.com
...
acme-client: https://acme-v01.api.letsencrypt.org/acme/new-reg: bad HTTP: 400
acme-client: transfer buffer: [{ "type": "urn:acme:error:malformed", "detail": "Provided agreement URL [https://lecuments/LE-SA-v1.2-November-15-2017.pdf]", "status": 400 }] (267 bytes)
acme-client: bad exit: netproc(71944): 1

5. The agreement URL needs to be updated (replaced) with the one provided in
the error message above:

# vi /etc/acme-client.conf
#
# $OpenBSD: acme-client.conf,v 1.4 2017/03/22 11:14:14 benno Exp $
#
authority letsencrypt {
	# agreement url "https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf"
	agreement url "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf"
	api url "https://acme-v01.api.letsencrypt.org/directory"
	account key "/etc/acme/letsencrypt-privkey.pem"
}

authority letsencrypt-staging {
	# agreement url "https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf"
	agreement url "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf"

rdomain/rtable

2017-12-19 Thread Paul B. Henson
I've got a box with an LTE cellular modem in it whose purpose is to provide
a backup connection to the Internet if the hardwire service goes down. It's
running OSPF to connect to the rest of the network, and the only time any
traffic should go over the cellular link (which is slower and bandwidth
capped) is if the hardwire interconnection is down, including ideally
traffic generated from the system itself.

I have that part working, by adding in a local static default route to the
cellular gateway with less priority than the OSPF default route. However,
for testing purposes, I'd like to be able to poke out the cellular link on
an as-needed basis without having to switch the entire box over to using it.
Virtual routing tables looked perfect for this purpose, as I could just
spawn a single process with a different default route; we do something
similar with network namespaces under Linux.

However, I can't quite get it to work. What I'd really like is to be able to
make a copy of the current system routing table, then change one thing about
it. However, a new rdomain shows up with no routes or interfaces in the
routing table. I can add the new default route pointing out the cellular
link, and get traffic to go out there. But I haven't sorted out how to make
all the traffic for my internal network still go through the internal link
rather than get sent out the default route. While ideally all the OSPF
routes would propagate to the other routing domain, I tried just adding a
static to the /16 for our internal address space:

Internet:
Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
default            24.x.x.x           UGS        0        6     -     8 umb0
10.0/16            10.128.0.21        UGS        0        0     -     8 em0

That doesn't work; the documentation says you need to get pf to pass packets
across routing domains. However, it says:

rtable number
Used to select an alternate routing table for the routing lookup.
Only effective before the route lookup happened, i.e. when
filtering inbound.

Unfortunately, for traffic originating from the system itself, there isn't
really an "inbound" interface? So I'm not sure what pf rule would make this
work. Is it just not possible, or am I missing something?

Thanks much.



Re: bug tracking system for OpenBSD

2017-12-19 Thread Kai Wetlesen

> On Dec 19, 2017, at 14:54, Ted Unangst  wrote:
> 
> Kai Wetlesen wrote:
>>>> you don't have to announce your bug database the first day you set it up. in
>>>> fact, it's better not to. but in a few months time, when somebody inevitably
>>>> asks misc how do i contribute, where's the todo list, you'll have this handy
>>>> list of unresolved bugs to point them at.
> 
>> There are many decisions that would need to be made that will piss somebody
>> off. Decisions like what software/platform to use, where to host the thing, and
>> how much the tool should integrate into existing bug reporting mechanisms
>> (right now just fancy emailing).
>> 
>> To answer your tactful question Theo, I personally haven't done anything because
>> I do not have your blessing nor of someone who can say "yes just effing do it". But,
>> if you would be willing to give me free rein it will be done.
> 
> Imagine if you'd followed my suggestion and spent the last six months curating
> a bug database. Then today you could have sent us a link to it and everybody
> would see how useful it is. Now we have to wait another six months.

Put bluntly, I was busy with completing my bachelor's degree, which was far
more important. You would have waited six months regardless. Now that it's
done and out of the way I'll happily take your advice.


Re: no registration exists matching provided key

2017-12-19 Thread Scott Nicholas
On Tue, Dec 19, 2017 at 3:26 AM, ?? ??  wrote:
> Hello, I am very new to all these things, and wanted to have ssl for my own 
> server (OpenBSD 6.2, OpenBSD httpd, OpenBSD acme-client), which will be my 
> first ssl, other than previous self-signed one.
>
> Previously, to create a website, I followed some blog posts and created 
> self-signed ssl 
> (http://thecyberrecce.net/2017/01/15/secure-webservers-with-openbsd-6-0-setting-up-httpd-mariadb-and-php/),
> and as the site was somehow ready so I wanted to have the Letsencrypt ssl on 
> the site, replacing the existing self-signed one.
> After reading man pages, documentations, and blog posts, (but I don't 
> understand much really) I did just almost the same as others stated in their 
> blogs (httpd.conf, acme-client.conf and then the command), using "acme-client 
> -vvAD example.com" command. But I got an error ("provided agreement URL 
> doesn't match" or similar), and then tried several times again while making 
> changes (e.g. deleting self-signed crt, etc...)
> but I still get an error: "no registration exists matching provided key".
>
> Could anyone help me know what the error means or give any advice to me?

I just had this happen. acme-client saved an account key but since the
TOS needed updating, the account wasn't created. I imagine you updated
the agreement url? This is the new one:

agreement url "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf"

Delete your account key so it makes a new one. It's in the location below:

account key "/etc/acme/letsencrypt-privkey.pem"

then run acme-client again.

> Also this is my second time writing to a "mailing list", and at the first 
> time I couldn't send a reply to say thank you to the reply that sent to me as 
> I don't know how to reply. So I'd be really grateful for kindly letting me 
> know that as well.
>
> Would really appreciate any help.
>
>

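Putting the two failure modes from this thread together (the rejected agreement URL in Kihaguru's steps 4 and 5, and the stale account key Scott describes above), here is a small diagnostic that parses acme-client's verbose output and returns the acme-client.conf change to make. It is an added example, not code from either post; its sample log is constructed, and the "does not match current agreement URL" wording is assumed from the CA's error text rather than copied from the thread.

```python
"""Diagnose acme-client(1) errors and suggest the acme-client.conf change (added example)."""
import json
import re

# Constructed sample log in the shape of the output quoted in the thread; the
# "does not match current agreement URL" wording is assumed from the CA (Boulder).
SAMPLE_OUTPUT = (
    "acme-client: https://acme-v01.api.letsencrypt.org/acme/new-reg: bad HTTP: 400\n"
    'acme-client: transfer buffer: [{ "type": "urn:acme:error:malformed", '
    '"detail": "Provided agreement URL '
    "[https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf] "
    "does not match current agreement URL "
    '[https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf]", '
    '"status": 400 }] (267 bytes)\n'
    "acme-client: bad exit: netproc(71944): 1\n"
)
ACCOUNT_KEY = "/etc/acme/letsencrypt-privkey.pem"  # path from the thread's config
BUFFER_RE = re.compile(r"transfer buffer: (\[.*\]) \(\d+ bytes\)")
URL_RE = re.compile(r"\[(https?://[^\]\s]+)\]")

def parse_transfer_buffer(output):
    """Return the JSON error objects acme-client echoes after 'transfer buffer:'."""
    m = BUFFER_RE.search(output)
    if not m:
        return []
    try:
        return json.loads(m.group(1))
    except json.JSONDecodeError:
        return []

def current_agreement_url(output):
    """Return the agreement URL the CA now expects, parsed from the error detail."""
    for err in parse_transfer_buffer(output):
        detail = err.get("detail", "")
        if err.get("type") == "urn:acme:error:malformed" and "agreement URL" in detail:
            urls = URL_RE.findall(detail)
            if urls:
                return urls[-1]  # the last bracketed URL is the current one
    return None

def suggest_fix(output):
    """Map a failure to the fix described in the thread: new URL, or a fresh account key."""
    url = current_agreement_url(output)
    if url:
        return 'agreement url "%s"' % url
    if "no registration exists matching provided key" in output:
        # Key saved before registration completed: remove it so acme-client -A makes a new one.
        return "rm %s" % ACCOUNT_KEY
    return None
```

suggest_fix(SAMPLE_OUTPUT) returns the agreement url line to put in the authority letsencrypt block; pass it the saved output of a real acme-client -vvAD run instead of SAMPLE_OUTPUT to diagnose your own failure.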


Re: "fuse: unknown option gid=1000" with sshfs

2017-12-19 Thread Helg Bredow
This is fixed in the latest snapshot. Before this commit, even if gid or uid 
options were recognised, they would not have had an effect.


Please let me know if you find any other bugs - there are many :)


From: azarus 
Sent: Monday, 18 December 2017 8:11:52 PM
To: misc@openbsd.org
Cc: h...@openbsd.org
Subject: "fuse: unknown option gid=1000" with sshfs

Hi, list!

Since OpenBSD 6.0 removed the ability to mount filesystems as user, I've
been having issues getting directories mounted with sysutils/sshfs-fuse
to be accessible by users. I've tried setting

> -o uid=,gid=

when I mount the directory with this complete command line:

> doas sshfs -o uid=,gid= user@server:/dir /mnt

only to get this back:

> fuse: unknown option uid=1000

respectively, when gid is the first option:

> fuse: unknown option gid=1000

I've seen some recent changes regarding libfuse in the source tree, for
example this one:
https://marc.info/?l=openbsd-cvs&m=151299546729095&w=2
which would affect me, as I'm running -current:

OpenBSD 6.2-current (GENERIC.MP) #296: Sun Dec 17 16:43:20 MST 2017

Help would be greatly appreciated.

--
azarus
email: aza...@posteo.net
xmpp:  aza...@azarus.ch
PGP:   3A79D6CFD2567CF9


Re: bug tracking system for OpenBSD

2017-12-19 Thread Ted Unangst
Kai Wetlesen wrote:
> > > you don't have to announce your bug database the first day you set it up. in
> > > fact, it's better not to. but in a few months time, when somebody inevitably
> > > asks misc how do i contribute, where's the todo list, you'll have this handy
> > > list of unresolved bugs to point them at.

> There are many decisions that would need to be made that will piss somebody
> off. Decisions like what software/platform to use, where to host the thing, and
> how much the tool should integrate into existing bug reporting mechanisms
> (right now just fancy emailing).
> 
> To answer your tactful question Theo, I personally haven't done anything because
> I do not have your blessing nor of someone who can say "yes just effing do it". But,
> if you would be willing to give me free rein it will be done.

Imagine if you'd followed my suggestion and spent the last six months curating
a bug database. Then today you could have sent us a link to it and everybody
would see how useful it is. Now we have to wait another six months.



Re: bug tracking system for OpenBSD

2017-12-19 Thread Allan Streib
Kai Wetlesen  writes:

> There are many decisions that would need to be made that will piss
> somebody off. Decisions like what software/platform to use, where to
> host the thing, and how much the tool should integrate into existing
> bug reporting mechanisms (right now just fancy emailing).

So it's a lot more work than it might first appear.

> To answer your tactful question Theo, I personally haven't done
> anything because I do not have your blessing nor of someone who can
> say "yes just effing do it". But, if you would be willing to give me
> free rein it will be done.

You seem to be asking for endorsement of something you haven't done
yet. In my time on this list I've learned that's not how it works.

Allan



Re: how to properly rebuild or delete crypto softraid?

2017-12-19 Thread soko.tica
Thank you for your input and sorry about the delay.

I realize now that my question was poorly documented and promise that I
will produce ddb report next time if the crash occurs.

Meanwhile, I have managed to safely remove the encrypted partition with
$ doas bioctl -d sdX. That was all I was trying to achieve at this
point.

I believe the FAQ https://www.openbsd.org/faq/faq14.html#softraid would benefit
if such an explicit line about properly removing/destroying
encrypted/"ordinary" RAID were added to it.

Many thanks, again

On Fri, Dec 15, 2017 at 10:30 AM, Stuart Henderson wrote:

> On 2017-12-13, soko.tica  wrote:
> > I have successfully built an encrypted bootable usb according to the
> > instructions https://www.openbsd.org/faq/faq14.html#softraidFDE
> >
> > After booting successfully several times, the device went to ddb after I
> > installed chrome without previously adding xfonts during the install.
> > Subsequent attempts to boot were unsuccessful.
> >
> > I have erased partitions by disklabel and fdisk and tried to repeat the
> > installation process. However, the encrypted raid device appeared and I was
> > able to unlock it by the same passphrase, so I ceased the installation.
> >
> > Is it possible to delete the crypto raid properly at this stage? Should I
> > try to rebuild it?
> >
> > Any advice is appreciated.
> >
> > Thanks in advance.
> >
>
> You can use dd to write zeroes over the start of the device to overwrite
> the partition table and disklabel, I'm not sure how far you have to go
> but would expect "dd if=/dev/zero of=/dev/rsdXc bs=1m count=8" to do
> the trick (with the correct disk number here ^ obviously).
>
> No idea why it would have gone to ddb, your report is very lacking in
> information!


support update

2017-12-19 Thread Kihaguru Gathura
0
C Kenya
P Nairobi
T Nairobi
Z P.O. Box 30164-00100
O PQscript
I
A Bishops Road
M pqscr...@gmail.com
U
B +254 706970697
X
N OpenBSD consulting. Speciality in web applications
development with OpenBSD-httpd web server, PostgreSQL DBMS, FastCGI
protocol and C programming language.


Roaming Laptop and slaacd

2017-12-19 Thread Marc Peters
Hi Florian,

I am sending this email also directly to you, as you are the author of slaacd
and companions.

When roaming with my laptop between offices/home or just different IPv6-enabled
networks, I have to delete the remaining IPv6 addresses from the previous
network by hand to get it working again. Is it possible to mark the addresses
not included in solicitations when stateless autoconfiguration for an interface
is enabled as deprecated addresses (like the kernel did before), to have them
not used when the location changed in suspend?
Another question is that I have the line "/usr/sbin/slaacctl send solicitation
trunk0" in /etc/apm/resume but need to fire this command again to get addresses
and routers when resuming my laptop. If you would like me to test some code for
this, just let me know and I will happily do so.

Cheers,
Marc



no registration exists matching provided key

2017-12-19 Thread ?? ??
Hello, I am very new to all these things, and wanted to have ssl for my own 
server (OpenBSD 6.2, OpenBSD httpd, OpenBSD acme-client), which will be my first 
ssl, other than previous self-signed one.

Previously, to create a website, I followed some blog posts and created 
self-signed ssl 
(http://thecyberrecce.net/2017/01/15/secure-webservers-with-openbsd-6-0-setting-up-httpd-mariadb-and-php/),
and as the site was somehow ready so I wanted to have the Letsencrypt ssl on 
the site, replacing the existing self-signed one.
After reading man pages, documentations, and blog posts, (but I don't 
understand much really) I did just almost the same as others stated in their 
blogs (httpd.conf, acme-client.conf and then the command), using "acme-client 
-vvAD example.com" command. But I got an error ("provided agreement URL doesn't 
match" or similar), and then tried several times again while making changes 
(e.g. deleting self-signed crt, etc...)
but I still get an error: "no registration exists matching provided key".

Could anyone help me know what the error means or give any advice to me?

Also this is my second time writing to a "mailing list", and at the first time 
I couldn't send a reply to say thank you to the reply that sent to me as I don't 
know how to reply. So I'd be really grateful for kindly letting me know that as 
well.

Would really appreciate any help.