Re: Dehydrated setup
On Nov 8, 2016, at 7:25 AM, Dirk Engling wrote:
>
> WELLKNOWN="/usr/local/www/dehydrated/.well-known/acme-challenge"

Thank you, that solved it.

Processing covisp.net with alternative names: mail.covisp.net www.covisp.net
 + Signing domains...
 + Generating private key...
 + Generating signing request...
 + Requesting challenge for covisp.net...
 + Requesting challenge for mail.covisp.net...
 + Requesting challenge for www.covisp.net...
 + Responding to challenge for covisp.net...
 + Challenge is valid!
 + Responding to challenge for mail.covisp.net...
 + Challenge is valid!
 + Responding to challenge for www.covisp.net...
 + Challenge is valid!
 + Requesting certificate...
 + Checking certificate...
 + Done!
 + Creating fullchain.pem...
 + Done!

Now… on to figuring out deploy and adding other domains and wee! :)

I'll be back.

___
freebsd-ports@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-ports
To unsubscribe, send any mail to "freebsd-ports-unsubscr...@freebsd.org"
Re: Dehydrated setup
> On 08 Nov 2016, at 07:11, Dirk Engling wrote:
>
> On 08/11/2016 14:59, @lbutlr wrote:
>
>> # su -m _dehydrated -c 'bash /usr/local/bin/dehydrated --cron'
>> # INFO: Using main config file /usr/local/etc/dehydrated/config
>> Processing covisp.net with alternative names: covisp.net www.covisp.net
>> + Signing domains...
>> + Generating private key...
>> + Generating signing request...
>> + Requesting challenge for covisp.net...
>> + Requesting challenge for covisp.net...
>> + Requesting challenge for www.covisp.net...
>> + Responding to challenge for covisp.net...
>> ERROR: Challenge is invalid! (returned: invalid) (result: {
>> "type": "http-01",
>> "status": "invalid",
>> "error": {
>> "type": "urn:acme:error:unauthorized",
>> "detail": "Invalid response from
>> http://covisp.net/.well-known/acme-challenge/t4DhXZyC
>>
>> same results with WELLKNOWN="/usr/local/etc/dehydrated/.well-known"
>
> It says unauthorized now. Could it be that your web server does not
> follow links by default?

It is possible, but I am pretty sure it did. It is apache 2.4 built from portmaster.

> Could you tell me which webserver you're
> using? Then I can copy you a snippet for its config that should work.
>
>> /usr/local/etc/dehydrated]# ls -lsR
>> total 40
>> 8 drwxrwx--- 2 root _dehydrated 512 Nov 8 04:34 .acme-challenges
>> 0 lrwxr-xr-x 1 root _dehydrated 16 Nov 8 06:48 .well-known -> /www/.well-known
>> 8 drwxrwx--- 3 root _dehydrated 512 Nov 8 06:45 accounts
>> 8 drwxrwx--- 3 root _dehydrated 512 Oct 31 17:38 certs
>> 8 -rw-r--r-- 1 root _dehydrated 141 Nov 8 06:56 config
>> 8 -rw-r--r-- 1 root _dehydrated 129 Nov 8 06:54 domains.txt
>
> Also I would suggest setting
>
> BASEDIR=/var/dehydrated

Do you mean create that directory?

> in your config and make /usr/local/etc/dehydrated/ belong to root.

It does belong to root.

# ls -lsd /usr/local/etc/dehydrated
8 drwxrwx--x 5 root _dehydrated 512 Nov 8 06:56 /usr/local/etc/dehydrated

> Currently your privilege separation does not yield much, as the
> _dehydrated can write /usr/local/etc/dehydrated and could possibly
> overwrite your deploy.sh script, if you chose to provide one for use
> with periodic.
>
> You would just need to move the accounts and certs directory and
> domains.txt to /var/dehydrated, give this directory to _dehydrated and
> leave permissions on /usr/local/etc/dehydrated/ as they are (this saves
> you A LOT of trouble when updating the package).

I can certainly do that, though I think it would be better to do it once I get something of some sort actually working, yes?
Re: Dehydrated setup
On 08/11/2016 15:16, @lbutlr wrote:

> It is possible, but I am pretty sure it did. It is apache 2.4 built from portmaster.
>
>> Could you tell me which webserver you're
>> using? Then I can copy you a snippet for its config that should work.

With apache I changed

WELLKNOWN="/usr/local/www/dehydrated/.well-known/acme-challenge"

created both directories and had apache use /usr/local/www/dehydrated for non-tls connections. Your mileage may vary, so you might need to have WELLKNOWN point to /usr/local/www/.well-known/acme-challenge and make this directory belong to _dehydrated and be world readable.

>> Also I would suggest setting
>>
>> BASEDIR=/var/dehydrated
>
> Do you mean create that directory?

Yes. Actually in a perfect world the package would have done that for you, but the ports maintainers have been busy getting the transition from the name letsencrypt.sh to dehydrated right.

>> in your config and make /usr/local/etc/dehydrated/ belong to root.
>
> It does belong to root.
>
> # ls -lsd /usr/local/etc/dehydrated
> 8 drwxrwx--x 5 root _dehydrated 512 Nov 8 06:56 /usr/local/etc/dehydrated

But group has +w, so it can just delete files and write them anew. See, complex permission models always leave you head scratching if you really thought of everything.

> I can certainly do that, though I think it would be better to do it
> once I get something of some sort actually working, yes?

Sure ;) But it's not worth it to get something running that you need to change afterwards.

erdgeist
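A way to verify the WELLKNOWN layout described above before asking the CA again, as an added example that is not part of the thread or of the dehydrated port. It is a POSIX sh script that does what the CA's validator does, minus the HTTP fetch: it writes a token where WELLKNOWN points, confirms the same file appears under the directory httpd serves /.well-known/acme-challenge/ from (symlinks resolved), and confirms the real directories on the way are traversable by a user outside the _dehydrated group, which is what "belong to _dehydrated and be world readable" comes down to once Apache's www user is neither owner nor group member. The function names, the TOP argument and the token naming are my own, not dehydrated's.

```shell
#!/bin/sh
# Pre-flight check for dehydrated's http-01 layout (added example, not from
# the dehydrated port). dehydrated drops a token file into WELLKNOWN; httpd
# must serve exactly that file from the directory it maps
# /.well-known/acme-challenge/ to, or the CA sees "unauthorized" and the
# httpd error log shows AH00128 "File does not exist".
#
# Usage: check_challenge_path WELLKNOWN SERVED TOP
#   WELLKNOWN  the directory named in /usr/local/etc/dehydrated/config
#   SERVED     the directory httpd resolves /.well-known/acme-challenge/ to
#              (DocumentRoot/.well-known/acme-challenge, or an Alias target)
#   TOP        where the permission walk stops; use / to check everything,
#              or a directory httpd is already known to reach. If TOP is not
#              an ancestor of the real directory the walk continues to /.
# Returns 0 when a token written to WELLKNOWN is served from SERVED and
# every real directory on the way has o+x, 1 otherwise (reasons on stderr).

# Report DIR and each directory between DIR and TOP that lacks o+x.
# Assumes httpd runs as a user that is neither owner nor group member of
# these directories, which is the case once they belong to _dehydrated.
world_traversable() {
    wt_top=$(cd "$1" && pwd -P)
    wt_dir=$(cd "$2" && pwd -P)     # pwd -P follows symlinks to the real path
    wt_rc=0
    while :; do
        if [ -n "$(find "$wt_dir" -prune ! -perm -001)" ]; then
            echo "FAIL: $wt_dir is not world-searchable (needs o+x)" >&2
            wt_rc=1
        fi
        [ "$wt_dir" = "$wt_top" ] || [ "$wt_dir" = / ] && break
        wt_dir=$(dirname "$wt_dir")
    done
    return $wt_rc
}

check_challenge_path() {
    wellknown=$1 served=$2 top=$3
    rc=0
    # a throw-away token, named like the ones the CA asks for
    token="preflight-$$-$(date +%s)"
    # umask 022 so the token is world-readable, as a real one must be
    if ! ( umask 022; printf 'ok\n' > "$wellknown/$token" ) 2>/dev/null; then
        echo "FAIL: cannot write into WELLKNOWN=$wellknown" >&2
        return 1
    fi

    # 1. the served path must lead to the very file just written
    if [ "$(cat "$served/$token" 2>/dev/null)" != "ok" ]; then
        echo "FAIL: $served/$token is not the file written to $wellknown" >&2
        rc=1
    # 2. and www, outside the _dehydrated group, must be able to get there
    elif ! world_traversable "$top" "$served"; then
        rc=1
    fi

    rm -f "$wellknown/$token"
    [ $rc -eq 0 ] && echo "OK: tokens in $wellknown are served from $served"
    return $rc
}
```

Run it as the _dehydrated user (su -m _dehydrated -c '...', as in the thread) so the write test reflects the real permissions. It checks only the filesystem: whether httpd actually follows a symlink (Options FollowSymLinks, or an Alias that points straight at WELLKNOWN so no symlink is involved) still has to be confirmed by fetching http://covisp.net/.well-known/acme-challenge/<token> while the token exists.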
Re: Dehydrated setup
On 08/11/2016 14:59, @lbutlr wrote:

> # su -m _dehydrated -c 'bash /usr/local/bin/dehydrated --cron'
> # INFO: Using main config file /usr/local/etc/dehydrated/config
> Processing covisp.net with alternative names: covisp.net www.covisp.net
> + Signing domains...
> + Generating private key...
> + Generating signing request...
> + Requesting challenge for covisp.net...
> + Requesting challenge for covisp.net...
> + Requesting challenge for www.covisp.net...
> + Responding to challenge for covisp.net...
> ERROR: Challenge is invalid! (returned: invalid) (result: {
> "type": "http-01",
> "status": "invalid",
> "error": {
> "type": "urn:acme:error:unauthorized",
> "detail": "Invalid response from
> http://covisp.net/.well-known/acme-challenge/t4DhXZyC
>
> same results with WELLKNOWN="/usr/local/etc/dehydrated/.well-known"

It says unauthorized now. Could it be that your web server does not follow links by default? Could you tell me which webserver you're using? Then I can copy you a snippet for its config that should work.

> /usr/local/etc/dehydrated]# ls -lsR
> total 40
> 8 drwxrwx--- 2 root _dehydrated 512 Nov 8 04:34 .acme-challenges
> 0 lrwxr-xr-x 1 root _dehydrated 16 Nov 8 06:48 .well-known -> /www/.well-known
> 8 drwxrwx--- 3 root _dehydrated 512 Nov 8 06:45 accounts
> 8 drwxrwx--- 3 root _dehydrated 512 Oct 31 17:38 certs
> 8 -rw-r--r-- 1 root _dehydrated 141 Nov 8 06:56 config
> 8 -rw-r--r-- 1 root _dehydrated 129 Nov 8 06:54 domains.txt

Also I would suggest setting

BASEDIR=/var/dehydrated

in your config and make /usr/local/etc/dehydrated/ belong to root. Currently your privilege separation does not yield much, as the _dehydrated can write /usr/local/etc/dehydrated and could possibly overwrite your deploy.sh script, if you chose to provide one for use with periodic.

You would just need to move the accounts and certs directory and domains.txt to /var/dehydrated, give this directory to _dehydrated and leave permissions on /usr/local/etc/dehydrated/ as they are (this saves you A LOT of trouble when updating the package).

erdgeist
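The layout recommended above, turned into a check that can be rerun after every package update, as an added example for this thread (not code from the dehydrated port; the function names and the optional hook argument are my own). It assumes the service user, the config directory, BASEDIR and an optional deploy hook are passed as arguments, and it treats "can write" as: owns the path with u+w, belongs to a group with g+w, or the path is o+w. Root is deliberately not considered.

```shell
#!/bin/sh
# Privilege separation check for a dehydrated install (added example, not
# from the dehydrated port). The unprivileged service user must own BASEDIR,
# where account keys, certificates and domains.txt live, and must NOT be
# able to write the config directory or the deploy hook: a directory it can
# write lets it unlink and recreate root-owned files inside, and a hook it
# can rewrite runs with root's privileges the next time periodic fires.
#
# Usage: check_basedir USER BASEDIR
#        check_confdir USER CONFIGDIR [HOOK]
# Each returns 0 when the rule holds, 1 when it is violated (reasons on stderr).

# Can USER write PATH? Owner with u+w, member of a group with g+w, or o+w.
writable_by() {
    wb_user=$1 wb_path=$2
    [ -n "$(find "$wb_path" -prune -user "$wb_user" -perm -200 2>/dev/null)" ] && return 0
    for g in $(id -Gn "$wb_user" 2>/dev/null); do
        [ -n "$(find "$wb_path" -prune -group "$g" -perm -020 2>/dev/null)" ] && return 0
    done
    [ -n "$(find "$wb_path" -prune -perm -002 2>/dev/null)" ]
}

# BASEDIR must belong to the service user: dehydrated writes the account key
# and the certificate private keys there.
check_basedir() {
    if [ -z "$(find "$2" -prune -user "$1" 2>/dev/null)" ]; then
        echo "FAIL: $2 is not owned by $1 (set BASEDIR there and chown it)" >&2
        return 1
    fi
    return 0
}

# CONFIGDIR, everything directly inside it, and HOOK must not be writable
# by the service user. The directory itself matters most: the
# "drwxrwx--x root _dehydrated" from the thread is group-writable, so the
# root-owned config in it can still be replaced.
check_confdir() {
    cc_user=$1 cc_dir=$2 cc_hook=$3 cc_rc=0
    for f in "$cc_dir" "$cc_dir"/* "$cc_dir"/.[!.]* ${cc_hook:+"$cc_hook"}; do
        [ -e "$f" ] || [ -L "$f" ] || continue     # unmatched glob
        if writable_by "$cc_user" "$f"; then
            echo "FAIL: $cc_user can write $f" >&2
            cc_rc=1
        fi
    done
    return $cc_rc
}
```

Run both after moving accounts, certs and domains.txt to BASEDIR: check_basedir _dehydrated /var/dehydrated and check_confdir _dehydrated /usr/local/etc/dehydrated /usr/local/etc/dehydrated/deploy.sh. A group-writable config directory is reported even when every file in it is root-owned, which is exactly the case the ls -lsd output above shows.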
Re: Dehydrated setup
> On 08 Nov 2016, at 06:42, Dirk Engling wrote:
>
> On 08/11/2016 13:48, Lewis Butler wrote:
>
>> the http error log just shows the file that is trying to be accessed is not
>> there:
>>
>> [client 66.133.109.36:50250] AH00128: File does not exist:
>> /usr/local/www/.well-known/acme-challenge/bXxlfu…
>>
>> Certs are being created in /usr/local/etc/dehydrated/certs each time I try
>> to run the script.
>
> What does your /usr/local/etc/dehydrated/config say about the WELLKNOWN
> variable? Shouldn't that point to /usr/local/www/dehydrated?

I thought it was supposed to point to the webroot. Will try setting it to dehydrated.

WELLKNOWN="/usr/local/www/.well-known/"

changed to

WELLKNOWN="/usr/local/etc/dehydrated"

# su -m _dehydrated -c 'bash /usr/local/bin/dehydrated --cron'
# INFO: Using main config file /usr/local/etc/dehydrated/config
Processing covisp.net with alternative names: covisp.net www.covisp.net
 + Signing domains...
 + Generating private key...
 + Generating signing request...
 + Requesting challenge for covisp.net...
 + Requesting challenge for covisp.net...
 + Requesting challenge for www.covisp.net...
 + Responding to challenge for covisp.net...
ERROR: Challenge is invalid! (returned: invalid) (result: {
  "type": "http-01",
  "status": "invalid",
  "error": {
    "type": "urn:acme:error:unauthorized",
    "detail": "Invalid response from http://covisp.net/.well-known/acme-challenge/t4DhXZyC

same results with WELLKNOWN="/usr/local/etc/dehydrated/.well-known"

/usr/local/etc/dehydrated]# ls -lsR
total 40
8 drwxrwx--- 2 root _dehydrated 512 Nov 8 04:34 .acme-challenges
0 lrwxr-xr-x 1 root _dehydrated 16 Nov 8 06:48 .well-known -> /www/.well-known
8 drwxrwx--- 3 root _dehydrated 512 Nov 8 06:45 accounts
8 drwxrwx--- 3 root _dehydrated 512 Oct 31 17:38 certs
8 -rw-r--r-- 1 root _dehydrated 141 Nov 8 06:56 config
8 -rw-r--r-- 1 root _dehydrated 129 Nov 8 06:54 domains.txt

./.acme-challenges:
total 0

./accounts:
total 8
8 drwx------ 2 _dehydrated _dehydrated 512 Nov 8 06:45 aHR0cHM6Ly9hY21lLXYwMS5hcGkubGV0c2VuY3J5cHQub3JnL2RpcmVjdG9yeQo

./accounts/aHR0cHM6Ly9hY21lLXYwMS5hcGkubGV0c2VuY3J5cHQub3JnL2RpcmVjdG9yeQo:
total 16
8 -rw------- 1 _dehydrated _dehydrated 3243 Nov 8 06:45 account_key.pem
8 -rw------- 1 _dehydrated _dehydrated 960 Nov 8 06:45 registration_info.json

./certs:
total 8
8 drwxrwx--- 2 root _dehydrated 1536 Nov 8 06:56 covisp.net

./certs/covisp.net:
total 256
8 -rw------- 1 _dehydrated _dehydrated 1728 Nov 8 04:44 cert-1478605489.csr
0 -rw------- 1 _dehydrated _dehydrated 0 Nov 8 04:44 cert-1478605489.pem
8 -rw------- 1 _dehydrated _dehydrated 1728 Nov 8 05:13 cert-1478607211.csr
0 -rw------- 1 _dehydrated _dehydrated 0 Nov 8 05:13 cert-1478607211.pem
8 -rw------- 1 _dehydrated _dehydrated 1728 Nov 8 05:15 cert-1478607331.csr
0 -rw------- 1 _dehydrated _dehydrated 0 Nov 8 05:15 cert-1478607331.pem
8 -rw------- 1 _dehydrated _dehydrated 1728 Nov 8 05:17 cert-1478607471.csr
0 -rw------- 1 _dehydrated _dehydrated 0 Nov 8 05:17 cert-1478607471.pem
8 -rw------- 1 _dehydrated _dehydrated 1728 Nov 8 05:21 cert-1478607699.csr
0 -rw------- 1 _dehydrated _dehydrated 0 Nov 8 05:21 cert-1478607699.pem
8 -rw------- 1 _dehydrated _dehydrated 1728 Nov 8 05:35 cert-1478608499.csr
0 -rw------- 1 _dehydrated _dehydrated 0 Nov 8 05:35 cert-1478608499.pem
8 -rw------- 1 _dehydrated _dehydrated 1728 Nov 8 05:37 cert-1478608627.csr
0 -rw------- 1 _dehydrated _dehydrated 0 Nov 8 05:37 cert-1478608627.pem
8 -rw------- 1 _dehydrated _dehydrated 1728 Nov 8 05:39 cert-1478608727.csr
0 -rw------- 1 _dehydrated _dehydrated 0 Nov 8 05:39 cert-1478608727.pem
8 -rw------- 1 _dehydrated _dehydrated 1728 Nov 8 05:40 cert-1478608812.csr
0 -rw------- 1 _dehydrated _dehydrated 0 Nov 8 05:40 cert-1478608812.pem
8 -rw------- 1 _dehydrated _dehydrated 1728 Nov 8 06:45 cert-1478612746.csr
0 -rw------- 1 _dehydrated _dehydrated 0 Nov 8 06:45 cert-1478612746.pem
8 -rw------- 1 _dehydrated _dehydrated 1728 Nov 8 06:49 cert-1478612933.csr
0 -rw------- 1 _dehydrated _dehydrated 0 Nov 8 06:49 cert-1478612933.pem
8 -rw------- 1 _dehydrated _dehydrated 1756 Nov 8 06:51 cert-1478613091.csr
0 -rw------- 1 _dehydrated _dehydrated 0 Nov 8 06:51 cert-1478613091.pem
8 -rw------- 1 _dehydrated _dehydrated 1756 Nov 8 06:53 cert-1478613186.csr
0 -rw------- 1 _dehydrated _dehydrated 0 Nov 8 06:53 cert-1478613186.pem
8 -rw------- 1 _dehydrated _dehydrated 1679 Nov 8 06:54 cert-1478613262.csr
0 -rw------- 1 _dehydrated _dehydrated 0 Nov 8 06:54 cert-1478613262.pem
8 -rw------- 1 _dehydrated _dehydrated 1679 Nov 8 06:55 cert-14786
Re: Dehydrated setup
On 08/11/2016 13:48, Lewis Butler wrote:

> the http error log just shows the file that is trying to be accessed is not
> there:
>
> [client 66.133.109.36:50250] AH00128: File does not exist:
> /usr/local/www/.well-known/acme-challenge/bXxlfu…
>
> Certs are being created in /usr/local/etc/dehydrated/certs each time I try to
> run the script.

What does your /usr/local/etc/dehydrated/config say about the WELLKNOWN variable? Shouldn't that point to /usr/local/www/dehydrated? Your webroot seems to point to /usr/local/www/ instead.

erdgeist
Dehydrated setup
I'm having issues getting dehydrated to work after installing it, and there seems to be no documentation installed with it that I can find. The package is installed, but I am unable to get the web side of things working and have found conflicting information.

I tried creating a directory in my webroot named .well-known with permissions of 770 and owned by www:_dehydrated. I then linked it to /usr/local/etc/dehydrated

Now, if I run

# su -m _dehydrated -c 'bash /usr/local/bin/dehydrated --cron'

I get:

ERROR: Challenge is invalid! (returned: invalid) (result: {
  "type": "http-01",
  "status": "invalid",
  "error": {
    "type": "urn:acme:error:unauthorized",
    "detail": "Invalid response from http://covisp.net/.well-known/acme-challenge/….

So I create the acme-challenge directory with the same permissions. Same error.

# ls -lsRa /www/.well-known/
total 24
8 drwxrwxrwx 3 www _dehydrated 512 Nov 8 05:40 .
8 drwxr-xr-x 30 root wheel 1024 Nov 8 05:32 ..
8 drwxrwx--- 2 www _dehydrated 512 Nov 8 05:37 acme-challenge
0 -rw-r--r-- 1 root _dehydrated 0 Nov 8 05:11 index.html

/www/.well-known/acme-challenge:
total 16
8 drwxrwx--- 2 www _dehydrated 512 Nov 8 05:37 .
8 drwxrwxrwx 3 www _dehydrated 512 Nov 8 05:40 ..
0 -rw-r--r-- 1 root _dehydrated 0 Nov 8 05:26 index.html

I can load http://covisp.net/.well-known and http://covisp.net/.well-known/acme-challenge/ (they show a blank page because I put a blank index.html file there). I even tried setting both directories to 777 permissions, but to no avail.

The http error log just shows the file that is trying to be accessed is not there:

[client 66.133.109.36:50250] AH00128: File does not exist: /usr/local/www/.well-known/acme-challenge/bXxlfu…

Certs are being created in /usr/local/etc/dehydrated/certs each time I try to run the script.
Re: Dehydrated
In a message of 19-9-2016 13:58:
> Btw, can someone tell me what the logic is between the new name dehydrated and its functionality (domain certification)? Don't see it yet :-)

Thanks for explaining.

./Jos
Re: Dehydrated
On 19/09/2016 15:10, Mark Martinec wrote:

> It seems to allude to instant drinks (dehydrated): just add water and
> it does all the rest by magic - you obtain a ready drink / a valid
> certificate.

It's a pun on the ACME protocol it implements. ACME dehydrated rocks, just add water.

erdgeist
Re: Dehydrated
On 2016-09-19 13:58, JosC wrote:
> Btw, can someone tell me what the logic is between the new name dehydrated and its functionality (domain certification)? Don't see it yet :-)

It seems to allude to instant drinks (dehydrated): just add water and it does all the rest by magic - you obtain a ready drink / a valid certificate. So in this sense: it does all the necessary steps in obtaining or renewing a certificate, no need to bother with details.

Mark
Re: Dehydrated
In a message of 17-9-2016 1:38:
> After switching from letsencrypt to dehydrated, the upgrade to the latest port version keeps appearing when running

Is solved - for some reason letsencrypts was still installed although it didn't show in my pkg list. After deinstalling it and re-installing dehydrated, it all works fine now.

Btw, can someone tell me what the logic is between the new name dehydrated and its functionality (domain certification)? Don't see it yet :-)

Best regards,
Jos Chrispijn
Dehydrated
After switching from letsencrypt to dehydrated, the upgrade to the latest port version keeps appearing when running

portmaster -y --clean-distfiles
portmaster -y --clean-packages
portmaster -y --check-depends
portmaster -a

although there is no port update of it available. Apparently there is something outta sync**:

===>>> Gathering distinfo list for installed ports
===>>> Starting check of installed ports for available updates
===>>> The security/letsencrypt.sh port moved to security/dehydrated
===>>> Reason: Upstream renamed the project
===>>> Launching child to reinstall letsencrypt.sh-0.3.0
===>>> All >> letsencrypt.sh-0.3.0 (1/1)

** ===>>> The security/letsencrypt.sh port moved to security/dehydrated
===>>> Reason: Upstream renamed the project
===>>> Currently installed version: dehydrated-0.3.1
===>>> Port directory: /usr/ports/security/dehydrated
===>>> Launching 'make checksum' for security/dehydrated in background
===>>> Gathering dependency list for security/dehydrated from ports
===>>> Initial dependency check complete for security/dehydrated
===>>> Returning to update check of installed ports
===>>> All >> (1)
===>>> The following actions will be taken if you choose to proceed:
Re-install dehydrated-0.3.1

Can someone tell me how to solve this? Thanks!

regards,
Jos Chrispijn