Re: [OpenBSD 6.1] acme-client + nginx

2017-07-06 Thread Stephane HUC "PengouinBSD"


On 07/06/17 at 12:03, Stuart Henderson wrote:
(...)
> 
> /usr/local/www seems unlikely on OpenBSD.
> 
> I just have
> 
> location /.well-known/acme-challenge { root /var/www/letsencrypt/; }
> 
> and
> 
> challengedir "/var/www/letsencrypt/.well-known/acme-challenge"
>  
> but there are several ways you can configure this. (e.g. you might want
> to use a different directory layout if you have anything else that uses
> the RFC5785 .well-known URIs). It doesn't matter what you use as long as
> letsencrypt can fetch the file that acme-client wrote.
> 
> 

OK, it runs correctly, as you wrote.

I changed nginx:

location ^~ /.well-known/acme-challenge {
    allow all;
    #default_type "text/plain";
    root /var/www/acme/test.obsd4a.net/;
}

I changed acme-client.conf:

challengedir "/var/www/acme/test.obsd4a.net/.well-known/acme-challenge"

And, the result is:

$ doas acme-client -vAD test.obsd4a.net
acme-client: /etc/ssl/acme/private/test.obsd4a.net-privkey.pem: domain
key exists (not creating)
acme-client: /etc/acme/letsencrypt-privkey.pem: account key exists (not
creating)
acme-client: https://acme-v01.api.letsencrypt.org/directory: directories
acme-client: acme-v01.api.letsencrypt.org: DNS: 184.87.72.109
acme-client: https://acme-v01.api.letsencrypt.org/acme/new-authz:
req-auth: test.obsd4a.net
acme-client:
/var/www/acme/test.obsd4a.net/.well-known/acme-challenge/cugIljWXyalHSHnsOa51W4BoBEW5n0_JctHP8Y59l8U:
created
acme-client:
https://acme-v01.api.letsencrypt.org/acme/challenge/_8nN0V__nplwfEcqpwa698yd4bKBywHRWrOj8Hl33I8/1489582140:
challenge
acme-client:
https://acme-v01.api.letsencrypt.org/acme/challenge/_8nN0V__nplwfEcqpwa698yd4bKBywHRWrOj8Hl33I8/1489582140:
status
acme-client: https://acme-v01.api.letsencrypt.org/acme/new-cert: certificate
acme-client: http://cert.int-x3.letsencrypt.org/: full chain
acme-client: cert.int-x3.letsencrypt.org: DNS: 88.221.234.34
acme-client: /etc/ssl/acme//test.obsd4a.net-chain.pem: created
acme-client: /etc/ssl/acme/test.obsd4a.net-cert.pem: created
acme-client: /etc/ssl/acme//test.obsd4a.net-fullchain.pem: created

Thank you! :D


-- 
~ " Fully Basic System Distinguish Life! " ~ " Libre as a BSD " +=<<<

Stephane HUC as PengouinBSD or CIOTBSD
b...@stephane-huc.net





Re: [OpenBSD 6.1] acme-client + nginx

2017-07-06 Thread Stuart Henderson
On 2017-07-06, Stephane HUC "PengouinBSD"  wrote:
> Hi, I attempt to use acme-client on server OpenBSD 6.1, with nginx running.
>
> But it fails with a bad response.

...

> acme-client: transfer buffer: [{ "type": "http-01", "status": "invalid",
> "error": { "type": "urn:acme:error:unauthorized", "detail": "Invalid
> response from
> http://test.obsd4a.net/.well-known/acme-challenge/L-pjGy6umVejj6q78_P_gW7rbhyJrV0AuLhjfsqI3aU:
> \"\u003chtml\u003e\r\n\u003chead\u003e\u003ctitle\u003e404 Not
> Found\u003c/title\u003e\u003c/head\u003e\r\n\u003cbody

...

LE fetches from http://test.obsd4a.net/.well-known/acme-challenge/(filename)
but gets 404 Not Found.

> I try with this nginx config:
>
> location ^~ /.well-known/acme-challenge {
>     #alias /var/www/acme;
>     #try_files $uri =404;
>     allow all;
>     default_type "text/plain";
>     proxy_redirect off;
>     root /var/www/acme;
> }

With "root" it will look in /var/www/acme/.well-known/acme-challenge.
Either adjust acme-client config to place the files there, or adjust nginx
config to serve files from the actual location.

Test by writing a file to the directory acme-client uses and make sure you
can fetch it yourself. Only reattempt acme-client when this works, they have a
rate-limit for bad auths and will blacklist you for a while if you exceed it.

> or this:
>
> location ^~ /.well-known/acme-challenge {
>     alias /usr/local/www/acme;
>     try_files $uri =404;
> }

/usr/local/www seems unlikely on OpenBSD.

I just have

location /.well-known/acme-challenge { root /var/www/letsencrypt/; }

and

challengedir "/var/www/letsencrypt/.well-known/acme-challenge"
 
but there are several ways you can configure this. (e.g. you might want
to use a different directory layout if you have anything else that uses
the RFC5785 .well-known URIs). It doesn't matter what you use as long as
letsencrypt can fetch the file that acme-client wrote.
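
Added example, not from this thread and not part of nginx or acme-client: a POSIX sh helper that predicts, from a location block's root or alias directive, which directory nginx will serve /.well-known/acme-challenge/<token> from, compares that with acme-client's challengedir, and wraps the "write a file and fetch it yourself" preflight described above. The function names, the --demo flag and the use of OpenBSD's ftp(1) as the fetcher are this example's own choices; the paths are the ones from the thread (the failing root /var/www/acme pairing and the working /var/www/acme/test.obsd4a.net pairing), and it also covers the alias case, where the challengedir has to equal the alias target itself.

```shell
#!/bin/sh
# Added example, not from this thread or from nginx/acme-client.
# Predicts where nginx looks for an http-01 token under a given location
# block, checks that against acme-client's challengedir, and wraps the
# "write a file and fetch it yourself" preflight before touching Let's
# Encrypt. Helper names, the --demo flag and ftp(1) as the fetcher are
# assumptions of this example; the paths are the ones from the thread.

LOC=/.well-known/acme-challenge   # the prefix Let's Encrypt requests

# nginx_target_path LOCATION DIRECTIVE VALUE URI
#   root  : the whole request URI is appended to VALUE
#   alias : only the part of the URI after LOCATION is appended to VALUE
nginx_target_path() {
    location=$1 directive=$2 value=$3 uri=$4
    value=${value%/}      # "root /var/www/x/;" behaves like "root /var/www/x;"
    case $directive in
    root)  printf '%s%s\n' "$value" "$uri" ;;
    alias) printf '%s%s\n' "$value" "${uri#"$location"}" ;;
    *)     echo "nginx_target_path: unknown directive '$directive'" >&2; return 1 ;;
    esac
}

# challenge_dir_matches CHALLENGEDIR LOCATION DIRECTIVE VALUE
#   true when the directory nginx resolves $LOC/<token> to is exactly
#   acme-client's challengedir, i.e. the token file will not 404
challenge_dir_matches() {
    challengedir=${1%/}
    served=$(nginx_target_path "$2" "$3" "$4" "$LOC/TOKEN") || return 1
    [ "${served%/TOKEN}" = "$challengedir" ]
}

# live_check CHALLENGEDIR URLBASE
#   Stuart's test: drop a throwaway token into challengedir and fetch it
#   through nginx. Only run acme-client once this returns 0; failed
#   authorizations count against Let's Encrypt's rate limit.
live_check() {
    challengedir=$1 urlbase=$2
    token=preflight-$$
    mkdir -p "$challengedir" || return 1
    printf '%s\n' "$token" > "$challengedir/$token" || return 1
    got=$(ftp -o - "$urlbase$LOC/$token" 2>/dev/null)   # OpenBSD ftp(1); curl -s also works
    rm -f "$challengedir/$token"
    [ "$got" = "$token" ]
}

if [ "${1-}" = --demo ]; then
    # Failing setup from the first mail: root appends the whole URI ...
    nginx_target_path $LOC root /var/www/acme "$LOC/L-pjGy6umVejj6q78_P_gW7rbhyJrV0AuLhjfsqI3aU"
    # ... while acme-client wrote the token under /var/www/htdocs/test.obsd4a.net/www
    challenge_dir_matches /var/www/htdocs/test.obsd4a.net/www $LOC root /var/www/acme \
        || echo "mismatch: nginx will answer 404"
    # Working pair from the follow-up mail
    challenge_dir_matches /var/www/acme/test.obsd4a.net$LOC $LOC root /var/www/acme/test.obsd4a.net/ \
        && echo "match: token will be served"
    # An alias-based layout needs a challengedir equal to the alias target itself
    challenge_dir_matches /var/www/acme $LOC alias /var/www/acme && echo "alias layout ok"
    # Live test against your own server (assumes nginx is already up):
    #   live_check /var/www/acme/test.obsd4a.net$LOC http://test.obsd4a.net
fi
```

Run it with --demo to see the two mappings side by side, or source it and call live_check with your real challengedir and http://hostname before the first acme-client run. The root/alias distinction is the whole story here: with root, nginx appends the full request path, so the challengedir has to end in /.well-known/acme-challenge; with alias, the location prefix is replaced, so the challengedir is the alias directory itself. Either layout works as long as the two sides agree, and checking that locally costs nothing, whereas each failed authorization is spent against the rate limit.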




[OpenBSD 6.1] acme-client + nginx

2017-07-06 Thread Stephane HUC "PengouinBSD"
Hi, I attempt to use acme-client on server OpenBSD 6.1, with nginx running.

But it fails with a bad response.


doas acme-client -vAD test.obsd4a.net
acme-client: /etc/ssl/acme/private/test.obsd4a.net-privkey.pem: domain
key exists (not creating)
acme-client: /etc/acme/letsencrypt-privkey.pem: account key exists (not
creating)
acme-client: https://acme-v01.api.letsencrypt.org/directory: directories
acme-client: acme-v01.api.letsencrypt.org: DNS: 23.206.21.80
acme-client: https://acme-v01.api.letsencrypt.org/acme/new-authz:
req-auth: test.obsd4a.net
acme-client:
/var/www/htdocs/test.obsd4a.net/www/L-pjGy6umVejj6q78_P_gW7rbhyJrV0AuLhjfsqI3aU:
created
acme-client:
https://acme-v01.api.letsencrypt.org/acme/challenge/hf0gCJFBvVlSBRp877_PVmTYLGNYmZDXC9eH2E_I0GE/1485696367:
challenge
acme-client:
https://acme-v01.api.letsencrypt.org/acme/challenge/hf0gCJFBvVlSBRp877_PVmTYLGNYmZDXC9eH2E_I0GE/1485696367:
status
acme-client:
https://acme-v01.api.letsencrypt.org/acme/challenge/hf0gCJFBvVlSBRp877_PVmTYLGNYmZDXC9eH2E_I0GE/1485696367:
bad response
acme-client: transfer buffer: [{ "type": "http-01", "status": "invalid",
"error": { "type": "urn:acme:error:unauthorized", "detail": "Invalid
response from
http://test.obsd4a.net/.well-known/acme-challenge/L-pjGy6umVejj6q78_P_gW7rbhyJrV0AuLhjfsqI3aU:
\"\u003chtml\u003e\r\n\u003chead\u003e\u003ctitle\u003e404 Not
Found\u003c/title\u003e\u003c/head\u003e\r\n\u003cbody
bgcolor=\"white\"\u003e\r\n\u003ccenter\u003e\u003ch1\u003e404 Not
Found\u003c/h1\u003e\u003c/center\u003e\r\n\u003chr\u003e\u003ccenter\u003e\"",
"status": 403 }, "uri":
"https://acme-v01.api.letsencrypt.org/acme/challenge/hf0gCJFBvVlSBRp877_PVmTYLGNYmZDXC9eH2E_I0GE/1485696367",
"token": "L-pjGy6umVejj6q78_P_gW7rbhyJrV0AuLhjfsqI3aU",
"keyAuthorization":
"L-pjGy6umVejj6q78_P_gW7rbhyJrV0AuLhjfsqI3aU.btIkQ8owertOE1LvXr1mezl9i5h6KptZrzIehfgwdcg",
"validationRecord": [ { "url":
"http://test.obsd4a.net/.well-known/acme-challenge/L-pjGy6umVejj6q78_P_gW7rbhyJrV0AuLhjfsqI3aU",
"hostname": "test.obsd4a.net", "port": "80", "addressesResolved": [
"213.246.39.160" ], "addressUsed": "213.246.39.160", "addressesTried":
[] } ] }] (1149 bytes)
acme-client: bad exit: netproc(32816): 1


I try with this nginx config:

location ^~ /.well-known/acme-challenge {
    #alias /var/www/acme;
    #try_files $uri =404;
    allow all;
    default_type "text/plain";
    proxy_redirect off;
    root /var/www/acme;
}

or this:

location ^~ /.well-known/acme-challenge {
    alias /usr/local/www/acme;
    try_files $uri =404;
}

But, same result, bad status.



FYI, I can obtain certs - in test mode - with certbot ;)
(and the first location setting).


-- 
~ " Fully Basic System Distinguish Life! " ~ " Libre as a BSD " +=<<<

Stephane HUC as PengouinBSD or CIOTBSD
b...@stephane-huc.net


