Re: OpenBSD 6.1 current relayd TLS error "cannot load certificates"

On Fri, Jun 02, 2017 at 08:38:50PM -0700, Dillon Jay Pena wrote:
> I'm not understanding why I'm getting a relayd error. Thanks in advance.
>
> According to
> http://man.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man5/relayd.conf.5#listen_on,
> I just need address.crt and private/address.key to use tls with
> relayd, which you can see I do below.
> So why am I getting the relayd error "cannot load certificates for relay www"?
>
> [...]
>
> $ cat /etc/relayd.conf
> table { 127.0.0.1 }
>
> relay www {
>         listen on thelang.space port 443 tls
>
>         forward to check tcp port 8080
> }
>
> $ doas relayd -d
> startup
> /etc/relayd.conf:7: cannot load certificates for relay www
> no actions, nothing to do
>
> [...]
>
> $ ls /etc/ssl/thelang.space.crt
> /etc/ssl/thelang.space.crt
> $ doas ls /etc/ssl/private/thelang.space.key
> /etc/ssl/private/thelang.space.key
>
> - Dillon

Hey,

ktrace is also useful help here.

# ktrace relayd -d -v
# kdump
...

I've had a similar thing to debug listening on IPV6 interface(s).

Hope this helps you,

-- 
Kind regards,
Hiltjo
Re: OpenBSD 6.1 current relayd TLS error "cannot load certificates"

On Fri, Jun 02, 2017 at 08:38:50PM -0700, Dillon Jay Pena wrote:
> I'm not understanding why I'm getting a relayd error. Thanks in advance.
>
> According to
> http://man.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man5/relayd.conf.5#listen_on,
> I just need address.crt and private/address.key to use tls with
> relayd, which you can see I do below.
> So why am I getting the relayd error "cannot load certificates for relay www"?
>
> [...]
>
> $ cat /etc/relayd.conf
> table { 127.0.0.1 }
>
> relay www {
>         listen on thelang.space port 443 tls
>
>         forward to check tcp port 8080
> }
>
> $ doas relayd -d
> startup
> /etc/relayd.conf:7: cannot load certificates for relay www
> no actions, nothing to do
>
> [...]
>
> $ ls /etc/ssl/thelang.space.crt
> /etc/ssl/thelang.space.crt
> $ doas ls /etc/ssl/private/thelang.space.key
> /etc/ssl/private/thelang.space.key

You need to use IP addresses, not domain names, for the cert name.
e.g. /etc/ssl/127.0.0.1.crt etc.

-- 
:wq Claudio
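A small check that follows Claudio's point, added here as an example and not part of the thread or of relayd itself: given the address a "listen on" statement binds to, it prints the certificate and key paths relayd 6.1 derives from that address and reports which are missing. The function names are hypothetical; the ssl root is a parameter so the check can be run against a staging tree, and the 127.0.0.1 usage is constructed from the reply.

```shell
#!/bin/sh
# Added example, not code from the thread: check that the files relayd (6.1)
# needs for a TLS relay exist for a given "listen on" address. relayd names
# them after the address it binds to: <root>/<address>.crt and
# <root>/private/<address>.key, with <root> defaulting to /etc/ssl.

# Print the certificate and key paths relayd derives from a listen address.
relayd_tls_paths() {
    addr=$1
    root=${2:-/etc/ssl}
    printf '%s\n' "$root/$addr.crt" "$root/private/$addr.key"
}

# Return 0 if the argument looks like an IPv4 or IPv6 literal, 1 for a
# hostname. relayd resolves a hostname listener, and the file names follow
# the resolved IP rather than the name, so a hostname here is a warning sign.
relayd_is_ip_literal() {
    case $1 in
        *:*) return 0 ;;            # IPv6 literal
        *[!0-9.]*) return 1 ;;      # contains letters: a hostname
        *.*.*.*) return 0 ;;        # dotted quad
        *) return 1 ;;
    esac
}

# Report each expected file as ok/MISSING; return 0 only when both exist.
relayd_tls_check() {
    addr=$1
    root=${2:-/etc/ssl}
    rc=0
    if ! relayd_is_ip_literal "$addr"; then
        printf 'note: %s is a hostname; relayd looks for files named after the IP it resolves to\n' "$addr"
    fi
    # Paths contain no whitespace, so word splitting on the output is safe.
    for f in $(relayd_tls_paths "$addr" "$root"); do
        if [ -f "$f" ]; then
            printf 'ok      %s\n' "$f"
        else
            printf 'MISSING %s\n' "$f"
            rc=1
        fi
    done
    return $rc
}

# Constructed usage: the OP's listener name, then the address from the reply.
# The second succeeds only once /etc/ssl/127.0.0.1.crt and
# /etc/ssl/private/127.0.0.1.key are in place.
# relayd_tls_check thelang.space
# relayd_tls_check 127.0.0.1
```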
OpenBSD 6.1 current relayd TLS error "cannot load certificates"

I'm not understanding why I'm getting a relayd error. Thanks in advance.

According to
http://man.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man5/relayd.conf.5#listen_on,
I just need address.crt and private/address.key to use tls with
relayd, which you can see I do below.
So why am I getting the relayd error "cannot load certificates for relay www"?

I have included how I got the key and crt files from acme-client/lets
encrypt in case it's relevant.


$ uname -prsv
OpenBSD 6.1 GENERIC#88 amd64

$ cat /etc/acme-client.conf
#
# $OpenBSD: acme-client.conf,v 1.4 2017/03/22 11:14:14 benno Exp $
#
authority letsencrypt {
        agreement url
"https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf";
        api url "https://acme-v01.api.letsencrypt.org/directory";
        account key "/etc/acme/letsencrypt-privkey.pem"
}

authority letsencrypt-staging {
        agreement url
"https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf";
        api url "https://acme-staging.api.letsencrypt.org/directory";
        account key "/etc/acme/letsencrypt-staging-privkey.pem"
}

domain thelang.space {
        alternative names { mail.thelang.space www.thelang.space }
        domain key "/etc/ssl/private/thelang.space.key"
        domain certificate "/etc/ssl/thelang.space.crt"
        domain full chain certificate "/etc/ssl/thelang.space.fullchain.pem"
        sign with letsencrypt
        challengedir "/var/www/htdocs/.well-known/acme-challenge"
}

$ doas acme-client -vAD thelang.space
acme-client: /etc/ssl/private/thelang.space.key: domain key exists (not creating)
acme-client: /etc/acme/letsencrypt-privkey.pem: account key exists (not creating)
acme-client: https://acme-v01.api.letsencrypt.org/directory: directories
acme-client: acme-v01.api.letsencrypt.org: DNS: 104.68.109.156
acme-client: https://acme-v01.api.letsencrypt.org/acme/new-authz: req-auth: thelang.space
acme-client: https://acme-v01.api.letsencrypt.org/acme/new-authz: req-auth: mail.thelang.space
acme-client: https://acme-v01.api.letsencrypt.org/acme/new-authz: req-auth: www.thelang.space
acme-client: /var/www/htdocs/.well-known/acme-challenge/hALHIbtLAX4k274bN4AFBV0W-T08pKTqD6lBw0-CplM: created
acme-client: https://acme-v01.api.letsencrypt.org/acme/challenge/mempVpv498Gw4d7Wr24qcinn5ZUfX_6IO2kQOeskf40/1271082083: challenge
acme-client: /var/www/htdocs/.well-known/acme-challenge/SMwY0p1ma9ZDQrlyM6h9BbZkEnMCKx2lW69__zcmCgI: created
acme-client: https://acme-v01.api.letsencrypt.org/acme/challenge/bwNrTgnJmUIH-XqInRMDmRNgRMnXQKBUZngPi3wuHt4/1271082087: challenge
acme-client: /var/www/htdocs/.well-known/acme-challenge/wu3Zhef8NA8b9wmxHeMjXBZCg3EKGHgnM30Tx_qn1Ws: created
acme-client: https://acme-v01.api.letsencrypt.org/acme/challenge/fHeHrAzF9RAXO-eJMZxfWElhkf4duUw934pUWy2gWyM/1271082092: challenge
acme-client: https://acme-v01.api.letsencrypt.org/acme/challenge/mempVpv498Gw4d7Wr24qcinn5ZUfX_6IO2kQOeskf40/1271082083: status
acme-client: https://acme-v01.api.letsencrypt.org/acme/challenge/bwNrTgnJmUIH-XqInRMDmRNgRMnXQKBUZngPi3wuHt4/1271082087: status
acme-client: https://acme-v01.api.letsencrypt.org/acme/challenge/fHeHrAzF9RAXO-eJMZxfWElhkf4duUw934pUWy2gWyM/1271082092: status
acme-client: https://acme-v01.api.letsencrypt.org/acme/new-cert: certificate
acme-client: http://cert.int-x3.letsencrypt.org/: full chain
acme-client: cert.int-x3.letsencrypt.org: DNS: 165.254.42.42
acme-client: /etc/ssl/thelang.space.crt: created
acme-client: /etc/ssl/thelang.space.fullchain.pem: created

$ cat /etc/relayd.conf
table { 127.0.0.1 }

relay www {
        listen on thelang.space port 443 tls

        forward to check tcp port 8080
}

$ doas relayd -d
startup
/etc/relayd.conf:7: cannot load certificates for relay www
no actions, nothing to do
hce exiting, pid 2324
pfe exiting, pid 21204
ca exiting, pid 18722
ca exiting, pid 45718
ca exiting, pid 79639
relay exiting, pid 31292
relay exiting, pid 32940
relay exiting, pid 75225

$ ls /etc/ssl/thelang.space.crt
/etc/ssl/thelang.space.crt
$ doas ls /etc/ssl/private/thelang.space.key
/etc/ssl/private/thelang.space.key

- Dillon