Althttpd

acme-client SSL keys generation

(1) By Verion (verion) on 2022-10-03 18:59:02

I would like to give althttpd a try instead of OpenBSD's httpd, but I simply can't figure out :) how to generate Let's Encrypt certificates for althttpd and a particular domain and ensure their renewal via cron. I'm getting the following errors:

acme-client: 2606:4700:3037::ac43:c260: Invalid response from http://www.mydomain.org/.well-known/acme-challenge/pQ5v-Vz_Xw3EPSfcU77ORKUnjjAbfqz_uKEFsqVlv0A: 404

Should the .well-known directory physically exist? Where? Or what is the workaround? Because in httpd it is actually the /var/www/acme directory. Please help me to solve this problem.

V.

(2) By Stephan Beal (stephan) on 2022-10-03 22:15:11 in reply to 1

I would like to give althttpd a try instead of OpenBSDs httpd but I simply can't figure out

I've been running althttpd with certbot on Linux for almost a year and the way it works for me is...

  1. Shut down the web server (xinetd in my case)
  2. Run certbot. IIRC the --standalone flag is important here.
  3. Start web server.

Step (2) sets up the automatic renewals by itself. When adding a new subdomain to the cert I have to repeat those steps to run:

certbot certonly --standalone -d x.mydomain.net -d y.mydomain.net -d ...

My xinetd.d/http{,s} files:

service http
{
  port = 80
  flags = IPv4
  bind = my.ip.addr.ess
  socket_type = stream
  wait = no
  user = root
  server = /jail/bin/althttpd
  server_args = -ipshun /jail/ipshun -logfile /jail/log/althttpd-%Y-%m-%d.log -root /jail -user www-data -jail 1 -enable-sab
}


service https
{
  port = 443
  flags = IPv4
  bind = my.ip.addr.ess
  socket_type = stream
  wait = no
  user = root
  server = /jail/bin/althttpsd
  server_args = -jail 1 -ipshun /jail/ipshun -logfile /jail/log/althttpsd-%Y-%m-%d.log -root /jail -user www-data -cert /jail/cert/mydomain.pem -enable-sab
}

Ah, it also needs some scripts so that the renewal automation works: pre/post cert update hooks which copy the cert to where althttpd can access it. These are custom for each system but the fundamentals are the same.

root@wh:/etc/letsencrypt/renewal-hooks# find . -type f
./pre/stop-www.sh
./deploy/update-fossil-cert.sh
./post/start-www.sh

root@wh:/etc/letsencrypt/renewal-hooks# cat pre/stop-www.sh 
#!/bin/bash
/usr/bin/systemctl stop xinetd
exit 0

root@wh:/etc/letsencrypt/renewal-hooks# cat deploy/update-fossil-cert.sh 
#!/bin/bash

# What follows is for an althttpd/fossil-server environment:
#
# Update althttpd/fossil server with the new cert...
# RENEWED_LINEAGE ==> /etc/letsencrypt/live/mydomain.net
lin=$RENEWED_LINEAGE
cname=${lin##*/} # ==> mydomain.net
fcdir=/jail/cert
fcert=$fcdir/$cname.pem
if [ -f "$fcert" ]; then
    # althttpsd -cert wants the private key followed by the full chain
    # in one file. Create it with mode 0600 from the start (umask 077)
    # rather than creating it world-readable and tightening it afterwards.
    umask 077
    rm -f "$fcert"
    cat "$lin/privkey.pem" "$lin/fullchain.pem" > "$fcert"
    chmod 0600 "$fcert"
    /usr/bin/systemctl restart xinetd
fi

root@wh:/etc/letsencrypt/renewal-hooks# cat post/start-www.sh 
#!/bin/bash

/usr/bin/systemctl start xinetd
exit 0
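
The procedure above (stop the server, certbot --standalone, start the server, plus a deploy hook that glues privkey.pem and fullchain.pem into the one PEM file that althttpsd -cert reads), written out as an added example. This is not code from the post or from the althttpd project. It assumes the certbot environment variable RENEWED_LINEAGE (which certbot really does export to deploy hooks) and two hypothetical variables of my own, ALTHTTPD_CERT_DIR and ALTHTTPD_RELOAD_CMD, defaulting to /jail/cert and to no reload. The point it adds to the hook shown above is the handling of the key file: `cat ... > file; chmod 0600 file` leaves the private key readable by every local user for the instant between the two commands under a typical 022 umask, so the example creates the file 0600 from the first byte and swaps it in with an atomic rename.

```shell
#!/bin/sh
# Added example, not code from the thread or from the althttpd project.
# Certbot deploy hook that builds the single PEM file althttpsd's -cert
# option expects (private key first, then the full chain) with the file
# 0600 from creation and replaced atomically.
#
# Assumptions not in the original post: ALTHTTPD_CERT_DIR and
# ALTHTTPD_RELOAD_CMD are hypothetical variables (defaults: /jail/cert,
# no reload); RENEWED_LINEAGE is what certbot exports to deploy hooks.
#
# First issuance, as in the post (certbot itself installs the renewal timer):
#   systemctl stop xinetd
#   certbot certonly --standalone -d x.mydomain.net -d y.mydomain.net
#   systemctl start xinetd

# build_althttpd_pem KEY FULLCHAIN OUT
# Concatenates KEY and FULLCHAIN into OUT, mode 0600, via an atomic rename.
build_althttpd_pem() {
    key=$1
    chain=$2
    out=$3
    # Refuse to produce a cert file from missing or non-PEM inputs.
    for f in "$key" "$chain"; do
        [ -s "$f" ] || { echo "missing or empty: $f" >&2; return 1; }
        grep -q '^-----BEGIN ' "$f" || { echo "not PEM: $f" >&2; return 1; }
    done
    tmp="$out.tmp.$$"
    # umask 077 inside a subshell: the temp file is created 0600 and the
    # caller's umask is left untouched.
    if ! (umask 077 && cat "$key" "$chain" > "$tmp"); then
        rm -f "$tmp"
        return 1
    fi
    # Same directory, so mv is a rename: althttpsd never opens a
    # half-written file, and a stale 0644 copy is replaced, not appended to.
    mv -f "$tmp" "$out"
}

# deploy_hook: what certbot runs after a successful renewal.
deploy_hook() {
    lineage=${RENEWED_LINEAGE:?RENEWED_LINEAGE not set}
    cname=${lineage##*/}                      # .../live/mydomain.net -> mydomain.net
    certdir=${ALTHTTPD_CERT_DIR:-/jail/cert}  # assumed location
    [ -d "$certdir" ] || { echo "no such directory: $certdir" >&2; return 1; }
    build_althttpd_pem "$lineage/privkey.pem" "$lineage/fullchain.pem" \
        "$certdir/$cname.pem" || return 1
    # xinetd starts a fresh althttpsd for every connection, so new
    # connections read the new file; a reload command is optional.
    if [ -n "${ALTHTTPD_RELOAD_CMD:-}" ]; then
        sh -c "$ALTHTTPD_RELOAD_CMD"
    fi
}

# When invoked by certbot (RENEWED_LINEAGE set), do the deployment.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    deploy_hook
fi
```

Installed as an executable file under /etc/letsencrypt/renewal-hooks/deploy/, this replaces the update-fossil-cert.sh role; the pre and post hooks that stop and start xinetd around certbot's standalone listener stay exactly as shown above.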

(3) By Verion (verion) on 2022-10-05 13:22:24 in reply to 2

Thank you Stephan!

Thanks for your exhaustive reply. I didn't know about the certbot utility and have been using acme-client until now. I saw an exception for the .well-known folder in althttpd.c and in the docs and still don't understand why it is there, but it works for me now using certbot. The renewal process will be a bit different, but it doesn't matter.

V.