1 version=pmwiki-2.2.130 ordered=1 urlencoded=1
2 agent=Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36
3 author=miniontoby
4 charset=UTF-8
5 csum=fixed troubleshooting links
6 ctime=1597060757
7 host=145.132.146.30
8 name=Openbsd.Acme-client
9 rev=12
10 targets=Openbsd.Openhttpd,Openbsd.Nsd
11 text=In order to provide proper TLS for your services, you need a certificate signed by a certificate authority (CA) that clients already trust. On OpenBSD the easiest option is acme-client(1), which ships in the base system and obtains certificates from Let's Encrypt over the ACME protocol.

!! Howto
acme-client supports only the ACME http-01 challenge: to prove that you control a name, the CA fetches a token from http://example.com/.well-known/acme-challenge/ on port 80. You therefore need a web server before the client can do anything. It is recommended to use openhttpd; see [[Openbsd/Openhttpd|the openhttpd page]] for how to set it up. The location block for /.well-known/acme-challenge/* in /etc/examples/httpd.conf serves the challenge directory (root "/acme" inside httpd's /var/www chroot, i.e. /var/www/acme, with the first two path components stripped from the request). That block must be present in the server block that listens on port 80 for every name you want in the certificate.

First, copy the /etc/examples/acme-client.conf template:

[@
$ doas cp /etc/examples/acme-client.conf /etc/acme-client.conf
@]

Then edit it. The blocks that matter look like this:

[@
authority letsencrypt {
    api url "https://acme-v02.api.letsencrypt.org/directory"
    account key "/etc/acme/letsencrypt-privkey.pem"
}

authority letsencrypt-staging {
    api url "https://acme-staging-v02.api.letsencrypt.org/directory"
    account key "/etc/acme/letsencrypt-staging-privkey.pem"
}

domain example.com {
    alternative names { secure.example.com }
    domain key "/etc/ssl/private/example.com.key"
    domain full chain certificate "/etc/ssl/example.com.fullchain.pem"
    sign with letsencrypt
}
@]

Replace example.com with your domain, and list every other hostname the certificate should cover under alternative names. Note the staging authority: it must point at the ACME v2 staging endpoint acme-staging-v02.api.letsencrypt.org. The older acme-staging.api.letsencrypt.org endpoint served ACME v1, which is retired and which acme-client no longer speaks. While you are still debugging, use sign with letsencrypt-staging: staging certificates are not trusted by browsers, but the staging CA has far more generous rate limits, and a few failed attempts against production (the limit is 5 failed validations per account, per hostname, per hour) will lock you out for a while.

In the past an empty list,

[@
alternative names { }
@]

caused problems. So, if you have no alternative names, comment that line out:

[@
# alternative names { secure.example.com }
@]

Now run acme-client:

[@
$ doas acme-client -Fv example.com
@]

-v prints every step of the exchange, which is what you want on a first run. -F forces a new certificate even if the existing one is not due yet; leave it off for routine renewals. Without -F, acme-client renews only when the certificate expires within 30 days and otherwise exits with status 2 after doing nothing. The account key and the domain key are generated automatically on the first run if the files named in the configuration do not exist.

!! Troubleshooting
If you run into errors, check to make sure:

 # [[nsd|DNS]] is configured properly: every name in the request, including the alternative names, must resolve to the public address of the server that Let's Encrypt will connect to.
 # The [[Openhttpd|web server]] is configured properly. You **must** have a web server in order for the acme-client to work. (Don't be confused if your site seems not to be running when you open it in a web browser: the example config redirects all visits to the https port, which may not be working yet.) A quick check is to put a file into /var/www/acme and fetch http://example.com/.well-known/acme-challenge/yourfile from outside your network; if that fails, the challenge will fail too.
 # You have the proper permissions set on the folders in /var/www/. httpd runs as the www user chrooted to /var/www, so /var/www and /var/www/acme must be searchable and readable by others; acme-client itself runs as root and writes the token files there. An example of working permissions:
[@
$ ls -l /var | grep www
drwxr-xr-x 11 root daemon 512 Mar 28 05:28 www
$ ls -l /var/www
total 36
drwxr-xr-x 2 root daemon 512 Mar 28 22:16 acme
drwxr-xr-x 2 root daemon 512 Mar 14 06:12 bin
drwx-----T 2 www daemon 512 Oct 12 12:34 cache
drwxr-xr-x 2 root daemon 512 Mar 14 06:12 cgi-bin
drwxr-xr-x 2 root daemon 512 Mar 14 06:03 conf
drwxr-xr-x 3 root daemon 512 Oct 12 12:34 htdocs
drwxr-xr-x 2 root daemon 512 Mar 29 00:00 logs
drwxr-xr-x 2 root daemon 512 Oct 12 12:34 run
@]
 # Your firewall is not blocking the Let's Encrypt validation. Validation is performed from several vantage points whose addresses change, so port 80 must be open to the whole internet for the duration of the run; an allowlist of CA addresses will not work.

!! Successful outcomes
A successful run leaves you with:
 # A PEM-encoded private key, named after your hostname with a .key suffix, in /etc/ssl/private. It is readable by root only, which is what you want; keep it that way and let the services that need it read it as root, e.g.
[@
$ doas ls -l /etc/ssl/private
-r-------- 1 root wheel 3272 Mar 28 22:16 example.com.key
@]
 # A PEM certificate chain (your certificate followed by the CA's intermediate) under /etc/ssl, e.g.
[@
$ ls -l /etc/ssl/*.pem
-r--r--r-- 1 root wheel 3937 Mar 28 22:16 example.com.fullchain.pem
@]
 # An account key in /etc/acme/, generated on the first run. It identifies your account to the CA and should stay root-only like the domain key.

With -v, a successful run for example.com prints output like the following:

[@
acme-client: /etc/ssl/private/example.com.key: generated RSA domain key
acme-client: /etc/acme/letsencrypt-privkey.pem: generated RSA account key
acme-client: https://acme-v02.api.letsencrypt.org/directory: directories
acme-client: acme-v02.api.letsencrypt.org: DNS: 172.65.32.248
acme-client: 172.65.32.248: tls_close: EOF without close notify
acme-client: 172.65.32.248: tls_close: EOF without close notify
acme-client: dochngreq: https://acme-v02.api.letsencrypt.org/acme/authz-v3/3674632835
acme-client: 172.65.32.248: tls_close: EOF without close notify
acme-client: challenge, token: mylkLrPXTvdyiTbDDybKy7M-0JyqiBr0nOg8UXnJ0uDL, uri: https://acme-v02.api.letsencrypt.org/acme/chall-v3/3674632835/-1tUXQ, status: 0
acme-client: /var/www/acme/mylkLrPXTvdyiTbDDybKy7M-0JyqiBr0nOg8UXnJ0uDL: created
acme-client: https://acme-v02.api.letsencrypt.org/acme/chall-v3/3674632835/-1tUXQ: challenge
acme-client: 172.65.32.248: tls_close: EOF without close notify
acme-client: 172.65.32.248: tls_close: EOF without close notify
acme-client: order.status 0
acme-client: dochngreq: https://acme-v02.api.letsencrypt.org/acme/authz-v3/3674632835
acme-client: 172.65.32.248: tls_close: EOF without close notify
acme-client: challenge, token: mylkLrPXTvdyiTbDDybKy7M-0JyqiBr0nOg8UXnJ0uDL, uri: https://acme-v02.api.letsencrypt.org/acme/chall-v3/3674632835/-1tUXQ, status: 2
acme-client: 172.65.32.248: tls_close: EOF without close notify
acme-client: order.status 1
acme-client: https://acme-v02.api.letsencrypt.org/acme/finalize/81817869/2815341474: certificate
acme-client: 172.65.32.248: tls_close: EOF without close notify
acme-client: 172.65.32.248: tls_close: EOF without close notify
acme-client: order.status 3
acme-client: https://acme-v02.api.letsencrypt.org/acme/cert/vxsJMODZOeZxwiuyq9Bz6jqgoRRRUak8ZQ3ob: certificate
acme-client: 172.65.32.248: tls_close: EOF without close notify
acme-client: /etc/ssl/example.com.fullchain.pem: created
@]

Reading this output: the client fetches the CA directory, creates an order, writes the challenge token into /var/www/acme (the file name is the token), asks the CA to verify it, and polls until the challenge status goes from 0 (pending) to 2 (valid) and the order status goes from 0 (pending) through 1 (ready) to 3 (valid). Only then does it download the certificate and write the chain file. The repeated "tls_close: EOF without close notify" lines are libtls reporting that the CA closed the connection without sending a TLS close_notify alert; they are informational and not a sign of trouble. The token and the authz, challenge, finalize and cert URLs are unique to each run.

!! Common errors

# Requesting a domain you don't own, or one that does not point at this server, fails validation, and every failure counts against the Let's Encrypt rate limits. Test against the staging authority first.
# If you change the domains (for example, add an alternative name), force a fresh issuance: run acme-client with -F, or move the old certificate out of the way and request again. Each new name must also resolve to this server and be served on port 80 with the challenge location in place.
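The checks the Howto and Troubleshooting sections walk through, collected into a renewal wrapper. This is an added example written for this page, not code from the wiki page or from the acme-client project. It goes beyond the page's single -Fv invocation by covering the routine weekly renewal path: it verifies the challenge directory permissions, proves the challenge path is served before the CA is asked, maps acme-client's exit status onto an action, checks a verbose transcript for the order reaching status 3, and reloads httpd when a new certificate arrived. The domain example.com, the challenge directory /var/www/acme, the installation path in the cron line, and httpd(8) as the service to reload are all assumptions for the example; ftp(1) is used as the HTTP fetcher because it is in the OpenBSD base system.

```shell
#!/bin/sh
# Added example (not from the wiki page or from acme-client itself): a weekly
# renewal wrapper for acme-client(1) on OpenBSD with the pre-flight checks
# the troubleshooting section describes.  Hypothetical settings: the domain
# is example.com, tokens live in /var/www/acme, and httpd(8) is the service
# that must be reloaded to pick up a new certificate.
# Run it as root from cron, e.g.   0 3 * * 0  /usr/local/sbin/acme-renew run
set -u

DOMAIN=${DOMAIN:-example.com}
ACME_DIR=${ACME_DIR:-/var/www/acme}
CHAIN=${CHAIN:-/etc/ssl/$DOMAIN.fullchain.pem}

# 1. The challenge directory must exist and be searchable and readable by
#    "others": httpd runs as user www inside the /var/www chroot, while
#    acme-client writes the token files as root.  Looks at the "other" bits
#    (columns 8-10 of ls -ld), the same listing the troubleshooting section shows.
check_acme_dir() {
    dir=$1
    [ -d "$dir" ] || { echo "missing challenge directory $dir" >&2; return 1; }
    other=$(ls -ld "$dir" | cut -c8-10)
    case $other in
        r?x) return 0 ;;
        *) echo "$dir must be readable and searchable by others, got '$other'" >&2
           return 1 ;;
    esac
}

# 2. Prove the token path is served the way Let's Encrypt will fetch it: drop
#    a probe file and retrieve it over plain HTTP on port 80 with ftp(1).
#    Needs network access and a configured httpd; not exercised offline.
probe_http01() {
    token="probe-$$"
    printf '%s\n' "$token" > "$ACME_DIR/$token" || return 1
    got=$(ftp -o - "http://$DOMAIN/.well-known/acme-challenge/$token" 2>/dev/null)
    rm -f "$ACME_DIR/$token"
    [ "$got" = "$token" ] || { echo "challenge path not served for $DOMAIN" >&2; return 1; }
}

# 3. Interpret acme-client's exit status: 0 = certificate changed (reload
#    services), 2 = still valid for more than 30 days (nothing to do),
#    anything else = failure.  Prints a verdict the caller can branch on.
handle_exit() {
    case $1 in
        0) echo renewed ;;
        2) echo not-due ;;
        *) echo "acme-client failed with status $1" >&2; return 1 ;;
    esac
}

# 4. Sanity-check a verbose (-v) transcript read from stdin: success means
#    the order reached status 3 (valid) and the chain file was written.  The
#    "tls_close: EOF without close notify" lines are informational and ignored.
log_ok() {
    awk '/order\.status 3$/ { valid = 1 }
         /fullchain\.pem: created$/ { written = 1 }
         END { exit !(valid && written) }'
}

# 5. Show what was issued: subject, expiry and the names the leaf covers.
cert_summary() {
    openssl x509 -noout -subject -enddate -in "$1"
    openssl x509 -noout -text -in "$1" | grep -A1 'Subject Alternative Name'
}

# Constructed transcripts (shape of acme-client -v output) for offline testing.
SAMPLE_GOOD='acme-client: order.status 0
acme-client: order.status 1
acme-client: order.status 3
acme-client: /etc/ssl/example.com.fullchain.pem: created'
SAMPLE_BAD='acme-client: order.status 0
acme-client: challenge, token: deadbeef, uri: https://acme-v02.api.letsencrypt.org/acme/chall-v3/1/x, status: -1'

main() {
    check_acme_dir "$ACME_DIR" || exit 1
    probe_http01 || exit 1
    log=$(mktemp) || exit 1
    acme-client -v "$DOMAIN" >"$log" 2>&1
    verdict=$(handle_exit $?) || { cat "$log" >&2; rm -f "$log"; exit 1; }
    if [ "$verdict" = renewed ]; then
        log_ok <"$log" || { echo "unexpected transcript" >&2; cat "$log" >&2; rm -f "$log"; exit 1; }
        rcctl reload httpd          # httpd re-reads its certificate files on reload
        cert_summary "$CHAIN"
    fi
    rm -f "$log"
}

case ${1:-} in run) main ;; esac
```

Invoke it with the literal argument run so that sourcing the file (for example to test the functions) does not trigger a renewal. The reload is deliberately tied to exit status 0 only: a status of 2 means acme-client touched nothing, and reloading httpd every week for no reason is a needless interruption.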
12 time=1607539655
13 author:1607539655=miniontoby
14 csum:1607539655=fixed troubleshooting links
15 diff:1607539655:1605711527:=52,53c52,53%0a%3c # [[nsd|DNS]] is configured properly. %0a%3c # The [[Openhttpd|web server]] is configured properly. You **must** have a web server in order for the acme-client to work. (Don't be confused here if your web server seems not running in a web browser: the example config redirects all visits to the https port, that may not yet be working yet.)%0a---%0a> # [[openbsd:nsd|DNS]] is configured properly. %0a> # The [[openbsd:www:openhttpd|web server]] is configured properly. You **must** have a web server in order for the acme-client to work. (Don't be confused here if your web server seems not running in a web browser: the example config redirects all visits to the https port, that may not yet be working yet.)%0a
16 host:1607539655=145.132.146.30
17 author:1605711527=jrmu
18 diff:1605711527:1598250148:=4c4%0a%3c You will need to set up a httpd server in order for the acme-client to work. It is recommended to use openhttpd, click [[Openbsd/Openhttpd|here]] to find out how to set up openhttpd.%0a---%0a> You will need to set up a httpd server in order for the acme-client to work. It is recommended to use openhttpd, click [[openbsd:www:openhttpd|here]] to find out how to set up openhttpd.%0a
19 host:1605711527=198.251.81.119
20 author:1598250148=baytuch
21 diff:1598250148:1598249562:=
22 host:1598250148=91.228.147.58
23 author:1598249562=baytuch
24 diff:1598249562:1598245157:=
25 host:1598249562=91.228.147.58
26 author:1598245157=baytuch
27 diff:1598245157:1598215562:=
28 host:1598245157=91.228.147.58
29 author:1598215562=baytuch
30 diff:1598215562:1598215241:=
31 host:1598215562=91.228.147.58
32 author:1598215241=baytuch
33 diff:1598215241:1598215091:=119c119%0a%3c # If you change the domains, you need to move the cert and request again %0a\ No newline at end of file%0a---%0a> # If you change the domains, you need to move the cert and request again%0a\ No newline at end of file%0a
34 host:1598215241=91.228.147.58
35 author:1598215091=baytuch
36 diff:1598215091:1597224957:=
37 host:1598215091=91.228.147.58
38 author:1597224957=jrmu
39 diff:1597224957:1597061005:=114,119c114%0a%3c @]%0a%3c %0a%3c !! Common errors%0a%3c %0a%3c # Do not request domains you don't own%0a%3c # If you change the domains, you need to move the cert and request again%0a\ No newline at end of file%0a---%0a> @]%0a\ No newline at end of file%0a
40 host:1597224957=38.81.163.143
41 author:1597061005=jrmu
42 diff:1597061005:1597060918:=12c12%0a%3c [@%0a---%0a> %3ccode>%0a29,30c29,30%0a%3c @]%0a%3c %0a---%0a> %3c/code>%0a> %0a33c33%0a%3c [@%0a---%0a> %3ccode>%0a35,36c35,36%0a%3c @]%0a%3c %0a---%0a> %3c/code>%0a> %0a39c39%0a%3c [@%0a---%0a> %3ccode>%0a41,42c41,42%0a%3c @]%0a%3c %0a---%0a> %3c/code>%0a> %0a45c45%0a%3c [@%0a---%0a> %3ccode>%0a47,49c47,49%0a%3c @]%0a%3c %0a%3c !! Troubleshooting%0a---%0a> %3c/code>%0a> %0a> ==== Troubleshooting ====%0a52,56c52,55%0a%3c # [[openbsd:nsd|DNS]] is configured properly. %0a%3c # The [[openbsd:www:openhttpd|web server]] is configured properly. You **must** have a web server in order for the acme-client to work. (Don't be confused here if your web server seems not running in a web browser: the example config redirects all visits to the https port, that may not yet be working yet.)%0a%3c # You have the proper permissions set on the folders in /var/www/. An example output would be,%0a%3c %0a%3c [@%0a---%0a> * [[openbsd:nsd|DNS]] is configured properly. %0a> * The [[openbsd:www:openhttpd|web server]] is configured properly. You **must** have a web server in order for the acme-client to work. (Don't be confused here if your web server seems not running in a web browser: the example config redirects all visits to the https port, that may not yet be working yet.)%0a> * You have the proper permissions set on the folders in /var/www/. An example output would be,%0a> %3ccode>%0a69,72c68,71%0a%3c @]%0a%3c # Your firewall is not configured to block Let's Encrypt certification verification process. Typically it will initiate a few servers to connect to port 80 on your server.%0a%3c %0a%3c !! Successful outcomes%0a---%0a> %3c/code>%0a> * Your firewall is not configured to block Let's Encrypt certification verification process. 
Typically it will initiate a few servers to connect to port 80 on your server.%0a> %0a> ==== Successful outcomes ====%0a74,75c73,74%0a%3c # A ASCII text file, suffixed with .key with your hostname in /etc/ssl/private e.g.%0a%3c [@%0a---%0a> * A ASCII text file, suffixed with .key with your hostname in /etc/ssl/private e.g.%0a> %3ccode>%0a78,80c77,79%0a%3c @]%0a%3c # A PEM certificate under /etc/ssl e.g.%0a%3c [@%0a---%0a> %3c/code>%0a> * A PEM certificate under /etc/ssl e.g.%0a> %3ccode>%0a83,84c82,83%0a%3c @]%0a%3c %0a---%0a> %3c/code>%0a> %0a86,87c85%0a%3c %0a%3c [@%0a---%0a> %3ccode>%0a114c112%0a%3c @]%0a\ No newline at end of file%0a---%0a> %3c/code>%0a
43 host:1597061005=38.81.163.143
44 author:1597060918=jrmu
45 diff:1597060918:1597060757:=3c3%0a%3c !! Howto%0a---%0a> ==== Howto ====%0a8c8%0a%3c [@%0a---%0a> %3ccode>%0a10c10%0a%3c @]%0a---%0a> %3c/code>%0a
46 host:1597060918=38.81.163.143
47 author:1597060757=jrmu
48 diff:1597060757:1597060757:=1,112d0%0a%3c In order to provide proper TLS for your services, you will need a certificate signed by a trusted certificate authority (CA). The easiest option for now is to use the Let's Encrypt client by acme-client.%0a%3c %0a%3c ==== Howto ====%0a%3c You will need to set up a httpd server in order for the acme-client to work. It is recommended to use openhttpd, click [[openbsd:www:openhttpd|here]] to find out how to set up openhttpd.%0a%3c %0a%3c First, copy the /etc/examples/acme-client.conf template:%0a%3c %0a%3c %3ccode>%0a%3c $ doas cp /etc/examples/acme-client.conf /etc/acme-client.conf%0a%3c %3c/code>%0a%3c %0a%3c %3ccode>%0a%3c authority letsencrypt {%0a%3c api url "https://acme-v02.api.letsencrypt.org/directory"%0a%3c account key "/etc/acme/letsencrypt-privkey.pem"%0a%3c }%0a%3c %0a%3c authority letsencrypt-staging {%0a%3c api url "https://acme-staging.api.letsencrypt.org/directory"%0a%3c account key "/etc/acme/letsencrypt-staging-privkey.pem"%0a%3c }%0a%3c %0a%3c domain example.com {%0a%3c alternative names { secure.example.com }%0a%3c domain key "/etc/ssl/private/example.com.key"%0a%3c domain full chain certificate "/etc/ssl/example.com.fullchain.pem"%0a%3c sign with letsencrypt%0a%3c }%0a%3c %3c/code>%0a%3c %0a%3c Replace example.com with your domain. If you didn't use any alternative names, in the past, having:%0a%3c %0a%3c %3ccode>%0a%3c alternative names { }%0a%3c %3c/code>%0a%3c %0a%3c would cause issues. So, if you have no alternative names, I recommend you comment that line out as follows:%0a%3c %0a%3c %3ccode>%0a%3c # alternative names { secure.example.com }%0a%3c %3c/code>%0a%3c %0a%3c Now, run acme-client:%0a%3c %0a%3c %3ccode>%0a%3c $ doas acme-client -Fv example.com%0a%3c %3c/code>%0a%3c %0a%3c ==== Troubleshooting ====%0a%3c If you run into errors, check to make sure:%0a%3c %0a%3c * [[openbsd:nsd|DNS]] is configured properly. %0a%3c * The [[openbsd:www:openhttpd|web server]] is configured properly. 
You **must** have a web server in order for the acme-client to work. (Don't be confused here if your web server seems not running in a web browser: the example config redirects all visits to the https port, that may not yet be working yet.)%0a%3c * You have the proper permissions set on the folders in /var/www/. An example output would be,%0a%3c %3ccode>%0a%3c $ ls -l /var | grep www%0a%3c drwxr-xr-x 11 root daemon 512 Mar 28 05:28 www%0a%3c $ ls -l /var/www%0a%3c total 36%0a%3c drwxr-xr-x 2 root daemon 512 Mar 28 22:16 acme%0a%3c drwxr-xr-x 2 root daemon 512 Mar 14 06:12 bin%0a%3c drwx-----T 2 www daemon 512 Oct 12 12:34 cache%0a%3c drwxr-xr-x 2 root daemon 512 Mar 14 06:12 cgi-bin%0a%3c drwxr-xr-x 2 root daemon 512 Mar 14 06:03 conf%0a%3c drwxr-xr-x 3 root daemon 512 Oct 12 12:34 htdocs%0a%3c drwxr-xr-x 2 root daemon 512 Mar 29 00:00 logs%0a%3c drwxr-xr-x 2 root daemon 512 Oct 12 12:34 run%0a%3c %3c/code>%0a%3c * Your firewall is not configured to block Let's Encrypt certification verification process. 
Typically it will initiate a few servers to connect to port 80 on your server.%0a%3c %0a%3c ==== Successful outcomes ====%0a%3c A successful outcome would result in:%0a%3c * A ASCII text file, suffixed with .key with your hostname in /etc/ssl/private e.g.%0a%3c %3ccode>%0a%3c $ doas ls -l /etc/ssl/private%0a%3c -r-------- 1 root wheel 3272 Mar 28 22:16 example.com.key%0a%3c %3c/code>%0a%3c * A PEM certificate under /etc/ssl e.g.%0a%3c %3ccode>%0a%3c $ ls -l /etc/ssl/*.pem%0a%3c -r--r--r-- 1 root wheel 3937 Mar 28 22:16 example.com.fullchain.pem%0a%3c %3c/code>%0a%3c %0a%3c It would have the following output of running acme-client, generating a certificate for example.com%0a%3c %3ccode>%0a%3c acme-client: /etc/ssl/private/example.com.key: generated RSA domain key%0a%3c acme-client: /etc/acme/letsencrypt-privkey.pem: generated RSA account key%0a%3c acme-client: https://acme-v02.api.letsencrypt.org/directory: directories%0a%3c acme-client: acme-v02.api.letsencrypt.org: DNS: 172.65.32.248%0a%3c acme-client: 172.65.32.248: tls_close: EOF without close notify%0a%3c acme-client: 172.65.32.248: tls_close: EOF without close notify%0a%3c acme-client: dochngreq: https://acme-v02.api.letsencrypt.org/acme/authz-v3/3674632835%0a%3c acme-client: 172.65.32.248: tls_close: EOF without close notify%0a%3c acme-client: challenge, token: mylkLrPXTvdyiTbDDybKy7M-0JyqiBr0nOg8UXnJ0uDL, uri: https://acme-v02.api.letsencrypt.org/acme/chall-v3/3674632835/-1tUXQ, status: 0%0a%3c acme-client: /var/www/acme/mylkLrPXTvdyiTbDDybKy7M-0JyqiBr0nOg8UXnJ0uDL: created%0a%3c acme-client: https://acme-v02.api.letsencrypt.org/acme/chall-v3/3674632835/-1tUXQ: challenge%0a%3c acme-client: 172.65.32.248: tls_close: EOF without close notify%0a%3c acme-client: 172.65.32.248: tls_close: EOF without close notify%0a%3c acme-client: order.status 0%0a%3c acme-client: dochngreq: https://acme-v02.api.letsencrypt.org/acme/authz-v3/3674632835%0a%3c acme-client: 172.65.32.248: tls_close: EOF without close notify%0a%3c 
acme-client: challenge, token: mylkLrPXTvdyiTbDDybKy7M-0JyqiBr0nOg8UXnJ0uDL, uri: https://acme-v02.api.letsencrypt.org/acme/chall-v3/3674632835/-1tUXQ, status: 2%0a%3c acme-client: 172.65.32.248: tls_close: EOF without close notify%0a%3c acme-client: order.status 1%0a%3c acme-client: https://acme-v02.api.letsencrypt.org/acme/finalize/81817869/2815341474: certificate%0a%3c acme-client: 172.65.32.248: tls_close: EOF without close notify%0a%3c acme-client: 172.65.32.248: tls_close: EOF without close notify%0a%3c acme-client: order.status 3%0a%3c acme-client: https://acme-v02.api.letsencrypt.org/acme/cert/vxsJMODZOeZxwiuyq9Bz6jqgoRRRUak8ZQ3ob: certificate%0a%3c acme-client: 172.65.32.248: tls_close: EOF without close notify%0a%3c acme-client: /etc/ssl/example.com.fullchain.pem: created%0a%3c %3c/code>%0a
49 host:1597060757=38.81.163.143