A working setup with tlssrv(8) and acmed(8) is documented here: • https://9lab.org/plan9/web-server-with-go-based-static-site-generator-hugo/#https-port-443
A comparison of those steps with your steps below might reveal the issue.

Quoth Iban Nieto <iban.ni...@gmail.com>:
> Hello!
>
> I'm trying to serve https (443) and gemini (1965) under 9front.
>
> I already have a working rc-httpd (80) setup and now I would like to start using letsencrypt certificates.
> Also rc-gemd (gemini server) needs a certificate in order to work.
>
> I managed to get the certificate with acmed using the following procedure:
>
> ramfs -p
> cd /tmp
> auth/rsagen -t 'service=acme role=sign hash=sha256 acct=i...@mydomain.com' >i...@mydomain.com.key
> auth/rsa2jwk i...@mydomain.com.key >/sys/lib/tls/acmed/i...@mydomain.com.pub
> cat i...@mydomain.com.key >/mnt/factotum/ctl
> auth/rsagen -t 'service=tls role=client owner=*' >mydomain.com.key
> chmod 600 i...@mydomain.com.key mydomain.com.key
> cp i...@mydomain.com.key mydomain.com.key /sys/lib/tls/acmed/
> auth/rsa2csr 'CN=mydomain.com' /sys/lib/tls/acmed/mydomain.com.key >/sys/lib/tls/acmed/mydomain.com.csr
>
> webfs
> auth/acmed -t http -o /sys/www/mydomain.com/.well-known/acme-challenge i...@mydomain.com /sys/lib/tls/acmed/mydomain.com.csr >/sys/lib/tls/acmed/mydomain.com.crt
>
> I think acmed does the job because the certificate is generated and stored in the proper location.
> DNS is in place and working fine, and the dir /sys/www/mydomain.com/.well-known/acme-challenge is already in place and is served by rc-httpd.
>
> This is a (trimmed) decode of the certificate:
> auth/pemdecode 'CERTIFICATE' /sys/lib/tls/acmed/mydomain.com.crt | auth/x5092pub
> key proto=rsa size=2048 ek=10001 n=1E71BLABLABLABLABAE0CA13254122D600BLABLABLABD4D89D18EB7D7E0BLABLABLABLAC69
> subject=mydomain.com
>
> Then I try to serve https with:
> aux/listen1 tcp!*!443 tlssrv -c /sys/lib/tls/acmed/mydomain.com.crt /rc/bin/rc-httpd/rc-httpd
>
> And rc-gemd with:
> aux/listen1 tcp!*!1965 tlssrv -c /sys/lib/tls/acmed/mydomain.com.crt /rc/bin/rc-gemd/rc-gemd
>
> The problem is that when I try to connect to https://mydomain.com I get this on the server side:
> tlssrv: tls reports failed: factotum_rsa_open: no key matches proto=rsa service=tls role=client
>
> The same error occurs when I try to connect to gemini using a client:
> tlssrv: tls reports failed: factotum_rsa_open: no key matches proto=rsa service=tls role=client
>
> Trying to add the keys to factotum using this:
> cat /sys/lib/tls/acmed/i...@mydomain.com.key >/mnt/factotum/ctl
> cat /sys/lib/tls/acmed/mydomain.com.key >/mnt/factotum/ctl
>
> I'm still wondering whether factotum is aware of these keys... anyway, I checked that the factotum process is running:
>
> cpu% pstree | grep -i factotum
> 130 ├factotum
> 408 │└factotum
> 4986 ├factotum
> 5119 │└factotum
> 11793 │└grep -i factotum
>
> But I still get the same error from factotum when I try to use the certificates with tlssrv :-(
>
> What am I missing? How do I debug the problem?
>
> Any help is very much appreciated :)
>
> Many thanks in advance.
>
> Iban.

------------------------------------------
9fans: 9fans
Permalink: https://9fans.topicbox.com/groups/9fans/Te82df98419e38504-M8e647fed602d71bb73a3cfb7
Delivery options: https://9fans.topicbox.com/groups/9fans/subscription
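Since the reply suggests comparing the steps, one concrete check that belongs in that comparison is to confirm that the key the certificate was issued for is the same key the factotum reachable from the listening shell actually holds. The script below is an added example, not code from the thread or from 9front; it uses the file paths from the post, the standard auth/pemdecode, auth/x5092pub and auth/rsa2pub tools, and the fact that reading /mnt/factotum/ctl lists the loaded keys with their secret fields omitted. The sed extraction assumes the n= attribute is followed by a space or the end of the line, as in the decode shown in the post.

```rc
#!/bin/rc
# Added example (not from the thread): check that the certificate, the key file
# and the key held by this shell's factotum all carry the same RSA modulus.
# Paths are the ones used in the post.
rfork e
crt=/sys/lib/tls/acmed/mydomain.com.crt
key=/sys/lib/tls/acmed/mydomain.com.key

# pull the n= attribute out of a factotum-style key line
fn modulus {
	sed -e 's/.* n=//' -e 's/ .*//'
}

# modulus the certificate was issued for (same decode as in the post)
certn=`{auth/pemdecode CERTIFICATE $crt | auth/x5092pub | modulus}

# modulus of the private key on disk (rsa2pub prints the public part only)
keyn=`{auth/rsa2pub $key | modulus}

# modulus of every service=tls role=client key this factotum knows about;
# reading ctl never reveals the secret fields, so this is safe to run
facn=`{grep 'service=tls' /mnt/factotum/ctl | grep 'role=client' | modulus}

if(! ~ $certn $keyn)
	echo 'certificate and key file do not match'
if not if(~ $#facn 0)
	echo 'no proto=rsa service=tls role=client key in this factotum'
if not if(! ~ $certn $facn)
	echo 'factotum holds a tls key, but not the one the certificate was issued for'
if not
	echo 'ok: certificate, key file and factotum agree'
```

Run it from the same shell (and therefore the same namespace) in which aux/listen1 is started, because /mnt/factotum there is the factotum that tlssrv will consult; with several factotum processes on the machine, as in the pstree output above, loading the key into a different one does not help the listener.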