On Sun, Jun 04, 2023 at 10:48:07AM +0200, Ronald Heggenberger wrote: > Hi! > > (sorry for the second attempt of this message - our domain was not configured > properly for mailing lists (dmarc reject) and I think the first attempt > probably wasn't processed properly) > > I am using step-ca to host my own acme provisioner (which is already working > - an existing proxmox cluster can request and get x509 TLS certificates just > fine), and as next step I wanted to use acme-client on OpenBSD servers, since > it's deployed within the default installation. So I added it to > /etc/acme-client.conf > ``` > [...] > api url "https://use.some.domain.com:8443/acme/acme/directory"; > [...] > ``` > > But, when I run acme-client to actually get a certificate it terminates with > the following error: > ``` > acme-client:https://use.some.domain.com:8443/acme/acme/directory: directories > acme-client: use.some.domain.com:8443: parse error: non-recoverable failure > in name resolution > acme-client:https://use.some.domain.com:8443/acme/acme/directory: bad comm > acme-client: bad exit: netproc(21203): 1 > acme-client: bad exit: dnsproc(35017): 1 > ``` > > I think the acme-client's interpretation of the host-name is wrong since it's > trying to resolve the hostname including the used tcp port as well. > > What I've tried so far: > Using a relayd configuration to forward port 443 to 8443 (this was not > correctly working - just to prove a point) and changed the api url within the > acme-client.conf to get rid of the port definition: > ``` > [...] > api url "https://use.some.domain.com/acme/acme/directory"; > [...] > ``` > > When having the relayd setup waiting for connections and using acme-client I > got the following error (which makes me even more confident that there is a > problem in acme-client's handling of the hostname): > ``` > acme-client: 10.42.120.12: tls_write: handshake failed: unexpected EOF > acme-client: 10.42.120.12: tls_read: handshake failed: unexpected EOF > ``` > > I don't want to setup relayd to handle my TLS properly on port 443, since I > am totally fine having the step-ca service handling it over port 8443. > > I am currently running OpenBSD 7.3, with default setup/configuration - > nothing special. > > How would one navigate this issue? > > Thank you in advance and best regards > Ronald
> BEGIN:VCARD > VERSION:4.0 > N:Heggenberger;Ronald;;; > FN:Ronald Heggenberger > EMAIL;PREF=1:ronald.heggenber...@docoscope.com > END:VCARD Hi Ronald, I think the approach is wrong to add a port number into acme-client. What you perhaps need is something of the proposed internet standard for HTTPS RR's. https://datatracker.ietf.org/doc/draft-ietf-dnsop-svcb-https/ It's not an STD or RFC yet but it soon will be, many DNS Server softwares support it already. As far as browser support I dunno :-( Perhaps someone else knows. Best Regards, -peter -- Over thirty years experience on Unix-like Operating Systems starting with QNX.
