Have you tried redirecting port 443 to port 8443 through pf? This way, you
could even make it only redirect specific clients to 8443, and, in theory,
still run a https webserver for other clients.

Cheers,

Paul 'WEiRD' de Weerd

On Sun, Jun 04, 2023 at 05:56:47PM +0200, Ronald Heggenberger wrote:
| Hi, Peter!
| 
| Well, when you run the step-ca as a non-root user (which is the
| default config for the package) you cannot use the default TLS port
| (443) - hence 8443 for the step-ca service.
| 
| I don't want to run step-ca as root user for a couple of reasons:
| - deviate from the default package configuration
| - introduce potential security risks
| 
| Don't get me wrong, a DNS service discovery sounds interesting, but
| it would put another layer of complexity on the configuration
| (compared to just adding the port in a URL - which is part of an RFC:
| https://www.ietf.org/rfc/rfc1738.txt).
| 
| Best regards,
| Ronald
| 
| On 6/4/23 16:04, Peter J. Philipp wrote:
| > On Sun, Jun 04, 2023 at 10:48:07AM +0200, Ronald Heggenberger wrote:
| > > Hi!
| > > 
| > > (sorry for the second attempt of this message - our domain was not
| > > configured properly for mailing lists (dmarc reject) and I think the
| > > first attempt probably wasn't processed properly)
| > > 
| > > I am using step-ca to host my own acme provisioner (which is already
| > > working - an existing proxmox cluster can request and get x509 TLS
| > > certificates just fine), and as next step I wanted to use acme-client
| > > on OpenBSD servers, since it's deployed within the default
| > > installation. So I added it to /etc/acme-client.conf
| > > ```
| > > [...]
| > > api url "https://use.some.domain.com:8443/acme/acme/directory"
| > > [...]
| > > ```
| > > 
| > > But, when I run acme-client to actually get a certificate it
| > > terminates with the following error:
| > > ```
| > > acme-client:https://use.some.domain.com:8443/acme/acme/directory: directories
| > > acme-client: use.some.domain.com:8443: parse error: non-recoverable failure in name resolution
| > > acme-client:https://use.some.domain.com:8443/acme/acme/directory: bad comm
| > > acme-client: bad exit: netproc(21203): 1
| > > acme-client: bad exit: dnsproc(35017): 1
| > > ```
| > > 
| > > I think the acme-client's interpretation of the host-name is wrong
| > > since it's trying to resolve the hostname including the used tcp port
| > > as well.
| > > 
| > > What I've tried so far:
| > > Using a relayd configuration to forward port 443 to 8443 (this was
| > > not correctly working - just to prove a point) and changed the api
| > > url within the acme-client.conf to get rid of the port definition:
| > > ```
| > > [...]
| > > api url "https://use.some.domain.com/acme/acme/directory"
| > > [...]
| > > ```
| > > 
| > > When having the relayd setup waiting for connections and using
| > > acme-client I got the following error (which makes me even more
| > > confident that there is a problem in acme-client's handling of the
| > > hostname):
| > > ```
| > > acme-client: 10.42.120.12: tls_write: handshake failed: unexpected EOF
| > > acme-client: 10.42.120.12: tls_read: handshake failed: unexpected EOF
| > > ```
| > > 
| > > I don't want to set up relayd to handle my TLS properly on port 443,
| > > since I am totally fine having the step-ca service handling it over
| > > port 8443.
| > > 
| > > I am currently running OpenBSD 7.3, with default setup/configuration
| > > - nothing special.
| > > 
| > > How would one navigate this issue?
| > > 
| > > Thank you in advance and best regards
| > > Ronald
| > 
| > Hi Ronald,
| > 
| > I think the approach is wrong to add a port number into acme-client.
| > What you perhaps need is something of the proposed internet standard
| > for HTTPS RR's.
| > 
| > https://datatracker.ietf.org/doc/draft-ietf-dnsop-svcb-https/
| > 
| > It's not an STD or RFC yet but it soon will be, many DNS server
| > software packages support it already. As far as browser support I
| > dunno :-( Perhaps someone else knows.
| > 
| > Best Regards,
| > -peter
| > 

-- 
>++++++++[<++++++++++>-]<+++++++.>+++[<------>-]<.>+++[<+
+++++++++++>-]<.>++[<------------>-]<+.--------------.[-]
                 http://www.weirdnet.nl/
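Paul's suggestion spelled out as a pf.conf fragment. This is an added example, not configuration posted by anyone in the thread; it assumes step-ca listens on port 8443 on all addresses (or on loopback) of the same OpenBSD host, that the public interface is in the "egress" group, and the client addresses in the table are constructed placeholders.

```pf
# Added example, not from the thread. Assumptions: step-ca on this host
# listens on 127.0.0.1:8443 (or on all addresses), the public interface
# is in the "egress" interface group, and a normal https webserver keeps
# serving port 443 for everyone who is not an ACME client.

# Constructed sample addresses: the OpenBSD hosts that run acme-client.
table <acme_clients> persist { 10.42.120.0/24, 192.0.2.10 }

# ACME clients: port 443 is redirected to the unprivileged step-ca on 8443.
# "quick" is required: pf is last-match, so without it the generic 443
# rule below would win and the rdr-to would never be applied.
pass in quick on egress inet proto tcp from <acme_clients> \
    to (egress) port 443 rdr-to 127.0.0.1 port 8443

# Everyone else: plain https to the regular webserver on 443.
pass in on egress inet proto tcp to (egress) port 443
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading, then confirm a client's connection is actually being translated with `pfctl -ss | grep 8443`, which lists the redirected state as 443 on the public address mapped to 127.0.0.1:8443.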