Nothing like posting a question to misc@ to cause the fog to lift. :-/
see below...
On 03/15/17 22:37, Nick Holland wrote:
> First of all, I did set up an acme-client(1) ssl cert a few months ago
> before the acme-client.conf(5) file days, and it was stupidly,
> jaw-droppingly simple, and it's renewed successfully, so yay man pages!
>
> Now, I'm doing it again on a (-current) system serving up a few domains
> on one IP address, so having to do SNI. Since it was so simple before,
> why not https the thing?
>
> Not so simple.
> (I got it working, but I'm pretty sure I'm Doing It Wrong)
>
> The man page for acme-client says "Before a certificate can be
> requested, an account key needs to be created using the -A argument."
>
> ok. So ...
> # acme-client -A
> acme-client: cannot stat /etc/ssl/private/holland-consulting.net.key:
> No such file or directory
>
> After much head-scratching, I found a commit message that indicated this
> is the proper process:
>
> # acme-client -A -D holland-consulting.net
>
> tada! Worked! Produces three files:
> /etc/ssl/private/holland-consulting.net.key
> /etc/ssl/holland-consulting.net.chain.pem
> /etc/ssl/holland-consulting.net.crt
>
> (and going back and re-reading the man page again...I'm not seeing how I
> was supposed to figure this out!)
>
> So after much trial and error of what file goes where in httpd.conf, I
> found this worked...almost:
> server "holland-consulting.net" {
>         alias "www.holland-consulting.net"
>         listen on $ext_addr port 80
>         listen on $ext_addr tls port 443
>         tls certificate "/etc/ssl/holland-consulting.net.crt"
>         tls key "/etc/ssl/private/holland-consulting.net.key"
>         location "/.well-known/acme-challenge/*" {
>                 root "/acme"
>                 root strip 2
>         }
>         root "/hc.net"
> }
>
> httpd started, no errors logged, and the website came up with a valid
> cert according to Chrome and Firefox on OpenBSD. Almost. A friend of
> mine said he got a cert error, and after dismissing his machine or
> browser as being horribly out of date, I pulled up my phone and saw the
> same thing. Oops. A cert checker site confirmed that I was missing the
> intermediate certificate. (and that's when the profanity began, and if
> you deal with certs, you know what I mean, this is why I thought my
> first use of acme-client was so fantastic...it just worked!).
>
> So I looked at my (far less -current) functioning site, and saw only TWO
> files were being generated...and one (named "fullchain.pem") had
> basically the contents of the TWO /etc/ssh/ files for the domain, but
> now, acme-client is generating two separate files.
>
> So more head-scratching later, I put the contents of
> holland-consulting.net.chain.pem at the END of
> holland-consulting.net.crt, and ta-da, everything worked. (reversing
> the order did NOT work).
>
> # cat holland-consulting.net.chain.pem >>holland-consulting.net.crt
>
> Almost happy!
>
> EXCEPT ... when the cert is renewed, I'm pretty sure it will generate
> separate files again, breaking the trust chain. And I'm pretty sure
> that's not the way it is supposed to work.
>
> So -- is there a way to add the intermediate cert to httpd.conf other
> than concatenating the files? Am I doing something wrong? Or do I just
> need to add the concatenation step to my refresh script?
Doing Something Wrong, of course.
Followed the example a little too closely, didn't understand the
acme-client.conf(5) man page until the problem was solved.
This is the template in /etc/acme-client.conf:
#domain example.com {
#	alternative names { secure.example.com }
#	domain key "/etc/ssl/private/example.com.key"
#	domain certificate "/etc/ssl/example.com.crt"
#	domain chain certificate "/etc/ssl/example.com.chain.pem"
#	sign with letsencrypt
#}
A better config would use the line "domain full chain certificate"
instead.
That creates the PEM file with both certificates in the right order for
httpd to chew on.
Still, I think there are some man page and sample file improvements that
could be made. (will put diff together if no one beats me to it)
Nick.
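The fix described in the reply, written out as an added example rather than the poster's actual files: the domain block asks acme-client for one leaf-plus-intermediate file, and httpd's "tls certificate" points at that file instead of the bare .crt. The fullchain.pem filename and the cron schedule are assumptions; the authority block from the shipped template is left as it is and not shown here. The httpd lines use the "root strip" syntax of the posted config.

```conf
# /etc/acme-client.conf (domain block; authority block unchanged)
domain holland-consulting.net {
	alternative names { www.holland-consulting.net }
	domain key "/etc/ssl/private/holland-consulting.net.key"
	# one file, leaf first then the intermediate, in the order httpd sends it
	domain full chain certificate "/etc/ssl/holland-consulting.net.fullchain.pem"
	sign with letsencrypt
}

# /etc/httpd.conf (only the TLS lines of the server block change)
server "holland-consulting.net" {
	alias "www.holland-consulting.net"
	listen on $ext_addr port 80
	listen on $ext_addr tls port 443
	tls certificate "/etc/ssl/holland-consulting.net.fullchain.pem"
	tls key "/etc/ssl/private/holland-consulting.net.key"
	location "/.well-known/acme-challenge/*" {
		root "/acme"
		root strip 2
	}
	root "/hc.net"
}

# root crontab: renew weekly; acme-client exits 0 only when it actually
# wrote a new certificate (2 means nothing changed), so the reload is
# chained with && and no concatenation step is needed
0 4 * * 1	acme-client holland-consulting.net && rcctl reload httpd
```

To confirm the intermediate is really being served, `openssl s_client -connect holland-consulting.net:443 -servername holland-consulting.net -showcerts </dev/null` should print two CERTIFICATE blocks; a single block is the symptom the poster's friend and phone saw.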
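The ordering rule the poster found by trial and error (leaf first, intermediate after it, the reverse does not work) can be checked mechanically. Below is an added example, not code from acme-client or httpd: a standard-library-only script that pulls the raw issuer and subject Names out of each certificate in a PEM bundle, reports any link in the file that is out of order, and can rebuild a leaf-first bundle from the .crt and .chain.pem files in whatever order they are given. The fake_cert() helper and the "Fake Intermediate"/"Fake Root" names are constructed, unsigned test data so the script runs offline; they are not real certificates.

```python
"""Check and rebuild leaf-first certificate order in a PEM bundle for httpd(8).

Added example (not acme-client or httpd code).  A minimal DER walker extracts
the issuer and subject Name of each certificate; fake_cert() builds constructed,
unsigned certificate skeletons for offline tests only.
"""
import base64
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def pem_blocks(text):
    """DER bytes of every CERTIFICATE block in a PEM file, in file order."""
    return [base64.b64decode("".join(m.split())) for m in PEM_RE.findall(text)]


def to_pem(der):
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % body


def der_tlv(buf, pos=0):
    """Decode one DER TLV at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                   # long form: low bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def der_children(value):
    """(tag, value) of each element inside a SEQUENCE or SET body."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = der_tlv(value, pos)
        out.append((tag, val))
    return out


def issuer_and_subject(cert_der):
    """Raw DER (issuer, subject) Names from Certificate -> tbsCertificate.
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber,
        signature, issuer, validity, subject, subjectPublicKeyInfo, ... }"""
    _, cert, _ = der_tlv(cert_der)
    _, tbs, _ = der_tlv(cert)
    fields = der_children(tbs)
    if fields[0][0] == 0xA0:            # EXPLICIT [0] version present: skip it
        fields = fields[1:]
    return fields[2][1], fields[4][1]


def common_name(name_der):
    """CN attribute (OID 2.5.4.3) of a DER Name, for readable messages."""
    for _, rdn in der_children(name_der):           # RDN = SET of AttributeTypeAndValue
        for _, atv in der_children(rdn):
            (_, oid), (_, val) = der_children(atv)[:2]
            if oid == b"\x55\x04\x03":
                return val.decode("utf-8", "replace")
    return "<no CN>"


def chain_problems(pem_text):
    """Ordering problems in a bundle.  Empty list = leaf first and each
    certificate issued by the one after it, which is what httpd needs."""
    certs = [issuer_and_subject(d) for d in pem_blocks(pem_text)]
    if not certs:
        return ["no CERTIFICATE blocks found"]
    return ["cert %d (CN=%s) is not issued by cert %d (CN=%s)"
            % (i, common_name(certs[i][1]), i + 1, common_name(certs[i + 1][1]))
            for i in range(len(certs) - 1) if certs[i][0] != certs[i + 1][1]]


def order_bundle(*pem_texts):
    """Merge certificates from any PEM inputs, in any order, into one
    leaf-first bundle (what 'domain full chain certificate' writes)."""
    ders = [d for t in pem_texts for d in pem_blocks(t)]
    by_subject = {issuer_and_subject(d)[1]: d for d in ders}
    issuers = {issuer_and_subject(d)[0] for d in ders}
    leaves = [s for s in by_subject if s not in issuers]   # nobody is issued by the leaf
    if len(leaves) != 1:
        raise ValueError("expected exactly one leaf certificate, found %d" % len(leaves))
    ordered, subj = [], leaves[0]
    while subj in by_subject:           # walk leaf -> intermediate -> (root)
        cert = by_subject.pop(subj)
        ordered.append(cert)
        subj = issuer_and_subject(cert)[0]
    return "".join(to_pem(d) for d in ordered)


# --- constructed test data: unsigned skeletons, never install these anywhere ---
def _tlv(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _name(cn):
    atv = _tlv(0x30, _tlv(0x06, b"\x55\x04\x03") + _tlv(0x0C, cn.encode()))
    return _tlv(0x30, _tlv(0x31, atv))


def fake_cert(subject_cn, issuer_cn):
    """Syntactically valid Certificate with a dummy signature (constructed)."""
    alg = _tlv(0x30, _tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b") + _tlv(0x05, b""))
    validity = _tlv(0x30, _tlv(0x17, b"170101000000Z") + _tlv(0x17, b"270101000000Z"))
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01") + alg
                 + _name(issuer_cn) + validity + _name(subject_cn) + _tlv(0x30, b""))
    return _tlv(0x30, tbs + alg + _tlv(0x03, b"\x00"))
```

Against real files, `chain_problems(open("/etc/ssl/holland-consulting.net.fullchain.pem").read())` returns an empty list for a bundle acme-client wrote with "domain full chain certificate", and `order_bundle(open(crt).read(), open(chain).read())` is the safe way to combine the two separate files if a renewal script still has to do it: it picks the leaf by structure rather than by which file was named first, so the reversed concatenation the poster tried cannot happen. The walker compares the raw DER of the Names, which is also what a verifier does; it does not check signatures, so it tells you the file is in the right shape, not that the chain is valid.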