Your suggestion of changing things up in my /etc/httpd.conf file did the
trick!  My initial version of the file, prior to initializing the
account and requesting a new domain key, ended up looking like this based
on your suggestions:

ext_ip="0.0.0.0"
#server "localhost" {
server "git.example.com" {
     listen on $ext_ip port 80

     # serve the cgit static files directly
     location "/cgit.*" {
         root "/cgit"
         no fastcgi
     }

     location "/.well-known/acme-challenge/*" {
         root { "/acme", strip 2 }
     }

     # cgit CGI
     location "*" {
         root "/cgi-bin/cgit.cgi"
         fastcgi socket "/run/slowcgi.sock"
     }
}

After I was able to successfully run
# acme-client -vAD git.example.com

I modified /etc/httpd.conf to:

ext_ip="0.0.0.0"
#server "localhost" {
server "git.example.com" {
#    listen on $ext_ip port 80
     listen on * tls port 443
     tls certificate "/etc/ssl/git.example.com.fullchain.pem"
     tls key "/etc/ssl/private/git.example.com.key"

     # serve the cgit static files directly
     location "/cgit.*" {
         root "/cgit"
         no fastcgi
     }

     location "/.well-known/acme-challenge/*" {
         root { "/acme", strip 2 }
     }

     # cgit CGI
     location "*" {
         root "/cgi-bin/cgit.cgi"
         fastcgi socket "/run/slowcgi.sock"
     }
}

server "git.example.com" {
     listen on * port 80
     block return 301 "https://git.example.com$REQUEST_URI";
}

The site now gets an "A" grade over at ssllabs.com.

I guess my only remaining question is how did you know I needed to make
this change?  I know the OpenBSD documentation is really good but I'm
still fascinated how people manage to sort things like this out.  Maybe
it's just pure experience?

Either way, thanks again!

Samir
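
Added example, not part of the original message: a small Python check for the ordering described above (plain HTTP with the challenge location first, TLS only once the certificate and key exist). The names audit and ready and the two sample strings are assumptions, with the samples shortened from the configurations in the message.

```python
import re

LISTEN = re.compile(r'^listen\s+on\s+\S+\s+(tls\s+)?port\s+(\d+)')
TLSFILE = re.compile(r'^tls\s+(?:certificate|key)\s+"([^"]+)"')
ACME = re.compile(r'^location\s+"/\.well-known/acme-challenge/')

def audit(conf_text, exists):
    """Scan httpd.conf text; exists(path) -> bool reports whether a file is present."""
    report = {"missing_tls_files": [], "plain_http_80": False, "acme_location": False}
    depth = 0
    for raw in conf_text.splitlines():
        line = raw.strip()
        if line.startswith("#"):
            continue  # commented-out directives must not affect brace depth
        if depth == 1:  # directives directly inside a server { } block
            m = LISTEN.match(line)
            if m and m.group(2) == "80" and not m.group(1):
                report["plain_http_80"] = True
            m = TLSFILE.match(line)
            if m and not exists(m.group(1)):
                report["missing_tls_files"].append(m.group(1))
            if ACME.match(line):
                report["acme_location"] = True
        depth += line.count("{") - line.count("}")
    return report

def ready(report):
    # Challenge path reachable via port 80 and no TLS file referenced before it exists.
    return report["plain_http_80"] and report["acme_location"] and not report["missing_tls_files"]

# Constructed samples, shortened from the two configurations in the message.
STAGE1 = '''server "git.example.com" {
     listen on $ext_ip port 80
     location "/.well-known/acme-challenge/*" {
         root { "/acme", strip 2 }
     }
}'''
STAGE2 = '''#server "localhost" {
server "git.example.com" {
     listen on * tls port 443
     tls certificate "/etc/ssl/git.example.com.fullchain.pem"
     tls key "/etc/ssl/private/git.example.com.key"
     location "/.well-known/acme-challenge/*" {
         root { "/acme", strip 2 }
     }
}
server "git.example.com" {
     listen on * port 80
     block return 301 "https://git.example.com$REQUEST_URI"
}'''
```

Pass os.path.exists as the second argument to run it against the real filesystem; the checks are global across all server blocks, not per server.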


