Hi openbsd-misc,

I am a hobbyist hosting several services on my OpenBSD-7.5 machine. Because
some of the services that I want to use expose their own HTTP server (rather
than a FastCGI one), I am cornered into using relayd together with httpd.

When things were simpler, I could serve gitea with just httpd. Everything
worked perfectly in the browser and I could "git clone" repos without
problems. However, when I introduced relayd into the stack as a TLS
accelerator, I got a curious error. Navigating to the gitea server with the
browser (i.e., https://src.domain.io) still works with zero problems. But
when I try to use "git clone" or "curl" from the terminal, I get the
following errors:

   $ git clone https://src.domain.io/user/aoc.git
   Cloning into 'aoc'...
   fatal: unable to access 'https://src.domain.io/user/aoc.git/': SSL certificate problem: unable to get local issuer certificate

and

   $ curl https://src.domain.io
   curl: (60) SSL certificate problem: unable to get local issuer certificate
   More details here: https://curl.se/docs/sslcerts.html

   curl failed to verify the legitimacy of the server and therefore could not
   establish a secure connection to it. To learn more about this situation and
   how to fix it, please visit the web page mentioned above.


Am I missing something obvious?

Below are my configs.
Thanks in advance.


# httpd.conf
server "src.domain.io" {
   # Plain-HTTP listener. It only answers ACME challenges and redirects
   # everything else to HTTPS, which relayd terminates on port 443.
   listen on * port 80
   # Challenge files live under /acme (relative to httpd's chroot, typically
   # /var/www); "request strip 2" removes the leading
   # "/.well-known/acme-challenge" components before the lookup.
   location "/.well-known/acme-challenge/*" {
      root "/acme"
      request strip 2
   }

   # $HTTP_HOST is the Host header the client sent. If this server is also
   # the default (only) server on port 80, requests for any other name land
   # here too and are redirected to whatever host the client supplied; a
   # literal "https://src.domain.io$REQUEST_URI" would pin the target.
   # NOTE(review): the trailing ';' is unusual in httpd.conf -- confirm with
   # `httpd -n` that the file parses as intended.
   block return 302 "https://$HTTP_HOST$REQUEST_URI";
}



# relayd.conf
# LAN address the TLS relay binds to.
ip4="192.168.1.78"

# Backend pool: relayd hands decrypted requests to gitea on loopback; the
# backend port is given on the relay that uses this table.
table <src.domain.io> { 127.0.0.1 }

http protocol wwwtls {
        # Hand the client relayd's own error page instead of just dropping
        # the connection when a request cannot be forwarded.
        return error

        # "set" overwrites any X-Forwarded-* header the client sent, so the
        # backend cannot be fed a spoofed client address, host or scheme.
        match request header set "X-Forwarded-For" value "$REMOTE_ADDR"
        match request header set "X-Forwarded-By" value
"$SERVER_ADDR:$SERVER_PORT"
        match request header set "X-Forwarded-Host" value "$HOST"
        match request header set "X-Forwarded-Port" value "$SERVER_PORT"
        # Gitea is reached over plain http on 127.0.0.1 but advertises an
        # https ROOT_URL, so it relies on this header being right.
        match request header set "X-Forwarded-Proto" value "https"
        # X-XSS-Protection is a legacy header that current browsers ignore;
        # harmless, but it provides no protection on its own.
        match response header set "X-XSS-Protection"       value "1;
mode=block"
        match response header set "X-Content-Type-Options" value "nosniff"
        # Ask the backend to close after each response (one request per
        # backend connection).
        match request header set "Connection" value "close"
        # NOTE(review): no Strict-Transport-Security header is set on
        # responses; worth adding once clients can validate the chain.

        match response header set "Permissions-Policy"     value
"accelerometer=(),

ambient-light-sensor=(),autoplay=(),camera=(),encrypted-media=(),
              focus-without-user-activation=(),geolocation=(),gyroscope=(),

magnetometer=(),microphone=(),midi=(),payment=(),picture-in-picture=(),
              speaker=(),sync-xhr=(),usb=(),vr=()"

        match header set "Keep-Alive" value "$TIMEOUT"
        # Strip the backend's framework banner from responses.
        match response header remove "X-Powered-By"

        tcp { nodelay, sack, backlog 128, socket buffer 65536 }

        # NOTE(review): this is the likely cause of the curl/git failures.
        # Per relayd.conf(5), "tls keypair NAME" loads the certificate from
        # /etc/ssl/NAME.crt and the key from /etc/ssl/private/NAME.key, so
        # this relay presents /etc/ssl/src.domain.io.crt. In the /etc/ssl
        # listing that file is 2.1K -- the leaf certificate alone -- while
        # src.domain.io.fullchain.pem (3.8K) also carries the intermediate.
        # Browsers typically fetch a missing intermediate themselves; curl
        # and git do not, hence "unable to get local issuer certificate".
        # Make the .crt relayd reads contain the full chain (e.g. have
        # acme-client write its full chain certificate to that path) and
        # verify with `openssl s_client -connect src.domain.io:443 -showcerts`
        # that more than one certificate is sent; `relayd -n` checks the
        # config parses after the change.
        tls keypair src.domain.io

        # Route by Host header to the backend table. Mail wrapping appears
        # to have split this directive over two lines; it must be a single
        # line in the real relayd.conf.
        match request header "Host" value "src.domain.io" forward to <
src.domain.io>
}

relay wwwtls {
        # TLS is terminated here on the LAN address; the hop to the backend
        # at 127.0.0.1:3000 is plaintext http.
        listen on $ip4 port 443 tls
        protocol wwwtls

        forward to <src.domain.io> port 3000
}


# gitea app.ini
; Gitea runs as its own unprivileged user; relayd in front of it terminates
; TLS, so gitea itself only speaks plain http.
APP_NAME = my_gitea_server
RUN_USER = _gitea
WORK_PATH = /usr/local/share/gitea
RUN_MODE = prod

[server]
; Plain http bound to loopback only; external clients come in via relayd.
PROTOCOL = http
DOMAIN = src.domain.io
; Public URL; must match what relayd presents (https, this host name).
ROOT_URL = https://src.domain.io
HTTP_ADDR = 127.0.0.1
HTTP_PORT = 3000
SSH_PORT = 22
APP_DATA_PATH = /var/gitea/data
; NOTE(review): SSH clone URLs will show the LAN IP rather than the host name.
SSH_DOMAIN = 192.168.1.78
; NOTE(review): DOMAIN is set twice in this section (src.domain.io above,
; the IP here); presumably the later value wins -- drop one so the effective
; domain is unambiguous.
DOMAIN = 192.168.1.78
DISABLE_SSH = false
LANDING_PAGE = home


# /etc/ssl
drwxr-xr-x  3 root  wheel   512B Dec 27  2021 acme/
drwx------  2 root  wheel   512B Oct 25 19:57 private/
-r--r--r--  1 root  wheel   341K Sep 14 19:34 cert.pem
-r--r--r--  1 root  wheel   2.1K Oct 25 19:59 src.domain.io.crt
-r--r--r--  1 root  wheel   3.8K Oct 25 19:59 src.domain.io.fullchain.pem
-rw-r--r--  1 root  wheel   504B Oct 26 17:46 src.domain.io.ocsp
-rw-r--r--  1 root  wheel   504B Oct 26 13:58 src.domain.io.ocsp.pem
