Date:      Tue, 8 Nov 2016 07:23:24 -0700
From:      "@lbutlr" <kremels@kreme.com>
To:        freebsd-ports@freebsd.org
Subject:   Re: Dehydrated setup
Message-ID:  <85DE1A10-ADFD-4132-A71C-9F4064630B9B@kreme.com>
In-Reply-To: <1ee859d9-0fe3-c479-d183-66cbab63e937@erdgeist.org>
References:  <FECFF380-14AD-4692-AC42-2483238C4520@gmail.com> <68409904-4868-5210-6c76-f123ca849996@erdgeist.org> <C3108A51-6680-4F15-973F-8CA82F4C775B@kreme.com> <1ee859d9-0fe3-c479-d183-66cbab63e937@erdgeist.org>

>
> On 08 Nov 2016, at 07:11, Dirk Engling <erdgeist@erdgeist.org> wrote:
>
> On 08/11/2016 14:59, @lbutlr wrote:
>
>> # su -m _dehydrated -c 'bash /usr/local/bin/dehydrated --cron'
>> # INFO: Using main config file /usr/local/etc/dehydrated/config
>> Processing covisp.net with alternative names: covisp.net www.covisp.net
>> + Signing domains...
>> + Generating private key...
>> + Generating signing request...
>> + Requesting challenge for covisp.net...
>> + Requesting challenge for covisp.net...
>> + Requesting challenge for www.covisp.net...
>> + Responding to challenge for covisp.net...
>> ERROR: Challenge is invalid! (returned: invalid) (result: {
>> "type": "http-01",
>> "status": "invalid",
>> "error": {
>>   "type": "urn:acme:error:unauthorized",
>>   "detail": "Invalid response from http://covisp.net/.well-known/acme-challenge/t4DhXZyC
>>
>> same results with WELLKNOWN="/usr/local/etc/dehydrated/.well-known"
>
> It says unauthorized now. Could it be that your web server does not
> follow links by default?

It is possible, but I am pretty sure it did. It is Apache 2.4 built from portmaster.

> Could you tell me, which webserver you're
> using? Then I can copy you a snippet for its config that should work.
>
>> /usr/local/etc/dehydrated]# ls -lsR
>> total 40
>> 8 drwxrwx---  2 root  _dehydrated  512 Nov  8 04:34 .acme-challenges
>> 0 lrwxr-xr-x  1 root  _dehydrated   16 Nov  8 06:48 .well-known ->
> /www/.well-known
>> 8 drwxrwx---  3 root  _dehydrated  512 Nov  8 06:45 accounts
>> 8 drwxrwx---  3 root  _dehydrated  512 Oct 31 17:38 certs
>> 8 -rw-r--r--  1 root  _dehydrated  141 Nov  8 06:56 config
>> 8 -rw-r--r--  1 root  _dehydrated  129 Nov  8 06:54 domains.txt
>
> Also I would suggest setting
>
> BASEDIR=/var/dehydrated

Do you mean create that directory?

> in your config and make /usr/local/etc/dehydrated/ belong to root.

It does belong to root.

# ls -lsd /usr/local/etc/dehydrated
8 drwxrwx--x  5 root  _dehydrated  512 Nov  8 06:56 /usr/local/etc/dehydrated

> Currently your privilege separation does not yield much, as the
> _dehydrated can write /usr/local/etc/dehydrated and could possibly
> overwrite your deploy.sh script, if you chose to provide one for use
> with periodic.
>
> You would just need to move the accounts and certs directory and
> domains.txt to /var/dehydrated, give this directory to _dehydrated and
> leave permissions on /usr/local/etc/dehydrated/ as they are (this saves
> you A LOT of trouble when updating the package).

I can certainly do that, though I think it would be better to do it once I get something of some sort actually working, yes?
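A check for the two problems discussed in this thread, added here as an example; it is not code from the thread, from dehydrated or from the FreeBSD port. The first function lists everything under the root-owned config directory that the unprivileged ACME user could modify (the deploy.sh concern Dirk raises); the second drops a token into WELLKNOWN the way dehydrated does and reports whether the file the CA will fetch is reachable, and whether only through a symlink. All paths are parameters, the token string is made up, and demo() builds a throwaway tree under mktemp that mirrors the modes from the ls -lsR output above (ownership is not reproduced).

```sh
#!/bin/sh
# Added example, not code from the thread, from dehydrated or from the
# FreeBSD port: two checks for the layout problems discussed above.
# Every path is a parameter; demo() builds a constructed tree under mktemp.

# 1. Privilege separation. Anything under the root-owned config directory
#    that is group- or world-writable can be changed by the unprivileged
#    ACME user. A group-writable directory is enough: the user can replace
#    deploy.sh there even if the file itself is 0644. Prints the offenders
#    and returns 1 if there are any, 0 otherwise. The remedy in the thread
#    is to move accounts, certs and domains.txt to BASEDIR.
find_unprivileged_writable() {
    out=$(find "$1" \( -perm -020 -o -perm -002 \) -print)
    [ -n "$out" ] || return 0
    printf '%s\n' "$out"
    return 1
}

# 2. The http-01 path. $1 is the file the web server must serve for
#    <docroot>/.well-known/acme-challenge/<token>. Returns 0 if it is
#    readable with no symlink in the path, 2 if it is readable only through
#    a symlink (the server then needs to follow symlinks there, or an Alias
#    to the real WELLKNOWN directory), 1 if it is not readable at all.
served_path_status() {
    p=$1
    [ -r "$p" ] || return 1
    via_link=0 acc=""
    old_ifs=$IFS; IFS=/; set -f
    for comp in $p; do
        [ -n "$comp" ] || continue
        acc="$acc/$comp"
        [ -L "$acc" ] && via_link=1
    done
    set +f; IFS=$old_ifs
    [ "$via_link" -eq 0 ] || return 2
    return 0
}

# Drop a token into WELLKNOWN the way dehydrated does, check what the web
# server would see, then remove it. $1 = WELLKNOWN directory,
# $2 = <docroot>/.well-known/acme-challenge, $3 = token (constructed here).
probe_challenge() {
    printf 'constructed-key-authorization\n' > "$1/$3" || return 1
    rc=0
    served_path_status "$2/$3" || rc=$?
    rm -f "$1/$3"
    return $rc
}

# Constructed demo tree: config dir 0771 with a 0770 certs subdirectory
# (modes as in the thread's listing), and a docroot challenge directory
# that is a symlink to WELLKNOWN.
demo() {
    umask 022
    t=$(cd "$(mktemp -d)" && pwd -P) || return 1
    cfg=$t/usr/local/etc/dehydrated
    chal=$t/www/.well-known/acme-challenge
    mkdir -p "$cfg/.acme-challenges" "$cfg/certs" "$t/www/.well-known"
    printf '#!/bin/sh\n' > "$cfg/deploy.sh"
    chmod 771 "$cfg"; chmod 770 "$cfg/certs"
    ln -s "$cfg/.acme-challenges" "$chal"
    echo "== group/world-writable under $cfg (ACME user can modify):"
    find_unprivileged_writable "$cfg" && echo "(none)"
    rc=0; probe_challenge "$cfg/.acme-challenges" "$chal" tokenXYZ || rc=$?
    echo "== http-01 path status: $rc (0 ok, 2 via symlink, 1 unreachable)"
    rm -rf "$t"
}
demo
```

Run it as root against the real paths (find_unprivileged_writable /usr/local/etc/dehydrated; probe_challenge with your WELLKNOWN and the directory your DocumentRoot maps /.well-known/acme-challenge/ to) before the next --cron run. A status of 2 means the challenge file is only reachable through a symlink, which is exactly the case a web server that does not follow links will refuse.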
