Date: Tue, 8 Nov 2016 07:23:24 -0700 From: "@lbutlr" <kremels@kreme.com> To: freebsd-ports@freebsd.org Subject: Re: Dehydrated setup Message-ID: <85DE1A10-ADFD-4132-A71C-9F4064630B9B@kreme.com> In-Reply-To: <1ee859d9-0fe3-c479-d183-66cbab63e937@erdgeist.org> References: <FECFF380-14AD-4692-AC42-2483238C4520@gmail.com> <68409904-4868-5210-6c76-f123ca849996@erdgeist.org> <C3108A51-6680-4F15-973F-8CA82F4C775B@kreme.com> <1ee859d9-0fe3-c479-d183-66cbab63e937@erdgeist.org>
next in thread | previous in thread | raw e-mail | index | archive | help
>=20 > On 08 Nov 2016, at 07:11, Dirk Engling <erdgeist@erdgeist.org> wrote: >=20 > On 08/11/2016 14:59, @lbutlr wrote: >=20 >> # su -m _dehydrated -c 'bash /usr/local/bin/dehydrated --cron' >> # INFO: Using main config file /usr/local/etc/dehydrated/config >> Processing covisp.net with alternative names: covisp.net = www.covisp.net >> + Signing domains... >> + Generating private key... >> + Generating signing request... >> + Requesting challenge for covisp.net... >> + Requesting challenge for covisp.net... >> + Requesting challenge for www.covisp.net... >> + Responding to challenge for covisp.net... >> ERROR: Challenge is invalid! (returned: invalid) (result: { >> "type": "http-01", >> "status": "invalid", >> "error": { >> "type": "urn:acme:error:unauthorized", >> "detail": "Invalid response from = http://covisp.net/.well-known/acme-challenge/t4DhXZyC >>=20 >> same results with WELLKNOWN=3D"/usr/local/etc/dehydrated/.well-known" >=20 > It says unauthorized now. Could it be that your web server does not > follow links by default? It is possible, but I am pretty sure it did. It is apache 2.4 built from = portmaster. > Could you tell me, which webserver you're > using? Then I can copy you a snippet for its config that should work. >=20 >> /usr/local/etc/dehydrated]# ls -lsR >> total 40 >> 8 drwxrwx--- 2 root _dehydrated 512 Nov 8 04:34 .acme-challenges >> 0 lrwxr-xr-x 1 root _dehydrated 16 Nov 8 06:48 .well-known -> > /www/.well-known >> 8 drwxrwx--- 3 root _dehydrated 512 Nov 8 06:45 accounts >> 8 drwxrwx--- 3 root _dehydrated 512 Oct 31 17:38 certs >> 8 -rw-r--r-- 1 root _dehydrated 141 Nov 8 06:56 config >> 8 -rw-r--r-- 1 root _dehydrated 129 Nov 8 06:54 domains.txt >=20 > Also I would suggest setting >=20 > BASEDIR=3D/var/dehydrated Do you mean create that directory? > in your config and make /usr/local/etc/dehydrated/ belong to root. It does belong to root. # ls -lsd /usr/local/etc/dehydrated=20 8 drwxrwx--x 5 root _dehydrated 512 Nov 8 06:56 = /usr/local/etc/dehydrated > Currently your privlege separation does not yield much, as the > _dehydrated can write /usr/local/etc/dehydrated and could possibly > overwrite your deploy.sh script, if you chose to provide one for use > with periodic. >=20 > You would just need to move the accounts and certs directory and > domains.txt to /var/dehydrated, give this directory to _dehdrated and > leave permissions on /usr/local/etc/dehydrated/ as they are (this = saves > you A LOT of trouble when updating the package). I can certainly do that, though I think it would be better to do it once = I get something of some sort actually working, yes?=
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?85DE1A10-ADFD-4132-A71C-9F4064630B9B>