From: "@lbutlr"
Subject: Re: Dehydrated setup
Date: Tue, 8 Nov 2016 07:23:24 -0700
To: freebsd-ports@freebsd.org
In-Reply-To: <1ee859d9-0fe3-c479-d183-66cbab63e937@erdgeist.org>
Message-Id: <85DE1A10-ADFD-4132-A71C-9F4064630B9B@kreme.com>

> On 08 Nov 2016, at 07:11, Dirk Engling wrote:
>
> On 08/11/2016 14:59, @lbutlr wrote:
>
>> # su -m _dehydrated -c 'bash /usr/local/bin/dehydrated --cron'
>> # INFO: Using main config file /usr/local/etc/dehydrated/config
>> Processing covisp.net with alternative names: covisp.net www.covisp.net
>> + Signing domains...
>> + Generating private key...
>> + Generating signing request...
>> + Requesting challenge for covisp.net...
>> + Requesting challenge for covisp.net...
>> + Requesting challenge for www.covisp.net...
>> + Responding to challenge for covisp.net...
>> ERROR: Challenge is invalid! (returned: invalid) (result: {
>> "type": "http-01",
>> "status": "invalid",
>> "error": {
>> "type": "urn:acme:error:unauthorized",
>> "detail": "Invalid response from http://covisp.net/.well-known/acme-challenge/t4DhXZyC
>>
>> same results with WELLKNOWN="/usr/local/etc/dehydrated/.well-known"
>
> It says unauthorized now. Could it be that your web server does not
> follow links by default?

It is possible, but I am pretty sure it did. It is apache 2.4 built from portmaster.

> Could you tell me which webserver you're
> using? Then I can copy you a snippet for its config that should work.
>
>> /usr/local/etc/dehydrated]# ls -lsR
>> total 40
>> 8 drwxrwx--- 2 root _dehydrated 512 Nov 8 04:34 .acme-challenges
>> 0 lrwxr-xr-x 1 root _dehydrated 16 Nov 8 06:48 .well-known -> /www/.well-known
>> 8 drwxrwx--- 3 root _dehydrated 512 Nov 8 06:45 accounts
>> 8 drwxrwx--- 3 root _dehydrated 512 Oct 31 17:38 certs
>> 8 -rw-r--r-- 1 root _dehydrated 141 Nov 8 06:56 config
>> 8 -rw-r--r-- 1 root _dehydrated 129 Nov 8 06:54 domains.txt
>
> Also I would suggest setting
>
> BASEDIR=/var/dehydrated

Do you mean create that directory?

> in your config and make /usr/local/etc/dehydrated/ belong to root.

It does belong to root.

# ls -lsd /usr/local/etc/dehydrated
8 drwxrwx--x 5 root _dehydrated 512 Nov 8 06:56 /usr/local/etc/dehydrated

> Currently your privilege separation does not yield much, as the
> _dehydrated can write /usr/local/etc/dehydrated and could possibly
> overwrite your deploy.sh script, if you chose to provide one for use
> with periodic.
>
> You would just need to move the accounts and certs directory and
> domains.txt to /var/dehydrated, give this directory to _dehydrated and
> leave permissions on /usr/local/etc/dehydrated/ as they are (this saves
> you A LOT of trouble when updating the package).

I can certainly do that, though I think it would be better to do it once I get something of some sort actually working, yes?
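The two points raised in this exchange, a WELLKNOWN directory the web server may not be able to serve (here reached through a symlink) and a config directory that the _dehydrated user can write to, can both be checked before running `dehydrated --cron` again. The script below is an added example, not part of the thread and not code from the dehydrated port; it does not diagnose covisp.net. It assumes a dehydrated-style config file of plain sh assignments (which is how dehydrated loads its config), and the paths, the function names and the temporary demo layout in `main` are all constructed for illustration. The Apache fragment it prints uses `Alias` so that the challenge directory is served directly and symlink handling never comes into play.

```shell
#!/bin/sh
# Added example (not from the thread or the dehydrated port): pre-flight checks
# for an http-01 setup. All paths and function names are assumptions.
set -u

# Read KEY from a dehydrated-style config the way dehydrated itself does:
# source it in a subshell and print the resulting value.
config_get() {  # config_get CONFIG_FILE KEY
    ( set +u; . "$1" >/dev/null 2>&1 || exit 1; eval "printf '%s\n' \"\${$2:-}\"" )
}

# Resolve WELLKNOWN (following a symlink if it is one) and prove that a token
# written there is readable. Prints the resolved directory, which is the path
# to hand to the web server so it never has to follow the link itself.
check_wellknown() {  # check_wellknown WELLKNOWN_DIR
    real=$(cd "$1" 2>/dev/null && pwd -P) || {
        echo "WELLKNOWN $1 is not a directory (dangling symlink?)" >&2; return 1; }
    token="$real/preflight-$$"
    printf 'ok\n' >"$token" 2>/dev/null || {
        echo "cannot write a challenge token into $real" >&2; return 1; }
    [ -r "$token" ] || { echo "$token is not readable" >&2; rm -f "$token"; return 1; }
    rm -f "$token"
    echo "$real"
}

# Privilege separation as recommended in the thread: the config directory must
# not be group- or world-writable (so _dehydrated cannot replace a hook script
# such as deploy.sh), and the mutable state lives in a separate BASEDIR.
check_privsep() {  # check_privsep CONFIG_DIR BASEDIR
    [ -d "$1" ] || { echo "config dir $1 does not exist" >&2; return 1; }
    perm=$(ls -ld "$1" | awk '{print $1}')
    case "$perm" in
        ?????w*|????????w*)   # 'w' in the group or other triplet
            echo "$1 is writable by group or others ($perm); make it root-owned, mode 755" >&2
            return 1 ;;
    esac
    [ -d "$2" ] || { echo "BASEDIR $2 does not exist; create it and chown it to _dehydrated" >&2; return 1; }
    return 0
}

# Apache 2.4 fragment that serves the resolved challenge directory directly.
apache_snippet() {  # apache_snippet RESOLVED_DIR
    cat <<EOF
Alias /.well-known/acme-challenge $1
<Directory $1>
    Options None
    AllowOverride None
    Require all granted
</Directory>
EOF
}

# Demo on a constructed layout that mirrors the thread's advice; runs unprivileged.
main() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/etc/dehydrated" "$tmp/var/dehydrated/acme-challenges" "$tmp/www"
    ln -s "$tmp/var/dehydrated/acme-challenges" "$tmp/www/.well-known"
    chmod 770 "$tmp/etc/dehydrated"   # group-writable, like the ls -lsd output above
    cat >"$tmp/etc/dehydrated/config" <<EOF
BASEDIR=$tmp/var/dehydrated
WELLKNOWN="$tmp/www/.well-known"
EOF
    cfg=$tmp/etc/dehydrated/config
    base=$(config_get "$cfg" BASEDIR)
    check_privsep "$tmp/etc/dehydrated" "$base" || echo "privsep check failed (mode 770), fix and rerun"
    chmod 755 "$tmp/etc/dehydrated"
    check_privsep "$tmp/etc/dehydrated" "$base" && echo "privsep ok after chmod 755"
    dir=$(check_wellknown "$(config_get "$cfg" WELLKNOWN)") && apache_snippet "$dir"
    rm -rf "$tmp"
}
main
```

Run it as-is to see the demo; to check a real installation, call `check_privsep /usr/local/etc/dehydrated "$(config_get /usr/local/etc/dehydrated/config BASEDIR)"` and `check_wellknown "$(config_get /usr/local/etc/dehydrated/config WELLKNOWN)"` as the _dehydrated user, since that is the user that must be able to write the token. A passing check only shows the directory exists and is writable; whether Apache actually serves it still has to be confirmed by fetching a test file over HTTP.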