From owner-freebsd-ports@freebsd.org Tue Nov 8 14:25:26 2016
Subject: Re: Dehydrated setup
To: @lbutlr, freebsd-ports@freebsd.org
From: Dirk Engling
Date: Tue, 8 Nov 2016 15:25:22 +0100

On 08/11/2016 15:16, @lbutlr wrote:

> It is possible, but I am pretty sure it did. It is apache 2.4 built from portmaster.
>
>> Could you tell me, which webserver you're
>> using?
Then I can copy you a snippet for its config that should work.

With apache I changed

WELLKNOWN="/usr/local/www/dehydrated/.well-known/acme-challenge"

created both directories and had apache use /usr/local/www/dehydrated
for non-tls connections. Your mileage may vary, so you might need to
have WELLKNOWN point to

/usr/local/www/.well-known/acme-challenge

and make this directory belong to _dehydrated and be world readable.

>> Also I would suggest setting
>>
>> BASEDIR=/var/dehydrated
>
> Do you mean create that directory?

Yes. Actually in a perfect world the package would have done that for
you, but the port's maintainers have been busy getting the transition
from the name letsencrypt.sh to dehydrated right.

>> in your config and make /usr/local/etc/dehydrated/ belong to root.
>
> It does belong to root.
>
> # ls -lsd /usr/local/etc/dehydrated
> 8 drwxrwx--x 5 root _dehydrated 512 Nov 8 06:56 /usr/local/etc/dehydrated

But group has +w, so it can just delete files and write them anew. See,
complex permission models always leave you head scratching if you really
thought of everything.

> I can certainly do that, though I think it would be better to do it
> once I get something of some sort actually working, yes?

Sure ;) But it's not worth it to get something running that you need to
change afterwards.

erdgeist
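
The two permission points raised in this message (a config directory that is root-owned but still group-writable, and a WELLKNOWN directory that must belong to _dehydrated and be world readable) can be checked mechanically. The following is an added example, not part of the original mail or of the dehydrated port; the function names are hypothetical, and the expected owners root and _dehydrated are taken from the mail.

```sh
#!/bin/sh
# Added example, not from the original mail; function names are hypothetical.
# MODE is the first field of `ls -ld`: char 1 type, 2-4 user, 5-7 group, 8-10 other.

# Config dir: owned by root and not writable by group or others, so the
# unprivileged _dehydrated user cannot delete files and write them anew.
audit_config_dir() {     # usage: audit_config_dir MODE OWNER
    acd_rc=0
    [ "$2" = "root" ] || { echo "config dir: owner is $2, expected root"; acd_rc=1; }
    case $1 in d????w*)    echo "config dir: group-writable"; acd_rc=1 ;; esac
    case $1 in d???????w*) echo "config dir: world-writable"; acd_rc=1 ;; esac
    return $acd_rc
}

# WELLKNOWN dir: owned by _dehydrated, readable and searchable by others so
# the web server can serve the challenge files from it.
audit_wellknown_dir() {  # usage: audit_wellknown_dir MODE OWNER
    awd_rc=0
    [ "$2" = "_dehydrated" ] || { echo "WELLKNOWN dir: owner is $2, expected _dehydrated"; awd_rc=1; }
    case $1 in
        d??????r?[xt]*) ;;
        *) echo "WELLKNOWN dir: not world readable and searchable"; awd_rc=1 ;;
    esac
    return $awd_rc
}

# Run one of the checks against a real directory, using `ls -ld` so the same
# code works with both BSD and GNU userlands.
audit_path() {           # usage: audit_path CHECK_FUNCTION DIRECTORY
    ap_line=$(ls -ld "$2") || return 2
    read -r ap_mode ap_links ap_owner ap_rest <<EOF
$ap_line
EOF
    "$1" "$ap_mode" "$ap_owner"
}

# Constructed sample: mode and owner as shown in the `ls -lsd` output quoted in the mail.
audit_config_dir "drwxrwx--x" root || echo "=> config directory needs tightening"
```

On a live system the same checks run as `audit_path audit_config_dir /usr/local/etc/dehydrated` and `audit_path audit_wellknown_dir "$WELLKNOWN"`.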