Date: Tue, 8 Nov 2016 15:11:43 +0100
From: Dirk Engling <erdgeist@erdgeist.org>
To: @lbutlr <kremels@kreme.com>, freebsd-ports@freebsd.org
Subject: Re: Dehydrated setup
Message-ID: <1ee859d9-0fe3-c479-d183-66cbab63e937@erdgeist.org>
In-Reply-To: <C3108A51-6680-4F15-973F-8CA82F4C775B@kreme.com>
References: <FECFF380-14AD-4692-AC42-2483238C4520@gmail.com> <68409904-4868-5210-6c76-f123ca849996@erdgeist.org> <C3108A51-6680-4F15-973F-8CA82F4C775B@kreme.com>
On 08/11/2016 14:59, @lbutlr wrote:
> # su -m _dehydrated -c 'bash /usr/local/bin/dehydrated --cron'
> # INFO: Using main config file /usr/local/etc/dehydrated/config
> Processing covisp.net with alternative names: covisp.net www.covisp.net
> + Signing domains...
> + Generating private key...
> + Generating signing request...
> + Requesting challenge for covisp.net...
> + Requesting challenge for covisp.net...
> + Requesting challenge for www.covisp.net...
> + Responding to challenge for covisp.net...
> ERROR: Challenge is invalid! (returned: invalid) (result: {
> "type": "http-01",
> "status": "invalid",
> "error": {
> "type": "urn:acme:error:unauthorized",
> "detail": "Invalid response from http://covisp.net/.well-known/acme-challenge/t4DhXZyC
>
> same results with WELLKNOWN="/usr/local/etc/dehydrated/.well-known"

It says unauthorized now. Could it be that your web server does not follow links by default? Could you tell me which webserver you're using? Then I can copy you a snippet for its config that should work.

> /usr/local/etc/dehydrated]# ls -lsR
> total 40
> 8 drwxrwx--- 2 root _dehydrated 512 Nov 8 04:34 .acme-challenges
> 0 lrwxr-xr-x 1 root _dehydrated 16 Nov 8 06:48 .well-known -> /www/.well-known
> 8 drwxrwx--- 3 root _dehydrated 512 Nov 8 06:45 accounts
> 8 drwxrwx--- 3 root _dehydrated 512 Oct 31 17:38 certs
> 8 -rw-r--r-- 1 root _dehydrated 141 Nov 8 06:56 config
> 8 -rw-r--r-- 1 root _dehydrated 129 Nov 8 06:54 domains.txt

Also I would suggest setting BASEDIR=/var/dehydrated in your config and making /usr/local/etc/dehydrated/ belong to root. Currently your privilege separation does not yield much, as _dehydrated can write /usr/local/etc/dehydrated and could possibly overwrite your deploy.sh script, if you chose to provide one for use with periodic.

You would just need to move the accounts and certs directory and domains.txt to /var/dehydrated, give this directory to _dehydrated and leave permissions on /usr/local/etc/dehydrated/ as they are (this saves you A LOT of trouble when updating the package).

erdgeist
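The layout change recommended above (mutable state under BASEDIR, the package-owned config directory no longer writable by the service user), as an added shell example that is not from the thread or the dehydrated project; the paths, the `_dehydrated` user and the two function names are assumptions, and the check only reads mode bits, so it has to be pointed at the real directories to say anything about them.

```shell
#!/bin/sh
# Constructed example, not code from the thread or the dehydrated project.
# Moves dehydrated's mutable state out of the package-owned config directory
# into a dedicated BASEDIR and checks that nothing under the config directory
# is writable by group or other (i.e. by the _dehydrated user via its group).
# CONFDIR, BASEDIR and SVCUSER are assumptions; override them via the environment.
CONFDIR="${CONFDIR:-/usr/local/etc/dehydrated}"
BASEDIR="${BASEDIR:-/var/dehydrated}"
SVCUSER="${SVCUSER:-_dehydrated}"

# Print every file or directory under $1 whose mode grants write to group or
# other; return 1 if any exist (a deploy hook there could be replaced by the
# service user), 0 otherwise. Symlinks are skipped: their own bits are
# meaningless and the .well-known target has to stay writable anyway.
check_confdir_readonly() {
    bad=0
    for f in "$1" "$1"/* "$1"/.[!.]*; do
        [ -e "$f" ] && [ ! -L "$f" ] || continue
        mode=$(ls -ld "$f" | cut -c1-10)
        case "$mode" in
            ?????w*|????????w?) echo "writable by group/other: $f ($mode)"; bad=1 ;;
        esac
    done
    return $bad
}

# Move accounts/, certs/ and domains.txt into BASEDIR, record BASEDIR in the
# config (dehydrated derives the other three paths from it), drop group/other
# write bits from CONFDIR and fix ownership. chown needs root; when run
# unprivileged the two chown commands are printed instead of executed.
migrate_to_basedir() {
    mkdir -p "$BASEDIR" && chmod 750 "$BASEDIR"
    for item in accounts certs domains.txt; do
        if [ -e "$CONFDIR/$item" ]; then mv "$CONFDIR/$item" "$BASEDIR/"; fi
    done
    { grep -v '^BASEDIR=' "$CONFDIR/config" 2>/dev/null || true; } > "$CONFDIR/config.tmp"
    echo "BASEDIR=$BASEDIR" >> "$CONFDIR/config.tmp"
    mv "$CONFDIR/config.tmp" "$CONFDIR/config"
    find "$CONFDIR" \( -type d -o -type f \) -exec chmod go-w {} +
    if [ "$(id -u)" -eq 0 ]; then
        chown -R "$SVCUSER" "$BASEDIR" && chown -R root "$CONFDIR"
    else
        echo "not root; run: chown -R $SVCUSER $BASEDIR; chown -R root $CONFDIR"
    fi
}
```

Run `check_confdir_readonly /usr/local/etc/dehydrated` before and after `migrate_to_basedir`; a clean second run means the only thing the cron job can still write is BASEDIR and the .well-known target.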