From owner-freebsd-ports@freebsd.org Tue Nov 8 14:11:47 2016
Subject: Re: Dehydrated setup
To: @lbutlr, freebsd-ports@freebsd.org
References: <68409904-4868-5210-6c76-f123ca849996@erdgeist.org>
From: Dirk Engling
Message-ID: <1ee859d9-0fe3-c479-d183-66cbab63e937@erdgeist.org>
Date: Tue, 8 Nov 2016 15:11:43 +0100
List-Id: Porting software to FreeBSD

On 08/11/2016 14:59, @lbutlr wrote:
> # su -m _dehydrated -c 'bash /usr/local/bin/dehydrated --cron'
> # INFO: Using main config file /usr/local/etc/dehydrated/config
> Processing covisp.net with alternative names: covisp.net www.covisp.net
>  + Signing domains...
>  + Generating private key...
>  + Generating signing request...
>  + Requesting challenge for covisp.net...
>  + Requesting challenge for www.covisp.net...
>  + Responding to challenge for covisp.net...
> ERROR: Challenge is invalid! (returned: invalid) (result: {
>   "type": "http-01",
>   "status": "invalid",
>   "error": {
>     "type": "urn:acme:error:unauthorized",
>     "detail": "Invalid response from http://covisp.net/.well-known/acme-challenge/t4DhXZyC
>
> same results with WELLKNOWN="/usr/local/etc/dehydrated/.well-known"

It says unauthorized now. Could it be that your web server does not follow links by default? Could you tell me which webserver you're using? Then I can copy you a snippet for its config that should work.

> /usr/local/etc/dehydrated]# ls -lsR
> total 40
> 8 drwxrwx---  2 root  _dehydrated  512 Nov  8 04:34 .acme-challenges
> 0 lrwxr-xr-x  1 root  _dehydrated   16 Nov  8 06:48 .well-known -> /www/.well-known
> 8 drwxrwx---  3 root  _dehydrated  512 Nov  8 06:45 accounts
> 8 drwxrwx---  3 root  _dehydrated  512 Oct 31 17:38 certs
> 8 -rw-r--r--  1 root  _dehydrated  141 Nov  8 06:56 config
> 8 -rw-r--r--  1 root  _dehydrated  129 Nov  8 06:54 domains.txt

Also I would suggest setting BASEDIR=/var/dehydrated in your config and making /usr/local/etc/dehydrated/ belong to root. Currently your privilege separation does not yield much, as the _dehydrated user can write /usr/local/etc/dehydrated and could possibly overwrite your deploy.sh script, if you chose to provide one for use with periodic. You would just need to move the accounts and certs directories and domains.txt to /var/dehydrated, give this directory to _dehydrated and leave permissions on /usr/local/etc/dehydrated/ as they are (this saves you A LOT of trouble when updating the package).

erdgeist
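The permission problem Dirk points out above can be checked mechanically. The script below is an added example, not code from this thread or from the dehydrated project: it audits the split he recommends (a root-owned config directory that the _dehydrated group cannot write, with accounts, certs and domains.txt living under BASEDIR) and prints, without executing, the migration commands. The paths /usr/local/etc/dehydrated and /var/dehydrated come from the thread; the function names, the exit-code convention and the DEHYDRATED_AUDIT_RUN switch are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread or from the dehydrated project.
# Audits the directory split recommended in the reply: the config directory
# (/usr/local/etc/dehydrated in the FreeBSD port) should be root-owned and not
# writable by the _dehydrated group, while the mutable state (accounts, certs,
# domains.txt) lives in BASEDIR (/var/dehydrated), the only tree the
# unprivileged account needs to write. Function names and the exit-code
# convention (0 ok, 1 policy violation, 2 path missing) are this example's own.

# Mode bits are read from `ls -ld` because stat(1) flags differ between
# FreeBSD and Linux. In "drwxrwx---", column 6 is the group-write bit and
# column 9 the other-write bit.
group_write_bit() { ls -ld "$1" | cut -c6; }
other_write_bit() { ls -ld "$1" | cut -c9; }

# check_config_dir DIR
# 0: DIR is writable by its owner only, so an account in the _dehydrated group
#    cannot replace files such as a deploy hook run from periodic(8).
# 1: DIR is group- or world-writable (the drwxrwx--- layout shown in the thread).
# 2: DIR does not exist.
check_config_dir() {
    [ -d "$1" ] || return 2
    if [ "$(group_write_bit "$1")" = "w" ] || [ "$(other_write_bit "$1")" = "w" ]; then
        return 1
    fi
    return 0
}

# check_basedir DIR
# 0: DIR exists and is not world-writable; 1: world-writable; 2: missing.
check_basedir() {
    [ -d "$1" ] || return 2
    if [ "$(other_write_bit "$1")" = "w" ]; then
        return 1
    fi
    return 0
}

# plan_migration CONFIG_DIR BASEDIR
# Prints, without executing, the commands that move the state out of the config
# directory and point dehydrated at the new location. Review them, then run as
# root. A BASEDIR line appended to the config overrides any earlier assignment
# because dehydrated sources the file as shell.
plan_migration() {
    config_dir=$1
    basedir=$2
    echo "mkdir -p $basedir"
    for item in accounts certs domains.txt; do
        if [ -e "$config_dir/$item" ]; then
            echo "mv $config_dir/$item $basedir/"
        fi
    done
    echo "chown -R _dehydrated:_dehydrated $basedir"
    echo "chown -R root:wheel $config_dir"
    echo "chmod 755 $config_dir"
    echo "echo BASEDIR=$basedir >> $config_dir/config"
}

# audit_dehydrated CONFIG_DIR BASEDIR
# Human-readable report; returns 0 only when both checks pass.
audit_dehydrated() {
    status=0
    rc=0; check_config_dir "$1" || rc=$?
    case $rc in
        0) echo "ok:   $1 is not group- or world-writable" ;;
        1) echo "WARN: $1 is writable by the _dehydrated group; a deploy hook kept there could be replaced"; status=1 ;;
        2) echo "WARN: $1 does not exist"; status=1 ;;
    esac
    rc=0; check_basedir "$2" || rc=$?
    case $rc in
        0) echo "ok:   $2 exists for accounts, certs and domains.txt" ;;
        1) echo "WARN: $2 is world-writable"; status=1 ;;
        2) echo "WARN: $2 missing; set BASEDIR=$2 in the config and migrate:"
           plan_migration "$1" "$2" | sed 's/^/      /'
           status=1 ;;
    esac
    return $status
}

# Set DEHYDRATED_AUDIT_RUN=1 to audit the FreeBSD port's default paths when
# this file is executed directly; CONFIG_DIR and BASEDIR may be overridden.
if [ "${DEHYDRATED_AUDIT_RUN:-0}" = 1 ]; then
    audit_dehydrated "${CONFIG_DIR:-/usr/local/etc/dehydrated}" "${BASEDIR:-/var/dehydrated}"
fi
```

Run it as `DEHYDRATED_AUDIT_RUN=1 sh audit.sh` on the host; against the layout quoted in the thread the config-directory check fails, since drwxrwx--- lets any process running as _dehydrated write into the directory that a root-run periodic hook would be read from. The migration plan only prints commands so that the move of the ACME account keys and certificates can be reviewed before anything is touched.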